Subscriber OnlyTechnology

Surveillance tools like Pegasus should not be for sale

Net Results: Targeting of Palestinian activists’ phones is the latest evidence of abuse

“I felt violated, insecure. I feared for the safety of my family, kids and wife. I also thought about the diplomats and activists I was in contact with.”

Palestinian human rights defender Ubai Al-Aboudi, executive director at Bisan Center for Research and Development in Ramallah, was telling me of his profound shock at learning that his iPhone was one of six belonging to Palestinian activists compromised with the controversial spyware tool Pegasus, from Israeli company NSO.

The affected phones were discovered by Dublin-based international human rights organisation Front Line Defenders (FLD), which issued a report on Monday that swiftly made international headlines. FLD's findings were verified by two independent forensic labs, Citizen Lab in Toronto and Amnesty International's Security Lab.

Pegasus gives broad access to information on a phone. It’s designed to take advantage of the capabilities of modern phones as powerful computing and communication devices. Once installed, the software can reveal a phone’s messages, emails, media, passwords, voice calls (including over encrypted messaging apps), location data and contacts. Pegasus also enables a phone’s microphone and camera to be controlled remotely.


NSO is increasingly viewed as a pariah, with the Palestinian cases only the latest glimpse into a shady world of commercial sellers of powerful digital surveillance programmes

“The effect is not just on the human rights defenders but their family, their contacts, their international community that they communicate with, their staff, their colleagues, their friends,” FLD’s digital protection co-ordinator, Mohammad Al-Maskati, told me.

Al-Maskati uncovered the digital traces of Pegasus infections after Ghassan Halaika, a field researcher for a well-known and globally respected Palestinian human rights organisation, Al-Haq, suspected his phone had been compromised.

“He was suspicious about some stuff that was running in his phone,” Al-Maskati says. “So we scanned the phone, and it was Pegasus.”

Six target groups

The other affected person named was lawyer Salah Hammouri, a field researcher at Addameer Prisoner Support and Human Rights Association in Jerusalem. The Irish Government gives funding support to both Addameer and Al-Haq.

The three Pegasus-targeted groups are among six the Israeli government unexpectedly claimed were terrorist organisations last month, a move swiftly condemned by the US, EU and UN for lack of evidence.

The use of Pegasus against the activists aroused further anger, including in the Israeli media, with one Haaretz journalist arguing that only the Israeli government – which must approve NSO sales of Pegasus – could be utilising Pegasus against the activists.

"Even if the Palestinian individuals and the organisations which discovered the Pegasus spyware on their phones and the journalists who reported it can't prove who is behind it, it's clear to everyone that it was Israel – or in other words, the Shin Bet security service," wrote Haaretz's Amira Hass.

However, Israel has denied involvement, and attribution remains uncertain. Numerous organisations, including FLD, have called for an international investigation to determine which NSO customer deployed Pegasus against the activists.

NSO is increasingly viewed as a pariah, with the Palestinian cases only the latest glimpse into a shady world of commercial sellers of powerful digital surveillance programmes. NSO claims Pegasus is only sold to legitimate governments for use against terrorism and serious crime, but a growing mountain of evidence indicates otherwise – that it is obtained by malign governments and rich and powerful individuals to use against whomever they wish.

Media investigation

A major summer investigation into Pegasus by 17 global media organisations grabbed headlines with its disclosures about the range of international politicians, human rights workers, lawyers, journalists and their extended networks of contacts that Pegasus seems to have been used to surveil.

Among them were 10 prime ministers, three presidents, a king, 189 journalists and 85 human rights activists. The list included two close contacts of murdered Washington Post journalist Jamal Khashoggi.

NSO was blacklisted last week by the Biden administration for selling a tool “to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers”. We may soon learn more. This week a senior US judge cleared the way for a case to proceed against NSO that will allow for extended “discovery”, a pre-trial phase in which internal documents and records can be requested and generally, must be produced.

This week, Sarah Leah Whitson, executive director of the organisation set up by Jamal Khashoggi, Dawn (Democracy for the Arab World Now), called for any Israeli officials "found to have participated in the decision to license and use the Pegasus software on human rights activists" to be subjected to a Biden administration sanction enacted in February, called Khashoggi's Ban. The ban restricts visas for "individuals who, acting on behalf of a foreign government, are believed to have been directly engaged in serious, extraterritorial counter-dissident activities."

However, the most pressing international issue remains not NSO alone, but the commercial creation and commercial availability of such technology. We know that at least one example of such technology, Pegasus, is used to breach human and civil rights norms and laws. Commercial restrictions and Israeli state oversight haven’t prevented it from ending up in the hands of malevolent private individuals and rogue states.

As FLD’s Al-Maskati says: “We need to stop selling advanced software to repressive governments.” Surveillance tools this powerful should not be commercial products. At all.