The Media Today

Q&A: The Citizen Lab’s John Scott-Railton on tackling the ongoing threat of Pegasus

February 21, 2024
Via Pixabay

A year ago, we wrote in this newsletter about the ongoing threat to journalists posed by Pegasus, a highly sophisticated spyware tool made by the Israeli cyber firm NSO Group. NSO has claimed that it sells its product to state actors only for the purposes of investigating crimes and preventing terrorism, but researchers have found that the software has also been used to covertly monitor journalists, activists, and politicians. Since we wrote a year ago, Pegasus has been detected on the cellphones of journalists in the Dominican Republic, India, Jordan, Armenia, and Togo. It was also placed on the phone of Galina Timchenko, the founder of the exiled Russian outlet Meduza, perhaps by an EU member state.

In the same period, discussions around the regulation of Pegasus and similar spyware have intensified in some parts of the world. Earlier this month, the Biden administration announced a new policy that will restrict access to US visas for foreign individuals who are found to have misused commercial spyware. Such conduct, Antony Blinken, the secretary of state, said, “threatens privacy and freedoms of expression, peaceful assembly, and association,” and “has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”

The Citizen Lab, a research center based in the Munk School of Global Affairs and Public Policy at the University of Toronto, began tracking the use of NSO spyware against journalists and other civil-society actors after a discovery by senior researcher Bill Marczak in 2015. According to John Scott-Railton, a researcher in the lab who has been involved in the work, companies like NSO Group do not want to limit the sale of their product to the small number of democratic countries where enough oversight exists to ensure it is not leveraged to target dissidents. As a result, Scott-Railton said, “the abuse problem is baked into the business model.” 

Scott-Railton is optimistic about the recent steps taken by the Biden administration. But he wants others, including the European Union, to do more. Last week, I spoke with him about how the Citizen Lab discovers new infections, why regimes use spyware to target journalists, and the efforts to rein in the problem. Our conversation has been edited for length and clarity.

YTRG: Earlier this month, the Biden administration announced a policy that will impose visa restrictions on people who misuse commercial spyware. What impact do you think that will have on the viability of the sort of mercenary attacks that you investigate at the Citizen Lab?

JSR: It’s extremely welcome. For years, we’ve seen the US administration trying to pump the brakes on spyware proliferation. They’ve done this by focusing on companies using “entity listings,” which prevent US companies from doing business with a foreign company on the list. They’ve also used an executive order which prevents the federal government from doing business with companies engaged in bad behavior. This [new policy] focusing on individuals is like the third leg to this stool, and I think it’s critically important. Spyware companies often use corporate registrations and shell structures as flags of convenience—not so different from an oil tanker in China using a flag of a landlocked nation. Corporate structures can fold up their tents and disappear overnight, but the people and their desires to see Disney World or have their kids go to a US college, those things remain constant. Also, if investors see this business as something that could potentially directly impact [their ability to get a US visa], I think that it will help chill the investment interest that has fueled the proliferation problem.

Sign up for CJR's daily email

I remember when the Biden administration effectively blacklisted NSO Group in 2021. Did that have any noticeable impact on the proliferation of spyware?

If we take a look at NSO Group, our reports had some effect on them. But the thing that really caused a precipitous drop in [the company’s] debt valuation was the entity listing [by the US government], and that was the first sign that focusing on the financial underpinnings might make sense. 

Where I feel like more needs to happen is Europe, which has had more than its fair share of spyware scandals and still is struggling to do basic accountability work. Europe is the place for privacy protection and I am astonished by how little progress is happening there around accountability for spyware. This has a lot to do with the fact that the European Parliament is limited in talking about matters that states consider to be [questions of] national security, which is used as a fig leaf to cover a lot of abuses. The problem extends to the targeting of media in Europe. Access Now, in collaboration with the Citizen Lab, published a critical piece last year on the targeting of the director of a Russian independent media house who’s based in Europe. I think that is really the tip of the iceberg of the problem. And if Europe doesn’t deal with this, it’s going to become an increasingly less safe place to be a journalist.

One thing that I’m quite excited about is that in the last week, it’s become clear that the current Polish government is heading toward a serious national inquiry into the Pegasus spyware abuses that happened under the past government. I’m quite optimistic about where that will take us.

