Message of the Day: Human Rights

Global Spyware Scandal: Exposing Pegasus, Frontline, PBS, 1.3.23 & 1.10.23

 

We begin 2023 with the programs that the PBS Frontline documentary series began the year with. It is one of their rare two-part longer series, with part two airing tonight on PBS nationwide.

Wherever you are, the chances are that your every private act, where you are at any moment, everthing you do and every bit of data you have online is being watched. If you are an activist, a journalist, a politician, or just a citizen at the wrong place at the wrong time, there has been a program to do all the above, often with the intention to kill. The overarching intention is to destroy human rights and democracy.

As we’ve said often in various ways, the programs tell the story, and if the above isn’t enough to get you to watch them, then the time for a mental inventory on survival is long overdue.

Our esteem for Frontline has been expressed for many years. We let the message for the beginning of this 40th anniversary year for Frontline from Raney Aronson-Rath, the executive producer and editor-in-chief, introduce the programs.

DECEMBER 29, 2022, by Raney Aronson-Rath

As 2022 draws to a close, I wanted to share a message of sincere gratitude with you, our FRONTLINE community.

Your belief in the power and necessity of investigative journalism is meaningful and sustaining — not just to me, but to our journalists and filmmakers all around the U.S. and the world.

Over the past 12 months, you’ve come along with us as we’ve worked to hold power to account. We’ve gone on the ground to investigate Vladimir Putin’s war on Ukraine, the Taliban’s crackdown on women in Afghanistan, and threats to democracy here in the U.S. We’ve probed our country’s decades-long failure to confront the threat of climate change and the role of the fossil fuel industry. We’ve examined the ways America’s history of racist violence impacts the present. We’ve asked tough questions about our country’s affordable housing crisis, ongoing struggles involving police accountability and reform, and fallout from America’s immigration policies.

And thanks to your support, our work continues.

We’ll begin 2023 — the year of our 40th anniversary on the air — with a two-part documentary series investigating the powerful spyware Pegasus, sold to governments around the world by the Israeli company NSO Group. Part of the Pegasus Project, this series from FRONTLINE and Forbidden Films investigates how the hacking tool was used on journalists, activists, the wife and fiancée of Saudi journalist Jamal Khashoggi, and others. Global Spyware Scandal: Exposing Pegasus premieres Jan. 3 and 10.

Also in January, we’ll bring you Putin and the Presidents, an investigation of the Russian president’s clashes with five American presidential administrations as he’s tried to rebuild the Russian empire. And a new documentary from FRONTLINE and The Associated Press that goes inside the early days of Putin’s invasion of Ukraine, 20 Days in Mariupol, will have its world premiere at the 2023 Sundance Film Festival in Park City, Utah. It is the first FRONTLINE or AP original documentary to debut at the world-renowned film festival.

We are deeply grateful for the chance to bring you journalism like this, year after year.

Thank you so much for your trust and your belief in us. It is what helps to make all of this work possible.

Here’s the online introduction to the program, the transcript, and the link to watch the two-part series:

FRONTLINE and Forbidden Films, the documentary arm of Forbidden Stories, investigate the powerful spyware Pegasus, sold to governments around the world by the Israeli company NSO Group. This two-part series, part of the Pegasus Project, examines how the hacking tool was used on journalists, activists, the wife and fiancée of Saudi journalist Jamal Khashoggi and others.

Transcript

Global Spyware Scandal: Exposing Pegasus

VIEW FILM

Part One

PAUL LEWIS, The Guardian:

Our phones are not just our phones. We call them phones, but they’re not phones, they’re computers, and they’re like extensions of our body; they’re with us all of the time. And if they are turned into a surveillance device, I don’t think it’s an exaggeration to say this was something that even George Orwell in “1984” couldn’t imagine.

PAUL LEWIS:

It’s beyond science fiction.

LAURENT RICHARD, Forbidden Stories:

[Speaking French] Let’s have a briefing.

