El Faro Journalists Sue Developer of Pegasus Spyware
- November 30, 2022
- Clayton Rice, K.C.
Pegasus spyware, developed by Israeli technology company, NSO Group, can access stored data on a target’s mobile phone by a zero click exploit and activate the device’s microphone and camera converting it into a listening and surveillance tool. American journalist, Roman Gressier, who broke a series of stories for media outlet El Faro documenting corruption in the Salvadoran government of President Nayib Bukele, was one of a number of journalists and civil society members hacked by Pegasus over a two year period. Now the targets have initiated the first lawsuit in a U.S. court by journalists against the notorious spyware developer.
El Faro is an acclaimed digital newspaper based in El Salvador dedicated to the investigation of government corruption and human rights abuses. NSO Group develops spyware and sells it to governments worldwide including autocratic regimes implicated in serious human rights abuses. NSO Group’s signature software, Pegasus, can surreptitiously infect smartphones providing a software operator with access to a trove of private data including text messages, emails and GPS location. Represented by the Knight First Amendment Institute at Columbia University in New York, fifteen journalists and other members of El Faro filed a law suit today in the United States District Court, Northern District of California, claiming that attacks by Pegasus against them were part of a broader campaign against the press and members of civil society in which both individuals and organizations were targeted. (here) Carlos Dada, El Faro’s co-founder and one of the plaintiffs in the lawsuit, described the spyware attacks as “an attempt to silence our sources and deter us from doing journalism.” (here) “We are filing this lawsuit to defend our right to investigate and report, and to protect journalists around the world in their pursuit of the truth,” he added.
In an article titled A Hacked Newsroom Brings a Spyware Maker to U.S. Court, published by The New Yorker today, Ronan Farrow described Mr. Gressier’s work as “scrupulous and at times frightening.” (here) He produced articles about “the arrests of working-class Salvadorans attempting to flee to the U.S. and activists’ efforts to strengthen an anti-corruption commission.” One story covered the U.S. State Department’s decision to place President Bukele’s chief cabinet minister on a list of corrupt officials. Around the time the story was published by El Faro, Mr. Gressier’s iPhone was hacked. It was infected with Pegasus and would be hacked three more times according to a report by Citizen Lab at the Munk School of Global Affairs at the University of Toronto. Many of the targets have been forced to flee El Salvador and more than a dozen members of the El Faro newsroom told Mr. Farrow “the Pegasus hackings had impaired their ability to work as journalists and maintain sources’ trust.” Oscar Martinez, the executive editor of El Faro, said his phone was infected with Pegasus forty-two times between July 2020 and October 2021. “Sources, they were very upset with me,” Mr. Martinez said. “And they have the right to be. They just trusted me. And I failed them.”
2. Project Torogoz
On January 12, 2022, Citizen Lab released a report titled Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador with Pegasus Spyware. (here) The report positioned its findings against the backdrop of the Salvadoran Civil War and the election of the charismatic Nayib Bukele in 2019. He was elected on a platform that included a plan to reduce violence in El Salvador by encouraging cooperation between the armed forces and organized gangs. Although the murder rate in the country has declined, a 2021 report by the Foundation of Studies for the Application of Law (FESPAD) found that “pacts between gangs and state officials” have increased the number of forced disappearances. (here) In a piece titled Meet Latin America’s First Millennial Dictator published by Slate on August 26, 2021, Manuel Melendez-Sanchez described President Bukele as embodying a new type of “millennial authoritarianism” defined as “a distinctive political strategy that combines traditional populist appeals, classic authoritarian behavior, and a youthful and modern personal brand built primarily via social media.” (here)
The report contains the results of a collaborative effort between Citizen Lab and Access Now (here and here) and independently reviewed by Amnesty International’s Security Lab that confirmed the findings. (here) The investigation led to the identification of thirty-seven devices infected by Pegasus among members of El Salvador’s media and civil society. Here are the key findings:
- We confirmed 35 cases of journalists and members of civil society whose phones were successfully infected with NSO’s Pegasus spyware between July 2020 and November 2021. We shared a sample of forensic data with Amnesty International’s Security Lab which independently confirms the findings.