What about operating systems? Have they taken steps to prevent the abuse of spyware?

I’m excited about some of the steps that different device manufacturers and operating system developers have taken. Apple, for example, had been doing a cat-and-mouse game with technical control measures against spyware like Pegasus. When they would find [vulnerabilities that could be exploited by malware], they would patch them. They also turned to the courts and sued NSO Group. But they did more than that. They also released “lockdown mode,” which [disables riskier features like message attachments and] has been incredibly impactful in blocking attacks. 

One of the other big things that Apple, Meta, and Google have been doing is notifying victims [when their devices have been targeted]. When I think about the big scandals that have started to lead toward accountability since late 2021, when Apple did its first round of notifications, that contribution is huge. Thailand, Poland, and so many more [countries] have had their governments’ bad behavior with spyware first detected through the receipt of those notifications. This shows that big tech companies are leaning on a holistic approach and the recognition that making a more secure device is not going to be enough to stop the spyware industry alone. And that’s partly an indication of just how much interest and financial incentive there is to keep finding new holes in operating systems and new ways to hack people. The desire is always there.

How does the Citizen Lab find out about individual cases where spyware is being misused? 

Our research was broadly driven two ways. One is through internet scale analysis: that there might be infections in a particular country, for example, and then we would go and start working with people in civil society who we suspect might be likely targets, like journalists, high-profile dissidents, and other government critics. The other way is people would come knocking on our digital door and say, Hey, I think something’s going on; maybe we’re being targeted. The notifications [that Apple and others send out] added a whole host of cases where people would see these things land and then they might come to us—or to organizations like Access Now, Reporters Without Borders, and Amnesty International—and say, Hey, I got this notification. What does it mean? Should I be concerned? If you get such a notification, you should absolutely be concerned. This really changed the balance: the notifications mean that not every case has to be first surfaced through this incredibly long, ground-up search for victims. It really helps laser in on places where there may be bad things going on.

It also imposes real costs on NSO Group in some other interesting ways. Of course this triggers our investigations and leads to public revelations. But also, if you’re a customer of a company like NSO, your ability to keep your operations secret depends on every other customer not getting caught because the technology and infrastructure are shared across the whole customer base. If, say, Togo is a particularly reckless and abusive user and it gets caught, that discovery may lead to the winding up of everybody who’s using that particular exploit, that particular version of Pegasus. And so it imposes this very dramatic cost that is directly related to the problems of proliferation—if NSO wasn’t selling to so many countries, they wouldn’t get caught as much. The idea is that because there’s a lot of attention to this, it’s less commercially viable, less appealing to customers.

Mercenary spyware has been widely used to target journalists. Earlier this month, for example, Access Now published a paper on your collaborative investigation into a series of attacks on journalists in Jordan. What do malicious actors hope to achieve by targeting journalists in particular? 

Targeting journalists does a couple of things. Journalists seek out sources, even in the government, who are morally appalled by what’s going on and are talking about it. It helps governments find the people who are critical—find the anonymous voices, and bring consequences to them. The problem, though, goes beyond that. We’ve seen extremely troubling cases in Mexico where family members of journalists get targeted for hacking after cartel assassinations, for example, and other cases where journalists [were found to have been targeted] before they were killed. This speaks broadly to the fact that the complete breakfast of threats is now going to include digital targeting, with potentially disastrous consequences. For most journalists, their phone is an extension of their hand. It shows who they’re talking to, what they’re talking about, where they’re going, the kinds of things they’re searching for. States will spend a lot of money to gain access to those things. 

It’s also why we encourage any journalist that’s doing high-risk work not only to be in touch with organizations that help them secure themselves, but to experiment with lockdown mode on iOS. It profoundly increases their security. As many societies slide toward authoritarianism, the role of journalists couldn’t be more important. They may uncover facts that are threatening to autocratic regimes. Autocrats around the world live in fear of independent journalism.

Have you seen any significant changes in how attacks unfold during your time working on this issue?

