Journalism investigatigation
The Pegasus Project is an international investigative journalism initiative that revealed governments' espionage on journalists, opposition politicians, activists, business people and others using the private Pegasus spyware developed by the Israeli technology and cyber-arms company NSO Group. Pegasus is ostensibly marketed for surveillance of "serious crimes and terrorism". In 2020, a target list of 50,000 phone numbers leaked to Forbidden Stories, and an analysis revealed the list contained the numbers of leading opposition politicians, human rights activists, journalists, lawyers and other political dissidents.[1]
A small number of phones that were inspected by Amnesty International's cybersecurity team revealed forensic evidence of the Pegasus spyware, a zero-click Trojan virus developed by NSO Group.[1] This malware provides the attacker full access to the targeted smartphone, its data, images, photographs and conversations as well as camera, microphone and geolocation. This information was passed along to 17 media organisations under "The Pegasus Project" umbrella name. Reports started to be published by member organisations on 18 July 2021, revealing notable non-criminal targets and analysing the practice as a threat to freedom of the press, freedom of speech, dissidents and democratic opposition. On 20 July, 14 heads of state were revealed as former targets of Pegasus malware.[2] Various parties called for further investigation of the abuses and a limitation on trading such repressive malware, among them the newsrooms involved, the Committee to Protect Journalists, the International Press Institute, and Edward Snowden.
The Pegasus spyware was developed by the Israeli cyberarms company NSO Group. It can be covertly installed on mobile phones (and other devices) running most[3] versions of iOS and Android. The spyware is named after the mythical winged horse Pegasus—it is a Trojan horse that can be sent "flying through the air" to infect phones.[4] Usages of the Pegasus spyware have been monitored for years. Amnesty has argued that the digital invasion is correlated with real-life consequences for spied targets, via psychological or physical damages.[5]
The NSO Group exports are overseen by the Israeli Ministry of Defense's Defense Exports Control Agency (DECA).[6]
In 2020, a list of over 50,000 phone numbers believed to belong to individuals identified as "people of interest" by clients of the Israeli cyberarms firm NSO Group was leaked to Amnesty International and Forbidden Stories, a media nonprofit organisation based in Paris, France. This information was passed along to 17 media organisations under the umbrella name "The Pegasus Project". Over several months, over 80 journalists from The Guardian (United Kingdom), Le Monde and Radio France (France), Die Zeit, Süddeutsche Zeitung, WDR and NDR (Germany), The Washington Post and Frontline (United States),[7] Haaretz (Israel), Aristegui Noticias and Proceso (Mexico), Knack and Le Soir (Belgium), The Wire (India), Daraj (Syria),[8] Direkt36 (Hungary),[9] and OCCRP investigated the spying abuses.
Investigative methodology
The leaked list of targeted phone numbers provides an indication of being a "person of interest" and a first indication of possible hacking, to be confirmed via direct forensic examination of the phone. According to Amnesty, "The Citizen Lab at the University of Toronto independently peer-reviewed a draft of their forensic methodology outlined in Forensic Methodology Report: How to catch NSO Group's Pegasus.[10][3] Amnesty also published various tools or data from this investigation, including a Mobile Verification Toolkit (MVT)[3] and a GitHub repository listing indicators of NSO/Pegasus compromised devices.[3][11] Some emerging unverified online services claim to be able to assess an infection by Pegasus, but their usage is discouraged as possible scams themselves.[12] Amnesty and Forbidden Stories received numerous queries for checking devices but were not able to satisfy the demand for assistance.[12]
The investigation suggested that Pegasus continued to be widely used by authoritarian governments to spy on human rights activists, journalists and lawyers worldwide, although NSO claims that it is only intended for use against criminals and terrorists.[1][13]
A French journalist noted that "in a matter of cyber-surveillance, we observe that abuse is de facto the rule".[14] Forbidden Stories argues the Pegasus software and its usages de facto constitute a global weapon to silence journalists.[15]
Forensic Architecture and the Pegasus Project lead a data analysis and built a data visualisation plotting attempt hacking of dissidents together with real-life intimidations, threats or violence. They have argued that Pegasus has become a key tool for states to repress their own people.[16]
Targets include known criminals as well as human rights defenders, political opponents, lawyers, diplomats, heads of state and nearly 200 journalists from 24 countries.[17] The Guardian mentioned 38 journalists in Morocco, 48 journalists in Azerbaijan, 12 journalists in the United Arab Emirates and 38 journalists in India as having been targeted.[18] Some of the targets whose names have been revealed are listed below; the list is non-exhaustive.
