On Sunday, a group of seventeen media organizations launched the Pegasus Project, a series of articles investigating the Israeli surveillance company NSO Group. The consortium of journalists working with Amnesty International and the French non-profit Forbidden Stories found that dissidents, human rights activists and opposition politicians around the world were being tracked by an NSO Group’s spyware tool called Pegasus. Thousands of victims included Times reporters, political opponents of Indian Prime Minister Narendra Modi and the two women closest to the murdered Saudi dissident Jamal Khashoggi.
One of the newspapers involved in the Pegasus project is the Guardian. The main reporter for the series is Stephanie Kirchgaessnerwho wrote extensively about surveillance as a US investigative correspondent for the newspaper. We spoke by phone on Monday morning after the first wave of stories was released. (They will continue to be released later this week.) During our conversation, which was cut for length and clarity, we discussed how the story came about, why the spyware industry remains so unregulated, and what role the Israeli government played in it to allow this to happen.
The guard story which you published clearly states that authoritarian governments were behind this surveillance. Some of the other reports from other news organizations say the spyware was sold to authoritarian governments, but don’t say they know who used it. How sure are you that this is specifically the work of governments?
We know the NSO Group only sells to governments, and prior to this project there was a series of research that identified the countries that we believe are customers. Some countries deny they are customers, but we have overwhelming evidence from groups like Citizen Lab. For example, we have known since 2016 that the UAE is a customer of the NSO Group. Saudi Arabia too. And then there are other countries in our coverage this week. Rwanda stubbornly denies it’s a customer of the NSO Group, but we see Rwandans around the world being targeted with this technology. Therefore we feel comfortable naming these countries as customers.
The NSO Group’s statement that it only sells to governments brings the group to a logical conclusion as it implies that the governments are the ones doing the espionage. But are we sure the NSO Group is honest and really only sells to governments?
I would say there is an anomaly, Mexico, where we believe different actors have had access to the technology. [In a statement to The New Yorker, NSO Group said it exclusively licenses its technology to “vetted governments.”] And there are countries where there are different customers within the country. It’s like the FBI is one customer and the CIA is another. I’m not saying they are special – we have no evidence of that. This is just one example of how you can have different customers in the same country with different focuses or areas of focus.
So in an authoritarian government, it wouldn’t necessarily just be the dictator or leader of the country. There could be multiple agencies within the government.
Yes sir. By the end of this week, you will experience a situation where there is an authoritarian leader who we believe used to target his own family for very personal reasons. It’s very personal.
How did this consortium and these stories come together?
My colleague in New York, Martin Hodgson, received a call from Forbidden Stories, an organization that picks up stories of killed or threatened journalists and brings together huge journalistic consortia to pursue them. I’ve had with them before The story of Daphne Caruana Galizia, on Malta. It was all very mysterious. We had to be very careful with our communication because of the surveillance issue. We were given the basic information about the project and asked to come to Paris where all these media partners would come together and find out all the details. So we went to Paris with a good idea, but at the time we had no access to the data. And then we met all of our colleagues, including the Washington Post.
When you refer to “the data,” are you referring to the list of about fifty thousand phone numbers?
Yes. So in Paris we had access to a list of phone numbers. We believe these phone numbers are indicative of the people who have been potential targets for surveillance by NSO customers.
Do you have a sense of how Forbidden Stories got these records? And what made you sure it was a list of numbers NSO clients may have been spying on?
Unfortunately, I cannot answer the first question. And the second question: once we had access to this list, we were able to identify a significant number of these phone numbers. They had journalists from all over the world and people with many contacts. You would just match them, and many numbers have been found that way, in countries such as India and Mexico. We had a technical partner for this project, Amnesty International’s tech lab, and after identifying many of these numbers, we cautiously approached the people on the list and asked if they could do forensic investigations would have their phones carried out. And that led to results where we see a very high correlation between being on this list and hacks or attempts at hacking with Pegasus malware on the phones we tested.
Just to be clear, when you said you couldn’t answer the first part of the question, is that because you didn’t know or because it was privileged information?
I just can’t answer it – and that’s all I have to say. I’m so sorry.
It’s OK Can you talk a little about the spyware industry and whether there are any regulations about it?
The NSO Group has been my focus when it comes to surveillance companies. There are others. Israel is really one of the leading manufacturers of this type of spyware. And in Israel you see a lot of intelligence agents dealing with spyware that then go into the private sector. David Kaye, who was very careful about this in his previous role at the United Nations, would call it an “unregulated industry,” which means that there are no real rules in the world about how this technology can be sold or used. There are countries that attack citizens in other countries with spyware and hack their phones. This can violate national laws, but is used anyway.
In other ways, NSO is specifically a regulated company, and by that I mean it is going through a licensing process with the Israeli government, and specifically the Ministry of Defense, which must approve the export of this weapon, Pegasus, to other countries. Israel says it is reviewing the customers NSO sells to. And that’s what NSO says. They also get a marketing license to market their product and sell it to other countries.