IPI In-Depth Watching the watchdogs: Pegasus spyware and the surveillance of journalists

Photo: Hacker with cellphone. SHUTTERSTOCK/Tero Vesalainen

By IPI Contributor Jamie Wiseman

February 11, 2020

In the past five years a growing trend has emerged of autocratic governments around the world using sophisticated spyware tools purchased from private Western companies to snoop on journalists.

Originally designed for criminal or intelligence operations, these privately developed technologies are increasingly being used by state agencies to spy on critical and investigative reporters and monitor private communications.

While this form of targeted surveillance is believed to still be limited on a global scale, major revelations in recent years have laid bare the increasing use of these tools against bloggers, activists and journalists, in democracies and dictatorships alike – already with deadly consequences.

In this report, IPI documents the use of such spyware and speaks to affected journalists, researchers and rights groups to highlight the threats such technologies pose to the profession and to media freedom more widely in an increasingly digitalized world.

Pegasus spyware

While various spyware tools exist in the global market, one in particular has faced heavy scrutiny in recent months. Developed by private Israeli cyberarms firm NSO Group, Pegasus is a mobile surveillance tool which targets an individual’s phone and infects its operating system without the user’s knowledge.

When installed, it can target private data, monitor SMS, calls and encrypted chats, and collect passwords for social media accounts. It can even turn on the user’s microphone or camera and access maps to trace the user’s location, travel history and home address.

Hatice Cengiz (R), the fiancee of murdered Saudi journalist Jamal Khashoggi, and Jeff Bezos (L), CEO of Amazon and owner of The Washington Post. EPA-EFE/Tolga Bozoglu.

The dangers of such technology have made international headlines in recent weeks after it was alleged Pegasus had been used by Saudi Crown Price Mohammed Bin Salman to hack the personal phone of Amazon founder and Washington Post owner Jeff Bezos.

However, over the past half-decade Pegasus has secretly been used by government agencies to try and snoop on dozens of journalists in countries around the world.

In a groundbreaking 2018 report, cybersecurity research laboratory Citizen Lab published evidence that the spyware may have been used in 45 counties in a two-year period between 2016 and 2018. Many of these were autocratic states with poor human rights records where independent media is heavily restricted, such as the United Arab Emirates (UAE) and Rwanda, and others where crackdowns on independent media were actively underway, such as Turkey and Egypt.

In response to these revelations, NSO Group has repeatedly denied allegations its technology has been used to target civil society and has stressed it only sells its products to “government intelligence and law enforcement agencies” for the “sole purpose” of investigating suspected terrorists and other serious criminals.

However, several publicly reported cases involving journalists have indicated its spyware is being used by intelligence agencies far more widely, and unscrupulously. Such revelations have raised serious concerns over whom Pegasus sells its technology to and a lack of knowledge about exactly who it is being used to spy on.

Emerging trend

The first journalist discovered to have been targeted with Pegasus was Emirati blogger Ahmed Mansoor in 2016, who worked with Citizen Lab to reveal the use of the spyware. He was followed shortly after by Maati Monjib, a Moroccan columnist, press freedom advocate and co-founder of the Moroccan Association for Investigative Journalism (AMJI). In 2017, he received suspicious SMS messages carrying malicious links.

A year later, in December 2018, it was revealed that Pegasus had been used by Saudi assassins to target Washington Post columnist Jamal Khashoggi. A U.N. report into his death revealed authorities in Riyadh had access to some of Khashoggi’s communications through Pegasus spyware installed on the phone of a friend and fellow dissident, allowing them to partially track his movements before his assassination.

On other occasions, the spyware was allegedly used to target those protecting journalists and human rights defenders. In August 2018, it was revealed that Pegasus had been used to try to spy on an Amnesty International staff member.

Elsewhere, an espionage scandal in Panama in 2017 emerged amid allegations the country’s former president Ricardo Martinelli had illegally ordered the use of Pegasus to spy on 150 people, including journalists, while he was president from 2009 until 2014. Though he was found not guilty by a Panamanian court, the U.S. Department of Justice maintained he created and oversaw a “sophisticated program” of surveillance.

Fresh revelations

During 2019, further scandals involving NSO Group emerged. In a highly explosive allegation in October, WhatsApp publicly accused the company of allowing government spies to exploit its app to facilitate hacking sprees on the phones of 100 civil society members, including journalists, in 20 countries.

