The danger on our devices

In 2017, Laurent Richard, a French journalist, launched Forbidden Stories, a project that would aim to amplify and continue the work of murdered, or otherwise threatened, reporters around the world. “There is danger all the time. There is danger on the computer, there is danger on the devices, there is legal danger,” Richard told me at the time. “The best protection for this dangerous mission is a collaborative aspect. If we are together we are stronger.” In 2018, Forbidden Stories worked with news organizations around the world to dig into the murder of Daphne Caruana Galizia, a Maltese investigative journalist; in 2019, the group exposed the environmental damage done by mining companies on three continents, and the harassment faced by reporters investigating it. Last year, Forbidden Stories produced the Cartel Project, which picked up on the work of Regina Martínez—a journalist who covered crime and corruption for Proceso, in Mexico, before she was murdered at her home, in 2012—and highlighted threats to Mexican reporters more generally, including that of digital surveillance: at least ten journalists, including Jorge Carrasco, who worked on the Panama Papers and is now Proceso’s top editor, had had their phones targeted with Pegasus, a potent spyware tool marketed by an Israeli firm.

Yesterday, Forbidden Stories and sixteen media partners—including the Washington Post, PBS, the Organized Crime and Corruption Reporting Project, and outlets in the UK, France, Germany, Belgium, Mexico, India, Hungary, and Lebanon—dropped a new project focused much more closely on the “danger on the devices,” and on Pegasus, in particular. The group was able to review a leaked list containing more than fifty thousand phone numbers that state clients of NSO Group, the developer of Pegasus, marked for possible surveillance in countries around the world, including numbers belonging to at least a hundred and eighty journalists, as well as activists, businesspeople, and politicians, up to and including heads of state. The provenance of the list remains murky, and it’s not clear how many of the phones that appear on it were actually compromised—but an analysis by Amnesty International’s Security Lab confirmed the infiltration or attempted infiltration with Pegasus of thirty-seven listed phones, as well as a close correlation between those attacks and timestamp data on the list. “By sharing access to this data with the other media organizations in the Forbidden Stories consortium,” Richard and his colleague Sandrine Rigaud write, “we were able to develop additional sources, collect hundreds of documents, and put together the harrowing evidence of a surveillance apparatus that has been wielded ferociously against large swaths of civil society—outside of all legal restrictions.”

ICYMI: Cuba’s internet and journalism blackouts

NSO Group has pushed back sharply on the reporting of Forbidden Stories and its partners in the “Pegasus Project.” The company has always maintained that it only licenses Pegasus for state actors to use against terrorists and other serious criminals, that it does not have insight into clients’ use of the software, and that it has moved to revoke access in cases where it has been shown to be abused. (It has also claimed that it takes human rights into account when licensing Pegasus to governments, despite its clients including repressive regimes such as Azerbaijan and Saudi Arabia; Forbidden Stories reports that Israel’s defense ministry pushed NSO to sell to the Saudis, a dynamic that NSO has denied.) In response to the Pegasus Project, NSO pledged to investigate the new claims of abuse. The company also, however, cast doubt on the project’s reporting, including the authenticity of the list of numbers. “Your sources have supplied you with information that has no factual basis,” NSO said. “NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred.”

The journalists identified by the Pegasus Project as possible targets for surveillance work in twenty countries, many of which are known for their repressive (often increasingly so) climates for independent journalism. At least forty journalists in India were named as possible targets, including Siddarth Varadarajan and other reporters associated with The Wire, and Paranjoy Guha Thakurta, whose phone was hacked in 2018, while he was investigating the finances of a man who, prior to his death, was once India’s richest. In 2019, Szabolcs Panyi, an investigative reporter at Direkt36, in Hungary, was targeted with Pegasus. (Varadarajan and Panyi both contributed to the Pegasus Project.) An NSO client that appears to be the government of Morocco selected thirty-five journalists as possible targets, including Taoufik Bouachrine, a newspaper editor who is serving a prison sentence on rape charges that his supporters say were politically motivated; his wife’s number was also listed as a possible target, as were the numbers of at least five of his accusers, two of whom retracted their testimony. It had already been reported that Omar Abdulaziz, a friend of the Saudi journalist Jamal Khashoggi, was targeted with Pegasus prior to Khashoggi’s murder by the Saudi state, in 2018. The Pegasus Project found that other people close to Khashoggi were targeted, too, including, in the days after the murder, Hatice Cengiz, his fiancée. (NSO has denied any link to Khashoggi’s killing.)

As the Pegasus Project shows, spyware seems to be allowing authoritarian regimes to expand the scope of their repression overseas. The project’s analysis found that the phone of Hicham Mansouri, another Moroccan journalist, was infected with Pegasus more than twenty times this year, even though he now lives in exile in France; the phone of Edwy Plenel, a French journalist with Mediapart, was compromised in 2019, right around the time he visited Morocco to attend a conference, during which he criticized the Moroccan government. According to The Guardian, an NSO client that appears to be the government of the United Arab Emirates selected several foreign journalists as possible surveillance targets—including Roula Khalaf, the editor in chief of the Financial Times; Gregg Carlstrom, a Middle East reporter at The Economist; and Bradley Hope, an investigative reporter, then of the Wall Street Journal, who co-wrote a book about corruption in Malaysia that implicated a senior Emirati royal. Other possible targets on the list include reporters who have worked for the New York Times, CNN, the Associated Press, Reuters, Bloomberg, Voice of America, Al Jazeera, and Agence France-Presse.

Sign up for CJR's daily email

When Carrasco, the Mexican journalist who worked on the Panama Papers, was targeted with Pegasus, in 2016, the attack took the form of a weird text message asking him to click through on a link—a mode of delivery that naturally strikes at least some targets as suspicious. Since then, Pegasus has become much more sophisticated; now it can compromise phones without the need for the target to click on a link, often exploiting a device’s hidden bugs in ways that can go completely unnoticed by its owner. Once installed, the spyware can access your messages, your location data, even your phone microphone and camera. The ramifications are truly chilling—as Khadija Ismayilova, an Azerbaijani journalist who was targeted, put it, “We’ve been recommending each other this tool or that tool, how to keep our phones more and more secure from the eyes of the government,” but “I realized that there is no way—unless you lock yourself in an iron tent—there is no way that they will not interfere into your communications.” Fighting back, it seems, requires the opposite of the iron-tent approach—the conviction that strength can be found in journalistic numbers, rather than working alone. As Richard has believed since the birth of Forbidden Stories, collaboration is a great shield against danger, however it manifests. 

Below, more on press freedom around the world:


Other notable stories:

ICYMI: New details on the friction Trump caused inside Facebook

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Jon Allsop is a freelance journalist. He writes CJR’s newsletter The Media Today. Find him on Twitter @Jon_Allsop.