New Delhi: In reply to questions sent by the Pegasus Project, the Israel-based NSO Group issued multiple responses, some in the form of direct communication to the 17 media organisations; others in the form of letters from its legal counsel, who warned that in the event of publication, the consortium’s media partners could be sued for defaming the Tel Aviv-based maker of sophisticated spyware.
Thomas Clare – a US-based attorney who specialises in libel cases and whose firm has been engaged by the NSO – said in a letter to The Wire that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that our sources had supplied us with information that had no “factual basis”.
Crucially, Clare wrote that the NSO Group had reason to believe that the records of thousands of phone numbers that the Pegasus Project’s media partners examined were not a list of Pegasus targets of various governments, but instead were part of a larger list of numbers that “might have been used by NSO Group customers for other purposes”.
“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” Clare wrote.
Unpacking this statement is crucial to understanding the implications of the Pegasus Project’s findings.
To begin with, the consortium has not implied and does not believe that all phone numbers present on the leaked list witnessed infiltration attempts or were successfully snooped upon by governments using the Pegasus spyware.
There are multiple takeaways from our investigation of the list of the phone numbers.
Firstly, among those that were verified and identified by media partners, a majority of them fall in geographical clusters in which experts have in the past identified Pegasus infections and the active functioning of a Pegasus operator.
Secondly, and more importantly, the forensic analysis of 37 phones shows a strong correlation between the time a phone number appears in the leaked records and the beginning of surveillance. The gap usually ranges between a few minutes and a couple of hours. In some cases, including forensic tests conducted for two India numbers, the time between a number appearing on the list and the successful detection of a trace of Pegasus infection is just seconds.
While not all phones whose numbers were verified could undergo forensic analysis – for a wide range of reasons, which are laid out in our FAQ – the above-mentioned correlation suggests that for a small cross-section of numbers, their presence on the list was linked to surveillance by a client of the NSO Group.
In his letter, the NSO Group’s attorney has attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on earlier reports.
This boilerplate denial, which contains no specific grievances, is typical of the Israeli firm’s response to reports that have been put out in the past by other organisations. In December 2020, Citizen Lab, a digital surveillance research institute based out of the University of Toronto, released a report that identified how government operatives had used Pegasus to hack into the phones of 36 journalists at Al Jazeera. At the time, Citizen Lab noted that the NSO Group had yet to “seriously engage” with the organisation’s past research, which indicated that it “does not take allegations of human rights abuse seriously”.
But if the list was used by the NSO Group’s clients for “other purposes”, as suggested by the company’s lawyer, what purpose could this be?
When asked, the Israel-based firm changed course, noting that it believed the list was “based on leaked data from publicly accessible, overt sources, such as the HLR Lookup service, which have no bearing on the list of numbers targeted by governments using Pegasus”.
The term ‘HLR’ refers to Home Location Register – used by companies that help operate cellular phone networks. Such databases keep records on the networks of cell phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. HLR lookup services operate on the SS7 system that cellular carriers use to communicate with each other.
Several experts told the Pegasus Project that generally speaking, these services can be used as a step toward spying on targets.
Telecommunications security expert Karsten Nohl, ex-chief scientist for Security Research Labs in Berlin, who prefaced his remarks by saying he had no direct knowledge of the NSO system, noted that HLR lookups and other SS7 queries are widely and inexpensively used by the surveillance industry – often for just tens of thousands of dollars a year.
“It’s not difficult to get that access. Given the resources of NSO, it would be crazy to assume that they don’t have SS7 access from at least a dozen countries,” Nohl said. “From a dozen countries, you can spy on the rest of the world.”