The use of spyware and surveillance tools has been described as ‘the most serious crisis in civil society’. As part of the ARTICLE 19’s Boundaries of Expression series, Jo Glanville explains why these technologies not only threaten the journalists, activists, politicians, and lawyers who are targeted, it has an impact on everyone’s right to free expression.
In 2016, Ahmed Mansoor, a highly respected human rights defender, received suspicious text messages on his phone. The texts offered information about detainees tortured in prison in the United Arab Emirates, where Mansoor is based, and contained a hyperlink to a website. Mansoor was suspicious. He had already been targeted on a number of occasions by surveillance software and forwarded the texts to Citizen Lab, a leading research centre in Toronto that specialises in investigating digital espionage against civil society. Mansoor had been targeted by Pegasus, spyware developed by NSO Group in Israel. Citizen Lab had been investigating NSO Group for a while. But this was the first time its researchers, Bill Marczak and John Scott-Railton, in collaboration with Lookout Security, were able to identify how Pegasus operated. It was a new level of sophistication in surveillance never seen before, described as a ‘remote jailbreak’, that enables the spyware to bypass iPhone security measures and take control of the phone. If Mansoor had clicked on the link, the spyware would have been able to use his iPhone’s camera and microphone to follow his activities, record his calls and track his movements.
Pegasus’s reach and impact is now infamous, and Citizen Lab has remained at the forefront in investigating its use and abuse. Last year, the Pegasus Project, a consortium of media partners in partnership with Forbidden Stories and Amnesty International, exposed the scale of Pegasus’s operations in a leak of more than 50,000 phone numbers that had been targeted for surveillance by clients of NSO Group. Citizen Lab’s latest revelations in April led to the sacking of Spain’s intelligence chief: more than 60 Catalan politicians, lawyers and activists had been targeted by Pegasus. It later emerged that the prime minister, interior minister and defence minister of Spain had also been victims. Ronald Deibert, director of Citizen Lab, describes the impact of Pegasus, and other spyware as, ‘the most serious crisis in civil society’.
‘We’re seeing a real chilling effect,’ he says. ‘People are fearful they don’t know whether they can trust their device that’s in their hand. There’s somebody watching, listening in on them. This is like putting sand in the machinery of civil society, slowing everything down, confusing people, spreading fear and paranoia. We’re seeing every sector of civil society, lawyers, journalists, human rights defenders, environmental activists being targeted by their adversaries using these techniques.’
One of Citizen Lab’s own researchers, Elies Campo, was targeted. When it proved impossible to infect his phone, his parents were targeted instead – both eminent doctors in Spain, with highly confidential and sensitive information on their phones.
Protection against surveillance has an impact on us all
The impact of Pegasus, and other spyware, affects all of us – even if we are not doing work that depends on the protection of confidentiality where lives may be at risk. The philosopher Quentin Skinner observed nearly ten years ago that the very existence of surveillance deprives us of our liberty, because we are all ‘at the mercy of arbitrary power’ and may censor our communications in fear of being hacked.
The leak last year revealed Mexico as the most significant target, with 15,000 numbers selected for surveillance. The numbers belonged to human rights defenders, relatives of the 43 students from Ayotzinapa Rural School who were disappeared and shockingly murdered in 2014, researchers from the Inter-American Commission on Human Rights working on the Ayotzinapa investigation and more than 25 journalists. Five years ago, there had been a national scandal when Citizen Lab published an investigation, in collaboration with ARTICLE 19, R3D and SocialTIC, revealing that lawyers, activists, journalists and politicians had been targeted by Pegasus. So far there has been just one arrest, despite a long-running investigation. ARTICLE 19 has criticised the lack of significant advances in the case. The human rights group is calling for a renewed independent investigation, for the contracts and information relating to surveillance to be made transparent and for a reform agenda to establish democratic controls.
