Spyware needs more and better oversight

Activists, academics, business people and journalists operating in autocratic states have long suspected that security agents eavesdrop on their phone calls. In face-to-face meetings, mobiles are turned off during sensitive conversations and stuffed under cushions for fear they are being used as listening devices. But allegations that military-grade spyware developed by the Israeli company NSO Group has been used to hack 37 reporters, activists, executives and two women close to murdered Saudi journalist Jamal Khashoggi, is shocking and deeply concerning.

If proven, it is a deplorable invasion of privacy. NSO’s Pegasus spyware enables the user to penetrate the darkest corners of smartphones — personal data, private messages, pictures and contact lists. It can turn on cameras and recorders to livestream conversations. The technology was designed to target terrorists and criminal groups, but has allegedly become a tool for states to spy on critics, dissidents and others. Governments implicated in the allegations include Saudi Arabia, the United Arab Emirates and Hungary.

The phones of the 37 were forensically tested by Amnesty International, which conducted the investigation into the hacking in collaboration with Forbidden Stories, a Paris-based non-profit group, and 17 media outlets. The 37 were identified from a list of 50,000 phone numbers in dozens of countries known to have used NSO’s products. NSO, a leader in its craft, said it would “investigate all credible claims of misuse”. It denied what it said were “false allegations” in the “Pegasus Project”.

There is history here. NSO is already fighting court cases over allegations that its software was used to spy on journalists, activists and others. WhatsApp is suing over allegations that NSO sent malware to more than 1,000 customers using the messaging app.

Governments have legitimate reasons for using technological advances to combat genuine security threats, such as organised crime and terrorism. And autocracies are not alone in infringing citizens’ rights, as evidenced by the Edward Snowden leaks eight years ago. The former National Security Agency contractor exposed the scale of the US’s own surveillance programmes. There are no grounds, however, to surveil those advocating for human rights, or journalists. Yet the revelations reinforce the suspicion that NSO’s spyware has been used for malicious, state-sponsored purposes.

Most smartphone users are protected. The challenge for tech companies, such as Apple, arises when individuals are targeted by software developed by groups like NSO, whose entire purpose is to breach tech companies’ defences. The latest revelations suggest there is more scope for collaboration between tech groups and governments to identify vulnerabilities, share findings and ensure users’ protection.

As distasteful as it is, it is not surprising that autocratic regimes deploy spyware to monitor and intimidate. But it is time for Israel — a hub for spyware development — to take these allegations seriously. The defence ministry approves exports. The allegations, however, imply that neither the ministry nor the companies pay sufficient heed to how the technology is deployed. The same oversight that is theoretically used for arms sales should apply.

Israel should suspend NSO’s export licence while the allegations are thoroughly and transparently investigated. Western capitals also have a role to play, as most of the states implicated are considered partners. They should make clear that such behaviour as alleged in the Pegasus Project will not be tolerated. Fundamental rights to privacy must be protected.