John Scott-Railton is senior researcher and Ronald J. Deibert is professor and director at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto.
Mexican journalist Javier Valdez was the founder of RioDoce, a small, scrappy newspaper that investigates corruption, cartels and organized crime in Culiacan, Sinaloa, an epicentre in Mexico’s drug war. That’s earned him and his staff many threats.
On May 15, 2017, gunmen made good on those threats. As Mr. Valdez left the RioDoce office, he was shot 12 times. His killers pulled him from his car and dragged his body into the street before taking files, a laptop and his cellphone from his car.
But then, in the days after the killing, his colleagues started receiving strange text messages, promising information about the killing and the identity of the culprits. A week later, Mr. Valdez’s wife, journalist Griselda Triana, began receiving these messages, too.
Now, more than a year later, we know who sent these mysterious texts.
With the help of partners in Mexico, our investigation determined that the messages were designed to infect the recipients’ phones with Pegasus, a powerful piece of spyware manufactured by NSO Group, an Israel-based surveillance company. Once a phone is infected with Pegasus, it becomes a digital secret agent, capable of recording all the audio in a room, stealing private photos and messages, and eavesdropping on phone calls.
NSO Group markets their spyware as a tool limited to government agencies to assist in anti-terror and criminal investigations, and has sworn that it does extensive due diligence to prevent abuses. Our research has shown that the reality is far different.
Strong evidence, including leaked contracts, suggest that the sender of these messages about Mr. Valdez’s murder may have been the Mexican government, which had paid US$80-million to acquire Pegasus spyware. In Mexico, where journalists are frequent targets for physical violence and assassination and where officials have been reportedly involved in half of their killings, we unearthed at least 25 cases of abusive targeting of advocacy groups, lawyers, scientists and researchers, investigators into mass disappearances and media members. At least nine Mexican journalists were targeted with Pegasus, according to our peer-reviewed research. New York Times journalist Azam Ahmed also recalled receiving a similar message while working in Mexico. Some journalists’ family members were even targeted with the spyware. Radio journalist Carmen Aristegui’s child, a minor, was sent infection attempts while in boarding school in the United States.
Because of spyware such as Pegasus, borders and geographical distance do not provide protection; members of the civic media can be silently targeted halfway around the world, including on Canadian soil. In October, 2018, we reported that Omar Abdulaziz, a blogger critical of the Saudi government, was targeted with Pegasus while attending school outside Montreal. Mr. Abdulaziz was a close confidant of slain Washington Post opinion writer Jamal Khashoggi, and his targeting had occurred in the months prior to Mr. Khashoggi’s killing while the two were communicating plans for activism over what they thought were private messaging apps. Thanks to Pegasus, Saudi intelligence was silently eavesdropping on those plans.
Others critical of the Saudi regime, including a Britain-based satirist and a blogger, were also targeted. In fact, our research has shown that Pegasus has been used to infect devices in 45 countries worldwide, and has been operated by more than 30 countries. Many of NSO Group’s customers are chronic violators of human rights and press freedoms, including Bahrain, Kazakhstan, Morocco and the United Arab Emirates.
What is to be done about the harmful proliferation of commercial spyware such as Pegasus? Many point to the need for government regulations, such as tighter export controls. But lacking political will, these are unlikely to be properly enforced. As it stands, NSO Group’s sales are reportedly approved by the Israeli Ministry of Defence, and it did not appear to take issue with the company selling its products to a rogues’ gallery of autocratic rulers, in spite of widespread public reporting of abuse.
Litigation is another avenue that might help bring about reform of companies’ practices. NSO Group is currently embroiled in several lawsuits. Should those succeed and the company is penalized in a significant manner, its owners may decide that the liabilities are too steep to continue with business as usual.
Pressure over corporate ethics may also spur reform. The spyware market is highly lucrative and is attracting international investors – pension funds, banks, private-equity funds and the like – looking to make a big profit. However, as evidence of reckless abuse of the spyware mounts, investors should be getting nervous about the potential liabilities. For example, Novalpina, the British company that owns a majority stake in NSO, has had trouble finding partners willing to risk a stake. After reading an open letter from a coalition of NGOs, one investor said they wouldn’t touch the investment with a “barge pole.”
To be sure, there are legitimate arguments in favour of the lawful and accountable use of spyware to enable law enforcement to investigate crimes. No doubt there are cases where the spyware has been used for this purpose; NSO Group’s executives have asserted that Pegasus assisted in the arrest of Mexican drug lord Joaquin Guzman, known as El Chapo.
But we’ve also determined that Pegasus was used to target the phones of journalists whose colleague may have been murdered because of his investigations into El Chapo’s family. Commercial spyware is wreaking mounting havoc on civil society.
Without oversight to ensure Pegasus doesn’t get into the hands of unaccountable governments, we now face a crisis rich in terrible irony: a service marketed to governments to assist in “cybersecurity” is quickly becoming a source of insecurity, instead.