Vladimir Cortés, digital rights programme officer at ARTICLE 19 in Mexico, points out that surveillance has an insidious personal cost, as well as being a threat to the individual’s communications, including their confidential sources and contacts. ‘Being spied on or knowing you have been spied on is shocking,’ he says, ‘because they are accessing your whole life, your intimate space, your private space regarding your family in terms of all the things you are as a human being.’
Following the data leak last year, Mexico’s Public Security Ministry revealed that the governments of Enrique Peña Nieto and Felipe Calderón had signed 31 contracts for Pegasus totalling $61m. Vladimir Cortés believes that the admissions do not go far enough. ‘They revealed part of the information,’ he says. ‘There is still information regarding the army and intelligence which we don’t have. It was significant and important, but in the end why are they not providing the rest and in particular in regards to the army, which for a long time has been pointed to as deploying and using [Pegasus]?’
A ‘pioneering approach’ to undermining rights?
NSO Group claims that Pegasus is used exclusively by government intelligence and law enforcement agencies to fight crime and terror. On its website, it states that it takes ‘a pioneering approach to applying rigorous, ethical standards to everything we do’. It also claims to have a strict licensing process and an in-depth, internal review under its human rights policy.
‘Clearly they’re not doing what they say they’re doing,’ says Ronald Deibert. ‘And then this argument that they only sell to governments to investigate matters of crime and terrorism is faulty logic, because for the government of the United Arab Emirates Ahmed Mansoor is a terrorist. Anyone who’s expressing their political will in Catalonia is a seditionist. So the problem is that these terms sound on the face of it to be reasonable limitations, but in practice they’re usually employed in such a broad manner to include journalists, human rights defenders, activists and the political opposition.’
In 2019, David Kaye, then UN special rapporteur on freedom of expression, called for tighter regulation of surveillance exports and restrictions on their use and an immediate moratorium on the global sale and transfer of the tools of the private surveillance industry until rigorous human rights safeguards are put in place. He noted that a comprehensive system for control and use of targeted surveillance technologies ‘hardly exists’ and advised that states limit the uses of surveillance technologies to lawful ones only, requiring the private sector to comply with human rights norms.
Following the data leak last year, there has been some progress. Ronald Deibert believes that governments are now recognising that it’s not just a human rights problem, it’s a national security issue too – the mobile numbers of President Macron and most of his cabinet were included in the leak. So the crisis is now being given a level of attention it hadn’t received before and which is long overdue. In December, Australia, Denmark, Norway, and the United States committed to setting up a code of conduct to use export control tools to prevent the proliferation of software and other technologies used to enable serious human rights abuses. In the US, the Commerce Department has blacklisted NSO Group, and other spyware firms, preventing them from purchasing technology from American companies without a licence. The FT has described this as a ‘crippling blow’, since the company’s operations depend on US technology. In April, the European Parliament began an investigation into Pegasus. Meta and Apple are both suing NSO Group, alleging that its spyware hacked their users.
The threats from spyware have become even more deeply chilling. It is now possible to take control of devices without any interaction from the victim who has been targeted. ‘There’s no visible indication of tampering so a government client using this can simply point their spyware at any phone in the world hypothetically and take it over without the user even knowing,’ says Ronald Deibert. ‘So that’s like a nuclear version of spyware.’
As Citizen Lab has pointed out, spyware like Pegasus is often developed in democracies, which are not only exporting it to countries with a history of human rights abuse but using it themselves, an unprecedented intrusion that uniquely exposes almost every detail of our lives, shattering the possibility of confidentiality. We are all potential victims of a tool that was once a mark of totalitarianism. It is one of the greatest challenges to our essential rights to privacy and freedom of expression.
More Boundaries of Expression:
Plus: Listen to ARTICLE 19’s Boundaries of Expression podcasts, presented and written by Jo Glanville
Jo Glanville is a journalist and editor. Her writing has appeared in the Guardian, London Review of Books and the Observer, among other publications. She is editor of Looking For An Enemy: eight essays on antisemitism (Short Books, UK; WW Norton, US, August 2022).