The danger is still on our devices

Update (February 22): On Monday, February 21, Israel’s justice ministry contradicted the recent reporting by Calcalist, cited below, claiming that police in the country used Pegasus, a potent Israeli-made spyware tool, to warrantlessly surveil various public figures. Following an investigation, the ministry said that police never targeted the vast majority of names on the list published by Calcalist, and obtained judicial approval to target the others. Calcalist said that the ministry’s findings “require serious consideration and re-examination of the findings and allegations we published,” but also noted that the investigation “validates” the paper’s core claim that police have used spyware against Israeli civilians.

Last month, Calcalist, a business newspaper in Israel, reported that police in the country had used Pegasus, a potent spyware tool made by an Israeli company, to warrantlessly surveil cellphones belonging to political figures who were not under formal criminal investigation. Further reports about the surveillance dripped out in the weeks that followed; then, on Monday, Calcalist dropped a bombshell, publishing a list of individuals whose phones were targeted. Mayors and anti-government protesters, including disability-rights activists, were on the list, as were journalists and senior government officials suspected of leaking to the press. Media advisers to Benjamin Netanyahu, the former prime minister, were named. So was his son.

The list intensified what was already a scandal in Israel: a government minister pledged a formal inquiry; Naftali Bennett, who succeeded Netanyahu as prime minister last year, vowed that he would not allow the allegations to “go unanswered.” Not only are there obvious civil-liberties issues at stake, but the surveillance claims have also impacted the high-profile trial of Netanyahu, who has been accused, among other things, of offering media companies regulatory perks in exchange for pliant coverage. In addition to people close to Netanyahu, a key state witness in the trial was named on the list, as was a co-defendant whose husband (also indicted) owned Walla, one of the sites that Netanyahu is said to have influenced. Walla’s CEO and former editor in chief, as well as journalists from the site, were on the list as well, with Calcalist reporting that police hacked their phones in a bid to determine what pressure they were under, their credibility as witnesses, and whether they may be hiding evidence. After the list came out, the court ordered the prosecution to investigate whether any evidence was illegally obtained; if it was, Netanyahu could call for the case against him to be chucked (though in Israel, unlike in the US, such evidence is permissible in some circumstances). For now, his allies are using the list to attack the process and stall. Two hearings have already been postponed this week.

ICYMI: We know who Trump is already

Pegasus may be an Israeli-made tool, but it has long been embroiled in similar scandals all around the world. NSO Group, which created Pegasus, has insisted that it only licenses its software to governments for legitimate law-enforcement purposes, but authoritarian regimes have abused it to spy on opponents and critics as well. Last summer, a consortium of seventeen major news organizations led by Forbidden Stories, a Paris-based group that works to amplify the reporting of threatened journalists, obtained a list of more than fifty thousand phone numbers globally that NSO clients selected for possible surveillance. It’s not clear how many of those were actually targeted, but Forbidden Stories worked with researchers at Amnesty International to prove that dozens of listed phones had been successfully infected with Pegasus, including devices belonging to journalists in India, Hungary, Morocco, and elsewhere.

Since then, the fallout has continued. French intelligence authorities confirmed traces of Pegasus on the phones of three journalists, including a senior staffer at the international broadcaster France 24; India’s supreme court ordered an independent inquiry into that country’s alleged use of the tool, while targeted journalists in Hungary moved to sue both their government and NSO. Fresh allegations have come to light, too, many of them involving the press. In November, Apple warned two journalists in Uganda that their phones may have been compromised by state-sponsored actors. In December, the Washington Post reported that an agency in the United Arab Emirates put Pegasus on the phone of Jamal Khashoggi’s wife in the months before Khashoggi was murdered by the Saudi state. Last month, meanwhile, civil-society groups reported that Pegasus was used to hack dozens of female activists and journalists in Bahrain and Jordan as well as dozens of reporters in El Salvador, including more than half the staff of the renowned investigative outlet El Faro. (Implicated governments have routinely denied such allegations, as NSO has continued to insist that it has no oversight of their conduct.)

