After news reports that some governments are using a military-grade surveillance tool to spy on human rights activists, journalists, and politicians, some privacy and cybersecurity advocates questioned whether this type of spying can be stopped.
Israeli software firm NSO Group markets the Pegasus surveillance tool for law enforcement to conduct surveillance on terrorists and criminals. Last month, a coalition of media companies identified about 1,000 people in a list of 50,000 phones tracked by Pegasus, including 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials.
News reports suggested that smartphone users don’t even have to click on a link to have Pegasus installed on their devices. Pegasus can be installed through an unanswered call on WhatsApp, reports said. The best thing for users to do is to keep their smartphone operating systems and apps up to date so that vulnerabilities are eliminated, some security experts said.
The problem with Pegasus is that it’s used by governments and law enforcement agencies across the globe, some of which have no qualms about spying on journalists, politicians, and other law-abiding people, some privacy advocates said. Moreover, while there may be law enforcement uses for Pegasus, there are no global standards on privacy protections, such as court-ordered warrants, some said.
“The challenge is where some governments will use this outside of the accepted norms to repress dissent, affect freedom of the press, or for their own private uses,” said Bryson Bort, CEO of SCYTHE, a cybersecurity vendor.
It would be challenging to limit Pegasus’s use for only criminal and terrorist investigations, he told the Washington Examiner. “Any protections that were built into the platform could be removed, and the inherent operation of such a platform would be done without the vendor’s access or oversight,” he added.
NSO Group has called some of the reporting on Pegasus “full of wrong assumptions and uncorroborated theories.” The company has said the surveillance tool is used to break up pedophilia and sex-trafficking rings, locate missing children, and combat terrorism.
“We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts,” the company said in a statement. “NSO does not operate the system and has no visibility to the data.”
NSO Group also said it has no plans to stop selling Pegasus. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”
Some privacy advocates went so far as to say Pegasus shouldn’t exist. “I don’t think there is any justification for this type of surveillance, even if there is a warrant,” said Jesse The, president and CEO of Tauria, a vendor of privacy-focused collaboration tools. “No government in the world should have access to such powerful surveillance technology, especially if it’s without consent.”
Even when governments use military-grade surveillance tools to fight terrorism, “it opens up a can of worms in terms of which countries, law enforcement agencies, etc., will have access to it,” The told the Washington Examiner. “Simply put, I just don’t think there is a legal way of using Pegasus in its current incarnation.”
There doesn’t seem to be a role for Congress, given that NSO Group is an Israeli company and that most abusers of Pegasus appear to be organizations outside the United States, some privacy advocates said.
Congress has “virtually abdicated” its role to protect citizens from data collection by Big Tech firms, said Andrew Selepak, a social media professor at the University of Florida.
“What the Pegasus story has shown is that even Congress cannot protect Americans from Big Tech and spyware, just as they cannot protect American businesses from Russian, Chinese, Iranian, and North Korean hackers,” he told the Washington Examiner.
“Instead, it will be international tech companies that will have to play the biggest role of whack-a-mole to find vulnerabilities in their software and fix them from nefarious domestic and international groups trying to spy on people and exploit them through ransomware, spyware, and malware.”