In 2020, the journalism non-profit Forbidden Stories and Amnesty International got access to a leaked list of over 50,000 phone numbers.

LAURENT RICHARD:

[Speaking French] The database is really explosive.

They suspected the list contained numbers selected for potential surveillance with spyware sold to governments by the Israeli company NSO Group.

The spyware is called Pegasus.

OVERLAPPING VOICES:

Pegasus. Pegasus. Pegasus. Pegasus. Pegasus.

DANA PRIEST, The Washington Post:

This technology, it’s so far ahead of government regulation and even of public understanding of what’s happening out there.

Seventeen media organizations joined forces to investigate.

PAUL LEWIS:

All of us suspected that if NSO Group was giving authoritarian and repressive regimes such a powerful instrument of surveillance that it was pretty likely that this technology would be abused. But none of us had been able to prove it on a systemic scale.

A year later, they published.

MALE NEWSREADER:

[Speaking Spanish] According to an investigation by The Washington Post, The Guardian, Le Monde and other media—

FEMALE NEWSREADER:

A joint investigation by 17 news outlets—

MALE NEWSREADER:

Activists, lawyers and journalists are reportedly among those who’ve been targeted by the phone spyware—

MALE NEWSREADER:

—phone numbers belonging to some big-name politicians.

FEMALE NEWSREADER:

[Speaking Chinese] The cell phones of heads of state, members of royal families, governments, some journalists—

This is the story of the year-long investigation, filmed as it happened.

LAURENT RICHARD:

The device that you have in your pocket could be a spy that is spying on your life.

PARIS

June 2020

LAURENT RICHARD:

[Speaking French] We must turn off all our cell phones and put them in the next room. And if you can also turn off your computers.

FORBIDDEN STORIES OFFICE

LAURENT RICHARD:

[Speaking French] Sometimes it will be a bit restrictive in the coming months, but this is an extremely sensitive subject. We have a huge leak. There are numbers but no names. There is a lot of identification work through these numbers to find out who the target people are. The database is really explosive because there are many potential scandals.

Don’t talk about it with your closest friends. It is vital not to talk about it. It’s a subject where surveillance is involved. We are not in the lion’s den, but we are in the crosshairs and at some point we will be closely monitored, that’s for sure.

[Speaking English] The list doesn’t have any names. You have phone numbers, area country code, some time stamps as well. And it’s a list that is about 50,000 phone numbers from 2016 to 2020. We can’t explain where the list is coming from. We can’t, of course, reveal who is our source.

Officially the Pegasus spyware is not working on any plus-one U.S. phone numbers. It’s not possible.

The numbers, they are mostly in 10 countries, and most of these governments are known to be clients of NSO Group, who make Pegasus.

SANDRINE RIGAUD, Forbidden Stories:

Pegasus was designed to infect phones like iPhones or Androids. And once in the phone, it can extract and access everything from the device: the phone books, geolocation, the messages, the photos, even the encrypted messages sent by Signal or WhatsApp. It can even access the mic or the camera of your phone remotely.

LAURENT RICHARD:

It’s like a person over your shoulder, a person who will see what you are seeing, a person who would watch what you are watching—your emails, your encrypted communication, everything. So once you are infected, you’re trapped.

MALE VOICE [on video call]:

Hello, can you hear me?

SANDRINE RIGAUD:

I can hear you. I don’t see you.

FEMALE VOICE 1:

Hello, Paul.

FEMALE VOICE 2 [on video call]:

Laurent?

LAURENT RICHARD:

Hi, Dana.

DANA PRIEST [on video call]:

Oh, hi, how are you?

SANDRINE RIGAUD:

Hi, Dana.

LAURENT RICHARD:

Good, and you?

We decided to reach out to some partners—The Washington Post, The Guardian and many other ones.

We wanted to tell you about some information we have and about a new project we are starting.