When we first started looking into mercenary spyware on phones, it took us a long time to find the first cases. Now we seem to find them wherever we scratch. We’re in a period of profound reckoning and accountability around the mercenary spyware industry. We’re also in the heyday of spyware abuses. It means, at this point, that people doing journalism should consider themselves potential targets who need to take the same kind of steps that they would take if they were worried that a government were surveilling their physical meetings. Fortunately, over the past ten years, newsrooms have really come to see digital security as an important thing. The next step is personal device security and the protection of phones, which doesn’t always get addressed by newsrooms, especially because many journalists use a mixture of personal and work devices in their reporting. Then there are freelancers and others who don’t have the benefit of a big newsroom behind them, but who face the same threats, just with many fewer resources to mitigate them.

I’ve read that companies like NSO Group have gone to some extreme lengths to thwart your investigations. Can you tell me about that?

In 2019, the Citizen Lab was targeted by [an intelligence agency called] Black Cube, according to reporting by Ronan Farrow in The New Yorker. They appear to have been seeking out information about our investigative work on NSO Group. We don’t know for sure who commissioned Black Cube to do that but it’s pretty clear that their interest was focused around our work on NSO Group, trying to get secrets and trying to discredit us. After that report became public, it was clear that other entities that had done investigative work or represented spyware victims had also been targeted, either with NSO’s Pegasus spyware themselves, or with this sort of shady, in-person, mercenary surveillance operation. I think what is very clear is that companies like NSO Group really don’t want to be exposed to accountability and consequences. That’s why we’re in such an important moment, because various sectors, beyond just the familiar human-rights organizations and researchers and even tech companies, are recognizing that this is a problem. That’s why recent actions by the Biden administration have been so welcome.

Other notable stories:

  • Yesterday, a spokesperson said that the Biden administration is preparing “major sanctions” against Russia following the death in prison last week of Alexei Navalny, the opposition leader (and sometime journalist, as we wrote on Monday). Elsewhere, X (formerly Twitter) restored the account of Yulia Navalnaya, Navalny’s widow, after briefly suspending it; the platform said that the suspension was a mistake. In Russia, a court upheld the pretrial detention of the jailed Wall Street Journal reporter Evan Gershkovich, ensuring that he will pass the one-year mark in prison in the country. And Russian officials declared Radio Free Europe/Radio Liberty—a US-backed broadcaster whose journalist Alsu Kurmasheva is also in jail in Russiato be an “undesirable organization.”
  • Last week, US law enforcement arrested Alexander Smirnov, a former FBI informant, on charges that he fabricated bribery allegations against President Biden and his son Hunter; yesterday, in a court filing, prosecutors noted a claim by Smirnov that officials involved with Russian intelligence had passed him a story about Hunter, but also painted Smirnov as “a serial liar incapable of telling the truth about even the most basic details of his own life,” the Times reports. The bribery allegations were hyped by Congressional Republicans to justify their impeachment probe into Biden—as well as by right-wing media figures including the Fox host Sean Hannity. Media Matters for America has more.
  • For Reading the Pictures, Michael Shaw (who has written for CJR about the use of images in news coverage) argues that major outlets demonstrated ageism in how they illustrated stories about the recent special counsel report that took aim at Biden’s mental faculties. “Regardless of whether the articles defend Biden or take a more objective view, the photo editing all too often depicts Biden as distracted, confused, or struggling with his memory,” Shaw writes. One image published in the Times constituted “a symbolic enactment of a cognitive eclipse, a leader there in body but not in mind.”
  • Recently, we wrote about a report recommending that lawmakers in Illinois consider various forms of legislation to support local news. Now a local TV journalist turned state senator has introduced a pair of bills that would force big tech firms to pay local outlets and offer the latter “a broad array of incentives, tax breaks and scholarships,” the Medill Local News Initiative’s Mark Caro reports. One expert told Caro that the bills constitute the “most ambitious package of local journalism policy that I’ve seen.”
  • And Jordan Green, an investigative reporter for Raw Story, wrote about what happened after he started investigating a neo-Nazi group and its “multi-state campaign of racist, antisemitic and homophobic violence.” Green was harassed online, then over the phone; eventually, six white supremacists turned up outside his home, where they brandished traffic flares and gave Nazi salutes. One held a sign warning Green of “consequences.”

New from CJR: Why Drill Rap Is a Form of Journalism

Yona TR Golding is a CJR fellow.