Democracies are having a reckoning with mercenary spyware

Off-the-shelf spyware has long been associated with abuses by autocratic regimes, but in recent years it’s democracies who are reckoning with the their own potential abuse of such surveillance tools. 

Sophisticated digital surveillance tools were once only available to a handful of government intelligence operations. But mercenary software-as-a-service operations like Pegasus, from Israeli firm NSO Group, have made such powers accessible to practically any government willing to pay.

And many have been, including regimes who appear to have used it as a tool of digital oppression. 

“What we've seen in recent years is that actually it may not just be autocrats and dictators” who seek these services, John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, told The Record. “Clearly the temptation to use this spyware is very great even in democracies — it’s an irresistible temptation.”

The spyware allows attackers to target victims' smartphones — which are now often treasure troves of information about all aspects of our lives and contain microphones and cameras that can be used for intimate surveillance. 

In Mexico, Pegasus has been the subject of repeated controversy and political discord. Earlier this month, President Andrés Manuel López Obrador disputed a report claiming that Pegasus use continued after he took office, while spreading misleading messaging about Citizen Lab’s results. His attorney general then announced his office was investigating the legality of the purchase of the spyware by the previous regime. 

On Tuesday, opposition lawmaker Agustín Basave Alanís said his phone had been infected with Pegasus just last year. Citizen Lab confirmed the infection. 

“I think we haven't seen the last of these cases,” Scott-Railton said. “It's pretty clear that Mexico, again, has a Pegasus problem and it's unfortunate that the state is choosing an approach of distraction.”

The European Parliament is also investigating Pegasus and similar tools. And the White House last week cited countering commercial spyware, alongside digital authoritarianism, as part of its National Security Strategy. 

Last year, the Pegasus Project, a reporting collaboration that reviewed a leak of more than 50,000 phone numbers targeted by the spyware, found the tool was “widely misused” — identifying at least 180 journalists as well as “human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states” who were targeted. 

In Europe, multiple countries have been linked to alleged use of Pegasus or similar spyware — including Spain, Greece, Poland, and Hungary.

But as lawmakers around the world learn more about how such tools have already been used, they’re still grappling with how to respond. 

“Who do you turn to? Do you turn to the very same state institution that you think spied on you?” Hannah Neuman, a German Member of the European Parliament, asked earlier this month during a hearing which featured five members of that body surveilled via spyware. 

The hearing was part of a series held by a committee launched in March by the European Parliament to probe spyware use. It has a year-long mandate and an extensive report is expected from committee rapporteur Sophie in 't Veld in November. 

However, the committee has limited investigatory powers and the global scale of the issue complicates building a legal framework to effectively prevent future abuse of such tools. 

Meanwhile, victims of abusive deployment of spyware currently lack meaningful options of redress — something that must change, according to Rand Hammoud, surveillance campaigner at digital human rights organization Access Now. 

“Those who have been spied upon must be able to get redress from both the governments who do the illegal spying and the companies that knowingly provide them with the specific tools to do so,” said Hammoud. “Both parties must be able to provide adequate compensation or other forms of effective redress.”

Pegasus in Mexico

Reports of abuse involving Pegasus in Mexico emerged years before the Pegasus Project was published — and are still coming.

The University of Toronto’s Citizen Lab reported in 2016 that Pegasus was used to target Mexican journalist Rafael Cabrera, and subsequent research in partnership with Mexican digital rights organizations R3D, ARTICLE 19, and SocialTIC showed that the software was being used to target lawmakers and those involved in major corruption investigations. 

But despite the opening of an official probe, civil liberties groups say there has been little accountability. 

On October 2, the researchers released additional reporting documenting that two Mexican reporters and a human rights defender were infected with Pegasus between 2019 and 2021 — after López Obrador had assured the public his government was no longer using the system.

“Even in the face of global scrutiny, domestic outcry, and a new administration that pledged to never use spyware, the targeting of journalists and human rights defenders with Pegasus spyware continued in Mexico,” Citizen Lab reported. 

The report from Mexican rights’ groups included documentation of Mexico’s Secretariat of National Defense (SEDENA) contracting with a company licensed to sell access to Pegasus, and laid out how the agency sought to hide that relationship. 

In response, López Obrador disputed the spying and SEDENA released a statement saying its contract for Pegasus ran from June 27, 2011 to August 24, 2013. 

On October 14, the Twitter account for the government of Mexico also tweeted an apparent attempt at damage control, highlighting that Citizen Lab found no specific technical forensic link between SEDENA and Pegasus in the recent report. Scott-Railton clapped back — citing records indicating the Mexican Army contracted with firms that appear to be proxies for Pegasus service.

