The danger is still on our devices

Update (February 22): On Monday, February 21, Israel’s justice ministry contradicted the recent reporting by Calcalist, cited below, claiming that police in the country used Pegasus, a potent Israeli-made spyware tool, to warrantlessly surveil various public figures. Following an investigation, the ministry said that police never targeted the vast majority of names on the list published by Calcalist, and obtained judicial approval to target the others. Calcalist said that the ministry’s findings “require serious consideration and re-examination of the findings and allegations we published,” but also noted that the investigation “validates” the paper’s core claim that police have used spyware against Israeli civilians.

Last month, Calcalist, a business newspaper in Israel, reported that police in the country had used Pegasus, a potent spyware tool made by an Israeli company, to warrantlessly surveil cellphones belonging to political figures who were not under formal criminal investigation. Further reports about the surveillance dripped out in the weeks that followed; then, on Monday, Calcalist dropped a bombshell, publishing a list of individuals whose phones were targeted. Mayors and anti-government protesters, including disability-rights activists, were on the list, as were journalists and senior government officials suspected of leaking to the press. Media advisers to Benjamin Netanyahu, the former prime minister, were named. So was his son.

The list intensified what was already a scandal in Israel: a government minister pledged a formal inquiry; Naftali Bennett, who succeeded Netanyahu as prime minister last year, vowed that he would not allow the allegations to “go unanswered.” Not only are there obvious civil-liberties issues at stake, but the surveillance claims have also impacted the high-profile trial of Netanyahu, who has been accused, among other things, of offering media companies regulatory perks in exchange for pliant coverage. In addition to people close to Netanyahu, a key state witness in the trial was named on the list, as was a co-defendant whose husband (also indicted) owned Walla, one of the sites that Netanyahu is said to have influenced. Walla’s CEO and former editor in chief, as well as journalists from the site, were on the list as well, with Calcalist reporting that police hacked their phones in a bid to determine what pressure they were under, their credibility as witnesses, and whether they may be hiding evidence. After the list came out, the court ordered the prosecution to investigate whether any evidence was illegally obtained; if it was, Netanyahu could call for the case against him to be chucked (though in Israel, unlike in the US, such evidence is permissible in some circumstances). For now, his allies are using the list to attack the process and stall. Two hearings have already been postponed this week.

ICYMI: We know who Trump is already

Pegasus may be an Israeli-made tool, but it has long been embroiled in similar scandals all around the world. NSO Group, which created Pegasus, has insisted that it only licenses its software to governments for legitimate law-enforcement purposes, but authoritarian regimes have abused it to spy on opponents and critics as well. Last summer, a consortium of seventeen major news organizations led by Forbidden Stories, a Paris-based group that works to amplify the reporting of threatened journalists, obtained a list of more than fifty thousand phone numbers globally that NSO clients selected for possible surveillance. It’s not clear how many of those were actually targeted, but Forbidden Stories worked with researchers at Amnesty International to prove that dozens of listed phones had been successfully infected with Pegasus, including devices belonging to journalists in India, Hungary, Morocco, and elsewhere.

Since then, the fallout has continued. French intelligence authorities confirmed traces of Pegasus on the phones of three journalists, including a senior staffer at the international broadcaster France 24; India’s supreme court ordered an independent inquiry into that country’s alleged use of the tool, while targeted journalists in Hungary moved to sue both their government and NSO. Fresh allegations have come to light, too, many of them involving the press. In November, Apple warned two journalists in Uganda that their phones may have been compromised by state-sponsored actors. In December, the Washington Post reported that an agency in the United Arab Emirates put Pegasus on the phone of Jamal Khashoggi’s wife in the months before Khashoggi was murdered by the Saudi state. Last month, meanwhile, civil-society groups reported that Pegasus was used to hack dozens of female activists and journalists in Bahrain and Jordan as well as dozens of reporters in El Salvador, including more than half the staff of the renowned investigative outlet El Faro. (Implicated governments have routinely denied such allegations, as NSO has continued to insist that it has no oversight of their conduct.)

Sign up for CJR's daily email

In November, the Biden administration effectively blacklisted NSO, complicating the group’s access to US-made equipment used in its operations. Israeli officials were reportedly furious about the decision—not least because the US itself had previously tested Pegasus. According to a detailed recent report by Ronen Bergman and Mark Mazzetti in the New York Times Magazine, the FBI acquired the software in 2019; Israel initially banned NSO from allowing its tool to target US phone numbers, but it approved a special version of the software, known as Phantom, that would be able to hack American devices for the exclusive potential use of US law-enforcement agencies. The FBI eventually decided not to deploy NSO tools, but it continued to pay to license them for two years while it reached a decision. Bergman and Mazzetti also reported, meanwhile, that the CIA paid for the nation of Djibouti to acquire Pegasus despite human-rights concerns there, including the persecution of journalists and the torture of opponents.

