Listen to this article:
New Delhi: For years, there had been lingering concern about the use of NSO group’s Pegasus software. But, the controversy over the military-grade cyber weapon erupted a year ago with the publication of the collaborative global investigation known as the Pegasus Project, led by Forbidden Stories and 16 other media organisations.
It led to an immediate reaction from most of the countries involved or were impacted through the use of Pegasus spyware. The NSO Group has denied the allegations of abuse of the spyware and asserted that it only licenses the powerful software to national governments.
The Wire has tracked the twists and turns in the diplomatic consequences of the Pegasus project in the last year.
United States – leading the front initially
The Israeli firm has repeatedly asserted that its tools do not track smartphones based in the United States. Not surprisingly, US numbers did not figure prominently in the leak of 50,000 potential targets of Pegasus.
But, that doesn’t mean that they were absent. The Biden administration’s lead Iran negotiator, Robert Malley, appeared on the list, as well as UN diplomats and Rwandan dissidents living in exile. There were also a dozen US citizens with overseas phone numbers, including journalists, aid workers and diplomatic staff. In India, two employees of the Centre for Disease Control and Prevention, including a US citizen, were on the list.
There was a political outcry from Democrats, with lawmakers calling for sanctions against the NSO group for helping the authoritarian government commit human rights abuses.
Even then, it was an extraordinary step for the US commerce department to blacklist the NSO group on November 3, 2011, for acting “contrary to the national security or foreign policy interests of the United States”. The New York Times called it a “remarkable breach with Israel” and the “strongest step” taken by an American president to curb abuses in the global cyberware market.
The Israeli government approached Washington to seek a reversal of this step. Since then, US media has reported that NSO has mounted a lobbying campaign to overturn the blacklisting.
So far, it has not been successful. The American private defence firm, L3Harris, ended talks with NSO for acquiring its hacking tools after the Biden administration raised intelligence and security concerns, Washington Post, Guardian and Haaretz reported this month.
Israel – in the eye of the storm
For Israel, the NSO group’s cyberhacking expertise had been a valuable diplomatic tool during Benjamin Netanyahu’s overseas outreach, whether to court Arab allies or India’s Modi government.
In July last year, Haaretz traced Netanyahu’s critical diplomatic visits and initiatives, which seemed to run parallel with the spread of the NSO group’s wares in those countries. Six months later, the New York Times also claimed that “Israel’s ability to approve or deny access to NSO’s cyberweapons” was a deliberate part of its diplomacy to influence countries, including India, to shift their positions on critical issues.
In the immediate aftermath of the Pegasus project revelations, the Israeli government had to deal with the diplomatic fallout, especially after it was reported that a number of world leaders had their phones hacked with NSO’s flagship hacking tool.
Even as Israel’s defence ministry reportedly began a review of its cyber export policy due to the Pegasus Project articles, the Israeli National Security Council also set up an inter-ministerial team to control the diplomatic damage.
With President Emmanuel Macron’s phone number on the leaked list, the Israelis had to make special efforts to mollify Paris, with the French President directly seeking clarifications from the Israeli prime minister.
Later, French security agencies found traces of Pegasus spyware on the phones of five current French cabinet ministers. A month later, Axios reported in October 2021 that Israel had offered to ban hacking of French mobile phone numbers in any deal between an Israeli firm and a third country.
The Pegasus controversy had also spilled over into Israeli domestic politics, after a media outlet claimed that police hacked the phones of 26 citizens, including Netanyahu’s son. It was used as an argument by Netanyahu to delay his corruption trial. This February, an official investigation found that while Israeli police did deploy the Pegasus malware against Israeli citizens, there was no evidence of illegality in the authorisation.
Meanwhile, Israel had been bracing for the impact of the Pegasus controversy over its most important external relationship. The blacklisting of NSO by the US in November last year came as a blow for Tel Aviv.
A week after the NSO group was barred, Israeli media reported that Tel Aviv had slashed the list of countries eligible to buy high-tech Israeli cyber technology from 102 to 37 nations. The banned countries apparently included Mexico, Morocco, Saudi Arabia and the United Arab Emirates, all of whom had been NSO clients.
