Human rights experts at the United Nations issued a statement last week calling for a global moratorium on the sale and transfer of surveillance technology until regulations are in place that guarantee its use in compliance with international human rights standards. The call came against the backdrop of a sensational report released by Forbidden Stories and Amnesty International that military-grade Pegasus spyware developed by NSO Group had been used to target journalists, activists and heads of state. The Pegasus Project, a collaboration of media organizations and journalists, conducted forensic tests on mobile phones to identify traces of the spyware.

1. Introduction

The special procedures of the United Nations Human Rights Council are independent human rights experts with mandates to report and advise on human rights from a thematic or country-specific perspective. (here) They are elected for renewable three year terms. According to the Office of the High Commissioner for Human Rights, the special procedures include acting on individual cases of reported violations of international human rights standards and engaging in advocacy to raise public awareness and provide advice for technical cooperation.

On July 18, 2021, Forbidden Stories and Amnesty International exposed the widespread surveillance of the mobile devices of hundreds of journalists, human rights defenders and political leaders by the NSO Group’s Pegasus spyware. Forbidden Stories is a network of journalists based in Paris, France, whose mission is “to protect, pursue and publish the work of other journalists facing threats, prison, or murder.” (here) Amnesty International is a world-renowned organization situate in over 150 countries which campaigns for human rights. (here) NSO Group Technologies is a technology firm whose Pegasus spyware enables the remote surveillance of smartphones. It is based in Herzliya, near Tel Aviv, Israel. (here)

On August 12, 2021, the U.N. special procedures issued the statement urging the international community to adopt a global moratorium on the sale and transfer of surveillance technology pending the development of a regulatory framework to “prevent, mitigate and redress” the negative human rights impact of surveillance technology. “It is highly dangerous and irresponsible to allow the surveillance technology and trade sector to operate as a human rights-free zone,” the experts warned. (here) The statement was released following the denial by NSO Group of any involvement in unlawful practices. The experts called on NSO Group to disclose whether it had “conducted meaningful human rights due diligence” in compliance with the U.N. Guiding Principles on Business and Human Rights and to publish its findings. (here)

2. The Pegasus Project

An unprecedented leak of more than 50,000 phone numbers selected for surveillance by customers of NSO Group disclosed the breadth of the systemic abuse of the Pegasus spyware. The Forbidden Stories consortium and Amnesty International had access to records of phone numbers selected by NSO Group clients in over fifty countries dating back to 2016. According to a post to the Forbidden Stories website titled About The Pegasus Project, the leaked data showed that at least 180 journalists were selected as targets. Other targets included human rights defenders, lawyers, doctors, academics, union leaders, diplomats and heads of state. (here) The Pegasus Project media partners included The Guardian, The Washington Post, Le Monde, Die Zeit and Radio France.

The report “shines a harsh light” on the business of NSO Group. Despite claiming that it vets its clients based on their human rights track record, the company has sold its product to authoritarian regimes in Azerbaijan, the United Arab Emirates and Saudi Arabia. According to the post by Forbidden Stories, “[i]nsiders disclosed the important role played by the Israeli Ministry of Defense when it came to picking NSO Group’s clients.” Although NSO Group has denied taking direction from the Israeli government regarding customers, the U.N experts urged Israel, as NSO Group’s home country, to disclose any measures it took to review the company’s export transactions. It is the duty of states to verify that companies like NSO Group do not sell technology to states or entities “that are likely to use them to violate human rights,” the experts said.

According to Amnesty International, evidence also emerged during the investigation that family members of Saudi journalist, Jamal Khashoggi, were targeted before and after he was killed by Saudi operatives in Istanbul, Turkey, on October 2, 2018. (here) Amnesty’s Security Lab established that the spyware was installed on the phone belonging to Mr. Khashoggi’s fiancee, Hatice Cengiz, four days after his death. Here are four takeaways from Amnesty’s post to its website:

• In Mexico, journalist Cecilio Pineda’s phone was selected for targeting just weeks before his killing in 2017. The Pegasus Project identified at least 25 Mexican journalists were selected for targeting over a two-year period. NSO has denied that even if Pineda’s phone had been targeted, data collected from his phone contributed to his death.
• Pegasus has been used in Azerbaijan, a country where only a few independent media outlets remain. More than 40 Azerbaijani journalists were selected as potential targets according to the investigation. Amnesty International’s Security Lab found the phone of Sevinc Vaqifqizi, a freelance journalist for independent media outlet Meydan TV, was infected over a two-year period until May 2021.
• In India, at least 40 journalists from nearly every major media outlet in the country were selected as potential targets between 2017-2021. Forensic tests revealed the phones of Siddharth Varadarajan and M.K. Venu, co-founders of independent online outlet The Wire, were infected with Pegasus spyware as recently as June 2021.
• The investigation also identified journalists working for major international media including the Associated Press, CNN, The New York Times and Reuters as potential targets. One of the highest profile journalists was Roula Khalaf, the editor of the Financial Times. (here)