In November, the Biden administration effectively blacklisted NSO, complicating the group’s access to US-made equipment used in its operations. Israeli officials were reportedly furious about the decision—not least because the US itself had previously tested Pegasus. According to a detailed recent report by Ronen Bergman and Mark Mazzetti in the New York Times Magazine, the FBI acquired the software in 2019; Israel initially banned NSO from allowing its tool to target US phone numbers, but it approved a special version of the software, known as Phantom, that would be able to hack American devices for the exclusive potential use of US law-enforcement agencies. The FBI eventually decided not to deploy NSO tools, but it continued to pay to license them for two years while it reached a decision. Bergman and Mazzetti also reported, meanwhile, that the CIA paid for the nation of Djibouti to acquire Pegasus despite human-rights concerns there, including the persecution of journalists and the torture of opponents.

Pegasus has truly terrifying surveillance capabilities, using bugs to reach almost every piece of data on a targeted phone and even to take over its camera and microphone. (Apple said last year that it has patched flaws in its devices that Pegasus exploited.) Its apparently widespread use against journalists by state actors comes against a backdrop of broader cybersecurity concerns that are only growing across the news industry, including in the US. American journalists have been advised to use burner phones while covering the ongoing Winter Olympics in Beijing; last week, meanwhile, News Corps advised journalists at its titles, including the Wall Street Journal, that they had recently discovered a long-time effort—that apparently was successful—to hack reporting materials and other documents related to topics of interest to Chinese intelligence. News Corp said that the threat appeared to have been contained, and vowed to provide staffers with more details and advice. Still, as CNN’s Oliver Darcy put it last week, cyberattacks “are really among the top fears—if not the top fear—of newsrooms in 2022.”

Taken together, all these stories show that this is a truly global fear, too. Pegasus, specifically, may not be able to target journalists with US phone numbers. But, as Forbidden Stories reported last summer, it has enabled authoritarian regimes to export surveillance, targeting expat reporters living overseas or apparently, in some cases, staffers at global news operations who are based outside the US. (Roula Khalaf, the editor of the Financial Times, has been listed as a possible Pegasus target, as have reporters with the Journal, the Times, and CNN.) The FBI may ultimately have decided not to use the software, but the fact that it considered using it is further proof that we shouldn’t view state-sponsored hacking as yet another abstract abuse of faraway autocracies. There’s nothing to suggest US agencies would have used Pegasus to target anyone other than criminals in line with NSO’s stated goals, let alone journalists. But once a spying capability is established, all it takes is for those lines to become a little blurred.

We’re seeing exactly that in Israel at the moment. The Israeli government’s regulatory role, and consequent national-security interest, in deciding who gets to use NSO products has been well-documented, including by Forbidden Stories and the Times, but until now, many Israeli citizens had not perceived it as a domestic threat to civil liberties—even though Pegasus and other tools have long been used domestically, to surveil Palestinian activists. As Anshel Pfeffer writes for Haaretz (an Israeli paper that partnered with Forbidden Stories on its Pegasus project), Israel is having “its Edward Snowden moment,” with privacy concerns driving a “feeding frenzy” across the country’s media and, with no little irony, among supporters of Netanyahu. “Finally, Pegasus is deemed worthy of main headlines,” Pfeffer writes. “It’s being used against us.”

Below, more on Pegasus and Israel:

• NYPDebrief: Yesterday, Motherboard’s Joseph Cox reported that a section of the New York City Police Department that focuses on intelligence-gathering also once received a Pegasus demo, with other regional law-enforcement agencies invited to attend. Cox has previously reported that NSO tried to sell its modified Phantom software to police officials in San Diego and Los Angeles. “In emails previously obtained by Motherboard, one San Diego Police Department officer described the tool as ‘awesome,’” Cox writes.
• Pushback: After Biden effectively blacklisted NSO, dozens of human-rights groups wrote to the European Union urging it to take similar action, arguing that EU rules allow the bloc to sanction NSO and curb the spread of its technology. (Hungary, which is an NSO client, is an EU member state.) European lawmakers previously debated Pegasus, while on the world stage, Michelle Bachelet, a top UN official, told a hearing focused on Pegasus that until human-rights concerns can be addressed, “governments should implement a moratorium on the sale and transfer of surveillance technology.”
• Private use: In November, law enforcement in Mexico arrested a businessman and charged him with using Pegasus to spy on a journalist; the authorities didn’t name the businessman, but news reports linked him to a company that acted as an intermediary between NSO and the Mexican government, which was an early NSO client. Thousands of Mexican phone numbers were on the possible-surveillance list obtained by Forbidden Stories and its partners, and numerous journalists in the country are known to have been hacked with Pegasus.
• “A Ruinous Obsession”: In 2019, Ruth Margalit profiled Netanyahu for CJR as the media-related case against him heated up. “Netanyahu has, perhaps to his ruin, built himself into the media’s omnipresent foil,” she wrote. “Among analysts of Israeli politics, the most common word used to describe Netanyahu’s view of the press is ‘obsession.’”