SANDRINE RIGAUD:

We had no names attached to the numbers. We needed more journalists. We needed reporters on the ground who could reach out to some victims. We need people with tech expertise.

We still have to identify the numbers. Many of them actually haven’t been identified yet. So we need your help on this.

PAUL LEWIS:

The moment they mentioned the numbers of phone numbers that they had, the quantity of phone numbers, tens of thousands, I mean, my jaw just hit the floor.

SANDRINE RIGAUD:

There is a lot that concern India.

LAURENT RICHARD:

Some people in Mexico.

SANDRINE RIGAUD:

Information about Hungary.

LAURENT RICHARD:

Azerbaijan and Kazakhstan.

PAUL LEWIS:

If Forbidden Stories have got data that can identify not just who the customers of NSO are, but potentially point in the direction of who the targets are as well, this is a game changer. This could be transformative in terms of our understanding of the whole cybersurveillance industry.

DANA PRIEST:

I specialize in national security reporting, so surveillance is part of my beat, so to speak.

You could see patterns starting to emerge and you could almost like touch, “OK, that might be a story. Here’s something that’s happening in Azerbaijan. That might be a story. OK, I see what the Moroccan story might be.” It’s like watching a photo emerge in a darkroom.

PAUL LEWIS:

We at The Guardian have been reporting about NSO for a long time. We thought it was really important to hold this company to account.

Israel has become a world leader in this industry and exports these tools all over the world. And if you like, NSO Group was in many ways the jewel in the crown.

FEMALE NEWSREADER:

The NSO Group was recently valued at $1 billion. It is one of the most successful companies in Israel’s startup space.

MALE NEWSREADER:

NSO says they sell the software to governments around the world for legitimate purposes—fighting terrorism or violating local laws.

PAUL LEWIS:

Here was a company founded by three guys in 2010 that claimed to have 40 countries around the world buying its technology, that made bold claims about its technology being used to solve serious crimes and help facilitate national security inquiries. This was a big deal.

NSO Group declined to be interviewed for this project.

Publicly the company has insisted that it “does not operate the systems it sells” and that it investigates “all credible claims of misuse” by its government clients.

Israeli television interview

April 2020

SHALEV HULIO, Co-founder and CEO, NSO Group:

I can tell you on the last 10 years we only found three cases of misuse, and we took very serious action that we are always taking. And these serious actions meant that we shut down the system completely. We only sell it to governments or to entities that we know or we want to believe that they will not misuse the tools. And this is how we check the customer. This is how we diligence them. We have all the mechanism to make sure that they are not misusing the systems.

LE MONDE NEWSPAPER

PARIS

LAURENT RICHARD:

In the middle of Paris, in the middle of this big COVID crisis, we got everyone together to plan the investigation.

DANA PRIEST:

I’m Dana Priest at The Washington Post, and this is Craig Timberg who’s joining me.

MATHIEU TOURLIERE:

Here is Carmen Aristegui and Sebastián Barragán from Aristegui Noticias.

PAUL LEWIS:

This is Paul Lewis from The Guardian, and Steph, many of you will know, writes a lot about NSO.

MALE SPEAKER:

This is the Le Monde corner. This is Martin, Christophe and I am Damien.

PAUL LEWIS:

Usually we see reporters at other news organizations as our rivals. We compete against them. We never want to share information with them because we want to keep our stories to ourselves. And this is just a different way of operating. This seeing other journalists as partners.

LAURENT RICHARD:

We are really one group. One group with one goal: publish all those complex stories that—

We worked with more than 80 journalists. And we set a publication date of July 2021. That gave us about a year to investigate the list.

The main task for us and for all the partners was to identify the names behind the phone numbers. That was crucial. With phone numbers only, we can do nothing.

The data is the beginning of the project. We need to find sources. We need to go on the field. This project is about who is spying on who in many countries, and those countries, most of them are very dangerous.

