Why we can expect more hacking of politicians’ phones
Pegasus can infect a target’s device without the victim’s knowledge and allow a government or organization to access personal data, including turning on cameras and microphones. Anti-surveillance activists have called on the governments to ban or at least heavily regulate spyware companies. And the United Nations Human Rights Office called on governments last year to regulate the sale and use of spyware technologies.
Yet there are still no international agreements restricting spyware and even governments that ban Pegasus still face a mole problem of other less visible and less regulated spyware companies popping up. As a result, officials are forced to use low-tech solutions to protect themselves. Macron replaced his phone and changed phone number last year after his number was found on a list of 50,000 allegedly targeted by NSO customers using Pegasus.
After researchers reported in April that Pegasus had infected the phones of dozens of Spanish officials, including Catalan President Pere Aragonès, he began leaving his phone outside the room when he goes to important political meetings and has sensitive conversations.
“When you need to recognize or someone is listening to you, you are very reluctant to speak privately with your partner or loved ones,” Aragonès said in an interview a few weeks after the hacks were discovered.
Citizen Lab, a research lab based at the University of Toronto, found “strong circumstantial evidence” linking the Spanish government to the hacks of Catalan civil servants (Catalonia has long fought for more autonomy) – a charge Spain has denied. It was two weeks later that the Spanish Prime Minister has himself become a victim.
In the United States, officials confirmed that the FBI had acquired the Pegasus technology, but only for testing. And some lawmakers argue that privacy must be balanced against the need to use all available tools to protect national security.
“It’s a very tricky area because we want to protect people’s privacy, but on the other hand, we want to make sure we have the tools to find terrorists and that kind of stuff,” the senator said. . Angus King (I-Maine), a member of the Senate Intelligence Committee, said in an interview.
Vice Chairman of the Senate Intelligence Committee Marco Rubio (R-Fla.) argued that the issue is not whether governments should sue the groups, but whether they can. They “operate in the shadows,” largely outside government control and without fixed addresses.
“It’s a huge challenge, and there’s no easy answer,” Rubio said.
When asked how he approaches the danger of his own phone being hacked, Rubio said: “I tell everyone that you have to assume that anything you do on a mobile device or that is connected to the internet is vulnerable. And no matter how many steps you take, these people, their full-time job is figuring out how to get into things that they’re not supposed to see.
That’s a big part of the conundrum: Even the most sophisticated governments have struggled to find ways to defend themselves against these phone hacks. Pegasus operates by exploiting undisclosed vulnerabilities in iOS and Android operating systems, and NSO has deployed massive resources to find new vulnerabilities before software makers are aware of them. Pegasus is also practically invisible: it can be installed without any clicks, including via a text message that has just been sent to a user.
Pegasus has become the poster child for one of the world’s most secretive yet increasingly widespread industries. Governments will rarely confirm the use of spyware against targets, but a spokesperson for NSO claimed at POLITICO this month that Pegasus had been key to a number of governments in stopping “major terrorist attacks”.
Even so, governments are taking steps to limit the use of Pegasus. Last year, the Biden administration effectively blacklisted NSO Group and Candiru, another Israeli spyware company, adding them to the Commerce Department’s list of companies deemed a threat to the national security of the United States. United States.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, joined more than a dozen other House and Senate Democrats in December in calling on the state and Treasury to sanction NSO and three other spyware companies for alleged human rights violations. Legislators argued in a letter that sanctioning NSO Group – along with other surveillance companies DarkMatter, Nexa Technologies and Trovicor – would be a major financial blow to the spyware industry by cutting off access to the US stock market.
“The commercial surveillance industry is a threat to the national security of the United States and other democracies because it basically allows a dictator with a big checkbook to acquire a whole bunch of sophisticated tools” , Wyden said. said in an interview.
On the other side of the Atlantic, Aragonès called on the EU to take action to regulate the spyware industry, stressing that “we need public transparency or public oversight by the parliaments of the governments that own of these softwares.
“If the Spanish government could do this, any other government could also do it against its citizens,” Aragonès said.
Some governments are beginning to take action. The European Parliament in March approved the creation of a 38-member committee to investigate Pegasus and whether the use of the spyware violated EU laws. France is investigating the impact of Pegasus on government officials following allegations last year that Macron’s phone was infected with Pegasus spyware. The NSO group denies that Macron was targeted by Pegasus.
“The security of the president’s means of communication is constantly monitored with the utmost care,” a spokesperson for the president said, adding that incoming ministers and their cabinets “would be made aware of this type of risk as soon as they take office.” .
Yet many governments are moving slowly as they attempt to balance competing interests. A complete ban on spyware would complicate investigations and classified intelligence operations, and could lead to the growth of the surveillance black market. The specific ban on NSO could also complicate many countries’ relations with Israel, given its ties to the Israeli government. And without an international agreement to end the use of spyware, governments may try to outdo each other using the technology.
As the outcry grew, NSO worked to improve its image. The organization published a report on transparency last year detailing how Pegasus is licensed, which emphasized that Pegasus “is not mass surveillance technology, and only collects data from the mobile devices of specific individuals, suspected of involvement in serious crimes and the terrorism”. The Israeli government regulates Pegasus, with an export license required before NSO can sell Pegasus to a new customer; the company claims to only license the software to governments after investigating their intentions.
“NSO continues to evolve as a company and improve its technology and contractual safeguards, customer verification process and ability to investigate abuse,” NSO spokesperson Ariella ben Abraham said during the interview. of an interview with POLITICO earlier this month. “We believe there is no other alternative to prevent terrorism and crime, and we continue to call for global regulation.”
NSO also claimed that Pegasus cannot be used to target US phone numbers. This does not prevent the targeting of Americans using foreign numbers.
As NSO fights back, government officials are not the only individuals in the crosshairs, and journalists, dissidents and their family members are among other spyware targets. The Guardian and over a dozen other outlets reported last year that 50,000 phone numbers may have been targeted by governments using Pegasus since 2016, including a number of journalists and pro-democracy activists as well as suspected criminals.
A consortium of 90 human rights groups, including Amnesty International and Human Rights Watch, urged senior EU officials last year sanction the NSO Group because of its concerns about human rights abuses.
“Is there a global equity that requires every country in the world to have the ability to hack every country’s head of state?” This strikes me as a terrifying result,” said John Scott-Railton, senior researcher at Citizen Lab. “It looks like it will make us all less secure and less secure, but that’s exactly the path NSO has charted for us.”