- Targets included journalists at El Faro, GatoEncerrado, La Prensa Grafica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundacion DTJ, Cristosal, and another NGO.
- The hacking took place while the organizations were reporting on sensitive issues involving the administration of President Bukele, such as a scandal involving the government’s negotiation of a “pact” with the MS-13 gang for a reduction in violence and electoral support.
- While evidence linking a particular infection to a particular Pegasus customer is often unavailable, in this case we identified a Pegasus customer operating almost exclusively in El Salvador since at least November 2019 that we called TOROGOZ, and have connected this operator to an infection attempt against El Faro. (at p. 1)
The conclusion of the report emphasized a “familiar pattern in authoritarian societies” involving the use of advanced technology to interfere with civil society organizations that are an essential component of a democratic society. “Especially troubling,” the report states, “is the pattern of targeting of independent Salvadoran media that this joint investigation has uncovered.” (at p. 9)
3. The Lawsuit
The Complaint begins with the assertion that NSO Group Technologies Limited and Q Cyber Technologies Limited develop “malicious surveillance software” and sell it to “rights-abusing governments.” These governments “surveil journalists, human rights advocates, and political opponents, often in the service of broader campaigns of political intimidation and persecution.” Here are five specific allegations:
- Defendants developed Pegasus, and deploy it, by repeatedly accessing computer servers owned by U.S. technology companies, including Apple Inc., a company based in Cupertino, California. As relevant to this case, Defendants accessed Apple servers to identify and exploit vulnerabilities in Apple software and services, to enable the delivery of Pegasus to targets’ iPhones, and to allow Pegasus operators to extract data from their targets’ iPhones and their targets’ cloud-based accounts. (para. 3)
- Between June 2020 and November 2021, at least twenty-two people associated with El Faro, including Plaintiffs, were the victims of Pegasus attacks. Their devices were accessed remotely and surreptitiously, their communications and activities monitored, and their personal data accessed and stolen. Many of these attacks occurred when they were communicating with confidential sources, including U.S. Embassy officials, and reporting on abuses by the Salvadoran government. (para. 5)
- […] The attacks have compromised Plaintiffs’ safety as well as the safety of their colleagues, sources, and family members. The attacks have deterred some sources from sharing information with Plaintiffs. Plaintiffs have […] expend[ed] substantial resources to protect their devices against possible future attacks, to ensure their personal safety, and to address serious physical and mental health issues resulting from the attacks. The attacks have undermined the security that is a precondition for the independent journalism that El Faro strives to provide its readers, as well as the ability of El Faro’s readers, including those in the United States, to obtain independent analysis of events in Central America. (para. 6)
- Defendants violated California Penal Code s. 502(c)(1) by knowingly and without permission accessing Plaintiffs’ devices and altering, damaging, or using those devices in order to wrongfully control the devices and obtain data from them. Analysis by the Citizen Lab confirmed that Defendants and their clients obtained data from at least nine of Plaintiffs’ devices. (para. 137)
- Defendants intentionally intruded into Plaintiffs’ private affairs by installing or causing to be installed malicious code on their devices. The installation […] gave Defendants and their clients essentially full control of the devices […] Although Pegasus attacks are designed to leave no trace, the Citizen Lab’s analyses confirmed that Defendants and their clients exfiltrated data from at least nine devices used and/or owned by Plaintiffs. (para. 150)
The Complaint alleges that NSO’s development and deployment of Pegasus software violated the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act. They seek injunctive and declaratory relief as well as compensatory and punitive damages.
According to Mr. Farrow, in his piece for The New Yorker, El Faro journalists “grappled with the decision of whether to join what may prove to be protracted and bruising litigation.” But several told him they believe the prospect of transparency is worth it. “What I really want to know is: Where is our information? Who has it?” said Julia Gavarrette who covers human rights issues at El Faro. “Because, at some point, they are going to use it.” Uncertainty also pervades the legal landscape. “There’s very little case law,” Jameel Jaffer, the executive director of the Knight Institute, said. “We see this kind of targeting not as a problem only for the political dissident and the journalist and the human-rights activist but as a problem for human rights and democracy more broadly.”