PAUL LEWIS:

We had a kaleidoscope of potential victims. We have the data, but how do we prove that Pegasus was on the phones? And that was always going to be the hardest thing about this project, which was we had data, which is a very good indication of who the persons of interest were to these government clients of NSO, but we couldn’t know whether a phone had been hacked unless we conducted forensics on it.

BERLIN

SANDRINE RIGAUD:

Claudio Guarnieri is the head of Amnesty International Security Lab. He worked on creating a methodology, a platform that we could use during our investigation to have phones analyzed. He’s a key element of that investigation. Without his expertise, nobody in our team would have been able to detect traces of Pegasus in a phone.

CLAUDIO GUARNIERI, Amnesty International Security Lab:

It’s a piece of code that looks very similarly to all the others that you have running on your phone. It’s just designed to do something that it shouldn’t. Pegasus accesses the files on the device, accesses the records on the device, being from WhatsApp, being from the SMS database that you have on the phone, or access the GPS of the device, record the audio, access the webcam, these kinds of things.

Apple and companies like it try to create as many layers of complication as possible for an attacker.

But the unfortunate reality is that against capabilities like those that Pegasus customers have, there’s not much you can do from a digital security perspective. You can’t really stop them meaningfully. You can only try to make it more complicated.

LAURENT RICHARD:

At some point we discover a very crucial information, an information that change entirely the project.

For years we heard rumors about the Pegasus spyware might have been used against Jamal Khashoggi, who was killed in 2018 in the consulate of the Saudis in Istanbul.

WASHINGTON, D.C.

DANA PRIEST:

The minute we found out about this list, the first thing we all did was to check for any numbers related to Jamal Khashoggi or anyone we knew who was associated with him. And right away, we found two numbers associated with the two women closest to him in his life.

Jamal Khashoggi’s murder really in the history of the Post stands out. He was an opinion writer for The Washington Post. Very gentle, soft-spoken man. His voice became very important because he was the single most important dissident writing about the Saudi regime.

MEDHI HASSAN:

Jamal, let me start with you. You’ve compared your crown prince to Putin, to Iran’s supreme leader. You’ve said he’s creating, quote, “an interesting form of dictatorship.” How so?

JAMAL KHASHOGGI:

I still see him as a reformer, but he is gathering all power within his hand.

MOHAMMED BIN SALMAN

CROWN PRINCE OF SAUDI ARABIA

JAMAL KHASHOGGI:

As we speak today there are Saudi intellectuals and journalists jailed.

DANA PRIEST:

His murder was so cold-blooded. And we still don’t have the whole story. Jamal went to the consulate in Istanbul, and then he disappeared.

MALE NEWSREADER:

Senior Turkish officials have reported that he is in fact in the building and he is still here. His close friends and family are still trying to figure out what the situation is. They’re waiting on an official statement. I spoke to his fiancee who was also here, who told us that they came here to issue a number of documents so they could marry.

DANA PRIEST:

They dispatched an assassination team that landed in a plane in the airport and came in cars with tools to hack him up, to hack his bones and carry him out in a suitcase or suitcases.

Pretty soon after his murder, people started asking, “Was Pegasus used against Jamal?”

CBS 60 MINUTES

March 24, 2019

LESLEY STAHL:

The word is that you sold Pegasus to them and then they turned it around to get Khashoggi.

SHALEV HULIO:

Khashoggi’s murder is horrible. Really horrible. And therefore when I first heard there are accusations that our technology had been used on Jamal Khashoggi or on his relatives, I started an immediate check about it. And I can tell you very clear, we had nothing to do with this horrible murder.

ISTANBUL

DANA PRIEST:

I’m hoping that Hatice, Khashoggi’s fiancee, who we’d all gotten to know on television because she was outside the consulate when he didn’t reappear, I’m hoping that Hatice will let us do forensics on her phone to see for certain whether she was targeted and maybe, if we get lucky, whether we can see what they took out of her phone.

HATICE CENGIZ:

They killed my future. They killed my life. I felt inside me something changed and broke.