Other notable stories:

• Sarah Palin’s libel trial against the Times continued yesterday with James Bennet, the paper’s former opinion editor, taking the stand; under tough questioning, he took full responsibility for inserting the suggestion that Palin incited a mass shooting into a 2017 editorial and insisted that it was never his intention to directly link Palin to the attack, testifying that his experience working as a Middle East correspondent left him with a broad definition of the term “incitement.” The Post’s Erik Wemple writes, meanwhile, that the Palin case is revealing how top outlets rush to filter breaking news through a “both sides” template, and that the practice is coming away “looking tattered.”
• The New Yorker’s Isaac Chotiner assessed the journalist Vicky Ward’s claims that Graydon Carter killed her reporting on sexual-abuse allegations against Jeffrey Epstein in 2003, when Ward and Carter worked at Vanity Fair. Chotiner concludes that “Ward has repeatedly misrepresented her reporting on Epstein, changing her story from year to year and at times from day to day, and was a far less heroic actor than she would have her audiences believe.” Ward accused The New Yorker of “malicious inaccuracies” and argued that it has a conflict of interest since, like Vanity Fair, it is owned by Condé Nast.
• According to Politico’s Erin Banco, Biden administration health officials are working to refine the way they collect COVID hospitalization data, asking hospitals to differentiate between patients who are admitted because of COVID and those who test positive for COVID after being admitted for another reason. One health expert warned Banco that this will not be an easy task since it’s often hard to pinpoint the role COVID played in an admission. (I wrote about this, and other false COVID dichotomies, two weeks ago.)
• For the newsletter Creative Contemplation, Catherine Yeo explores the difficulty of getting Wikipedia to recognize prominent online content creators. “Unlike other professions, creators establish their own notability,” and yet Wikipedia’s notability standards tend to recognize mainstream-media attention over online virality. This creates a “broken loop,” Yeo writes, since journalists rely on Wikipedia as well as vice versa.
• Dave Portnoy, the founder of Barstool Sports, is suing Insider after the site published a pair of stories in which multiple women accused him of sexual abuse; Portnoy claims that the articles defamed him and violated his privacy, fed into a “climate of fear and ‘cancel culture’ permeating the media,” and were timed to hurt the stock price of one of Barstool’s owners. Insider denies this and plans to “defend the case vigorously.”
• Reporters at the Financial Times followed up on a “#MeToo moment” at Axel Springer, the German media giant that fired a top editor following a report in the Times last year, just as the company was finalizing a big-money move for Politico. At the time, bosses suggested that the Times had brought new details about sexual wrongdoing to their attention, but the FT reports that they had long been aware of the editor’s conduct.
• For the Committee to Protect Journalists, Ann Cooper spoke with Olga Rudenko—the editor of the Kyiv Independent, a news site founded by staffers who were abruptly fired from the Kyiv Post in somewhat murky circumstances last year—about her nascent site’s coverage of the rising Russian threat to Ukraine. The story is “taking a toll on people emotionally,” she said. “This is not just a story that we cover, it’s a story that we live.”
• Readers who recall the “WAGatha Christie” libel case in the UK will be pleased to hear that it is back in court. (For the uninitiated: Rebekah Vardy, a soccer star’s wife, is suing another star’s wife who accused Vardy of leaking stories about her to the press.) Texts disclosed in court suggest that Vardy and her agent often discussed leaking. Other texts have gone missing. The agent said that she accidentally dropped her phone in the sea.
• And law enforcement in New York arrested Ilya Lichtenstein and Heather Morgan, a couple who allegedly conspired to launder billions of dollars in stolen bitcoin. Investigators didn’t share much background on the pair, but reporters soon discovered that Morgan raps under the alias “Razzlekhan” and has contributed articles to Forbes. One of her stories? “Experts Share Tips to Protect Your Business From Cybercriminals.”

On the podcast: George Packer on a dishonorable ending in Afghanistan