Pegasus has truly terrifying surveillance capabilities, using bugs to reach almost every piece of data on a targeted phone and even to take over its camera and microphone. (Apple said last year that it has patched flaws in its devices that Pegasus exploited.) Its apparently widespread use against journalists by state actors comes against a backdrop of broader cybersecurity concerns that are only growing across the news industry, including in the US. American journalists have been advised to use burner phones while covering the ongoing Winter Olympics in Beijing; last week, meanwhile, News Corps advised journalists at its titles, including the Wall Street Journal, that they had recently discovered a long-time effort—that apparently was successful—to hack reporting materials and other documents related to topics of interest to Chinese intelligence. News Corp said that the threat appeared to have been contained, and vowed to provide staffers with more details and advice. Still, as CNN’s Oliver Darcy put it last week, cyberattacks “are really among the top fears—if not the top fear—of newsrooms in 2022.”

Taken together, all these stories show that this is a truly global fear, too. Pegasus, specifically, may not be able to target journalists with US phone numbers. But, as Forbidden Stories reported last summer, it has enabled authoritarian regimes to export surveillance, targeting expat reporters living overseas or apparently, in some cases, staffers at global news operations who are based outside the US. (Roula Khalaf, the editor of the Financial Times, has been listed as a possible Pegasus target, as have reporters with the Journal, the Times, and CNN.) The FBI may ultimately have decided not to use the software, but the fact that it considered using it is further proof that we shouldn’t view state-sponsored hacking as yet another abstract abuse of faraway autocracies. There’s nothing to suggest US agencies would have used Pegasus to target anyone other than criminals in line with NSO’s stated goals, let alone journalists. But once a spying capability is established, all it takes is for those lines to become a little blurred.

We’re seeing exactly that in Israel at the moment. The Israeli government’s regulatory role, and consequent national-security interest, in deciding who gets to use NSO products has been well-documented, including by Forbidden Stories and the Times, but until now, many Israeli citizens had not perceived it as a domestic threat to civil libertieseven though Pegasus and other tools have long been used domestically, to surveil Palestinian activists. As Anshel Pfeffer writes for Haaretz (an Israeli paper that partnered with Forbidden Stories on its Pegasus project), Israel is having “its Edward Snowden moment,” with privacy concerns driving a “feeding frenzy” across the country’s media and, with no little irony, among supporters of Netanyahu. “Finally, Pegasus is deemed worthy of main headlines,” Pfeffer writes. “It’s being used against us.”

Below, more on Pegasus and Israel:

  • NYPDebrief: Yesterday, Motherboard’s Joseph Cox reported that a section of the New York City Police Department that focuses on intelligence-gathering also once received a Pegasus demo, with other regional law-enforcement agencies invited to attend. Cox has previously reported that NSO tried to sell its modified Phantom software to police officials in San Diego and Los Angeles. “In emails previously obtained by Motherboard, one San Diego Police Department officer described the tool as ‘awesome,’” Cox writes.
  • Pushback: After Biden effectively blacklisted NSO, dozens of human-rights groups wrote to the European Union urging it to take similar action, arguing that EU rules allow the bloc to sanction NSO and curb the spread of its technology. (Hungary, which is an NSO client, is an EU member state.) European lawmakers previously debated Pegasus, while on the world stage, Michelle Bachelet, a top UN official, told a hearing focused on Pegasus that until human-rights concerns can be addressed, “governments should implement a moratorium on the sale and transfer of surveillance technology.”
  • Private use: In November, law enforcement in Mexico arrested a businessman and charged him with using Pegasus to spy on a journalist; the authorities didn’t name the businessman, but news reports linked him to a company that acted as an intermediary between NSO and the Mexican government, which was an early NSO client. Thousands of Mexican phone numbers were on the possible-surveillance list obtained by Forbidden Stories and its partners, and numerous journalists in the country are known to have been hacked with Pegasus.
  • “A Ruinous Obsession”: In 2019, Ruth Margalit profiled Netanyahu for CJR as the media-related case against him heated up. “Netanyahu has, perhaps to his ruin, built himself into the media’s omnipresent foil,” she wrote. “Among analysts of Israeli politics, the most common word used to describe Netanyahu’s view of the press is ‘obsession.’”


Other notable stories:

On the podcast: George Packer on a dishonorable ending in Afghanistan

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Jon Allsop is a freelance journalist whose work has appeared in the New York Review of Books, Foreign Policy, and The Nation, among other outlets. He writes CJR’s newsletter The Media Today. Find him on Twitter @Jon_Allsop.