On December 3rd 2021, 88 human rights organisations and experts such as Amnesty International and Human Rights Watch, signed a joint letter urging the European Union to prohibit the trade and use of technologies provided by the NSO Group, the Israeli technology and cyber-arms company, especially its phone surveillance spyware Pegasus, until adequate human rights safeguards are in place. A month earlier, the Biden administration’s commerce department blacklisted the NSO Group, citing human rights concerns. In recent years, the NSO Group and its notorious cyber surveillance product Pegasus have come to the forefront of human rights debates for its eerie intrusion into every aspect of its targets’ life, and the role it plays in aiding the suppression and persecution of human rights activists.
Pegasus: “The Eyes”
Pegasus, a phone malware, presents one of the latest technological advancements in cyber surveillance. Once the operator chooses their targets, Pegasus installs itself on the phone through vulnerabilities of common apps like iMessage or malicious links sent through texts that claim to tell the victims important pieces of information, for example, pretending to be an anonymous news source for an investigative journalist. The latest technological advances have allowed the clients of NSO Group to penetrate phones without even sending any links, and the technology allows the infections of the most up-to-date iPhones, which are claimed by Apple to be the most secure consumer mobile phones on the commercial market. This shows the power of the latest cyber surveillance technology and highlights its potential breadth of influence if fallen into the wrong hands.
Not only can it easily penetrate a phone, the range of tasks it can perform is beyond many people’s imagination. Pegasus installs itself as an invisible software, which allows it to escape the eyes of their surveillance targets. Once installed, it extracts all data from the phone, including emails, messages, photos, videos, contacts, and calendar plans. It allows operators to read encrypted messages on apps like WhatsApp and Signal, which were commonly thought by activists and investigative journalists to be secure ways of communication. It can also activate the camera, recorder, and microphone; some human rights workers reported hearing playbacks during their calls. More fatal is that by gathering information from the Global Positioning System (GPS) and hardware sensors, the operators can obtain information like a person’s location history, real-time location and even car speed and direction. As a whole, Pegasus presents a severe intrusion into virtually every aspect of a person’s life in the modern society, as long as they are carrying their mobile phone around.
More Than 50000 Numbers: The Potential Targets for Surveillance
In July 2021, a consortium of 17 media organisations published their findings of the Pegasus Project, which aims to uncover the truth behind the state actors’ unlawful surveillance of citizens worldwide using the tool of Pegasus, following the leak of a list of more than 50,000 phone numbers from the NSO system. The numbers are gathered from Home Location Register (HLR) lookup data, a database containing information about the phone users’ rough location and other identifying information, which can be used in advance of a surveillance attempt to determine whether it is possible to connect to the target phone. The state clients of the NSO Group can obtain these numbers and the surrounding data from the NSO system interface. Although the list does not reveal whether the owners of the phone numbers were hacked, the consortium believes that the state clients can search for these numbers through the Pegasus system interface before targeting their phones.
The following investigation further discredited the NSO Group’s lawyers’ defence. Forensic examinations of a sample of 67 mobile phones on the list, carried out by the Amnesty Lab, discovered that 37 of them were either successfully hacked or showed traces of attempted Pegasus infiltration. This finding was corroborated by peer reviews by the Citizen Lab at the University of Toronto. Moreover, there is a close correlation between the time and date the number was logged onto the database, and the trace of Pegasus activity on the phone, sometimes within seconds. For example, an examination of the phone of Szabolcs Panyi, an independent journalist in Hungary, showed that traces of Pegasus surveillance appeared days after his comment requests to the Hungarian government on 11 occasions over a span of seven months in 2019. This is strong evidence that governments are utilising Pegasus’ phone number data to select targets for surveillance.
