A recent investigation by the Guardian into the secretive Israeli surveillance company, the NSO Group, has found their software being used by authoritarian governments to maliciously target individuals. Those affected include journalists, rival politicians, and pro-democracy activists.
Investigators have found that the spyware codenamed Pegasus contained 50,000 mobile numbers within its companies’ database. These numbers belonged to targets whose phones were hacked without them even knowing and used to collect information.
The spyware allows individuals to extract emails and texts, listen in on phone calls and secretly activate microphones and cameras. The potential harm that could be done with such information is vast and can open individuals up to blackmail, extortion, and fraud.
More than 180 journalists were found in the database from organisations like the Financial Times, CNN, the Economist and Reuters.
However, it should be stressed that just because a number was found on the database it does not mean it was infected with the spyware. The database is a collection of potential targets. Individuals’ phones will need to be studied to confirm whether the spyware was active.
The NSO group states that the spyware was only meant to have been used on criminals and terrorists. It also states that the software is only made available to military, law enforcement and intelligence agencies from countries with ‘good’ human rights records. The client list, however, fails to bear this out.
Emmanuel Macron was one of the most prominent names to appear on the list of potential targets of Pegasus spyware. Other numbers also include members of his cabinet. A phone call between Macron and Naftali Bennet, the current Israeli Prime Minister, occurred with Macron urging for an investigation into the incident.
In India, dozens of numbers were also found on the database including senior army officials, leaders of opposition parties and journalists. The fact that so many of the numbers found on the database were of those critical of the administration of Narendra Modi raises questions on his involvement. The opposition party is calling for the resignation of the home secretary and a further investigation into the government’s involvement.
Israel is reviewing export licences for security companies and says that it will restrict the kinds of organisations that this type of software can be sold to. However, the current NSO Group scandal follows an alarming trend of Israeli cyber companies working in the service of authoritarian regimes.
For example, cybersecurity company Senpai assisted Malaysia’s corrupt Prime Minister to track opposition activists. Software produced by Tel-Aviv based Candiru was also to track more than 100 human rights activists, regime opponents, journalists, and scholars, according to a joint study by Microsoft and the University of Toronto’s Citizen Lab.
Often, these companies are protected by the Israeli Ministry of Defence in the courts when they face lawsuits. The governing bodies have also refused to release the methodology that goes into choosing which companies will be granted an export licence.
Part of the reason why such protection is maintained and guaranteed is that these companies produce hundreds of millions of dollars in revenue for the Israeli state as well as thousands of jobs. A much darker reason, however, is that these deeply harmful surveillance practices are tightly interwoven with cyber operations for Israeli forces.
Divisions within the Israeli forces such as Unit 8200 are used to spy on Palestinian civilians. Information such as sexual preferences, economic problems and family illnesses are collected and then used against them to turn them into collaborators. Information is also gathered to be used against Palestinians in courts as evidence where the information is oftentimes not even revealed to defendants.
At the end of the day, whether action is taken against the NSO Group or to prevent the next spyware scandal will depend on the responses of the politicians in charge of industries such as this. In an increasingly digital world, our privacy has more threats than ever by organisations international in scope. Actions we can take on the individual level are small. Instead, industry-wide changes are required and necessary to safeguard our online lives.