Last week, Facebook’s WhatsApp whispered out a warning to update the mobile messaging app after learning that it had a vulnerability that really deserved to be shouted from the rooftops: a zero-day vulnerability that allowed hackers to silently install government spyware onto victims’ phones had been exploited in the wild.
The zero day meant that with just one call, spies could access your phone and plant spyware – specifically, the notorious Pegasus software.
Pegasus has been unleashed against Mexican political activists; targeted at the human rights-focused NGO Amnesty International in a spearphishing attack; and used against Ahmed Mansoor, a prominent human rights activist and political dissident in the United Arab Emirates who was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) after being charged with “insulting the UAE and its symbols”.
WhatsApp quickly patched the vulnerability.
Just as quickly, Amnesty International filed a lawsuit that seeks to stop the “web of surveillance” it says is enabled by NSO Group, the Israeli firm that makes Pegasus.
Last Monday, Amnesty announced that it’s taking the Israeli Ministry of Defense (MoD) to court to force it to revoke NSO Group’s export license.
Thirty members and supporters of Amnesty International Israel and others from the human rights community are alleging that NSO Group’s spyware has been used to surveil Amnesty staff and other human rights defenders, thereby putting human rights at risk.
Referencing the June 2018 spearphishing attack on an Amnesty staff member, Danna Ingleton, Deputy Director of Amnesty Tech, said in an affidavit that the attack was “the final straw.”
NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw.
The Israeli MoD has ignored mounting evidence linking NSO Group to attacks on human rights defenders, which is why we are supporting this case. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.
How Pegasus flies
As Ingleton described in the affidavit, a Pegasus infection can happen in several ways. Most commonly, a target clicks on an exploit link, often sent as a text message. That triggers the download onto a mobile device.
Once installed, Pegasus turns into what Citizen Lab has called a “silent, digital spy.” It can get at everything – including contacts, photos, call history and previous text messages – regardless of encryption or other protections. It also allows its operator the ability to remotely operate a device’s camera and microphone, enabling remote eavesdropping on conversations, as well as passive or active tracking of a target’s location data.
When Amnesty’s technology team analyzed the rigged link that had been sent via a WhatsApp message in the June 2018 spearphishing attack, they found that it was connected to a domain known to distribute and deploy NSO Group’s Pegasus spyware. Had the staff member clicked on the link – which they did not – they would have been taken to a site that would have attempted to install the spyware on their device.
In fact, the domain that hosted the link is part of a network of more than 600 suspicious domains used to trigger Pegasus infection, according to the affidavit.
Although the targeted Amnesty employee hadn’t clicked on the boobytrapped link, they were still horrified that they’d been targeted on the basis of their human rights work, in “clear violation of the right to freedom of opinion, freedom of expression, and the right to privacy, guaranteed under the International Covenant on Civil and Political Rights,” the affidavit said.
The fear is lingering: the employee has declined to have their name released in the aftermath. But he or she is only one of scores of targets: Citizen Lab has traced use of Pegasus spyware to 45 countries where its operators may have been using it in surveillance campaigns between August 2016 and August 2018.
Off-label use of government spyware?
NSO Group’s response to incidents of operators unlawfully using its software to persecute dissidents, activists and journalists has been consistent: it repeatedly points out that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists. From the statement it put out after the June 2018 spearphishing attack on Amnesty:
NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.
In the lawsuit filed last week, Amnesty says that NSO Group has been ignoring the “foreseeable risk” that governments would misuse its spyware to unlawfully surveil human rights defenders.
There is no evidence that NSO Group refused to sell its products to those governments, ascertained that those governments had proper legal frameworks and oversight mechanisms for the use of spyware in place prior to any sale, or revoked access to its products after evidence emerged of their misuse.
NSO Group claims that its Business Ethics Committee reviews and approves all transactions and that it conducts investigations into allegations of misuse. Yet it hasn’t disclosed what factors it considers when choosing who to sell to, doesn’t disclose much of anything with regards to the results of its investigations into misuse, and has failed to demonstrate what, if anything, it’s done to mitigate the risks of misuse, the affidavit says.
At a minimum, NSO Group could review the human rights record of a prospective client country. It could also monitor use of products post-sale, Amnesty says.
Trampling on human rights
The legal action is being brought by Amnesty International as part of a joint project with New York University (NYU) School of Law’s Bernstein Institute for Human Rights and Global Justice Clinic. Faculty Director Margaret Satterthwaite:
The targeting of human rights defenders for their work, using invasive digital surveillance tools, is not permissible under human rights law. Without stronger legal checks, the spyware industry enables governments to trample on the rights to privacy, freedom of opinion and expression.
The Israeli government needs to revoke NSO Group’s export license and stop it profiting from state-sponsored repression.