Invasive Israeli Spyware Endangers Human Rights Advocates Globally

An investigation led by Forbidden Stories in July of 2021 found that an Israeli tech company, the NSO Group, was behind the creation of an invasive spyware program called Pegasus. Pegasus works by bypassing security measures within a phone’s operating system or mobile applications, tracking otherwise sensitive and personal information. Further, according to the Washington Post, this malicious spyware hacked into the mobile devices of public officials, journalists, and activists around the world – all without their knowledge. This surveillance technology has severe implications for human rights, free speech, and data privacy. 

The NSO Group (a name based on the company’s founders, Niv, Shalev, and Omri) states that it is a “cyber intelligence” company, supporting governments in preventing “terrorism and crime” internationally. Upon the release of recent investigations, the NSO Group maintained its innocence, arguing that it “lacked the capabilities” to target individuals. However, these investigations are not the first time the NSO Group has faced scrutiny for cybersecurity-related issues. A closer look into NSO’s ongoing and past allegations highlights worries about its role in assisting public actors, particularly repressive regimes, in undermining human rights.

Amnesty International’s Security Lab “performed deep forensic analysis” of human rights defenders’ phones from different countries in its latest findings. Amnesty found common traces of NSO’s Pegasus spyware when comparing the data stored within devices, such as in iPhones. These indicators came in the form of suspicious URL links that allow Pegasus to monitor the phone when clicked by the user. Others were more hidden. 

Forbes and Amnesty state that Pegasus “leveraged a vulnerability in the iOS (iPhone Operating System),” and disguised itself as a system update when invading a user’s phone. Through these methods, the user is entirely unaware of the presence of the spyware. Similarly, in another investigation in 2019, Reuters reported that a Facebook-owned company, WhatsApp, accused the NSO Group of “helping government spies… break into the phones of roughly 1,400 users.” Thus, research from separate sources depicts a disturbing trend where NSO has been the epicentre of several cybersecurity concerns. 

Ultimately, the invasion of Pegasus into a personal phone is extremely dangerous for activists. According to The Guardian, once the spyware infiltrates the device, hackers can access all “messages [that were] ever received or sent,” record screens, “turn on [one’s] camera, microphone,” and pinpoint specific locations using the phone’s GPS – all undetected by the user. These cyber-attacks are speculated to be backed by repressive governments aiming to limit free speech and political opposition. For instance, data collected from “over 50,000 phone numbers” by Forbidden Stories show that activists from Azerbaijan, India, Saudi Arabia, and Mexico may have been targets of Pegasus. Therefore, though NSO purports that its technologies only monitor heinous crimes, its surveillance patterns contradict its stated goal.

These events then lead to the question: what are potential ways to preserve human rights backers’ digital safety and integrity globally?

In the past five years, some United Nations member states have pushed to create a global treaty regarding cybercrime. However, a new international treaty presents many problems. For instance, according to Human Rights Watch, many repressive governments have frequently used the term ‘cybercrime’ to silence dissidents. The process involves “criminalizing online expression, association, and assembly.”

One example includes Maria Ressa, a Philippine journalist who has been outspoken about President Rodrigo Duterte’s policies. In 2020, she was found guilty of ‘cyber libel,’ a newly imposed crime that many say limits written opposition against the government online. As seen in Ressa’s case, using a digital platform to write about human rights abuses in the country was easily criminalized. Furthermore, having one treaty addressing cybersecurity may inflict more harm. Due to varied interpretations of what “cybercrime” can entail, nation-states can exploit the treaty to justify silencing any form of dissent online. 

Though traditional human rights frameworks may complicate cyber-criminality, collaboration in the private sector may offer a potential solution. After all, NSO’s monitoring technologies depend on weaknesses of phone systems and vulnerabilities of applications. Thus, strengthening these systems while holding hackers accountable will be vital for technology companies to eliminate liabilities and potential lawsuits from their stakeholders. Further, in 2019, WhatsApp filed a lawsuit against the NSO Group for compromising 1,400 users’ data. In 2020, other big tech companies such as “Google, Cisco, VMWare…[and] Microsoft” supported WhatsApp’s claims. As of 2021, the NSO Group continues to be tried before three Ninth Circuit judges, appealing for immunity. However, doing so proves to be a difficult task for the company because of continued legal pressure.

In all, cybersecurity and cybercrime still hold vague legal definitions on an international scale. This ambiguity, in turn, makes populations more susceptible to harmful digital practices and laws that can compromise their physical safety and psychological well-being. Therefore, in partnership with civil society, companies must find ways to adapt to these new challenges. Ensuring that online platforms and mobile devices are safe to use will protect those conducting important – but risky – human rights work.