BY ALBERT FOX CAHN AND MAXWELL VOTEY
In 2021, we’ve almost become numb to the numbers from ransomware. Billions of dollars are being spent by companies, governments, and individual private citizens to buy back their own data—their hard drives held cryptographically hostage by criminals half a world away. But while ransomware may be the costliest form of cybercrime, it’s not the most dangerous. Especially for dissidents.
That is the latest finding from Amnesty International, which found that the secretive NSO Group, an Israel-based security firm, had developed chilling new tools to track and target dissent. Governments that use NSO’s Pegasus spyware can access our entire virtual life—virtually every file and account on our phone. But even worse, Pegasus can transform our devices into real-time tracking machines to capture our conversations, follow our movements, and even record us when we sleep.
NSO claims to only sell this spyware to government users, but we only have their word for it. And even if governments are the only ones with access to these tools (currently), it’s clear they can’t be trusted with them. A review of 50,000 people apparently targeted by NSO found that Pegasus was tracking 65 executives, 85 activists, 189 journalists, and more than 600 government officials, including more than a few Americans.
While ransomware can cost us billions, spyware can undermine our democracy. NSO’s software may be one of the most alarming examples of this technology, but it’s far from the only one. In 2007, the FBI created a fake Seattle Times website to plant spyware on a suspect’s computer. The DEA routinely plants spyware-infected phones on surveillance targets. Reporting on NSO’s lobbying of American law enforcement agencies indicates that agencies did not decline to purchase NSO products out of ethical concerns, but because NSO’s spyware was too expensive.
Part of what makes Pegasus so pernicious is that it’s so hard to fend off. Many of us have been taught by our schools or employers to be suspicious of links, and rightfully so. Phishing attacks that trick users into installing malicious code by clicking a link or downloading a malicious attachment have long been one of the most effective ways to infect a targeted machine. But even the most vigilant users are at risk of NSO’s “zero-click” exploits, which leverage flaws in the phone’s operating system to enter our devices without any help.
Imagine how chilling this is for millions. Imagine if, unknown to you, the device you’re reading this article on were watching you, recording you, all for the benefit of an unseen intelligence service, and all without you ever knowing. The thought is creepy enough for those of us who have protections for free speech and the right to dissent. But the consequences can be deadly for those in authoritarian countries. On the apparent NSO client list are states like Azerbaijan, Rwanda, and Saudi Arabia, which have used spyware to target activists for years.
But abuses by governments abroad can still impact us in the United States. Perhaps the most chilling display of this comes from the state-sanctioned murder and dismemberment of Virginia-based journalist Jamal Khashoggi by the Saudi Arabian government. Reporting suggests that Pegasus was used to track Khashoggi in the months leading up to his death, compromising the devices of two women close to the late Washington Post columnist.
Predictably, NSO has denied the allegations made by Amnesty and others, but their denial is quite telling. NSO has repeatedly said that “our technology was not associated in any way with the heinous murder of Jamal Khashoggi.” The problem is that just a few lines after this denial the group goes on to claim, “NSO does not operate the system and has no visibility to the data.” These two assertions are fatally at odds: If NSO has no visibility into the data gathered by its users, then it has no way of knowing when it is and isn’t abused.
Even if you believe that it should be considered a legitimate business to sell such software to the highest bidder, few would agree that these private companies should be empowered to decide who can and can’t wield the master key to our digital locks.
So far, most of NSO’s impact has been felt outside of the United States, but that is more the product of luck than law. American law enforcement routinely works with a constellation of questionable IT firms to track and break into our devices. While some of these tactics may make sense in extreme circumstances, Pegasus-style malware is far too powerful to be entrusted to any agency. While we may not be able to stop foreign governments from using the tech to murder American residents abroad, as they did with Mr. Khashoggi, we can at least stop them from using this tech here at home.
Albert Fox Cahn (@FoxCahn) is the founder and executive director of the Surveillance Technology Oversight Project (S.T.O.P.), a New York–based civil rights and privacy group, and a fellow at Yale Law School’s Information Society Project and the Engelberg Center for Innovation Law & Policy at New York University School of Law.
Maxwell Votey is a legal intern at STOP, a law student at New York University School of Law, and a Student Fellow at NYU School of Law’s Privacy Research Group.