(New York) – Recent reports that NSO Group’s Pegasus spyware has been used for surveillance of dozens of journalists, human rights activists, and others demonstrate the urgent need for governments to suspend the trade in surveillance technology until rights-protecting regulatory frameworks are in place, Human Rights Watch said today. Governments should immediately cease their own use of surveillance technologies in ways that violate human rights. Pegasus is privately developed and sold by NSO Group, which is based in Israel. Numerous media outlets have recently reported that Pegasus software was used to infiltrate the devices of activists and journalists, and people close to them.
The reporting by the Pegasus Project was based on a leak of a list of 50,000 phone numbers, which media have reported are concentrated in countries known to engage in unlawful and arbitrary surveillance of their citizens and also known to have been clients of NSO Group. “Disturbing reports about Pegasus again highlight the harm this opaque industry causes when spyware ends up in the hands of governments that abuse it,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “NSO Group and its competitors cannot regulate themselves, and governments should urgently suspend sales and transfers of surveillance technology while they investigate and regulate this industry.” NSO Group has repeatedly denied the news reports, claimed that the reporting is “erroneous and false,” and said it “will no longer be responding to media inquiries on this matter.” Previously the company claimed that the reporting was based on “wrong assumptions and uncorroborated theories.” However, none of the Pegasus Project partners have retracted their reporting. For years, human rights organizations have been raising the alarm about the proliferation and abuse of commercial spyware and the need for stronger regulations to control the export of such technology that ensure compliance with international human rights standards. Human Rights Watch reporting has linked the use of NSO Group’s spyware, as revealed by Citizen Lab, to government efforts to crack down on journalists, activists, and independent thinkers in multiple countries.
The Pegasus Project is a collaboration of more than 80 journalists from 16 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based nonprofit media organization, with the technical support of Amnesty International, which conducted forensic tests on mobile phones to identify traces of the Pegasus spyware. Forbidden Stories and its media partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE). NSO has said it only sells the technology to government clients.
The number of people targeted for this surveillance may be much larger than the dozens of confirmed cases and could be massive in scale. Human Rights Watch is working to confirm whether Pegasus was installed or attempted to be installed on the devices of its staff members whose numbers appear on the list. Israel’s Defense Ministry is responsible for issuing export licenses for NSO’s spyware.
The Ministry has stated that Israel approves the export of cyber products “exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counter terrorism” and “[i]n cases where exported items are used in violation of export licenses or end use certificates, appropriate measures are taken.” However, this has not prevented Pegasus from ending up in the hands of governments that have abused it.
There has been some progress in strengthening the European Union's export control regime. And senior executives at the French spyware firm Nexa Technology (formerly Amesys) have recently been indicted for the company’s sale of surveillance software to the governments of Libya and Egypt, which the complainants say could have resulted in the torture and enforced disappearance of dissidents. However, the industry as a whole is still unaccountable and does not carry out sufficient human rights due diligence to prevent or mitigate the adverse human rights impacts linked to their products or services.
The Pegasus Project revelations should be a wake-up call for governments around the world, Human Rights Watch said. “Commercial spyware has been repeatedly used to target activists and journalists, and when left to their own devices, companies continue to sell these technologies to governments known to engage in abuses, including arbitrary surveillance, against perceived opponents,” Brown said. “These allegations need to be investigated and companies need to be held accountable for human rights violations they facilitated by selling their spyware to governments likely to abuse it.” NSO Group has recognized that it has a responsibility to respect human rights under the UN Guiding Principles on Business and Human Rights through its own human rights policy. However, companies in this sector, including NSO, have failed to effectively regulate themselves. Many sell these products to governments that offer little to no transparency or oversight over their use and few, if any, privacy or procedural safeguards, and where victims have no meaningful access to a remedy. In such contexts these highly invasive technologies are easily misused to violate the rights of journalists, activists, and government critics, as evidenced by the growing volume of reporting. Pegasus is surreptitiously introduced on people’s mobile phones. It turns an infected device into a portable surveillance tool by gaining access to its camera, microphone, and text messages, enabling surveillance of the person targeted and their contacts. This surveillance not only affects those targeted directly, but also has a chilling effect on advocates or journalists who may self-censor out of fear of such surveillance and on sources, including victims of abuse, who fear the possibility of surveillance and loss of confidentiality if they share information with journalists and human rights organizations. Information obtained through arbitrary surveillance can be used to prosecute or detain human rights defenders or dissidents, and to monitor and harass those who might dare to stand in the way of government officials or powerful figures. International human rights law establishes a right to privacy and bars arbitrary or unlawful infringements on the right. Restrictions on privacy are only permissible if they are necessary and proportionate to achieve a legitimate purpose, and provided for in law. Pegasus spyware has been used to illegally or arbitrarily surveil activists or journalists, violating their rights to privacy, undermining free expression and association, and threatening their personal security and lives.
The Pegasus Project’s reporting revealed evidence, for example, that the wife and the fiancée of the murdered Saudi journalist, Jamal Khashoggi, were targeted with Pegasus software before and after his murder in Istanbul on October 2, 2018 by Saudi operatives. Citizen Lab’s previous reporting showed that Saudi intelligence targeted a close confidant of Khashoggi, using Pegasus. NSO Group has repeatedly denied that its products were used to target Khashoggi or his family members. Governments should heed the calls from a broad array of human rights organizations to regulate this trade and hold companies accountable for their sales and actions. Human Rights Watch joins other groups in urging that at a minimum: “The Pegasus revelations illustrate how the lack of control over the trade in and use of spyware has facilitated human rights violations,” Brown said. “Governments need to step in, put an end to these abuses, and remedy them.” .
Read the full article at the original website