Pegasus project spyware leak suggests lawyers and activists at risk across globe
A leak of phone data suggests human rights lawyers, activists and dissidents across the globe were selected as possible candidates for invasive surveillance through their phones.
Their mobile phone numbers appeared in leaked records, indicating they were selected prior to possible surveillance targeting by governmental clients of the Israeli company NSO Group, which developed the Pegasus spyware.
The records were obtained by the nonprofit organisation Forbidden Stories and shared with a consortium of media outlets including the Guardian.
Quick GuideWhat is in the Pegasus project data? ShowWhat is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnestyâs Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSOâs government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the companyâs signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are âtechnically impossibleâ to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity â" in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnestyâs detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared âbackup copiesâ of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnestyâs forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Groupâs full statement here. The company has always said it does not have access to the data of its customersâ targets. Through its lawyers, NSO said the consortium had made âincorrect assumptionsâ about which clients use the companyâs technology. It said the 50,000 number was âexaggeratedâ and the list could not be a list of numbers âtargeted by governments using Pegasusâ. The lawyers said NSO had reason to believe the list accessed by the consortium âis not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposesâ. After further questions, the lawyers said the consortium was basing its findings âon misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologiesâ.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons â" unrelated to Pegasus â" for conducting HLR lookups via an NSO system.
NSO has repeatedly said Pegasus, which can access all data on a targetâs device as well as turn it into an audio or video recorder, is meant for use only against terrorists and serious criminals.
Bar graph grey versionThe selection of activists, dissidents and journalists by NSO clients paints a very different picture, though one that campaigners will say was grimly predictable given the tool has been sold to some of the worldâs most repressive regimes.
The activists at risk from surveillanceIn Azerbaijan, where the longtime dictator Ilham Aliyev tolerates little dissent, numerous activists appear in the data. Some found their personal correspondence or intimate photographs published online or on television.
The phone numbers of six dissidents or activists in the country whose private correspondence was featured on a muckraking television programme in 2019 are listed in the leaked records.
Female activists are often targeted with sexual kompromat. In one particularly egregious case in 2019, intimate photographs of the civil society activist and journalist Fatima Movlamli, then 18, were leaked on to a fake Facebook page.
It is not clear how the photographs were obtained, and Movlamli believes her private data was accessed when police seized her phone during a violent interrogation and forced her to unlock it. Her number was also in the records obtained by the consortium.
âAt an age when I didnât fully realise I was a woman, I was ashamed that I had a female body and that people saw it naked,â said Movlamli. She described the experience as âhard to bearâ and said it had led to suicidal thoughts. âIn this country, women are doomed to live within the limits of what men want, and they can lynch a woman just because they see her body.â
Without forensic analysis of a device, it is not possible to confirm a successful Pegasus attempt or infection. Movlamli said she regularly resets her phone or changes device, so analysis was not possible.
In India, the numbers of a variety of activists were found in the data.
Umar Khalid, a student activist at Jawaharlal Nehru University in Delhi and the leader of the Democratic Studentsâ Union, was selected ahead of a possible targeting in late 2018, shortly before sedition charges were filed against him. He was arrested in September 2020 on charges of organising riots, and police claimed the evidence against him included more than 1m pages of information gleaned from his mobile phone, without making it clear how the information was obtained. He is in jail awaiting trial.
The mobile numbers of writers, lawyers and artists who advocated for the rights of indigenous communities and low-caste Indians were also in the data. Members of the network have been arrested over the past three years and charged with terrorism offences, including plotting to assassinate the Indian prime minister, Narendra Modi. The network included an 84-year-old Jesuit priest, Stan Swamy, who died this month after contracting Covid-19 in prison.
The records show that several people accused of being Swamyâs accomplices, including Hany Babu, Shoma Sen and Rona Wilson, were selected for possible targeting in the months before and the years after their arrests.
Loujain al-Hathloul, the most prominent womenâs rights activist in Saudi Arabia, was selected for possible targeting just weeks before her 2018 abduction in the United Arab Emirates and forced return to Saudi Arabia, where she was imprisoned for three years and allegedly tortured. It is believed Hathloul was selected by the UAE, a known client of NSO and close ally of Saudi Arabia.
