Longer online version; updated 08/08/21

Pegasus: repressive regimes spy on phones of over 180 journalists

OF PARTICULAR concern to journalists are the recent revelations of the "Pegasus Project" - that repressive regimes around the world have used state-of-the-art spyware to spy on numerous human rights activists, journalists and opposition figures. At least 180 journalists worldwide have become the targets of surveillance in this way, by the NUJ's estimate.

**

A journalist's iPhone

Some 80 journalists from 17 media partners including the Guardian, De Zeit, Washington Post, Amnesty International, Forbidden Stories and others have worked to publish the Pegasus Project investigation.

The Guardian led with Pegasus Project revelations every day of the week commencing 26 July, presenting an intimidating amount of information. As journalists, it's well worth us taking the time to look into this. A good starting point that doesn't involve too much reading would be the Guardian's series of 20-minute podcasts and a five-minute video.

Israeli company NSO Group, which developed the Pegasus spyware, provides it to the regimes of 40 countries. Of these, 10 countries are known for certain from evidence found by the University of Toronto's Citizen Lab to have used Pegasus to spy on journalists. These are Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates.

Not used as specified

NSO Group says its spyware was supplied to governments for use only "to fight crime and terrorism," as tools of law enforcement. The Pegasus Project has, though, detected widespread abuse of the software. It is being widely used to target private citizens who have nothing to do with crime or terrorism, including many journalists.

For example, a deal made by NSO Group with the government of the United Arab Emirates gave that government permission to put mobile phones under surveillance in other countries without a warrant, on the pretext of tracking down drug dealers who may use foreign SIM cards to evade surveillance. According to the Guardian, the spyware was instead used to spy on exiled human rights activists in the UK.

Mohammed Kozbar, Chairman of Finsbury Park Mosque in north London, found that his name was among the 400 names of people whose mobile phone was data acquired in 2018 by NSO Group that appeared in a leaked list. Kozbar told Islington Tribune: "I cannot understand why, since I have never been in the UAE, nor have I had any involvement with the country."

Pegasus is very hard to detect on a mobile phone. It can track every call you made or received and every message you sent or received - including messages sent through encrypted platforms such as WhatsApp and Signal - and every photo you took. It can reveal your location via GPS. It can switch on your microphone or camera, even if you're not using your phone. IPhones – increasingly standard in journalists' kit - are thought to be more vulnerable, although this may be because Android phones don't keep the sort of data logs that reveal the presence of Pegasus.

Paris-based journalism non-profit Forbidden Stories obtained a list of 50,000 targets of Pegasus, leaked from an NGO Group client. Not all phones belonging to these targets were successfully infected. But the Pegasus Project investigative team's forensic investigations of the phones of some journalists whose name was on the list did confirm that "dozens" had been infected with Pegasus, or that an attempt had been made to do so. This had usually been done through a WhatsApp message. The most recent Pegasus attack on an iPhone that the team found was in July 2021.

There's a full list of all known targets of Pegasus here, noting which targets are journalists.

Ramifications

The Pegasus project has political ramifications potentially as big as those of the WikiLeaks cables or Edward Snowden's 2013 revelations on global surveillance programmes by the US National Security Agency (NSA) with the cooperation of telecoms companies.

There have already been calls for ministers to resign in Hungary over allegations their government selected journalists and media owners as targets for surveillance by NSO spyware. Democratic Party members of the US Congress are urging President Biden to consider putting NSO on a export blacklist. France's President Emmanuel Macron has reportedly had words with Israel's prime minister, urging an investigation into allegations that Macron could have been targeted by Morocco's intelligence services using NSO software. The Pegasus revelations have already caused the Israeli defence ministry to carry out an inspection of NSO's offices in that country over alleged abuses.

The NUJ - and the International Federation of Journalists (IFJ) of which it is a part - condemned the surveillance of journalists as revealed by the Pegasus Project. The NUJ also reminded journalists of the need to "redouble efforts to safeguard their own data" through "using multiple phones, including 'burner phones' that are less susceptible to Pegasus hacking, as well as adopting 'tradecraft' to ensure that their phones do not have the potential to betray their every move."


So what about my phone?

8 August 2021

So how can you check whether your phone is affected? Amnesty International's Security Lab has released a toolkit that identifies traces of compromise. (Look for the heading "With our methodology, we release...")

It works on both Apple and Android smartphones - but may be less reliable on Android phones, which do not keep the extensive data logs that permit detection on Apple devices. It reportedly requires some skill to install and use.

Various groups have developed easier-to-use detection apps. One from iMazing works only on Apple devices. The Freelance has not had an opportunity to install or to evaluate any of these.

None, that we have found, claim to remove an infection. If a device does show up as infected, probably the best thing to do is to offer it to Amnesty's researchers via the link above; if they don't want it, possibly the relevant tool is a hammer.