Every once in a while the topics of information security and privacy that typically frame this opinion piece hit close to home. I’ve written about online scammers who pilfer credit card data and recreate the card itself, instead of the lazier route of simply using the numbers online. That happened to me. I’ve described how digital forensics tools can dig into every part of your computers or mobile phones, a subject that I teach and research. There have been entries surrounding anti-fraud efforts, many of which I’ve used in practice and have taught about.
Here, as the writer of this standing, weekly piece, I might be identified as a columnist, which is different and lesser, in at least one sense, than a journalist. Still, in the broader range of its definition I’m a journalist in this role. My news reporting colleagues at the Times-Tribune are clearly journalists in the more exact and excellent manner of the word’s meaning. No matter the label, I have a connection to this imperative part of a free, democratic society. I possess a zealous yearning to protect and advance the work done by journalists. Anything that stymies that freedom, that chills my journalistic colleagues’ work, or that impedes the Constitutional rights incumbent to reliable and valid journalism is offensive to me, and should be to you too.
Precisely that offense found its way into the same journals that it was meant to stymie and chill. Spyware is a subset of the family of malware, which, as the sandwiched words imply, surrounds malicious software. The spyware variety is extra malicious, if there are degrees, because it infects a computer or smartphone with software that gathers information from the device and its user. Spyware as a term and a hacker’s strategy seems relatively new in computing since it’s mainly been within the 21st century that we’ve researched and written about it. For the uninitiated, you’ll be intrigued by the fact that one of the earliest examples of spyware was found buried in the software programming of none other than Mattel’s Reader Rabbit educational toys. In 2000 Mattel was caught using spyware in Reader Rabbit to gather marketing data about its childish users.
How do these topics—journalism and spyware—intersect? In the most unsavory and undemocratic manner. The Washington Post and over a dozen additional news outlets exposed the nation-state-level spyware scheme last week. An Israeli technology company, NSO Group, developed the spyware, named Pegasus, as a military-grade surveillance tool. Its target market aims at governments whose intelligence agencies ostensibly would be using it for national security and defense purposes. NSO Group stays firm that Pegasus, albeit intentional spyware, is not meant to be used outside of the scope of its licensing agreement with these customers. The scope seems to limit the deployment of Pegasus to track only terrorists, criminals, or other parties that might implicate the various governments’ security or defense concerns.
Surveilling journalists, human rights activists, or international business leaders would fall outside the scope, of course. Yet, that’s what was discovered. Certain countries known to surveil their private citizens, and known NSO customers, amassed a register of 50,000 out-of-scope Pegasus targets. Forensics researchers in the ensuing investigation identified Mexico, Middle East governments such as the United Arab Emirates and Saudi Arabia, India and dozens more believed to be Pegasus users whose targets span at least 50 countries’ private citizens.
The governments are tracking journalists, and you can conclude some of the reasons to do so on your own if you can employ an objective or even cynical view of the scenario. The Associated Press, CNN, the New York Times, the Financial Times in the U.K., and Al Jazeera among other outlets had their staff’s phones hacked with Pegasus. Pegasus lets the governments track human rights activists as well. Amnesty International is among the most affected of these not-for-profits. This is unsurprising, again with a cynic’s lens, since Amnesty tried to convince the Israeli government to rescind NSO Group’s export license based on its spyware business and products. Several reporters and their family members related to the investigation and Amnesty’s lawsuit were found to have Pegasus loaded onto their iPhones or Android devices. Pure illegal, unethical retaliation. At least 65 high-level business executives around the world also were found to have had their devices infected with Pegasus.
Without going too deeply, Pegasus works thusly. The governmental hacker sends a communication to a specific number. It could be a text message, an email, or a DM. No matter the channel, the communication includes a link that the user is persuaded to click. It’s the same approach I’ve described as phishing, which baits an email user in that more traditional scheme. When the user clicks the malicious link, Pegasus thereafter takes over the phone’s basic functions and captures and copies data. The governmental hacker can then record remotely from the smartphone’s camera or microphone, even if those are seemingly disabled. Pegasus lets them follow the user by way of location data. The criminals can learn contacts and see call logs. It’s a real takeover.
NSO Group claims that its spyware products, including Pegasus, cannot be levied against American smartphones. Ri-i-i-ight. Maybe that’s the case, after all, and in spite of my incredulity at the statement. The forensic researchers working on this case did not find Pegasus successfully loaded onto any device with a U.S. country code.
We still have much to learn about these crimes and the Pegasus capabilities. Note that Pegasus is just one such piece of spyware that we are even aware of. You can only guess about other risks when it comes to this type of government surveillance. Need to upset an election, misrepresent a person, or dig up dirt? Deploy Pegasus. For now, the burden is heavy enough against a democratic society that depends on the power and purpose of a free press.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.