Client Screening: A Warm Welcome to Human Rights Abusers
According to the Guiding Principles on Business and Human Rights by the United Nations (UN) Human Rights Council in 2011, businesses have a legal duty to respect human rights and exercise due diligence to “identify, prevent, mitigate and account for” their human rights impacts. The NSO Group’s Transparency and Responsibility Report 2021 claims that they screen their clients’ human rights records strictly before allowing them to purchase their tools. However, the Pegasus Project has identified NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE). The human rights records of these governments are dubious, especially its protection of rights to hold opinions without interference, and to information protected by Article 19 of the International Covenant on Civil and Political Rights. This shows that the NSO Group did not carry out sufficient and serious efforts to prevent their products being sold to governments likely to carry out human rights abuses, and even if they did, their efforts have proven to be ineffective.
For example, Hungary is ranked 92nd in the World Press Freedom Index 2021 and its current Prime Minister Viktor Orbán has been put on the Enemies of Press Freedom list compiled by Reporters Without Borders this year. He has harassed independent journalists and pressured independent media by withdrawing state funds and enticing or threatening them with takeovers. Moreover, its regime of checks and balances for approving surveillance requests is one of the poorest in Europe: if the surveillance is requested for national security reasons, only the signature of the Minister of Justice is required, and the current Minister approved 1,285 surveillance requests in 2020, a significantly high number. Except for areas of war, Mexico is the most dangerous country for media workers. The Committee to Protect Journalists reports that more than 119 media workers have been killed in Mexico since 2000 and at least 86 since 2010. The targets are mostly reporters of organised crimes and corrupt officials, who collude with crime cartels to transport drugs and arms and traffic people. This is evidenced by the Mexican government’s statistics that more than a third of journalistic attacks were carried out by public officials. Local crime reporters are constantly under death threats and usually have to self-censor and obey vague rules about what should and should not be in the news. Despite this, more than 15,000 numbers on the leaked list were selected by various Mexican government organs. More than 10,000 numbers on the list were chosen by the UAE, another government with a poor human rights record. This shows that the NSO Group were suspiciously careless when choosing their clients, at the same time implementing a sham human rights policy purporting to exercise due diligence.
The White Terror on Human Rights Defenders
The NSO Group’s Transparency Report alleges that they have an advanced approached to human rights protection and contract with their clients on the condition that Pegasus should only be used for crime combating and national security protection. They claim that they severe ties with any clients who they find to be misusing their tools, without identifying one single client. However, despite mounting evidence that clients such as the Moroccan government are carrying out human rights abuses using Pegasus, the NSO Group choose to keep such governments as clients. In countries such as Mexico, national security can be used as a pretext to purchase such tools, and the collusion of government officials and crime gangs mean that the tools can easily fall into the wrong hands, according to Fernando García, the director of the digital rights organisation RD3. These clients then went on to target people who have no connections to crime fighting whatsoever. Instead, they were mostly pro-democracy activists, investigative journalists, and government opponents and critics. This shows that many of the NSO Group’s clients did not try to observe the contract. Nor did the NSO Group make sufficient attempt to ensure the contracts were observed.
Below are some chilling examples of such human rights abuses. Cecilio Pineda Birto, a Mexican freelance journalist, was assassinated in a car wash shop hours after he openly criticised state police and local politicians for cooperating with a local crime cartel called El Tequilero. His number was registered on the NSO system by Mexico’s Ministry of Defence weeks before the murder, the same time he received multiple anonymous death threats. Weeks before being selected as a potential Pegasus target, he sought help from the Mexican state about a threat in the town of San Miguel Totolapan. The state’s chief prosecutor Xavier Olea, who investigated his death, also appeared on the leaked list. Despite the incriminating evidence, his phone disappeared from the crime scene, making it impossible to determine whether his phone was truly infected with Pegasus or if there was an infection attempt. Although the truth will likely never be unveiled, this shows the potential of the NSO spyware being utilised for extrajudicial killings, especially when the government collaborated with local crime organisations to silence their opposition. Other examples are more certain, and equally reveal the governments’ concerted attempts to conceal bad governance. A group of international experts investigating the escape of Tomás Zerón, a previous Mexican official responsible for embezzlement and obstructing the investigation into the enforced disappearance of 43 trainee teachers, were confirmed to be targeted by Pegasus. Ten days after the 2017 shooting of the Mexican journalist Javier Valdez, his widow Griselda Triana was targeted by Pegasus. In 2018, weeks after Zoltán Varga, an independent Hungarian media owner, held a dinner with friends and discussed exposing the corruption of the Hungarian government, he was warned by a government acquaintance that such meetings could be “dangerous” for him. An inspection of his friends at the dinner’s phones suggested all of them were on the leaked list, one of the phones was hacked by Pegasus, and another subject to a hacking attempt. These are but a few examples of Pegasus being used to endanger the rights of human rights defenders in the world, and many of these instances have been life-threatening.
