The investigation was conducted by 17 different media organizations under the banner of the "Pegasus Project." The project aimed to sift through a massive data leak of more than 50,000 phone numbers. These numbers were selected for surveillance as "people of interest" by the clients of the aforementioned Israeli surveillance company, the NSO Group, since at least 2016.
The NSO Group insisted that its hacking spyware, called Pegasus, is only intended for use against terrorists and criminals. The reality shows that the company's clients have been targeting journalists, lawyers, human rights activists and anybody else considered enemies of the government.
"The Pegasus Project lays bare how NSO's spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril," said Amnesty International Secretary General Agnes Callamard. "These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology."
"While the company claims its spyware is only used for legitimate criminal and terror investigations, it's clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations," she added.
Amnesty International, a non-governmental organization dedicated to human rights, first gained access to the list along with Forbidden Stories, an NGO dedicated to the rights of journalists. They shared access to the list with their 17 media partners as part of the Pegasus Project.
The 50,000 phone numbers on the list given to the media outlets include hundreds of business executives, non-governmental organization employees, labor union officials, religious figures, academics and even government officials, such as members of legislatures, presidents and prime ministers. A forensic analysis of just a small number of the phone numbers on the leaked list showed a vast majority of them had traces of the Pegasus spyware in them.
The disclosures of the information found in the leak began on Sunday, July 18, after media outlets found the numbers of more than 180 journalists listed in the data, including reporters, editors and media executives.
The investigators even found the phone number of one freelance Mexican reporter, Cecilio Pineda Birto. The journalist was apparently a person of interest for one of the NSO Group's Mexican clients in the weeks leading up to his murder in 2017. His phone has never been found, so no forensic analysis could be conducted to establish whether the Pegasus spyware had infected it.
According to the information leaked to the NGOs and media outlets, the data identifies at least 10 governments who were direct clients of the NSO Group and who had entered phone numbers into their surveillance systems: the United Arab Emirates, Saudi Arabia, Rwanda, Morocco, Mexico, Kazakhstan, India, Hungary, Bahrain and Azerbaijan.
In Mexico's case, multiple government agencies bought the Pegasus system and turned over more than 15,000 phone numbers. This record is followed by the UAE and Morocco, which both selected more than 10,000 numbers for tracking.
The selected phone numbers were not necessarily from citizens of the countries that turned them over. They spanned more than 45 countries across four continents. The forensic analysis showed that more than 1,000 of the numbers turned over by the NSO Group's clients were from Europeans.
The analysis suggests Prime Minister Viktor Orban of Hungary used the Pegasus spyware to target investigative journalists in the country as well as the close circle of friends and confidants of one of the country's few independent media executives. (Related: Hungarian politician to submit law that will protect citizens from being censored or deplatformed by big tech on social media.)
The investigation also suggests the technology was used by Saudi Arabia and the UAE to target the phones of close associates of murdered journalist Jamal Khashoggi. The latter was believed to have been murdered by the order of Saudi Arabian Crown Prince Mohammed bin Salman.
Rwanda, Morocco, India and Hungary have published statements denying using Pegasus to hack the phones of individuals on the leaked list. The governments of the six other countries did not respond to invitations to comment on the matter.
In response to the report, the NSO Group released a statement through its lawyers denying the "false claims" made regarding the activities of its clients. But the company said it would investigate "all credible claims of misuse and take appropriate action."
The company maintains that it "does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets." NSO Group claims it only sells its technology to military, law enforcement and intelligence agencies. It has clients in at least 40 unnamed countries. It claims countries have to go through rigorous vetting of their human rights records before they are sold the spyware.
In June, the NSO Group published a transparency report where it claimed without evidence to have an industry-leading approach to protecting human rights. It even published excerpts from some of its contracts with its clients stipulating that they can only use the spyware for criminal and national security investigations.
But as the recent investigation demonstrates, the company claims about how its software is being used may not exactly line up with reality.
Learn more about how governments around the world are illicitly surveilling their citizens by reading the latest articles at PrivacyWatch.news.