DANA PRIEST:

Do you feel like your phone is doing anything strange? Do you think it could be hacked? We can test it. So we could do that, if you wanted to do it?

HATICE CENGIZ:

OK, you can do that.

DANA PRIEST:

OK, that’d be great. We just need to plug your phone into our computer.

HATICE CENGIZ:

OK.

DANA PRIEST:

So maybe we do that. Great.

CLAUDIO GUARNIERI [on phone]:

Hello?

DANA PRIEST:

Claudio?

CLAUDIO GUARNIERI [on phone]:

Hi.

DANA PRIEST:

It’s Dana.

CLAUDIO GUARNIERI [on phone]:

Hi, how are you?

DANA PRIEST:

I don’t know, you tell me.

CLAUDIO GUARNIERI [on phone]:

So I checked both the uploads. The new one seems clean. The old one, however, has some traces. On the 6th of October of 2018 seems to have been a first compromise, which was followed by some additional traces on the 9th, and then on the 12th. There’s also an additional record in June of 2019, but that seems to be probably a failed attempt, and I don’t see anything following that.

DANA PRIEST:

OK.

The analysis proved that the phone belonging to Jamal Khashoggi’s fiancee had been infected with Pegasus. Then we find out the date, which is four days after his murder, when she’s still trying to figure out what’s happening. And it just seemed like such a ballsy move to surveil the person who has become the public face of his disappearance.

WASHINGTON, D.C.

DANA PRIEST:

We learned that Jamal had a complicated personal life. Hanan Elatr is probably the least known character in Jamal Khashoggi’s life. She’s actually his wife. And most people have not heard of her.

He had secretly married in the United States in an Islamic ceremony.

What I discovered is Hanan is living in hiding in the United States while she waits for her political asylum case. She was a flight attendant for Emirates airlines, and so she flew all over the world and she was communicating with him on foreign phones.

HANAN ELATR:

He was so happy, and I was so happy as well. This is his birthday in a restaurant in Washington and his friend Maggie behind us, the one she made the birthday party. There’s all of his friends around us, this last birthday in his life.

He was careful, but he didn’t realize maybe my device is much dangerous, and I didn’t know as well. He suspect, but he’s not sure, and I am not sure as well.

DANA PRIEST:

She allowed me to download her phone to send a copy to Claudio and to Bill Marczak at Citizen Lab, who also conducts forensic analysis.

BILL MARCZAK, Citizen Lab:

What I did is I analyzed all the available data on two Android phones and one laptop belonging to Hanan. On one of the phones, it appears that there were two separate links to the Pegasus spyware that were actually opened. That shows that she was—

DANA PRIEST:

Before Jamal’s murder, Hanan had been detained and interrogated in the United Arab Emirates, which is, of course, a close ally of Saudi Arabia.

HANAN ELATR:

They took me to an office in the airport. Then they took me to my house. They searched the whole house. They took my devices, my family devices. They have the password. I was in investigation for 17 hours, until I got tired. I slept on a floor.

DANA PRIEST:

What Bill discovered was when she was detained at the UAE airport, somebody who took her phone then opened a browser on her phone and then typed in a URL that then directed the phone to a website known to Citizen Lab as being a Pegasus website that activates the infection.

BILL MARCZAK:

The link to Pegasus was actually typed into the web browser, character by character. They made a couple typos, actually, while they were doing it, which tells me it was done manually.

We have the smoking gun from Hanan’s phone, which is the traces of the spyware. Almost certainly the spyware was installed and exfiltrated information from her phone. So she was, in my view, monitored.

HANAN ELATR:

He was telling me what he’s doing and what his connection, what he’s moving, what is his state of mind.

DANA PRIEST:

So you were communicating with him.

HANAN ELATR:

A lot. They tracked my husband through me, a long time back, before they kill him, because he was telling me—only me—everything.