The Wild West of Cyber Surveillance
The International Covenant on Civil and Political Rights Article 17(1) protects the fundamental human right to private life from “arbitrary or unlawful interference” and Article 19 protects our equally fundamental right to opinion, information and expression. UN Documents such as Surveillance and Human Rights: Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression further illustrated what these rights mean for us in practice. Restrictions on the right to privacy must obey the principles of legality, meaning the law restricting our privacy should not be too vague to abide by; the principle of necessity and proportionality, meaning the expression targeted should pose as an immediate and direct threat to national security, and that restrictions on such rights are the least intrusive means possible; and the principle of legitimacy, which provides that a restriction is only justified when the security of the whole nation is threatened, excluding restrictions carried out to further government interests or promote a political faction. Moreover, there is no justification when the aim of surveillance is to undermine democracy and human rights. These safeguards should ensure that we live in a society where everyone’s voice can be heard and discussed, and everyone can protect themselves from unwanted government interference and hold the government to account.
Judged by such human rights standards, state activities of surveillance utilising spywares like Pegasus fail to satisfy even the lowest possible thresholds. Regarding the right to privacy, cyber surveillance products like spyware intrudes into the most intimate details of private life by their intrinsic design. The right to privacy entitles us to be notified of the usage of our information whenever possible, and the information obtained should be kept to a minimum and be strictly necessary. Instead, most Pegasus targets are unaware of the intrusion into their phone information and the recordings, and its infection allows NSO clients to collect unlimited information about the person’s data, even though they are irrelevant to the clients’ purpose. It also contributes to the harassment of the surveillance targets’ family and friends, which constitute part of our private life as well. Put in the context of the safeguards we are afforded (or supposed to be afforded) by law, such violations can barely be said to be legitimate or proportionate and are a serious affront to our individuality and dignity.
It is further pointed out by Amnesty International that a violation of the right to privacy is often coupled with graver human rights abuses. Targets of Pegasus surveillance can have their location discovered and themselves arrested, tortured or killed. Sometimes their intimate details such as their religious beliefs and sexual orientation were procured and they were then subject to discriminatory attacks, presenting a violation of their right to equality and non-discrimination. These snowball effects greater emphasise the significance of privacy protections and the catastrophic consequences of unregulated cyber surveillance.
Moreover, as Amnesty International points out, the rights to privacy and expression are intrinsically linked, and the violation of one can lead to the breach of the other. One of the groups that go through the most unspeakable ordeals are journalists and media workers tasked with holding the government to account and defending human rights. Surveillance and attacks on journalists can deter their confidential sources from continuing to provide valuable information, force them to self-censor and expose them and their family members to danger, presenting threats to their multiple human rights including their right to life. Considering the grave consequences, we would expect journalists to be afforded additional protection as they are a fundamental tenet of a democratic society. However, journalists continue to be subject to surveillance and persecution for merely exercising their human rights and protecting the rights of others.
One of the reasons why these grave human rights abuses is happening is the unregulated market of commercial spyware that is subsequently exploited by corrupt and unaccountable governments. Article 2 of the International Covenant on Civil and Political Rights imposes a duty on the states not only to refrain from interfering with their citizens’ privacy and expression, but also take positive action to protect such rights of their citizens from third parties such as corporate entities like the NSO Group. In the whole Pegasus scandal, governments not only failed in their obligation to protect their citizens from such unwanted and illegitimate surveillance but were also perpetrators in multiple instances. While changes and regulation are possible, the picture presented is grim and there is a long way to go before human rights are ensured – where targets such as journalists and activists can be sure that their phones are not recording nor tracking them when simply having dinner with friends.
