Pegasus, a ‘spyware’ application from Israeli software company NSO Group, is sold as a tool to help governments crack down on terrorists, paedophiles and other criminals. But, as a recent exposé revealed, it is also used by authoritarian regimes to spy on journalists, activists and opposition politicians. Not only does spyware endanger liberty and human rights, experts warn, it would prove disastrous for cybersecurity should it fall into criminal hands.
What is spyware?
NSO Group touts Pegasus as a tool for monitoring “individual, pre-identified suspected criminals and terrorists”. It exploits zero-day security flaws in platforms including WhatsApp and Apple’s iMessage to give users ‘zero-click’ access – meaning targets do not need to click a link or download a file to be compromised. Once installed on a device, the application can intercept communications that are otherwise encrypted.
The company portrays encryption as a boon to criminals, and its software as a way to crack it. “Terror organisations, drug cartels, human traffickers, paedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications,” the company says. “These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”
But the software is also being used by governments to spy on journalists, politicians and human rights activists, according to an exposé by The Guardian, Amnesty International and non-profit Forbidden Stories. A leaked list of mobile numbers, reportedly targeted by NSO Group clients, included FT editor Roula Khalaf and investigative journalists covering corrupt and authoritarian regimes around the world. (NSO denies that the list of numbers reveals its clients’ targets.)
Despite encryption’s vital role in securing digital transactions, many governments seek to limit its use. Encryption is subject to ‘widespread restrictions’ in countries including India, China and Russia, according to research by digital rights think tank Global Digital Partners. The UK, Australia and much of Europe have ‘some restrictions’ in place.
Last year, an open letter from the Five Eyes security alliance, made up of Australia, Canada, New Zealand, the United Kingdom and the United States, recognised the importance of end-to-end encryption but called for the ability for law enforcement to access “content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight”.
The Pegasus scandal reveals how measures to circumvent encryption can be abused. And portraying it as a tool for criminals and terrorists gives authoritarian regimes license to spy on their citizens and political opponents, says Natalia Krapiva, tech legal counsel at digital rights campaign group Access Now. “In certain countries, folks get very swayed by this rhetoric of terrorism and child molesters, thinking ‘of course, we don’t want that’, and then, somehow they are willing to give up their basic rights and freedoms without a second thought.”
Spyware and its threat to cybersecurity
But as well as threatening human rights, the global backlash against encryption could empower the criminal forces it claims to target. Once systems such as Pegasus are created, they are likely to end up in criminal hands, says Toni Vitale, partner at Gateley Legal. “The problem is, in relation to any type of spyware like this, as soon as it’s out there, there’s peer-to-peer sharing of that technology,” he says. “Then it can get used for terrorism, or for raising finance through fraud or simply to be disruptive to businesses.”
The degree of access granted by spyware systems makes them potent tools for cybercriminals. “If they have a bug that allows them to get into the kernel of the system, there’s literally no limit to what they can do,” says Jon Callas, director of technology projects at the Electronic Frontier Foundation. “They could in many cases get into things that were presumed to be secret, including files, conversations and anything else.”
‘Zero-click’ malware infection would be especially effective in cyberattacks against businesses, says Vitale. “You only need to target a couple of key individuals and it could potentially destabilise the whole organisation,” he says.
Perhaps the greatest threat posed by the existence of spyware is that it falls into the hands of the ransomware gangs terrorising businesses and governments around the world, says Callas. “I believe this is the biggest danger,” he says. “[Spyware] would give them great power to do what they are doing in different ways.”
Indeed, spyware poses such a threat that it should be considered a weapon, says Callas. “These really are information economy weapons and they are being developed for governmental use, and those are not what we would like to see on the international stage.”