“How Democracies Spy on Their Citizens”
The New Yorker, April 18, 2022
By Ronan Farrow
“The inside story of the world’s most notorious commercial spyware and the big tech companies waging war against it.”
The parliament of Catalonia, the autonomous region in Spain, sits on the edge of Barcelona’s Old City, in the remains of a fortified citadel constructed by King Philip V to monitor the restive local population. The citadel was built with forced labor from hundreds of Catalans, and its remaining structures and gardens are for many a reminder of oppression. Today, a majority of Catalan parliamentarians support independence for the region, which the Spanish government has deemed unconstitutional. In 2017, as Catalonia prepared for a referendum on independence, Spanish police arrested at least twelve separatist politicians. On the day of the referendum, which received the support of ninety per cent of voters despite low turnout, police raids of polling stations injured hundreds of civilians. Leaders of the independence movement, some of whom live in exile across Europe, now meet in private and communicate through encrypted messaging platforms.
One afternoon last month, Jordi Solé, a pro-independence member of the European Parliament, met a digital-security researcher, Elies Campo, in one of the Catalan parliament’s ornate chambers. Solé, who is forty-five and wore a loose-fitting suit, handed over his cell phone, a silver iPhone 8 Plus. He had been getting suspicious texts and wanted to have the device analyzed. Campo, a soft-spoken thirty-eight-year-old with tousled dark hair, was born and raised in Catalonia and supports independence. He spent years working for WhatsApp and Telegram in San Francisco, but recently moved home. “I feel in a way it’s a kind of duty,” Campo told me. He now works as a fellow at the Citizen Lab, a research group based at the University of Toronto that focusses on high-tech human-rights abuses.
Campo collected records of Solé’s phone’s activity, including crashes it had experienced, then ran specialized software to search for spyware designed to operate invisibly. As they waited, Campo looked through the phone for evidence of attacks that take varied forms: some arrive through WhatsApp or as S.M.S. messages that seem to come from known contacts; some require a click on a link, and others operate with no action from the user. Campo identified an apparent notification from the Spanish government’s social-security agency which used the same format as links to malware that the Citizen Lab had found on other phones. “With this message, we have the proof that at some point you were attacked,” Campo explained. Soon, Solé’s phone vibrated. “This phone tested positive,” the screen read. Campo told Solé, “There’s two confirmed infections,” from June, 2020. “In those days, your device was infected—they took control of it and were on it probably for some hours. Downloading, listening, recording.”
Solé’s phone had been infected with Pegasus, a spyware technology designed by NSO Group, an Israeli firm, which can extract the contents of a phone, giving access to its texts and photographs, or activate its camera and microphone to provide real-time surveillance—exposing, say, confidential meetings. Pegasus is useful for law enforcement seeking criminals, or for authoritarians looking to quash dissent. Solé had been hacked in the weeks before he joined the European Parliament, replacing a colleague who had been imprisoned for pro-independence activities. “There’s been a clear political and judicial persecution of people and elected representatives,” Solé told me, “by using these dirty things, these dirty methodologies.”
In Catalonia, more than sixty phones—owned by Catalan politicians, lawyers, and activists in Spain and across Europe—have been targeted using Pegasus. This is the largest forensically documented cluster of such attacks and infections on record. Among the victims are three members of the European Parliament, including Solé. Catalan politicians believe that the likely perpetrators of the hacking campaign are Spanish officials, and the Citizen Lab’s analysis suggests that the Spanish government has used Pegasus. A former NSO employee confirmed that the company has an account in Spain. (Government agencies did not respond to requests for comment.) The results of the Citizen Lab’s investigation are being disclosed for the first time in this article. I spoke with more than forty of the targeted individuals, and the conversations revealed an atmosphere of paranoia and mistrust. Solé said, “That kind of surveillance in democratic countries and democratic states—I mean, it’s unbelievable.”
