Revelations that scores of journalists have been spied on by governments using NSO Group spyware have inflamed critics around the world, and hastened calls for investigations into the spying allegations.
Mexico’s president, Andrés Manuel López Obrador, known as Amlo, whose family, cardiologist, and political advisers had phone numbers in the leaked list while he was running for office, pledged to cancel any outstanding government contracts with the NSO Group.
That call came as Indian opposition politicians disrupted parliament on Tuesday to demand a full investigation into the government’s alleged use of Pegasus spyware on people who appeared in list, including Indian citizens, politicians, journalists and lawyers.
The Pegasus leaks have dominated the first two days of India’s monsoon session in parliament, and on Tuesday the house was adjourned twice due to uproar and protests by opposition politicians.
Members of the opposition Congress party, whose own Rahul Gandhi was among those whose name was on the list, held up placards in the chamber and shouted loudly, calling for the resignation of the home minister, Amit Shah, over the allegations of spying.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Congress and other opposition parties have also called for an independent investigation into the alleged use of Pegasus spyware by Narendra Modi’s government.
Congress spokesperson Shaktisinh Gohil said the government needed to clearly state whether or not it had purchased Pegasus software. “If yes, then the government should order a joint parliamentary committee probe to investigate the entire matter,” he said.
According to the leaks, those of Gandhi, along with several of his close associates and a political strategist who works for the Congress, were among 300 verified Indian numbers who appeared in the leaked data. Two of Gandhi’s telephone numbers were selected in 2017 and 2019 before the 2019 general elections, where Congress went on to suffer a major loss to Modi’s Bharatiya Janata party.
Others in the list included two ministers, more than 40 journalists, three opposition leaders, dozens of activists and one sitting judge.
The opposition has accused the Modi government of using the Pegasus software to spy on its political opponents, as well as lawyers, journalists and human rights activists whose work was critical of the government. On Monday it called it “an attack on the democratic foundations of our country”.
The Modi government has maintained that no unauthorised surveillance was done. The former IT minister, Ravi Shankar Prasad, said there was “not a shred of evidence linking Indian government or the BJP” to the allegations and was among several senior BJP figures to call the leaks an international plot to defame India.
The news came as prosecutors in Paris said on Tuesday that they had opened an investigation into allegations that the Moroccan intelligence services used the Israeli surveillance software Pegasus to spy on several French journalists.
Paris prosecutors will examine 10 different charges, including whether there was a breach of personal privacy, fraudulent access to personal electronic devices, and criminal association.
The investigative website Mediapart filed a legal complaint over the allegations, which Morocco has denied, after confirming that forensics showed that the phone of its editorial director and co-founder, Edwy Plenel, was selected as well as that of its gender editor, Lénaïg Bredoux, who has specialised in reporting on sexual violence and sexual harassment.
The French satirical weekly Le Canard Enchaîné has also said it plans to file a legal complaint.
Its former reporter Dominique Simonnot, currently head of France’s independent body which oversees prisons, confirmed to France Info that she had been selected while still working as a journalist, saying: “It’s a real scandal.”
The French government spokesman Gabriel Attal told French public radio: “These are extremely shocking acts and, if proven, are extremely serious.”
He said that France was “extremely attached to press freedom” and that any attempt to curtail journalists’ freedom to report was “very serious”.
In Brussels, the European Commission has promised to use “all possible tools” to gather information about spying on journalists after forensic analysis of mobile devices showed that Hungary’s government was using Pegasus spyware against investigative reporters.
The promised action from the commission is likely to disappoint some members of the European parliament, who were looking for a tougher response to the allegations against Hungary, already ensnared in numerous disputes with Brussels over democracy and human rights.
Didier Reynders, the EU commissioner in charge of data protection, said: “Any such spying on the media, if true, is simply unacceptable, so we will work to follow the investigations.”
He added that Brussels officials responsible for communications networks and technology were analysing the situation, but did not go as far as promising the full-scale investigation by the commission that members of the European parliament have demanded.
Dutch liberal MEP Sophie in ‘t Veld has tabled urgent questions to the commission, demanding to know whether it will “immediately investigate and assess whether or not Hungary has respected its obligations” under the EU treaties, charter of fundamental rights and law on data protection (GDPR).
The Hungarian government has taken a two-pronged response to the Pegasus reports. A blogpost released on Tuesday said that there had been no illegal surveillance in Hungary since Orbán came to power in 2010. It also quoted Hungary’s justice minister, Judit Varga, who told Hungarian media that states “must have the necessary tools to combat the many threats they face today”.
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
In Mexico, Obrador rejected calls for a criminal investigation into the revelations that the numbers of 15,000 Mexicans appeared in the data, even as he pledged to halt all use of the Israeli spyware.
He said: “[This investigation] is irrefutable proof that we were subjected to an authoritarian undemocratic government that violated human rights.”
Mexico was NSO’s first client in 2011, and at least three agencies – the secretary of defence, attorney general’s office and national intelligence agency – operated Pegasus during the previous government.
“I am absolutely sure that this government does not spy on anybody. If we find contracts, they will be cancelled. We do things differently in this government … we are transforming public life. We don’t spy on journalists, political opponents or activists,” Obrador said.