Heads of state and government
According to an analysis by the German newspaper Die Zeit and others, the following incumbent and former heads of state and government have been targeted,[19][20] implying possible full access to their mobile phones' data:
Used against opposition journalists, opposition leaders and critics.
Used against opposition leaders, union ministers, journalists, administrators such as Election Commissioner and heads of the Central Bureau of Investigation (CBI) and minority leaders.
Used against anti-corruption journalists, opposition leaders and a judge.
Used against opposition, Western Sahara–friendly journalists in Morocco and France, and more than 6,000 Algerian politicians, high-ranking military officials, heads of intelligence, civil servants, diplomats and activists.[21]
In July 2017, Prime Minister Beata Szydło agreed with Benjamin Netanyahu to buy Pegasus licenses.[44] Michał Woś, deputy minister of justice, requested a parliamentary committee to divert funds from a ministry-run fund to "combat crime."[45][46] Once approved, the Central Anticorruption Bureau (CBA) purchased the licenses for PLN 33.4 million.[47] The transaction with NSO Group was camouflaged with unrelated invoices.[45][48] The contract for 40 licenses to be used over three years was mediated by Matic, a company established by former Militia and Security Service associates.[49] The spyware was first deployed in November 2017.[47]
In 2018, Citizen Lab suspected that an operator codenamed "ORZELBIALY" (Polish for "white eagle," a reference for the coat of arms of Poland) was spreading Pegasus through mobile network operators.[50] In 2020, Rzeczpospolita reported that the bulk of evidence in a corruption case against former Civic Platform politician Sławomir Nowak was obtained using Pegasus. The CBA denied ever buying the license, still the government assured it had court permission.[51]
In December 2021, Citizen Lab announced to have found multiple hacks into phones of prominent opposition figures during the 2019 parliamentary elections that the right-wing populist party Law and Justice (PiS) of Jarosław Kaczyński won by a slim margin, which lead to a further erosion of judicial independence and press freedom.[52] As of January 25, 2022, the reported victims include:
On February 7, 2022, the Supreme Audit Office (NIK) revealed that between 2020 and 2021, 544 of its employees' devices were under surveillance in over 7,300 attacks. According to NIK experts, three of the phones could be infected with Pegasus.[58]
On January 17, 2024, the Polish Parliament established a commission of inquiry into operational and exploratory activities involving Pegasus. The scope of the commission's work will cover the period from November 16, 2015 to November 20, 2023.[59]
Used against an opposition journalist and a women's rights activist since 2018.
Used against human rights activists, local leaders and local nobility and Sheikh Maktoum family members. With more than 10,000 people of interest linked to Dubai, it was one of the most extensive uses of Pegasus.[65][66] The targets were mainly from the UAE and Qatar, but also included people from Egypt, Lebanon, Iraq, Yemen, and Saudi Arabia.[65] In 2020,[67] the NSO Pegasus license was stripped from Dubai due to human rights concerns[68] and spying on Sheikh Maktoum family members.[67]
NSO Group did not deny the presence of its spyware, responding to the report by stating they rigorously vetted its customers' human rights records before allowing them to use its spy tools.[1] It says military-grade Pegasus is only supposed to be used to prevent serious crime and terrorism. NSO stated its purchasing client governments are bidden by a signed contract and licence, agreeing to terms of uses, and contractually limited to legitimate criminal or terrorist targets.[68] Once sold, NSO Group says it does not know nor can see how its client governments use its spyware.[68]
NSO Group stated: "NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as the identity of customers of which we have shut down systems."[74]
The CEO of NSO Group categorically claimed that the list in question is unrelated to them, the source of the allegations can not be verified as a reliable one. "This is an attempt to build something based on a crazy lack of information... There is something fundamentally wrong with this investigation."[75] The owner of the company that developed the Pegasus spyware categorically refutes all allegations, stating that the list of the phone numbers in question has nothing to do with the Pegasus spyware.[75] NSO denied "false claims" about its clients' activities, but said it would "continue to investigate all credible claims of misuse and take appropriate action".[1]
Journalists around the world have expressed outrage at the use of anti-criminality tools against non-criminals, journalists, opposition representatives, and other civilians. Edward Snowden has called for governments to impose a global moratorium on the international spyware trade in order to avoid ubiquitous violation of privacy and associated abuses.[76]
