July 22, 2021
IntelBrief: The Final Nail in the Coffin for Privacy? The Saga of the NSO Group’s Spyware
Earlier this week, a consortium of news organizations published the results of a months-long investigation into a data leak of more than 50,000 phone records associated with NSO Group, an Israeli spyware company. This was led by Paris-based journalism non-profit Forbidden Stories, with technical support from Amnesty International’s Security Lab, and released to seventeen news organizations, the group named “The Pegasus Project.” NSO has sold its spyware to several government clients who have, according to Pegasus Project reporting, used its spyware capabilities to target journalists, human rights activists, and politicians. Despite NSO’s claims that they carefully vet their clients, a number of repressive authoritarian regimes have been the recipients of NSO’s product line. NSO, founded in 2010 by former members of Unit 8200, Israel’s equivalent to the U.S. National Security Agency, had touted Pegasus as a tool to combat terrorist and criminal groups.
Pegasus’s tracking capabilities can no doubt unearth important details regarding illicit activities. The investigation found that NSO’s Pegasus spyware program is so sophisticated that it can defeat Apple’s iPhone 11 and 12 encryption and security protocols, gaining access to a target’s iPhone via a zero-click attack. Pegasus can remotely gain control over a device without the target clicking on any malicious link, website, or application. This “zero-click attack” strategy nullifies the need for an adversary to socially profile or manipulate a target through other means, like phishing scams or business email compromise attacks. Pegasus can collect and access a wide range of data and tools on a target’s device, including but not limited to geo-locational information, browser history, read text messages, voicemails, and microphones and cameras.
NSO’s significant capabilities have previously gained attention. In 2016, Citizen Lab, an interdisciplinary laboratory based at Toronto University, published a report, “The Million Dollar Dissident,” that documented how the United Arab Emirates used Pegasus to remotely break into Ahmed Mansoor’s iPhone. Mansoor, a notable human rights activist, would not be the last such proponent targeted. NSO gained more notoriety when WhatsApp Inc and Facebook Inc filed a lawsuit against NSO in October 2019, alleging that NSO sent “malware to approximately 1,400 mobile phones and devices…designed to infect target devices for the purpose of conducting surveillance of specific WhatsApp users.” The lawsuit is ongoing, and in the meantime, Pegasus has remained a tool to monitor political opponents.
One country reportedly on NSO’s client list is Saudi Arabia. The Pegasus Project discovered that the phones of journalist Jamal Khashoggi’s fourth wife, Hanan Elatr, and fiancée, Hatice Cengiz, were targeted prior to Khashoggi’s brutal murder at the hands of the Saudi government. According to The Wire, more than 300 Indian phone numbers were likely Pegasus targets. Among them were two cell phone numbers associated with Rahul Gandhi, Prime Minister Narendra Modi’s top political opponent. In reporting by the Guardian, U.S.-Belgian citizen Carine Kanimba was also under Pegasus surveillance. Kanimba’s father, Rwandan human rights advocate Paul Rusesbagina, is currently imprisoned in Rwanda. Kanimba has been on the leading edge of fighting for her father’s freedom, which is suspected to have made her a target. Several other national leaders, including Pakistani Prime Minister Imran Khan and Iraqi President Barham Salih, were also targeted with the spyware, according to the investigation. Reports that a Moroccan security service targeted French President Emmanuel Macron and fifteen members of the French government for surveillance using Pegasus spyware was denied by both Morocco and NSO.
NSO has publicly claimed that it only sells its products to governments. As such, it seems very likely that Saudi Arabian, Indian, Rwandan, and many more governments are using NSO’s spyware against non-terrorist and criminal actors. Spyware development firms like NSO have created products that erode privacy protections to the point of effectively ending virtual privacy. Yet, this industry is lightly regulated. The Wassenaar Arrangement —an export control regime that promotes transparency in transfers of conventional arms and dual-use technologies, with forty-two participating states—added intrusion software surveillance tools to its export controls list in 2013. The Wassenaar Arrangement, however, is significantly limited in that it lacks regulatory or enforcement capabilities, especially for non-participant nations like Israel. For too long, companies and governments have used technology under the guise of fighting terrorism and crime. The reporting from the Pegasus Project should lead to a discussion on whether firms like NSO should exist. At a minimum, it is time for lawmakers and multilateral bodies to consider whether there are stricter compliance, transparency, and mandatory reporting standards that can be implemented against spyware firms. However, doing so will take time. Thus, in the short-term, it is with perhaps great irony that major Silicon Valley companies like Google, Apple, and Facebook—firms that have all faced criticism for their own privacy issues—are best positioned to innovate and protect technology users against spyware firms like NSO Group.