Pegasus: The Spyware You Need To Know About
Have you heard of Pegasus? You need to. It is only the beginning of sophisticated spyware increasingly invading the daily lives of ordinary citizens.
Without them even knowing.
Democracies, including the United States, have used Pegasus against their own citizens. Bad actors like terrorist organizations and drug cartels have used it to target journalists, activists, politicians, and corporate executives.
In this article we’ll go into what Pegasus does, the NSO Group – an Israeli company – that developed it, and what the international community should do to place checks on how governments and bad actors use spyware.
Pegasus: practically undetectable spyware
Pegasus is spyware that monitors and surveills a target’s phone in real-time. It can “extract the contents of a phone, giving access to its texts and photographs, or activate its camera and microphone to provide real-time surveillance.”
All without the target knowing it’s happening.
There are no indicators unless a user runs software, such as Amnesty International’s Mobile Verification Toolkit, to identify whether a phone has been infected.
Not even encrypted applications like WhatsApp are immune because Pegasus literally attacks a target’s phone in its entirety. Both iPhone and Android devices are at risk.
The scariest part about this spyware is its “zero-click” capabilities. Pegasus does not require any clicks from the target in order to infect their device. Most malware and viruses require some interaction from the target, whether clicking a link or downloading a file, but not Pegasus.
The spyware has attacked phones dating back to 2014.
Meet the developers: NSO Group
Who is behind the creation of Pegasus? NSO Group. It’s an Israeli-based company that claims to “create technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”
That may be true in part.
However, as reported by numerous outlets, including the NYT, The New Yorker, and Amnesty International, Pegasus has been used to harass and endanger journalists and many other human rights defenders. For years. The New Yorker described it best:
An analysis by Forensic Architecture, a research group at the University of London, has linked Pegasus to three hundred acts of physical violence. It has been used to target members of Rwanda’s opposition party and journalists exposing corruption in El Salvador. In Mexico, it appeared on the phones of several people close to the reporter Javier Valdez Cárdenas, who was murdered after investigating drug cartels. Around the time that Prince Mohammed bin Salman of Saudi Arabia approved the murder of the journalist Jamal Khashoggi, a longtime critic, Pegasus was allegedly used to monitor phones belonging to Khashoggi’s associates, possibly facilitating the killing, in 2018.
They also described how Pegasus was used to monitor U.S. citizens and members of the Catalan independence movement in Spain. Although the U.S. government blacklisted (i.e., sanctioned) the company – preventing it from doing business in the U.S. or with U.S. firms – the NYT reported that a U.S. firm, L3Harris, was in talks to acquire NSO Group.
Why wouldn’t the U.S. want to buy spyware with these capabilities?
For now it seems the talks have stalled, but NSO Group’s marketing and licensing of Pegasus to customers globally have not. Despite the international heat and pressure on its home country, Israel, NSO Group still operates today, with little to no checks on its behavior. As a result, the use and abuse of spyware like Pegasus is widespread.
What the international community should do about spyware
Pegasus is only the beginning. As spyware grows in sophistication, making it harder and harder for laymen users to detect, citizens risk losing more privacy and civil liberties. And potentially their lives.
While some of these risks are true for technology generally, from social media to location tracking on devices, spyware poses heightened risk because of its invasiveness and purpose.
Governments cannot act in isolation to address the risk. It’s helpful that the United States blacklisted NSO Group (while simultaneously trying to buy it…), but given spyware seamlessly operates across borders, one country’s actions are not enough. All United Nations countries must at a minimum expressly recognize the threat posed by spyware technologies.
One way to do this would be to more directly address spyware and related technologies in the UN’s Guiding Principles on Business and Human Rights. Yes, “principles” alone are probably not enough (and likely unenforceable), but it would be a good first step towards expressly recognizing the issue.
For real action that protects the civil liberties of ordinary citizens against spyware like Pegasus, we need a new Geneva Convention, but for humanitarian treatment with technology. Until there are enforceable rules in place restricting governments and bad actors from inappropriately using spyware, there will continue to be widespread (unrestricted) use and abuse.
Perhaps this is a pipe dream, especially given the recent destruction of the right to privacy in America, but it’s necessary to address the severity of the risks posed by spyware.
Do you have other ideas?
NSO Group, for its part, has no incentive to develop robust monitoring capabilities of its own to track how customers use its spyware. It’s easier for them to claim ignorance. Or explain how they don’t have the capability to see what customers do with Pegasus (or even who gets their hands on the spyware).
With stricter (and enforceable) international laws on the uses of spyware, the NSO Groups of the world will have to develop “know your customer” processes and monitoring capabilities.
Just like any regulated banking entity.
Pegasus may have been developed with noble aims in mind. But as many other technology companies have realized, noble aims do not excuse unintended consequences. Especially consequences that endanger ordinary citizens like journalists who are simply doing their job.
Governments need to be held accountable. Bad actors must be kept at bay. The international community needs to recognize and act on the threat posed by spyware before it is too late.
0 Comments