Haaretz argued such invasive monitoring technology is the weapon of choice for autocratic governments, allowing continuous monitoring of opponents, preventing protests from the beginning before they are organised, and discouraging sources to share information with journalists.[77] This technology should, therefore, be shared only with countries with independent and solid rule of law.[77]
The Committee to Protect Journalists called for a critical reform of the surveillance software industry and market.[78]
The International Press Institute, an international press freedom network, denounced the abuse of spying on journalists, calling formal investigations and accountability.[79]
Tamer Almisshal, an investigative journalist for Al Jazeera Arabic, said, "[The hacking of the Al Jazeera staffers' and journalists' phones is] a crime against journalism. Based on this spyware, journalists have been arrested, disappeared, or even killed. Khashoggi is just one example".[80]
In a statement, the National Association of Hungarian Journalists [hu] said they were "shocked" by the revelations and also stated: "If this is the case, it is unacceptable, outrageous and illegal, full information must be disclosed to the public immediately".[81]
In a tweet, the Press Club of India (PCI) issued a statement:
This is the first time in the history of this country that all pillars of our democracy — judiciary, Parliamentarians, media, executives & ministers — have been spied upon. This is unprecedented and the PCI condemns unequivocally. The snooping has been done for ulterior motives. What is disturbing is that a foreign agency, which has nothing to do with the national interest of the country, was engaged to spy on its citizens. This breeds distrust and will invite anarchy. The Govt should come out clean on this front and clarify.[82]
Similarly, the Editor's Guild of India also released a statement directed against the alleged spying made by the Indian government, saying:
This act of snooping essentially conveys that journalism and political dissent are now equated with 'terror'. How can a constitutional democracy survive if governments do not make an effort to protect freedom of speech and allows surveillance with such impunity?
It asked for a Supreme Court monitored enquiry into the matter, and further demanded that the inquiry committee should include people of impeccable credibility from different walks of life—including journalists and civil society—so that it can independently investigate the facts around the extent and intent of snooping using the services of Pegasus.[83][84]
Amazon's cloud computing subsidiary AWS stated they had terminated "relevant infrastructure and accounts" linked to NSO Group, following an investigation by Amnesty International that discovered Amazon CloudFront was being used to infect targets with the Pegasus malware.[85]
The CEO of WhatsApp, Will Cathcart, called for a global moratorium on the use of unaccountable surveillance technology and defended the use of end-to-end encryption following the reports.[86][87]
In a statement released, Algeria's public prosecutor has ordered an investigation into the reports that the country may have been a target of the Pegasus spyware.[88]
After the revelations of the Pegasus Project investigation, in which it was revealed that the French president Emmanuel Macron was targeted,[20] France launched an investigation into the matter.[89] In the aftermath of these revelations, Macron changed his telephone number and replaced his phone. Furthermore, he ordered an overhaul in security procedures.[90]
Macron reportedly contacted Israel's prime minister Naftali Bennett to discuss Israel's internal investigation and express concern that his data appeared on the list of potential targets and urged Bennett to conduct an inquiry.[91]
French intelligence (ANSSI) confirmed that Pegasus spyware had been found on the phones of three journalists, including a journalist of France 24, in what was the first time an independent and official authority corroborated the findings of the investigation.[92]
A statement from the office of Viktor Orbán in Hungary stated that they were not aware of any alleged data collection.[93] On 22 July, the Prosecution Service of Hungary announced that it would open an investigation to determine whether there was an illegal data collection.[94][95]
On November 4, 2021, Lajos Kósa, Member of Parliament and Vice President of Fidesz, member of the Parliamentary Defence and Law Enforcement Committee, admitted that the Ministry of Interior had purchased and used the Pegasus software.[96]
The government has not denied the usage of Pegasus spyware in their response so far.[97][98] The government has also denied the request for investigation or an independent Supreme Court inquiry by the opposition into the matter.[99][100][101]