A smartphone screen displays the logo of the mobile application WhatsApp. EPA-EFE/Hayoung Jeon.

The biggest operation here was in India, where it was disclosed that Pegasus was used in an “unmistakable pattern of abuse” to snoop via WhatsApp on at least 24 Indian journalists, lawyers, academics and activists for a two-week period until May 2019.

Though WhatsApp declined to confirm exactly how many of those targeted were journalists, it stressed it was “not an insignificant number”. So far, at least five Indian journalists have come forward publicly to reveal they were targeted. Among them were editors, defence correspondents, strategic affairs analysts, and former BBC journalists.

One of those targeted spoke to IPI under the condition of anonymity. “I don’t know why I was chosen, but I’m not surprised”, he said. “I was contacted by Citizen Lab to inform me that there had been an attempt to hack my phone through a call I received. It’s not the first time this kind of thing has happened to me, and I don’t think it will be the last time.”

Further revelations came at the end of January when New York Times journalist Ben Hubbard came forward to allege he was targeted by Saudi Arabia using NSO technology via a June 2018 SMS message. According to Citizen Lab, which investigated the attempt hack, the text contained a hyperlink to a website used by a known Pegasus operator linked to Saudi Arabia.

Mexico: The ‘biggest customer” for digital surveillance tools

While these cases have drawn more headlines, by far the most widespread use of Pegasus against journalists so far has been discovered in Mexico, which already faces an epidemic of violence against journalists and impunity. Investigations there have revealed authorities abused Pegasus to target the phones of at least nine different journalists over the last few years, in what was called the “systematic harassment” of civil society.

“The Mexican government is undoubtedly the biggest customer in the world when it comes to digital surveillance tools”, Luis Fernando García, executive director of the Network in Defense of Digital Rights (R3D) in Mexico, told IPI in a recent interview.

In 2017, R3D worked with rights group Article 19 and Citizen Lab to publish a major investigation into the use of Pegasus in Mexico, sparking a major political scandal and a criminal probe. They found that three separate “operators” – or government bodies – were using Pegasus against journalists and human rights defenders.

Former Mexican President Enrique Peña Nieto. EPA-EFE/Leonardo Muñoz.

After the revelations, the government of then-President Enrique Peña Nieto initially denied purchasing spyware from NSO. When a special freedom of expression prosecutor was assigned to investigate, the government backtracked and the former president admitted using the spyware, though he insisted it was never for political purposes and only to tackle crime.

Casting doubt upon this claim, several Mexican journalists contacted by Citizen Lab and R3D have come forward publicly over the last few years to reveal they were spied on. Many of those targeted by Pegasus were investigative journalists specializing in corruption or reporting on drug cartels and organized crime, García said. Others had been investigating the Mexican president himself, or federal authorities.

Watching Mexico’s watchdogs

Among them was well-known radio and television personality and investigative journalist Carmen Aristegui, who broke the “Casa Blanca scandal, which implicated former Mexican president Peña Nieto. Her son and members of her news team were also targeted. Meanwhile, Salvador Camarena and Daniel Lizárraga, both journalists specializing in investigating corruption with the organization Mexicans Against Corruption and Impunity, were also targeted with infection attempts. Carlos Loret de Mola, a prominent radio and television journalist, was repeatedly targeted in 2015 while carrying out an investigation into allegations of extrajudicial executions by police in Michoacán.

Among the most disturing cases concerned award-winning journalist Javier Valdez Cárdenas, who was murdered in May 2017 in Sinaloa state by unknown gunmen who stole his investigative files, laptop and mobile phone. Days after the murder, his colleagues, the director of Río Doce, and even his grieving widow began receiving messages with suspicious links purporting to have information about the identity of Cárdenas’s killers. In reality, they were attempts to infect their phones with Pegasus.

An anonymous hacker uses malware to hack passwords and personal data. SHUTTERSTOCK/Suttipun.

As chilling as each of these cases is, they represent only the known attacks. From the information that has been made public, García said, it is believed the Mexican authorities had a license to use Pegasus 500 times. “Imagine 500 bullets that can be used to target people”, he said. “And this doesn’t mean 500 attempts. You can use it against people as many times as is needed until you are able to successfully infect them. Right now it’s impossible to know exactly how many journalists have been targeted.”

To make matters worse, the license for Pegasus was renewed twice under the former Mexican government, García added, at an estimated cost of $40 million. After his election in 2018, the new left-wing president Andrés Manuel López Obrador said his administration would not use the spy software. However, in October 2019 it was again alleged that Pegasus had been used to spy on journalists’ phones in Mexico.

