Behind the Mercenary Spyware Industry

Amnesty International, a French journalism non-profit, recently obtained a list containing 50,000 numbers that could have been targeted by Pegasus spyware, which was created by NSO Group (an Israeli technology company). Amnesty International and Forbidden Stories shared the list with 17 news organizations. Reporters then began to track down who the numbers belonged to. About 1,000 people were identified by their phone numbers, and over 60 of them agreed to give their phones for forensic analysis. 37 of those phones showed evidence of a successful or attempted hack. These phones belonged to journalists and human rights activists. They also belonged to two women close to Jamal Khashoggi (the murdered Washington Post columnist). We don't know if the original list of 50,000 included numbers belonging to Rahul Gandhi, a prominent opponent of India's prime minister.

John Scott-Railton, a University of Toronto Citizen Lab researcher who has been following NSO Group since 2016, spoke to me about the dangers of NSO Group and the vulnerabilities in our technology, and what, if anything, we can do to protect it.

Lizzie O'Leary: How would you describe the NSO's role?

John Scott-Railton: The mercenary spy industry is at the core of what governments need. They say that there are people they want to target but they're increasingly using encryption. But you still want to hear what they are saying. We have the solution. You can hack their phones with our product. You can then see what they are saying and you can do whatever they can on their phones. You can even do it silently. It's not something your victims will notice.

It turns out that this is dictator catnip. They claim they sell technology to track terrorists and criminals, but this is a fig leaf. What they don't know and what all of us now know is that their growth model includes selling to authoritarian regimes.
They can then use this technology to target their enemies, critics and family members or anyone else who bothers Mr. Strongman on Tuesday afternoon.

NSO is very private about the names of its clients. What do we know about their personalities?

At this stage, NSO's customer base is a familiar one: Gulf countries and the United Arab Emirates. Saudi Arabia. There are also some very small, unrelated places. Togo is one example. There are many NSO targets there who also happen to be government critics. Morocco appears to be another profligate user. They seem to have tried to sell to different places in West Africa. It is interesting to note that this customer base is dominated by authoritarian regimes.

What can someone see if your phone is infected by Pegasus?

Pegasus operators can view everything you see as soon as your phone has been infected. They can also see encrypted chats. They can also see any messages you send. They can view the photos you take of yourself and your friends. They can view your internet browsing, read your notes and even make your own. They can also activate the microphone and camera, and listen in from your pocket to the room you are in. It's very intrusive.

Do you feel validated by the news that 50,000 phones could have been targeted by Pegasus software? Was the extent of this even greater than what your research suggests?

This is the terrible thing we have been warning people about. This is it. This is exactly what we could have hoped for.

Government customers of spyware companies often use it not to conduct criminal investigations but to gain an edge in the intelligence game. This should not be surprising. Everyone wants to be able to do some kind of signals intelligence. Many states cannot. This is what I call guerilla signals intelligence. It's not surprising that powerful heads of state are being targeted.
It would be even more shocking if they were not.

An autocratic government may want to hack your phone for obvious reasons. To spy on critics and see their thoughts, as well as track them. Is there more to tracking than fear?

Fear and censorship are the glue that holds their Mad Max state-building structures together. Authoritarians have a new tool in spyware and the threat it poses, being able to access anyone's private life and find something that could harm them. They all want it. They are excited about the possibility of threatening people across borders.

This reporting reveals something that is quite striking: how vulnerable phones are, even iPhones. Apple is so concerned about privacy and security. That is kind of how they market themselves. What does that say about the security of these devices?

It is a constant arms race between those trying to get in and platforms, operating system developers, and companies like Apple that try to keep them out. NSO players are notoriously difficult because they invest a lot of time, effort, money and resources just to find the next hole in an iPhone or Android device. These groups can always find a way around security measures, even if they are not being actively tracked by companies.

It is important to shift the conversation on security from the notion that there is a perfect device that can protect you from hacking and towards something that looks more like: OK, so what happens when a company discovers that their users are being hacked? It is interesting to note that WhatsApp, Facebook and Microsoft have become more vocal and visible in calling out mercenary groups and, in the case of WhatsApp and Facebook, even going after them in U.S. courtrooms. They are suing them.
This to me is a very good sign that the spyware industry has crossed many lines and that big tech regards them as a threat both to their business as well as to the privacy and reputations of their users.

What if you are a user? How do you respond to an attack that doesn't require you to click on anything? We are referring to stuff that phones can be attacked without their knowledge.

There is nothing you can do. You can't do anything. It's possible to be flawless and still be hacked. Pegasus, NSO, and the entire industry are moving towards a model that allows them to compromise phones without any victim behavior. It just means that the users are naked and twisting in digital wind. It touches everyone right now. This is in contrast to cybersecurity where only those who cannot pay for certain types of support are at risk. Here, there are 10 prime ministers and three presidents. A king can't be wrong. Everybody seems to be at risk right now.

If there is something I cannot do to fix it, could Apple or Google do it at their level of security?

Yes. Yes. Tech always faces the problem of a threat actor being in a country that isn't susceptible to the usual consequences. This means that you need to find a way to minimize the damage this group does to users and your security. NSO appears to have enjoyed a relatively free hand in this instance and seems to be able to continue their operations without any consequences.

The other half of the equation is that companies must do their research. They must be able to tell their users that they are going to protect them. This means companies must be able to regularly work with government to say, "We have a problem. We need your channels." Or help us find accountability. It is out of control right now.

What is the point of caring about Pegasus or the mercenary spyware market in general?

Certain types of harm are difficult to explain in simple terms.
It is difficult to demonstrate them. It's almost like climate change. It is what people want to see. One of the most powerful things about Forbidden Stories/Amnesty is their ability to see harm. They see victims. They see targets. It may be that they see people they don't know. Many people will not have the opportunity to meet any of these targets. The problem is that you don't know when it will be true. It is the ultimate goal of NSO and the mercenary spy industry to enter the U.S. market. This does not mean that I will only sell to the FBI. Selling to local cops is what I mean.

Is their technology compatible with U.S. smartphones?

They claim that their technology doesn't allow foreign customers to target U.S. telephone numbers. They also spent many years pitching their technology to U.S. law enforcement agencies. They must have a switch that they can flick. They will sell the ability to target U.S. numbers if they sell it to a U.S. law enforcement agency. Pegasus' DNA is not able to prevent this.

Ten years ago, the industry was still in its infancy. It was difficult to get people to take care of the victims, because victims weren't like them and didn't live in their country. Each cycle of this makes the victims more like them and is increasing their likelihood to be in their country. This surveillance shockwave will eventually reach our collective doorsteps. We need to stop this industry from growing.

Future Tense is a collaboration between Slate, New America and Arizona State University. It examines emerging technologies and public policy.