The official response of the Government of India to The Washington Post stated that "[t]he allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever" and that such news reports were an attempt to "malign the Indian democracy and its institutions". They further stated that each case of interception, monitoring and decryption is approved by the Union Home Secretary and that there exists an oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary and that any such interceptions have been done under the due process of law.[93]
The former IT minister of India Ravi Shankar Prasad asked, "If more than 45 nations are using Pegasus as NSO has said, why is only India being targeted?"[102]
The Indian IT Minister Ashwini Vaishnaw in a statement in parliament stated that the reports were "highly sensational" and that they had "no factual basis". He further stated that NSO themselves had rubbished the claims. He stated that the existence of numbers in a list was not sufficient evidence to indicate that the spyware was used and said that the report itself stated the same and without the physical examination of the phone such claims cannot be corroborated.[103]
The Minister of Home and Internal Security Amit Shah in a statement on his blog insinuated that this was an attempt to disrupt the monsoon session of the parliament and that the opposition parties were "jumping on a bandwagon" and were trying to "derail anything progressive that comes up in Parliament". He stated that the report was an attempt to "derail India's development trajectory through their conspiracies".[97][104]
Replying to allegations from the opposition, Minister of State in Ministry of Home Affairs Ajay Kumar Mishra said that there is no reason for a probe and the people who made the allegations are "political failures".[27]
The Israeli government denied having access to the information gathered by NSO's clients.[105]
In the aftermath of the revelations by the investigations of the Pegasus Project, the head of the Israeli parliament's Foreign Affairs and Defence Committee announced a commission to investigate the allegations of misuse of Pegasus for surveillance and hacking.[106]
In December 2021, the Israeli Defense Ministry imposed new restrictions on the export of cyber warfare tools as a result of the scandals involving NSO.[107]
In the revelations made by the investigation, it came to light that the Kazakhstan's former Prime Minister, Bakhytzhan Sagintayev, could have been targeted.[20] Furthermore, it has been reported that Kassym-Jomart Tokayev, the president of Kazakhstan, was also targeted.[108]
However, top officials have claimed that these reports and allegations of the president being spied on were "without evidence". Furthermore, the deputy head of Kazakhstan's presidential administration Dauren Abaev said the list of targets was "rather intriguing information without any evidence".[108]
In a statement, the Moroccan government denied claims of using Pegasus and dismissed them as "unfounded and false allegations, as it has done with previous similar allegations by Amnesty International".[93] In an interview given to Jeune Afrique, foreign minister Nasser Bourita stated it was "important to shed light on the facts, far from controversy and slander", and claimed that certain figures within the Pegasus consortium "serve agendas well known for their primary hostility towards Morocco and are ulcerated by its successes under the leadership of His Majesty King Mohammed VI."[109] The then-Moroccan ambassador to France, Chakib Benmoussa, also denied reports that his country's authorities had spied on French President Emmanuel Macron.[110]
Morocco later sued Amnesty International and Forbidden Stories for defamation, with lawyer Olivier Baratelli [fr], acting on behalf of the government, saying that the Moroccan state "wants all possible light cast on these false allegations", and that it "does not intend to let the multiple lies and fake news spread these past few days go unpunished".[111] It also issued defamation citations against Le Monde, Mediapart and Radio France on 28 July 2021, and filed an injunction request against the German newspaper Süddeutsche Zeitung on 2 August.[112]
The Prime Minister of Pakistan, Imran Khan, whose name was revealed to be in the list,[20] has called on the United Nations for an investigation on the Indian use of Pegasus.[113][114]
Rwanda, through a statement by Vincent Biruta, Minister of Foreign Affairs and International Cooperation, denied using Pegasus and claimed that "false accusations" of the country using Pegasus were "part of an ongoing campaign to cause tensions between Rwanda and other countries, and to promote disinformation about Rwanda domestically and internationally."[93]
Saudi Arabia's official Saudi Press Agency has denied all allegations of its use of Pegasus spyware on journalists and human rights activists as "baseless". The allegations were dismissed as "untrue".[115][116]
A statement released by the UAE's foreign minister stated that the allegations of use of the Pegasus spyware by the UAE on journalists and individuals were "categorically false" and that such allegations had no evidentiary basis and they denied all allegations.[88][116] This despite ample material evidences of UAE dissidents being targeted.
