Journalists, lawyers, business executives, and human rights activists across the world appear to have been targeted by government actors using the Pegasus software sold by Israeli security company NSO Group, according to an investigation revealed Sunday.
Amnesty International and Forbidden Stories, a Paris-based journalistic non-profit, have obtained access to a list of 50 000 phone numbers of identifiable individuals who are suspected persons of interest to clients of NSO. The numbers are primarily from countries known for human-rights abuses and the surveillance of their citizens. The list did not indicate whether a listed device was infected with the Pegasus malware or was subject to an attempted hack.
The list of numbers includes the editor of the Financial Times, Roula Khalaf, co-founder of Indian news website The Wire, Siddharth Varadarajan, and associates of the murdered Washington Post journalist Jamal Khashoggi.
NSO Group’s lawyers maintain that the technology was not designed for this purpose, and point to contractual obligations of purchasers to only use the malware to fight serious crime and terrorism. In a series of statements given to the Washington Post, NSO maintains that it does not have access to its customers’ lists of targets, nor were those lists ever held on its servers. Notably, the NSO representative stated that they have only sold Pegasus to “vetted foreign governments” and that no customer has “been granted technology that would enable them to access phones with US numbers.”
However, Agnès Callamard, Secretary-General of Amnesty International, maintains that, despite NSO’s claim, the technology is indeed being used outside of the contractual mandate. She recently stated that “while the company claims its spyware is only being used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse”.
It remains unclear if there is a legal path forward for those being illegally surveilled by this software to counteract these actions. Most countries have some domestic law(s) against espionage, but internationally there is very little regulation beyond the rules for the treatment of spies in times of war. Even then, the prevailing assumption is that the spy must be a specific person and not ambiguous malware or other autonomous technologies. Article 5 of the Geneva Convention protects a “person . . . detained as a spy;” Article 46 of the Additional Protocol (added in 1977) simply maintains the status of prisoners as “a spy,” not a prisoner of war. These laws, of course, were developed before the widespread use of smartphones and cyber-surveillance technology.