Commercial spyware has grown into an industry estimated to be worth twelve billion dollars. It is largely unregulated and increasingly controversial. In recent years, investigations by the Citizen Lab and Amnesty International have revealed the presence of Pegasus on the phones of politicians, activists, and dissidents under repressive regimes. An analysis by Forensic Architecture, a research group at the University of London, has linked Pegasus to three hundred acts of physical violence. It has been used to target members of Rwanda’s opposition party and journalists exposing corruption in El Salvador. In Mexico, it appeared on the phones of several people close to the reporter Javier Valdez Cárdenas, who was murdered after investigating drug cartels. Around the time that Prince Mohammed bin Salman of Saudi Arabia approved the murder of the journalist Jamal Khashoggi, a longtime critic, Pegasus was allegedly used to monitor phones belonging to Khashoggi’s associates, possibly facilitating the killing, in 2018. (Bin Salman has denied involvement, and NSO said, in a statement, “Our technology was not associated in any way with the heinous murder.”) Further reporting through a collaboration of news outlets known as the Pegasus Project has reinforced the links between NSO Group and anti-democratic states. But there is evidence that Pegasus is being used in at least forty-five countries, and it and similar tools have been purchased by law-enforcement agencies in the United States and across Europe. Cristin Flynn Goodwin, a Microsoft executive who has led the company’s efforts to fight spyware, told me, “The big, dirty secret is that governments are buying this stuff—not just authoritarian governments but all types of governments.”
NSO Group is perhaps the most successful, controversial, and influential firm in a generation of Israeli startups that have made the country the center of the spyware industry. I first interviewed Shalev Hulio, NSO Group’s C.E.O., in 2019, and since then I have had access to NSO Group’s staff, offices, and technology. The company is in a state of contradiction and crisis. Its programmers speak with pride about the use of their software in criminal investigations—NSO claims that Pegasus is sold only to law-enforcement and intelligence agencies—but also of the illicit thrill of compromising technology platforms. The company has been valued at more than a billion dollars. But now it is contending with debt, battling an array of corporate backers, and, according to industry observers, faltering in its long-standing efforts to sell its products to U.S. law enforcement, in part through an American branch, Westbridge Technologies. It also faces numerous lawsuits in many countries, brought by Meta (formerly Facebook), by Apple, and by individuals who have been hacked by NSO. The company said in its statement that it had been “targeted by a number of politically motivated advocacy organizations, many with well-known anti-Israel biases,” and added that “we have repeatedly cooperated with governmental investigations, where credible allegations merit, and have learned from each of these findings and reports, and improved the safeguards in our technologies.” Hulio told me, “I never imagined in my life that this company would be so famous. . . . I never imagined that we would be so successful.” He paused. “And I never imagined that it would be so controversial.”
About the Author:
Ronan Farrow is an investigative reporter and a contributing writer to The New Yorker. He is also currently producing documentaries for HBO. His stories for The New Yorker exposed the first sexual-assault allegations against the movie producer Harvey Weinstein and the first misconduct allegations against CBS executives, including then C.E.O. Leslie Moonves. He was also responsible for the first detailed accounts of payments made by the National Enquirer’s parent company in order to suppress stories about Donald Trump during the 2016 Presidential campaign. For his reporting on Weinstein, Farrow won the Pulitzer Prize for public service, the National Magazine Award, and the George Polk Award, among other honors. He previously worked as an anchor and investigative reporter at MSNBC and NBC News, with his print commentary and reporting appearing in publications including the Wall Street Journal, the Los Angeles Times, and the Washington Post. Farrow is the author of “War on Peace: The End of Diplomacy and the Decline of American Influence” and “Catch and Kill: Lies, Spies, and a Conspiracy to Protect Predators.” He is a graduate of Yale Law School and a member of the New York Bar. He recently completed a Ph.D. in political science at Oxford University, where he studied as a Rhodes Scholar. Prior to his career in journalism, he served as a State Department official in Afghanistan and Pakistan. He lives in New York.
“Ronan Farrow: How Democracies Spy on Their Citizens” | Amanpour and Company, PBS. April 25, 2022.
- Pegasus Project (investigation), Wikipedia.
- The Pegasus Project – The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world. It was coordinated by Forbidden Stories, a French nonprofit that focuses on telling the stories of journalists under threat. Amnesty International’s Security Lab provided technical support. (A project of The Organized Crime and Corruption Reporting Project.)
- BTW, NSO = Niv + Shalev + Omri = The Niv Karmi + Shalev Hulio + Omri Lavie Group.