In India the Indian National Congress accused Prime Minister Narendra Modi of "treason" and compromising national security following the release of the reports and called for the removal of Minister of Home and Internal Security Amit Shah and an investigation of the role of Prime Minister Narendra Modi into the affair.[117][118]
The Indian IT minister made a statement that similar claims were made in the past regarding Pegasus for WhatsApp which had no factual basis and was even denied by the Supreme Court of India.[119] However, many of the statements made by the Indian IT minister were verified by the Internet Freedom Foundation and were not found to be accurate.[120]
West Bengal Chief Minister Mamata Banerjee alleged that the central government intends to "turn India into a surveillance state" where "democracy is in danger".[121][122] On July 26, 2021, The West Bengal Chief Minister announced a commission of inquiry into the alleged surveillance of phones using Pegasus. Retired Supreme Court judge Justice Madan B Lokur, and former Chief Justice of Calcutta High Court, Justice (retd) Jyotirmay Bhattacharya, have been appointed as members of the commission.[123]
In India, some news articles were released making claims that Amnesty never claimed that the leaked phone numbers were of NSO's Pegasus spyware list.[124] However, these reports were later proven to be false, and Amnesty issued a statement stating that it categorically stands by the findings of the investigation and that the data is irrefutably linked to potential targets of Pegasus.[125]
The European Parliament awarded the 2021 Daphne Caruana Galizia journalism prize to the Pegasus Project.[126]
Government investigations
On 20 July 2021, it was reported that French prosecutors would investigate allegations that Moroccan intelligence services used Pegasus to spy on French journalists.[127]
France's national agency for information systems security (ANSSI) identified digital traces of Pegasus on three journalists' phones and relayed its findings to the Paris public prosecutor's office, which is overseeing the investigation into possible hacking.[92]
Coming soon: Global Spyware Scandal: Exposing Pegasus, a two-part documentary series, premieres on FRONTLINE Tuesday, Jan. 3, 2023, and Tuesday, Jan. 10, 2023.
A powerful hacking tool called Pegasus, sold to governments around the world by the Israeli surveillance company NSO Group, has been used to spy on journalists, human rights activists, the fiancée of the murdered Saudi journalist Jamal Khashoggi and others, according to a months-long investigation by 17 news organizations, including FRONTLINE.
The investigation of the spyware was coordinated by the journalism nonprofit Forbidden Stories, with technical support from Amnesty International’s Security Lab. Forbidden Stories and Amnesty had access to a leak of more than 50,000 records of phone numbers concentrated in countries known to be NSO clients. NSO has disputed the findings of the reporting and said it will investigate all credible claims of misuse and take appropriate action.
FRONTLINE is producing a documentary with Forbidden Films about the collaborative investigation. Watch the trailer:
Click on our live blog to find links to major stories from our partner news outlets.
The Forbidden Stories consortium discovered that, contrary to what NSO Group has claimed for many years, including in a recent transparency report, this spyware has been widely misused. The leaked data showed that at least 180 journalists have been selected as targets in countries like India, Mexico, Hungary, Morocco and France, among others. Potential targets also include human rights defenders, academics, businesspeople, lawyers, doctors, diplomats, union leaders, politicians and several heads of states.
In a letter shared with Forbidden Stories and its partners, NSO Group contended that the consortium’s reporting was based on “wrong assumptions” and “uncorroborated theories.” NSO Group insisted that the analysis of the data by journalists who were part of the Pegasus Project relied on a “misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products.”
HLR refers to Home Location Register – a database that is essential to operating cellular phone networks. A person with direct knowledge of NSO’s systems, speaking on the condition of anonymity, told journalists from the Pegasus Project that an HLR lookup is a key step of determining certain characteristics of a phone, such as whether it is turned on or in a country that allows Pegasus targeting.
Asked about those findings by Forbidden Stories, NSO Group denied and said “it will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.”
The consortium met with victims from all over the world whose phone numbers appeared in the data. The forensic analyses of their phones – conducted by Amnesty International’s Security Lab and peer-reviewed by the Canadian organization Citizen Lab – was able to confirm an infection or attempted infection with NSO Group’s spyware in 85% of cases, or 37 in total. Such a rate is remarkably high given the state-of-the-art spyware is supposed to be undetectable on the device in compromises.