But as global geopolitical priorities have changed direction since the Ukraine invasion, the US has relegated its concerns over the NSO group much below its to-do list for West Asia.
Ahead of US President Joe Biden’s visit to the region, there was media commentary about Washington’s dilemma on whether to raise the concerns about the use of spyware during his meetings in Israel and Saudi Arabia. Politico had observed that “strong public pressure to bring down the price of gas by strengthening ties with Saudi Arabia, and a wish to foster peace in Israel, could force Biden to push spyware down the list of priorities”.
In Israel, it is not clear from media reports whether either side even brought up the issue of the NSO group’s activities and blacklisting during talks. Earlier, the NSO group had been actively working to ensure that this was discussed during the meeting of President Biden and Prime Minister Yair Lapid, as per media reports.
Saudi Arabia – a ‘pariah’ is embraced again
Biden’s next stop in Riyadh also raised the spectre of Pegasus. The US intelligence community had formally attributed the responsibility of the murder of Jamal Khashoggi to Crown Prince Mohammed bin Salman. The Pegasus Project had also proved that the phones of Khashoggi’s fiancée and close associates had been contaminated with Pegasus before his murder in the Saudi consulate in Istanbul.
US President claimed that he told Prince Salman that the latter was “personally responsible” for the Washington Post columnist’s murder. While calling the killing a “terrible mistake”, the Saudi junior minister for foreign affairs, Adel al-Jubeir, disputed the conversation and said both countries had moved on. The Khashoggi murder had become a mere diplomatic hiccup of the past.
Europe – hope for accountability
Last year, Polish and Hungarian governments were documented to have used Pegasus against political dissidents and opposition politicians. The German government also informed a parliamentary panel that it had brought the Pegasus software in 2019.
In April this year, Citizen Lab disclosed that more than 60 Catalan politicians, academics and lawyers were targeted or infected with the Pegasus software, with circumstantial evidence pointing towards the Spanish government as the NSO client.
Besides, at least four European countries have admitted that their senior government functionaries and politicians were targeted through Pegasus software.
For activists, the European parliament’s activism has been a sign of hope for regulating digital spyware. A debate in the European Parliament plenary in September 2021 saw lawmakers making a case for stringent action against the NSO group. In October 2021, the European Parliament awarded the first Daphne Caruana Prize for Journalism to the Pegasus Project consortium. There was also another plenary debate on Pegasus in May this year.
“Any indication that such intrusion of privacy actually occurred needs to be thoroughly investigated and all responsible for a possible breach have to be brought to justice,” asserted EU justice commissioner Didier Reynold.
However, the EU may not have much teeth to take any action. While European Commission spokesperson Johannes Bahrke said that the abuse of spyware was “unacceptable”, he underlined that any prosecution would have to be undertaken by national governments.
“Let me clarify that the Commission has no role in the supervision of national security services or national investigations,” he told journalists.
In January, the national investigation by Hungarian authorities concluded that while thousands of citizens were targeted with Pegasus software, they were legally justifiable.
While the Commission has dithered, the launch of the special inquiry committee by the EU parliament on the use of Pegasus by European governments has raised hopes of transparency.
At a committee hearing, the NSO group said that at least five EU countries had used its software and it has terminated at least one contract with an EU member country over violating the rules of using Pegasus spyware.
Algeria – “hostile actions”
In August last year, Algeria foreign minister Ramdane Lamamra announced that his country was snapping diplomatic ties with Morocco. Along with supporting separatist groups, Lamamra accused Morocco of using Pegasus spyware against its officials.
“The Moroccan kingdom has never stopped its hostile actions against Algeria,” he said.
The Pegasus Project reported that more than 6000 Algerian telephone numbers were likely selected for targeted by an NSO client based in Morocco. The North African kingdom was also suspected of having targeted the French President’s personal phone. The Moroccan government denied the allegations and sued Forbidden Stories, Amnesty International, Süddeutsche Zeitung and Spanish media outlets for defamation.