Is Anyone Surprised by Pegasus Project Revelations?

I do hope you already know about the Pegasus Project, an exercise in investigative journalism that followed a whistleblower’s leak of 50,000 telephone numbers spied upon using software created by NSO Group and bought by various governments. The original leak was received by human rights campaigners Amnesty International and nonprofit media organization Forbidden Stories, but then the data was shared with news providers in multiple countries so they could follow up. All the researchers are in agreement: zero-click spyware has been installed on the iPhones of a wide variety of politicians, journalists and other people who are not suspected of committing any crime. The code allows spies to remotely access the phone’s microphone, camera, location and all of its files. Hacking the phone means any subsequent encryption of communications is rendered irrelevant. This was how Saudi agents intercepted WhatsApp messages sent to journalist Jamal Khashoggi, leading to his murder. Other governments accused of using the software include those of Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda and the United Arab Emirates. And yet the NSO Group offers a simple defense for making and selling their spyware: they are not responsible if governments abuse tools that should have been targeted at terrorists and criminals.

If you are not aware of the revelations then please educate yourself without delay. You might want to read:

When you have finished learning about the extent to which NSO Group’s software has turned modern communications technology into the servant of surveillance agencies, I want you to also do something else. I have a lot of sympathy for the arguments presented by NSO Group. A large number of people would agree it is legitimate to use software like theirs if it prevented a terrorist attack or led to the arrest of a pedophile. The manufacturers of a gun do not tell customers to shoot up schools any more than a car manufacturer tells drivers to speed into crowds. Physicist Richard Feynman was excited about doing calculations that led to the development of the first atomic weapons, but later suffered depression over the nuking of Japan. A new invention cannot be uninvented but the person who makes a tool can provide instructions for its responsible use. Those instructions cover not just the technical operation but also the purposes for which the tool is used. These may not serve as a legal prohibition but they have moral force. A recent announcement by NSO Group said they “will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary”. If NSO Group are true to their word then they are more moral than several well-known members of the professional community that reads Commsrisk. So my request to you is: think about the people you know who profit from risk and security technology being exploited for surveillance.

I have a website and a big mouth, so there are limits to what people are prepared to tell me about how they run their business. But even I know things that will not be published on Commsrisk because statements can be defamatory even if they are true. It eats me up inside to see yet another feelgood social media post about work-life balance from a jackass who prostituted himself to the Iranian regime in order to win a contract to ‘analyze’ who was calling whom. Was that system being sold to tackle telecoms fraud? That is one possible use, but you would have to be dangerously naive to believe that was all it would be used for. And I would love to tell you about the nerve of one salesman who accused a telco’s employees of racism because they rejected a suspiciously cheap revenue assurance system. Telcos have to keep their own governments happy, so only the most moronic exec would be intimidated into effectively giving sensitive data about people’s movements to a software company with obvious links to the security forces of a hostile nation. I know about immoral business practices, and there is a good chance many readers know about them too, but we all tend to pretend nothing is amiss when another hypocrite steps up to receive the award they just paid for. It is almost impossible to be only a little corrupt but many of us have felt the need to turn a blind eye to wrongdoing because we lack the means to stop it.

The power to spy on others can come through various methods, including the interception of specific radio signals, installing software on a handset, or by observing patterns in large volumes of data. The techniques vary, but they all attract nefarious people with bad motives. The shame is that neither you nor I know what to do about it. Amnesty International’s Pegasus Project dossier will shock some, but the least shocking section lists their tepid and unconvincing recommendations for how governments and individuals should respond. A world where North Korea learned how to make nuclear warheads and ballistic missiles to deploy them is not going to impose an effective “moratorium on the sale, transfer, and use of spyware technology” nor will investors stop the rise of the next NSO Group by determining “whether private equity funds under consideration for investment, or other investment vehicles, include or plan to include surveillance companies within their portfolios”. Half the sponsors of Commsrisk make products that could be used for surveillance.

Amnesty International’s unrealistic proposals are what you get from people who have the luxury of being full-time charity do-gooders that never deal with the messy realities of why so many businesses stray into the gray area between good and bad. But if you think about the people you know, and how far some of them are prepared to go to make money, then maybe you will exert influence over them at a crucial moment. Nobody else will learn how you sought to make the world a better place, though you will have the comfort of knowing that you strived to prevent the next surveillance scandal.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.