Journalists from the Pegasus Project – more than 80 reporters from 17 media organizations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab – sifted through these records of phone numbers and were able to take a peak behind the curtain of this surveillance weapon, which had never been possible to this extent before.
Among the victims were several journalists from the Pegasus Project, such as Siddarth Varadarajan, an Indian investigative journalist and founder of the news site The Wire, who was hacked in 2018 and Szabolcs Panyi, an investigative reporter for Direkt36 in Hungary whose phone was compromised during a seven-month period in 2019.
All shared a general sense of powerlessness when informed about the cyber attacks they had suffered. “We’ve been recommending each other this tool or that tool, how to keep [our phones] more and more secure from the eyes of the government,” Azerbaijani journalist Khadija Ismayilova said. “And yesterday I realized that there is no way. Unless you lock yourself in [an] iron tent, there is no way that they will not interfere into your communications.”
Amnesty International’s Security Lab also identified new ways through which Pegasus can be installed on a phone, such as through a security flaw in iPhones that has been frequently used since 2019 and was still detected as recently as in July 2021. Well-informed sources shared concerns about countless vulnerabilities linked to Apple’s messaging service iMessage, a problem they say has gotten worse over the years.
The leaked data suggests that the spyware is used much more carelessly than advertised. In the transparency report published in June 2021, the Israeli company stressed that Pegasus was “not a mass surveillance technology” and was “used only where there [was] a legitimate law enforcement or intelligence-driven reason.” Yet, more than 10,000 phone numbers were selected for surveillance by NSO Group’s Moroccan client alone over a two-year period.
The project shines a harsh light on the business of NSO Group, which, despite claiming it vets its clients based on their human rights track records, decided to sell its product to authoritarian regimes such as Azerbaijan, the United Arab Emirates and Saudi Arabia. Insiders disclosed the important role played by the Israeli Ministry of Defense when it came to picking NSO Group’s clients. Multiple sources corroborated the fact that Israeli authorities pushed for Saudi Arabia to be added to the list of customers despite NSO Group’s hesitations. The company’s lawyer denied “NSO Group takes governmental direction regarding customers.”
The revelations stemming from this international collaborative investigation throw into question the safeguards put in place to prevent misuse of cyber weapons like Pegasus and, more specifically, NSO Group’s commitment to creating “a better, safer world.”
Three years after the publication of the Pegasus Project, one of the biggest cyber surveillance scandals, the sophisticated spyware tool continues to have global repercussions. New victims, among human rights activists or journalists, are frequently identified. Jeopardizing source protection through cyber surveillance poses a real threat to journalists’ capacity to inform the public about critical issues such as corruption, environmental crimes, and human rights violations.
The safeguarding of journalistic sources, through the regulation of spyware, is a cornerstone for press freedom, playing a crucial role in sustaining the health of our democracies. Four months after Forbidden Stories’ revelations, the U.S. Commerce Department blacklisted NSO Group, the Israeli company selling Pegasus. Since then, the White House announced in March 2023 an executive order to ban the U.S. government’s use of commercial spyware that “poses a risk to national security or has been misused by foreign actors to perpetrate human rights abuses around the world”. The “national security” exception has also been used by some European countries, including Greece, France, and Cyprus, during heated discussions over the European Media Freedom Act to prevent the ban on spyware. Those policies undeniably send a strong signal to the malicious spyware industries, but their impact is still unclear.
Organised in association with Forbidden Stories.
Revelations that scores of journalists have been spied on by governments using NSO Group spyware have inflamed critics around the world, and hastened calls for investigations into the spying allegations.
Mexico’s president, Andrés Manuel López Obrador, known as Amlo, whose family, cardiologist, and political advisers had phone numbers in the leaked list while he was running for office, pledged to cancel any outstanding government contracts with the NSO Group.
That call came as Indian opposition politicians disrupted parliament on Tuesday to demand a full investigation into the government’s alleged use of Pegasus spyware on people who appeared in list, including Indian citizens, politicians, journalists and lawyers.
The Pegasus leaks have dominated the first two days of India’s monsoon session in parliament, and on Tuesday the house was adjourned twice due to uproar and protests by opposition politicians.
Members of the opposition Congress party, whose own Rahul Gandhi was among those whose name was on the list, held up placards in the chamber and shouted loudly, calling for the resignation of the home minister, Amit Shah, over the allegations of spying.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Congress and other opposition parties have also called for an independent investigation into the alleged use of Pegasus spyware by Narendra Modi’s government.