Even if the president’s claim were true, the physiological damage for Mexico’s media may already be done, García said. “Many journalists are scared they have been targeted by Pegasus and don’t even know about it”, he said. “This has had a ripple effect through the journalistic profession and has worsened the atmosphere of self-censorship in Mexico”.

In a country currently in the midst of a major press freedom crisis and with worst record for murder of journalists anywhere in the world in the past decade, the surveillance of reporters by the state will only worsen the situation.

Despite the special prosecutor assigned to investigate the misuse of Pegasus, in the last two years there have been no meaningful results and investigations have stalled, García added. “We’ve seen no major reform of the system or of the oversight which is needed to govern it”, he said. “There is a global urgency to tackle this issue and ensure we have proper regulations in place for the use of such technology. In Mexico we were at least able to file lawsuits against the government and have some legal protections and rights. I can’t even imagine how this technology could be used in more autocratic governments elsewhere in the world.”

A crowded market

In recent months, NSO Group and those associated with it have faced mounting allegations. It was recently reported that the company is under investigation from the FBI, and it is also facing other lawsuits in Israel. This global attention is putting the company under increasing pressure to review who it sells its technology to.

Worryingly, however, Pegasus is by no means the only spyware technology on the market that can be used to monitor journalists. Several other Western companies sell surveillance technology which allows certified government agencies to break into phones and emails.

One of these firms, Milan-based Hacking Team, likewise stresses that it does not sell its product to “repressive regimes”. However, 21 states, including Sudan and the United Arab Emirates were revealed to have used the spyware. In many cases, it has been used directly against media outlets and journalists. In 2014 for example, numerous attempts were made using the firm’s spyware to target staff working at an Ethiopian diaspora satellite media channel well-known for its criticism of the government.

A programmer shows a sample encrypted code. EPA/Ritchie B. Tongo.

Many other digital surveillance systems are also in use around the world, and often the technology is “home grown”. While nowhere near as sophisticated as Pegasus, they can still be used to great effect. In Egypt for example, intelligence services were recently caught using their own spyware system to target and track prominent critics of the regime, including many journalists. Spies targeted the victims’ emails with a sophisticated phishing technique, according to cyber security firm Check Point.

In Iran, meanwhile, numerous journalists have been monitored online by the country’s cyber-police force using a programme called Lawful Interception Management Systems (LIMS). Many have been subsequently arrested and given heavy sentences. In Central Asia, the story is much the same. Repressive governments such as Kazakhstan have long deployed advanced surveillance systems to spy on journalists both in the country and abroad. Among the worst abusers is Uzbekistan, whose National Security Service (SNB) has been accused of regularly using surveillance tools to monitor independent journalists.

In addition to its growing domestic surveillance program, China is suspected of carrying out targeted digital surveillance campaigns against diaspora news websites. Between November 2018 and May 2019, a number of English-language Tibetan diaspora news sites were targeted in spyware attacks attempting to gain passwords and IP addresses. Similar attacks were also aimed at several online news websites of the persecuted ethnic Uighur group, including the Turkistan Times, Turkistan Press and Uighur Times. According to tech analysts, such attempted malware infections “were part of a state-backed attack – likely [by] China – designed to target the Uighur community”.

Growing trend

Unfortunately this trend, while small, appears to be growing as more countries both democratic and autocratic upgrade their surveillance capabilities with spyware and other sophisticated spyware and malware tools.

Crucially though, rather than mass surveillance systems developed by government agencies, the tools being used to spy on journalists now are instead increasingly being bought from privately owned, profit-driven companies in the West.

While many of these states are assumed to also be using the technology for legitimate intelligence gathering operations, there is no escaping the conclusion that journalists and other members of civil society have, and will continue to be, unlawfully spied on by their governments.

In a post-Snowden world, the threat this kind of digital surveillance poses to private communications, source protection and secrecy for whistle-blowers, are abundantly clear. It has already been shown that such access to journalists’ communications can facilitate attacks – even fatal ones – on the press.

Going forward, unless more is known about which countries are using spyware tools, and until safeguards are put in place against their abuse through greater regulation and oversight, it is likely this illegal surveillance of journalists and other members of civil society will increase. If allowed to expand unchecked, this could further damage privacy rights and media freedom in the coming years.

MORE IPI IN-DEPTH