Notorious Pegasus spyware faces its day of reckoning – The Guardian

Notorious Pegasus spyware faces its day of reckoning – The Guardian

If you were compiling a list of the most toxic tech companies, Facebook – strangely – would not come out on top. First place belongs to NSO, an outfit of which most people have probably never heard. Wikipedia tells us that “NSO Group is an Israeli technology firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones”.

Pause for a moment on that phrase: “remote zero-click surveillance of smartphones”. Most smartphone users assume that the ability of a hacker to penetrate their device relies upon the user doing something careless or naive – clicking on a weblink, or opening an attachment. And in most cases they would be right in that assumption. But Pegasus can get in without the user doing anything untoward. And once in, it turns everything on the device into an open book for whoever deployed the malware.

That makes it remarkable enough. But the other noteworthy thing about it is that it can infect Apple iPhones. This is significant because, traditionally, iPhones have been relatively secure devices and they are overwhelmingly the smartphone of choice for politicians, investigative journalists, human rights campaigners and dissidents in authoritarian countries.

Pegasus is so powerful it is classed as a munition and, as such, requires the permission of the Israeli government before it can be sold to foreign customers. And those customers, apparently, have to be governments. It’s not available as a consumer product. (The company insists it is only intended for use against criminals and terrorists.)

In a farcical turn, French government officials were allegedly in the final stages of contract negotiations to purchase Pegasus

And it doesn’t come cheap. We don’t know what the current price is, but in 2016 NSO was apparently charging government agencies $650,000 for the capacity to spy on 10 iPhone users, along with a $500,000 setup fee. Government agencies in the United Arab Emirates and Mexico are believed to have been among NSO’s early customers, but my guess is that by now there isn’t an authoritarian or despotic state anywhere in the world that’s not on the company’s books, despite NSO’s claim that it vets its customers’ human rights record before selling to them. And those governments – it can be assumed – make predictably heinous uses of it. Evidence suggests Pegasus has been used in targeted attacks against human rights activists and journalists in various countries, was used in state espionage against Pakistan and, most grisly of all, may have been used by Saudi Arabia to spy on contacts of murdered dissident Jamal Khashoggi.

In a slightly farcical turn, at the same time that Emmanuel Macron’s iPhone was on a leaked list of potential targets for NSO spyware, it transpires that French government officials were allegedly in the final stages of contract negotiations to purchase Pegasus! The French have, needless to say, denied this, which only goes to support the old foreign correspondent’s adage that “you can never believe anything until it has been denied three times by the Élysée palace”.

Until quite recently, NSO was riding high. All that began to change at the beginning of this month when the Biden administration added NSO Group to its “Entity List” for acting “contrary to the national security or foreign policy interests of the US” and effectively banned the sale of hardware and software to the company. And last week Apple filed a lawsuit against NSO to hold it accountable for the surveillance and targeting of Apple users. The company is also seeking a permanent injunction to ban NSO from using any Apple software, services or devices. Needless to say, the Israeli government is up in arms about this, possibly because of revelations that phones of Palestinian human rights defenders have been “Pegasused”.

What’s mostly missing from coverage of these developments is that none of this would be happening had it not been for the skill, dedication and persistence of an extraordinary group of academic researchers at the Munk School of Global Affairs and Public Policy at the University of Toronto. The school’s Citizen Lab was set up in 2001 by Ronald Deibert, a political scientist who realised that the world would need a way of digging beneath the surface of our global communications networks to uncover the ways that power is covertly exercised in its subterranean depths.

Over the past 20 years, Deibert has built a formidable team that functions, in a way, as a kind of National Security Agency for civil society. For years, it was the only place where one could get an informed picture of what NSO was up to and without the lab’s work – and the personal courage of some of its researchers – I doubt that the US would have moved against the company. But even if NSO now slides into insolvency, Pegasus will not disappear, because there are plenty of non-democratic customers for its capabilities. What the Citizen Lab has shown is that the price of liberty is tech-savvy vigilance.

What I’ve been reading

Classic storytelling
Interesting interview on the Public Thinker site with the Oxford academic Merve Emre, who’s done a handsome annotated edition of Virginia Woolf’s Mrs Dalloway.

American nightmare
The Terrifying Future of the American Right is a fascinating report by David Brooks in the Atlantic on a weekend spent at the National Conservatism conference.

Geared for failure
Tech Can’t Fix the Problem of Cars is a good New York Times piece by Shira Ovide. EVs won’t wean us off cars.