Congress spokesperson Shaktisinh Gohil said the government needed to clearly state whether or not it had purchased Pegasus software. “If yes, then the government should order a joint parliamentary committee probe to investigate the entire matter,” he said.
According to the leaks, those of Gandhi, along with several of his close associates and a political strategist who works for the Congress, were among 300 verified Indian numbers who appeared in the leaked data. Two of Gandhi’s telephone numbers were selected in 2017 and 2019 before the 2019 general elections, where Congress went on to suffer a major loss to Modi’s Bharatiya Janata party.
Others in the list included two ministers, more than 40 journalists, three opposition leaders, dozens of activists and one sitting judge.
The opposition has accused the Modi government of using the Pegasus software to spy on its political opponents, as well as lawyers, journalists and human rights activists whose work was critical of the government. On Monday it called it “an attack on the democratic foundations of our country”.
The Modi government has maintained that no unauthorised surveillance was done. The former IT minister, Ravi Shankar Prasad, said there was “not a shred of evidence linking Indian government or the BJP” to the allegations and was among several senior BJP figures to call the leaks an international plot to defame India.
The news came as prosecutors in Paris said on Tuesday that they had opened an investigation into allegations that the Moroccan intelligence services used the Israeli surveillance software Pegasus to spy on several French journalists.
Paris prosecutors will examine 10 different charges, including whether there was a breach of personal privacy, fraudulent access to personal electronic devices, and criminal association.
The investigative website Mediapart filed a legal complaint over the allegations, which Morocco has denied, after confirming that forensics showed that the phone of its editorial director and co-founder, Edwy Plenel, was selected as well as that of its gender editor, Lénaïg Bredoux, who has specialised in reporting on sexual violence and sexual harassment.
The French satirical weekly Le Canard Enchaîné has also said it plans to file a legal complaint.
Its former reporter Dominique Simonnot, currently head of France’s independent body which oversees prisons, confirmed to France Info that she had been selected while still working as a journalist, saying: “It’s a real scandal.”
The French government spokesman Gabriel Attal told French public radio: “These are extremely shocking acts and, if proven, are extremely serious.” He said that France was “extremely attached to press freedom” and that any attempt to curtail journalists’ freedom to report was “very serious”.
In Brussels, the European Commission has promised to use “all possible tools” to gather information about spying on journalists after forensic analysis of mobile devices showed that Hungary’s government was using Pegasus spyware against investigative reporters.
The promised action from the commission is likely to disappoint some members of the European parliament, who were looking for a tougher response to the allegations against Hungary, already ensnared in numerous disputes with Brussels over democracy and human rights.
Didier Reynders, the EU commissioner in charge of data protection, said: “Any such spying on the media, if true, is simply unacceptable, so we will work to follow the investigations.”
He added that Brussels officials responsible for communications networks and technology were analysing the situation, but did not go as far as promising the full-scale investigation by the commission that members of the European parliament have demanded.
Dutch liberal MEP Sophie in ‘t Veld has tabled urgent questions to the commission, demanding to know whether it will “immediately investigate and assess whether or not Hungary has respected its obligations” under the EU treaties, charter of fundamental rights and law on data protection (GDPR).
The Hungarian government has taken a two-pronged response to the Pegasus reports. A blogpost released on Tuesday said that there had been no illegal surveillance in Hungary since Orbán came to power in 2010. It also quoted Hungary’s justice minister, Judit Varga, who told Hungarian media that states “must have the necessary tools to combat the many threats they face today”.
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
In Mexico, Obrador rejected calls for a criminal investigation into the revelations that the numbers of 15,000 Mexicans appeared in the data, even as he pledged to halt all use of the Israeli spyware.
He said: “[This investigation] is irrefutable proof that we were subjected to an authoritarian undemocratic government that violated human rights.”
Mexico was NSO’s first client in 2011, and at least three agencies – the secretary of defence, attorney general’s office and national intelligence agency – operated Pegasus during the previous government.
“I am absolutely sure that this government does not spy on anybody. If we find contracts, they will be cancelled. We do things differently in this government … we are transforming public life. We don’t spy on journalists, political opponents or activists,” Obrador said.