Dear @GobiernoMX,

You neglected to mention the evidence suggesting that the #Pegasus victims would have been of intense interest to your armed forces.

...and that the timing of the hacking reinforces this impression.

Moreover... 1/ pic.twitter.com/7zYlZx7g6A

— John Scott-Railton (@jsrailton) October 15, 2022

In the October 16 statement announcing the inquiry into the legality of Pegasus purchases by the prior administration, Attorney General Alejandro Gertz Manero referenced the sole arrest in the government’s investigation of Pegasus use so far — that of a technician working for the firm that licensed the software on behalf of NSO Group. 

“In this case, evidence has been presented to the judicial authority indicating that the NSO Group company was illegally selling the ‘PEGASUS’ system while, at the same time, using it on its own to deliver the information to other people,” the statement, translated from Spanish, said. 

Scott-Railton sees three potential options, given the Mexican government’s response to the report: President López Obrador knows Pegasus is being deployed and is denying it; it’s being deployed and he doesn’t know it; or victims were targeted by another party — which still represents a national security threat for Mexico. 

NSO Group has long said, including in sworn testimony, it only sells its product to governments. (The company did not respond to a request for comment for this story.)

This week’s announcement from Basave, the Mexican opposition lawmaker whose device was infected, suggests political motivation behind the spying. He is close to a potential 2024 presidential candidate, Luis Donaldo Colosio Riojas, and a member of the Chamber of Deputies, the lower house of Mexico’s federal legislature. 

He was notified of a potential Pegasus infection by Apple last year and decided to come forward publicly in light of the recent revelations, R3d reported. Citizen Lab confirmed the infection occurred in September of 2021 — at a time where Colosio Riojas was visiting the Chamber of Deputies, according to R3d.

A global problem

Mexico is far from alone in dealing with NSO Group controversy. 

The United States sanctioned the company along with a handful of other commercial spyware vendors in November of last year, citing human rights abuses tied to the tools. Weeks later, Apple announced a lawsuit against Pegasus-maker NSO Group. 

However, in January the New York Times reported that the FBI previously had obtained licenses for the spyware — although the bureau said the acquisition was for testing purposes and the technology was not deployed in the field. 

Congress has continued to investigate spyware like Pegasus in hearings this year and the Biden administration remains engaged on the issue.

"We will also work to counter the exploitation of Americans’ sensitive data and illegitimate use of technology, including commercial spyware and surveillance technology, and we will stand against digital authoritarianism,” the White House said in its recent National Security Strategy.

In February, Europe’s top privacy watchdog, the European Union Data Protection Supervisor, recommended banning Pegasus. The European Parliament’s committee is still investigating a number of alleged abuses, including numerous incidents involving targeting or infection of political dissidents in member countries, as well as parliamentarians and the body’s own staff.

"These are really concerning, troubling cases and none of them seem to be anywhere near resolved,” Scott-Railton told The Record. 

The scope of the issues is vast, but not always easy to access. 

In Hungary for example, an official confirmed in November of last year that his government bought and used Pegasus after closed hearings about the technology. The details of the proceedings are sealed until 2050.

The Hungarian Civil Liberties Union announced a legal campaign on behalf of activists and journalists surveilled with the spyware in January. The head of Hungary’s Data Protection Authority later said his agency’s investigation, which is not available to the public, found deployment of the spyware was justified in all cases. 

In Spain, an investigation by Citizen Lab and local civil society groups this April revealed a campaign targeting “European Parliament, Catalan Presidents, legislators, jurists, and members of civil society.” Strong circumstantial evidence linked the campaign, dubbed CatalanGate, to Spanish authorities. 

Alleged use of spyware in Greece also led to a hearing from the European Parliament committee last month. 

“I have so much information, I'm not even sure how I'm going to integrate all that into one report,” committee rapporteur in 't Veld told the Washington Post earlier this month. “And the picture is becoming pretty complete, and it's not a pretty picture,” she added. 

The committee is expected to make recommendations based on its findings — and many human rights observers are hoping it stakes out a strong anti-spyware position, such as a full ban, that can help reset regional and international practices. 

“What is absolutely clear is that the abuses have far outpaced the oversight and may have far outpaced the rule of law and that has to be rectified,” Scott-Railton told The Record. 

He and others who have long warned about the risks posed by tools like Pegasus see momentum building.  

According to Hammoud, many of the apparent abuses already violate international and local norms around human rights. 

“The tide has turned for the spyware industry and the world is realizing that no entity can fully be trusted to employ this technology while upholding human rights under international law.”