Seventeen international news organizations dropped the results of a sprawling and detailed investigation over the weekend. The Pegasus Project found that Israeli surveillance tech firm NSO Group sold its software to clients who used it to spy on human rights activists, journalists and politicians.
One surveillance tool, called Pegasus, could infect people’s smartphones, sometimes just by sending a text. It could collect emails, calls, social media posts, passwords, even activate the camera or microphone.
NSO disputes much of the reporting and says it’s not responsible for clients who abuse the tool. But NSO also told The Washington Post it will investigate the allegations.
“Marketplace Tech” host Molly Wood joined me to provide more context. The following is an edited transcript of our conversation.
Molly Wood: What we have found out, through leaked documents, is that this surveillance was much broader than anyone expected and that it’s been used to target people far beyond what we would consider traditional law enforcement targets, such as people who were connected with the late Washington Post columnist Jamal Khashoggi. And to be honest, I don’t think any security professionals are surprised that there’s been a misuse of this particular tool. That’s actually something that a lot of security professionals have argued about and against. They’ve said, “If you create a tool like this, it is going to be abused, whether you have terms of service or not.”
Kimberly Adams: One of the things that’s been interesting about this reporting is that a lot of Apple phones were targeted in various places around the world. Apple has long marketed its products as being more private and more secure than, say, Android-based phones. What does this all mean for that narrative?
Wood: Yeah, this goes to show you that anything can be hacked. What I find interesting about this, is that Apple itself, when the federal government was pressuring Apple to create backdoors into its own encryption in the wake of the  San Bernardino [California] shootings, Apple’s argument was, if we create a tool like this, there’s no way that it will be confined to just use by our government for perfectly legal reasons. They basically made the argument that is being proven today with this leaked database of targets who were victims of this kind of spying. It’s gonna happen.
Adams: And that did happen to journalists and activists and political figures all over the world. But what about people who maybe don’t think they’re particularly high-profile? What does this mean for them?
Wood: Yeah, this has been an ongoing conversation. There are plenty of people in the world who say, “It’s fine with me if these tools exist because I haven’t done anything wrong, so what do I have to worry about?” And it is true that most of the people who are purchasing this software, in theory, are trying to use it for law-enforcement reasons. It’s clear from these leaks that there’s been some mission creep, to say the least. What it means, though, is that a threat to anyone is a threat to all. For example, malicious hackers could get ahold of this software, try to reverse engineer it, and use it to steal people’s identities at a broad scale. While the company has tried to claim that the use of this software is targeted to specific individuals, people of interest by law enforcement, the fact is, it can be used on anyone. We should really be asking ourselves if tools this powerful should just be allowed to be built and sold to anybody who wants to buy it.
Adams: Right, and a person of interest could be a human rights activist in China or a journalist in Turkey who maybe hasn’t committed any technical crime.
Wood: Right. Or for example, we just heard a story about Facebook firing a whole bunch of engineers who were essentially looking up girls they were interested in using the company’s internal tools. So, there is a multitude of reasons that these kinds of tools could be used to spy on someone, anyone, whether that is an activist or a woman who has spurned someone’s interest.
Adams: Can the U.S. government or other governments do anything about this? What responses are even available?
Wood: Currently, not very many. As far as U.S. citizens go, we do have federal laws that restrict the surveillance of citizens based on phone number, and that is apparently one reason that NSO has not necessarily sold a lot of the software here — although there are reports that this company has approached U.S. law enforcement. As long as a private company is out there creating and selling this technology, there’s not that much that a specific country can do to stop it. Certainly they can say, that company is not allowed to do business here, but there are calls today for some sort of international moratorium on developing commercial software like this and selling it globally.
Adams: Is just the fact that anybody could hack into your phone kind of the cost of using these products, at this point?
Wood: It is probably long past time for consumers to understand that everything can be hacked. We don’t take security hygiene very seriously. As we see across platforms, we’re careless with our bank passwords. We don’t lock our PCs. We do everything and put everything on our phone, sometimes without even so much as a numerical pin to protect it, let alone encryption on the device or other kinds of security that could protect us. You should protect yourself just like you would lock your door when you leave the house.
Related links: More insight from Kimberly Adams
The Washington Post and The Guardian have extensive reporting from this project, with several stories detailing how software got onto phones and what we know so far about which countries used it and against whom. The Post has a particularly interesting piece on how hard NSO has worked and how much money it has spent trying to get contracts in the U.S. (Millions.)
The Guardian also has an interview with whistleblower Edward Snowden, who argues for a global moratorium on international trade in spyware.
Amnesty International, which was part of the project, has a technical document on how to spot when a phone has been infected by Pegasus spyware.
All this certainly has privacy implications, but the stakes are much higher for many journalists and activists living and working under authoritarian or autocratic regimes, where the government finding out what’s on your phone could be the difference between life and death.
The future of this podcast starts with you.
Every day, Molly Wood and the “Tech” team demystify the digital economy with stories that explore more than just “Big Tech.” We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.
As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.