Reading Pegasus by Laurent Richard and Sandrine Rigaud for New Scientist, 1 February 2023.
“Fifty thousand?”
Edward Snowden’s 2013 leaks from the US National Security Agency had triggered a global debate around state surveillance — and even he couldn’t quite believe the scale of the story as it was described to him in the summer of 2021.
Whistle-blowers had handed French investigative journalists Laurent Richard and and Sandrine Rigaud a list of 50,000 phone numbers. These belonged to people flagged for attack by a cybersurveillance software package called Pegasus.
The journalistic investigation that followed is the subject of this non-fiction thriller: a must-read for anyone remotely interested in cryptography and communications, and a dreadful warning for the rest of us. “Regular civilians being targeted with military-grade surveillance weapons — against their will, against their knowledge, and with no recourse — is a dystopian future we really are careening toward,” the authors warn, “if we don’t understand this threat and move to stop it.”
Pegasus offers a fascinating insight into how journalism has evolved to tackle a hyper-connected world. Eye witnesses and whistle-blowers have better access than ever before to sympathetic campaigning journalists from all over the world. But of course, this advantage is shared with the very governments and corporations and organised crime networks that want to silence them.
To drag Pegasus into the light, Laurent’s Forbidden Stories consortium choreographed the activities of more than eighty investigative journalists from seventeen media organisations across four continents and eight languages.
The consortium got together in March 2021 knowing full well that they would have to conclude their investigation by June, by which time Pegasus’ creators at the Israeli company NSO were bound to twig that their brainchild was being hacked.
The bigger the names on that phone list, the harder it would be to keep any investigation under wraps. Early on the name of Jorge Carrasco cropped up: the lead partner in Forbidden Stories’ massive cross-border collaboration to finish the investigations of murdered Mexican journalist Regina Martínez. Then things just got silly: a son of Turkish president Recep Erdogan turned up; and then the names of half the French cabinet. Also the cell number for Emmanuel Macron, the president of France. Laurent Richard recalls, “Macron was the name that made me realise how truly dangerous it was to have access to this list.”
In a pulse-accelerating account that’s never afraid to dip into well-crafted technical detail, the authors explain how Pegasus gains free rein on a mobile device, without ever tipping off the owner to its presence. Needless to say it evolved out of software designed to serve baffled consumers waiting in long queues on tech support call lines. Shalev Hulio and Omri Lavie, who would go on to found NSO and create Pegasus, cut their teeth developing programmes that allowed support technicians to take charge of the caller’s phone.
It was not long before a European intelligence service came calling. Sold and maintained for more than sixty clients in more than forty countries, Pegasus gave security services an edge over terrorists, criminal gangs and paedophiles — and also, as it’s turned out, over whistleblowers, campaigners, political opponents, journalists, and at least one Emirati princess trying to get custody of her children. This book is not a diatribe against the necessary (or at any rate ubiquitous) business of government surveillance and espionage. It is about how, in the contest between ordinary people and the powerful, software is tilting the field wildly in the latter’s favour.
The international journalistic collaboration that was the Pegasus Project sparked the biggest global surveillance scandal since Snowden; it’s led to a European Parliament inquiry into government spyware, legal action from major technology companies, government sanctions against the NSO Group and countless individual legal complaints. But the authors spend little time sitting in their laurels. Pegasus may be dead, but demand for a successor is only growing. In the gap left by NSO, certain governments are making offers to certain tech companies that add zeroes to the fees NSO enjoyed. Nor do the authors expect much to come out of the public debate that has followed their investigation: “The issues… might have been raised,” they concede, “but the solutions are not even in the works.”