Much attention has been paid recently to bombshell allegations that Israeli-created spyware may have been used to target journalists, dissidents, and other enemies of the state. But the Pegasus scandal is a mere microcosm of the larger issue of governments using private companies for surveillance operations.
On July 18, the Guardian and 16 other media outlets began publishing a series of stories about the Israeli-based NSO Group, alleging that foreign governments used the company’s Pegasus software to surveil at least 180 journalists and numerous other targets around the world.
Developed by former members of the elite Israeli Unit 8200—comparable to the U.S. National Security Agency—the Pegasus software allegedly infects iPhones and Androids, enabling operators to extract messages, photos, and emails; record calls; and activate microphones in secret.
Alleged possible targets of Pegasus surveillance include the slain Washington Post writer Jamal Khashoggi, French president Emmanuel Macron, and Indian opposition legislator Rahul Gandhi, along with numerous others. NSO explicitly denies that its software was “associated in any way with the heinous murder of Jamal Khashoggi.”
Allegations about the NSO Group’s wrongdoing have been in the media for years. Facebook sued the NSO Group in federal court in 2019 for allegedly exploiting a vulnerability in WhatsApp allowing Pegasus users to spy on the calls and messages of victims, including journalists and human rights activists. This case is pending appeal in the 9th Circuit, where the NSO Group has argued that it should have sovereign immunity from civil litigation.
But while Pegasus was already public knowledge, this week’s reporting casts doubt on the NSO Group’s longstanding contention that it only intends for the software to be used in counterterrorism and other major criminal probes. The Guardian and other media reportedly obtained a copy of the NSO Group’s targeting database, which has a list of 50,000 phone numbers that clients may have targeted for surveillance—suggesting that the only way the NSO Group didn’t know the identity of its clients’ targets was through willful ignorance.
The NSO Group has continued to deny wrongdoing, saying that media outlets have misinterpreted the data.
“The [reports are] full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the ‘unidentified sources’ have supplied information that has no factual basis and are far from reality,” the NSO Group stated. “After checking their claims, we firmly deny the false allegations made in their report. Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims.
“In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit.”
Law enforcement in France and Hungary have already launched investigations into the use of Pegasus, and the Israeli Parliament’s Foreign Affairs and Defense Committee has formed a committee that will look into the matter.
The Moroccan government has hit back against some of the Pegasus reporting, filing a defamation lawsuit in Paris against two French-based organizations for allegedly publishing false claims that Moroccan investigators illegally used Pegasus to target government officials.
The Moroccan government “does not intend to let the multiple lies and fake news spread these past few days go unpunished,” the government’s lawyer reportedly said on July 22.
The NSO Group may be the object of wrath after this week’s reporting, but NSO is hardly the only company in the business of selling surveillance equipment to governments. Before the Pegasus scandal hit the headlines, the Canada-based research group Citizen Lab released a report on the Israeli company Candiru—named after the infamous fish known for swimming up a man’s urethra—alleging that the firm has engaged in many of the same activities as NSO.
Nor are private surveillance firms exclusive to Israel. In the United States, a company called Clearview AI has received notoriety over the past year, after The New York Times reported that the company was scraping billions of photos to develop facial recognition software for law enforcement organizations at home and abroad. It was also revealed last year that the Department of Homeland Security (DHS) and other agencies had been purchasing data in bulk from private companies.
Legal scholars have raised concerns that surveillance companies pose a particularly onerous threat to privacy in the United States, because the Fourth Amendment restrictions on surveillance don’t apply to private companies.
“If law enforcement agencies can buy their way around the Fourth Amendment’s warrant requirement, the landmark protection announced by the Supreme Court in Carpenter will be in peril,” the American Civil Liberties Union (ACLU) said in a public statement last December. “Despite federal agencies spending hundreds of thousands of dollars on access to cell phone location databases, those agencies have not publicly explained their legal justifications or internal limitations on access to this invasive information.”
Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) introduced legislation in April intended to address some of the constitutional issues presented by emerging surveillance technologies. Their Fourth Amendment is Not for Sale Act would place warrant requirements on government purchases of bulk data, and would take away the U.S. attorney general’s ability to give civil immunity to companies that unlawfully sell bulk data to government agencies.
But even though the Fourth Amendment is Not for Sale Act has the bipartisan support of 19 cosponsors, the measure has yet to receive a hearing.