Pegasus can infect a target’s device without the victim knowing and allow a government or organization to access personal data, including turning on cameras and microphones. Activists against surveillance have called on governments to ban or at least heavily regulate spyware companies. And the United Nations’ human rights office called on governments last year to regulate the sale and use of spyware technologies.
Yet there are still no international accords restricting spyware and even governments that ban Pegasus still face a whack-a-mole problem of other less visible and less regulated spyware companies popping up. As a result, officials are stuck employing low-tech solutions to protect themselves. Macron reportedly replaced his phone and changed his phone number last year after his number was found on a list of 50,000 allegedly targeted by NSO clients using Pegasus.
After researchers reported in April that Pegasus had infected the phones of dozens of Spanish officials including Catalan president Pere Aragonès, he started leaving his phone outside the room when he goes into important policy meetings and has sensitive conversations.
“When you are having to acknowledge or that someone is listening to you, you are very reluctant to talk privately with your partner or your relatives,” Aragonès said in an interview a few weeks after the hacks were discovered.
Citizen Lab, a research lab based at the University of Toronto, found “strong circumstantial evidence” tying the Spanish government to the hacks of Catalan officials (Catalonia has long fought for more autonomy) — a charge Spain has denied. It was two weeks later that Spain’s Prime Minister became a victim himself.
In the U.S. officials have confirmed that the FBI acquired Pegasus technology, though only for testing. And some lawmakers argue that privacy has to be balanced against the need to use all tools available to protect national security.
“It is a very tricky area, because we want to protect people’s privacy, but on the other hand, we want to be sure we have the tools to find terrorists and those kind of things,” Sen. Angus King (I-Maine), a member of the Senate Intelligence Committee, said in an interview.
Senate Intelligence Committee Vice Chair Marco Rubio (R-Fla.) argued that it isn’t a matter of whether governments should go after the groups, but whether they can. They “operate in the shadows,” largely outside of government control and without set addresses.
“It’s an enormous challenge, and there is no easy answer to it,” Rubio said.
Asked how he approaches the danger of his own phone getting hacked, Rubio said: “I tell everybody you should assume anything you do on a mobile device or that is connected to the internet is vulnerable. And no matter how many steps you take, these people, their full-time job is to figure out how to get into things they are not supposed to see.”
That is a big part of the conundrum: Even the most sophisticated governments have had trouble finding ways to defend themselves against these phone hacks. Pegasus works by exploiting undisclosed vulnerabilities in iOS and Android operating systems, and NSO has deployed massive resources into finding new vulnerabilities before software makers are aware of them. Pegasus is also virtually invisible: It can be installed with zero clicks, including through a text message just being sent to a user.
Pegasus has become the poster child for an industry that is among the most secretive in the world, but is increasingly widespread. Governments will rarely confirm using spyware against targets, but a spokesperson for NSO claimed to POLITICO this month that Pegasus had been key to a number of governments stopping “big terror attacks.”
Even so, governments are taking some steps to rein in the use of Pegasus. The Biden administration last year effectively blacklisted both NSO Group and Candiru, another Israeli spyware company, by adding them to the Commerce Department’s list of companies considered a threat to U.S. national security.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, joined more than a dozen other House and Senate Democrats in December in calling for State and Treasury to sanction NSO and three other spyware companies for alleged human rights offenses. The lawmakers argued in a letter that sanctioning NSO Group — along with other surveillance companies DarkMatter, Nexa Technologies, and Trovicor — would be a significant financial blow to the spyware industry through cutting off access to the U.S. stock market.
“The commercial surveillance industry is a threat to the national security of the United States and other democracies, because it basically makes it possible for a dictator that has a fat checkbook, they can acquire a whole bunch of sophisticated tools,” Wyden said in an interview.
On the other side of the Atlantic, Aragonès called for the EU to take steps to regulate the spyware industry, stressing that “we need public transparency or public supervision by the parliaments to the governments that are the owners of this software.”
“If the Spanish government could do this, any other government could also do this against its citizens,” Aragonès said.
Some governments are beginning to take some steps. The European Parliament in March approved the creation of a 38-member committee to investigate Pegasus and whether the use of the spyware had broken EU laws. France is investigating the impact of Pegasus on government officials following last year’s allegations that Macron’s phone was infected with Pegasus spyware. NSO Group denies that Macron was targeted by Pegasus.
“The security of the president’s means of communication is constantly monitored with the utmost care,” a spokesperson for the president said, adding that incoming ministers and their cabinets “would be made aware of this type of risk as soon as they take office.”
Still, many governments are moving slowly as they attempt to balance competing interests. A complete ban on spyware would complicate investigations and classified intelligence operations, and could lead to the growth of the surveillance black market. Banning NSO specifically could also complicate many countries’ relations with Israel, given its ties to the Israeli government. And without an international agreement to halt the use of spyware, governments may try to out-compete the other through using the technology.
As outcry has increased, NSO has been working to improve its image. The organization released a transparency report last year detailing how Pegasus is licensed, which underlined that Pegasus “is not a mass surveillance technology, and only collects data from the mobile devices of specific individuals, suspected to be involved in serious crime and terror.” The Israeli government regulates Pegasus, with an export license required before NSO can sell Pegasus to a new customer; the company claims to only license the software to governments after investigating their intentions.
“NSO continues to evolve as a company and improve its technological and contractual safeguards, customer vetting process and ability to investigate misuse,” Ariella ben Abraham, an NSO spokesperson, said during a sit down interview with POLITICO earlier this month. “We believe there is no other alternative to prevent terror and crime, and we continue to call for global regulation.”
NSO has also claimed that Pegasus cannot be used to target American phone numbers. This does not stop the targeting of Americans using foreign numbers.
As NSO fights back, government officials are not the only individuals in the crosshairs, and journalists, dissidents and their family members are among other targets of spyware. The Guardian and more than a dozen other media outlets reported last year that 50,000 phone numbers may have been targeted by governments using Pegasus since 2016, including a number of journalists and pro-democracy activists along with suspected criminals.
A consortium of 90 human rights groups, including Amnesty International and Human Rights Watch, urged top EU officials last year to sanction NSO Group due concerns over human rights abuses.
“Is there a global fairness that requires that every country in the world have the ability to hack the head of state of every country? That sounds to me like a terrifying outcome,” said John Scott-Railton, a senior researcher at Citizen Lab. “Seems like it will make us all less secure and less safe, but that’s exactly the road that NSO has set us on.”