Despite her release from jail in February 2021, the Saudi activist is not permitted to speak to journalists or move freely within Saudi Arabia and is still subject to a travel ban. Her mobile phone could not be obtained or tested for evidence that it had been infected or hacked.
Hathloul had previously revealed her emails had been hacked. âMy assumption is that they were hacking her to know the networks of people she is organising with,â said Hala al-Dosari, a US-based Saudi activist who communicated with Hathloul before her 2018 arrest.
Dosari said Saudi authorities had gained non-public information about per diem payments of about â¬50 (£43) a day that had been made to Hathloul in connection to her advocacy, possibly via her mobile phone.
In Mexico, the data shows widespread selection of campaigners, lawyers and rights defenders for possible targeting, including Eduardo Ferrer Mac-Gregor Poisot, a judge who was the president of the Inter-American court of human rights and Alejandro Solalinde, a Catholic priest and champion of migrantsâ rights.
Solalinde said he believed the previous Mexican government was âlooking for something to damage my reputation and use as blackmailâ due to his support for a political rival, and said he had been warned by a former national intelligence agency (Cisen) agent that he was under surveillance .
John Scott-Railton of Citizen Lab, which released a report on the targeting of the Emirati activist Ahmed Mansoor with Pegasus in 2016, said: âThe targeting of dissidents [should] sit in the same mental box as the targeting of heads of state, the targeting of ambassadors, as the targeting of big corporations and defence contractors.â
The lawyers at risk from surveillanceLawyers also feature heavily in the leaked data.
Rodney Dixon, a prominent London-based lawyer, who has taken on numerous high-profile human rights cases, was selected for targeting in 2019. Forensic analysis of his device showed Pegasus-related activity but no successful infection.
His clients have included Matthew Hedges, a British doctoral student jailed in the UAE, and Hatice Cengiz, the fiancee of the murdered Saudi journalist Jamal Khashoggi. She was also targeted with Pegasus, with forensics showing evidence of a successful infection.
Dixon said: âNo one should be targeted in this fashion. For lawyers it is particularly concerning as it violates the fundamental principles of lawyer-client privilege and confidentiality, which are central to fair and just legal proceedings.â
Forensic analysis on the phone of the French human rights lawyer Joseph Breham shows it was compromised multiple times with Pegasus in 2019, and the leaked records suggest he had previously been selected for potential targeting by Morocco.
âThere is no possible justification for a foreign state to listen to a French lawyer. There is no justification on a legal, ethical or moral level,â he said.
Two lawyers who are bringing a lawsuit against NSO on behalf of Omar Abdulaziz, a Saudi living in exile in Canada, also had their numbers appear in the leaked data. Abdulaziz was a close collaborator and friend of Khashoggi.
Analysis of both lawyersâ mobile phones did not find evidence of any attempt to use the Pegasus software against them.
âNot only do they hack people because of their political activities, but if these [victims] are seeking any kind of accountability, they will go after the people helping them,â said one of the lawyers, who asked not to be named.
A spokesperson for the Indian government said: âThe allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever.â The governments of Morocco, Azerbaijan and Mexico did not respond to requests for comment by the time of publication.
Map graphic grey versionNSO Group has claimed it will cut off clients if they misuse Pegasus. In a response to the consortium, it denied the leaked records were evidence of targeting with Pegasus and said it âwill continue to investigate all credible claims of misuse and take appropriate action based on the result of these investigationsâ.
The use of spyware and hacking in a country such as Azerbaijan, where compromising activists appears to be government policy, can have a chilling effect not just on those targeted, but across civil society.
Samed Rahimli, an Azerbaijani human rights lawyer, whose own number was in the data, said the use of kompromat had made life difficult for the countryâs activists, especially female activists. âMany people are afraid to live their personal lives in a normal way. Many also face psychological problems and they have sought professional support.â
0 Response to "Pegasus project spyware leak suggests lawyers and activists at risk across globe"
Post a Comment