“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media,” said Agnes Callamard, the Secretary General of Amnesty International. “It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice.” French President Emmanuel Macron headed the list of fourteen current or former heads of state who may have been targeted. However, none of the heads of state would provide access to their smartphones for forensic testing. “The unprecedented revelation […] should send a chill down the spine of world leaders,” Ms. Callamard said. (here)

Amnesty International and Forbidden Stories requested that Citizen Lab of the Munk School of Global Affairs and Public Policy, at the University of Toronto, undertake an independent peer review of a sample of their forensic evidence and their general methodology. In a post to its web site titled Independent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware by Bill Marczak, John Scott-Railton, Siena Anstis and Ron Deibert dated July 18, 2021, Citizen Lab reported that it “independently validated” Amnesty International’s forensic methodology and “determined that their overall methodology is sound.” (here) Professor Deibert, the director of Citizen Lab, said spyware-for-hire companies effectively allow governments to “purchase their own NSA”. (here)

The quip by Professor Deibert is not that much of an exaggeration in light of the significant intrusiveness of the Pegasus software that I also discussed in a previous post to On The Wire. (here) It can be installed on mobile phones and other devices running iOS and Android operating systems. It is capable of infecting all versions of iOS up to iOS 14.6 through a zero-click iMessage exploit. Pegasus can read text messages, track calls, access the infected device’s microphone and camera, and harvest location data and information from apps. NSO Group claims that Pegasus is only used to “investigate terrorism and crime” and “leaves no traces whatsoever”. (here and here) In the report by Amnesty International’s Security Lab titled Forensic Methodology Report: How to Catch NSO Group’s Pegasus dated July 18, 2021, Amnesty concluded that “neither of these statements are true.” (here)

3. The Sprawling List

The details of the list of leaked phone numbers are murky. In a piece summarizing key takeaways from the investigation by The Washington Post, it was emphasized that the list of 50,000 numbers “does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.” (here) The numbers on the list, described as “sprawling” by the Post, are “unattributed” and its purpose “could not be conclusively determined.” The Post also emphasized that the numbers on the list associated with thirty-seven smartphones “fuels the debate whether Apple has done enough to ensure the security of its devices”. Thirty-four of the thirty-seven phones were iPhones.

4. Conclusion

The statement by the U.N. experts was not the first call for a global moratorium on surveillance technology. It mirrored the previous statement by Ms. Callamard of Amnesty International when the Pegasus Project report was released. “Until [NSO Group] and the industry as a whole can show it is capable of respecting human rights,” she said, “there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology.” But that is not the end of the story.

In an article titled Pagasus spyware found on journalists’ phones, French intelligence confirms, published in The Guardian edition of August 2, 2021, Kim Willsher reported that French intelligence investigators confirmed that Pegasus spyware was found on the phones of three journalists including a senior staff member of the international television station, France 24. It was the first time that an “independent and official authority” corroborated the findings of the Pegasus Project. (here) France’s national agency for information systems security (Anssi) identified traces of the spyware on the television journalist’s phone and provided the information to the Paris prosecutor’s office which is overseeing an investigation into possible hacking.

Three days later, on August 5, 2021, Reporters Without Borders (Reporters sans frontiers, RSF) reported that seventeen journalists listed as potential or actual victims of Pegasus spyware also filed complaints with prosecutors in Paris. (here) RSF is an international non-governmental organization that defends the rights to freedom of information and expression. (here) It has consultative status at the United Nations, UNESCO, the Council of Europe and the Organisation internationale de la Francophonie. “All of these plaintiffs know or have serious grounds for fearing that they were spied on by their governments as a result of having carried out independent journalistic reporting in the public interest,” RSF said. The complaints have also been referred to four United Nations special rapporteurs – the rapporteurs on freedom of opinion and expression, the right to privacy, human rights defenders, and protecting human rights while countering terrorism – requesting they seek explanations from the governments suspected of using Pegasus to target journalists.