I didn’t know this much detail came through me all the time. Why is this all coming in my life? They did track Jamal and to kill him through me, long time back.

Saudi Arabia has said claims that it used spyware are “baseless.”

The United Arab Emirates denied it was involved in surveillance of Hanan Elatr.

In response to our reporting, NSO said, “Our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information.”

LAURENT RICHARD:

Getting evidence on the device of Hanan, on the device of Hatice, all of that was breaking the narrative of the CEO of NSO Group, who told to the press that that spyware were never used against the Jamal or the relatives of Jamal.

MEXICO CITY

LAURENT RICHARD:

In the list, we saw more than 15,000 Mexican numbers. Mexico was among the very first customers of NSO Group. One of Mexico’s best-known journalists is Carmen Aristegui, and she was part of our investigation. She has maybe more followers than the president of Mexico. And we needed to understand who those phone numbers in Mexico belongs to.

ARTHUR BOUVART [on phone]:

[Speaking Spanish] Hi, Carmen, this is Arthur from Forbidden Stories. How are you?

CARMEN ARISTEGUI, Aristegui Noticias/CNN:

[Speaking Spanish] How are you? What a pleasure.

Forbidden had this mass of more than 50,000 numbers, but you had to know who they belonged to. They had to be investigated one by one.

ARTHUR BOUVART [on phone]:

[Speaking Spanish] Carmen, we found a lot of contacts from your directory on our list.

CARMEN ARISTEGUI:

Oh. OK.

ARTHUR BOUVART [on phone]:

[Speaking Spanish] Could you now enter these numbers into your phone to tell me who they belong to?

CARMEN ARISTEGUI:

[Speaking Spanish] Just give me a second.

I have a directory of journalists that’s pretty extensive. We cross-referenced that with the numbers on the Forbidden list.

The third is Sandra Nogales, who for many years was my assistant. Oh, my goodness! I have a surprise. The seventh number belongs to Karina Maciel. She is the producer of my show on CNN in Mexico. Another journalist colleague, from Proceso magazine, Alejandro Caballero.

From there, so many names came up. We thought, “But how far will this go?”

Oh, my God, Alejandro Encinas! He is a very important left-wing politician.

There were politicians, diplomats, lawyers, journalists, activists, human rights defenders.

[Laughs] Well, here is my sister’s number. That’s right, my sister, Teresa Aristegui Flores. My sister is not linked to any public activity.

I have the impression that no one is spared. They could have spied on their cat, their dog, their canary. [Laughs] Even their family.

LAURENT RICHARD:

We knew from a previous investigation that Carmen’s phone was heavily targeted with Pegasus in 2015 and 2016. So from that date, she is still investigating NSO Group, the Pegasus spyware, all the agents and operators who are using that in Mexico.

CARMEN ARISTEGUI:

[Speaking Spanish] During the years I was spied on we were conducting journalistic investigations in Mexico related to the so-called “White House” of President Enrique Peña Nieto.

ENRIQUE PEÑA NIETO

PRESIDENT OF MEXICO 2012-2018

CARMEN ARISTEGUI:

[Speaking Spanish] A house in a very luxurious area of Mexico City that the president of Mexico, Enrique Peña Nieto, and his family owned and that they could not justify the costs of. The president could not have bought it with his income as president or as governor, or as the son of a middle-class family.

The first time I suspected that my phone was being tapped as well as my son Emilio’s was when he, a minor, asked me, “Hey, Mom, do you know why I’m getting these strange messages?” I told him it was the same for me.

It told you to click for more information about problems with your visa to the United States.

EMILIO ARISTEGUI:

[Speaking Spanish] What could be wrong with my visa?

CARMEN ARISTEGUI:

[Speaking Spanish] It’s impossible not to click.

EMILIO ARISTEGUI:

[Speaking Spanish] I was looking at my visa and I was saying that it is valid. Outside of the validity period, what problem could it have? It’s impossible to avoid it.

CARMEN ARISTEGUI:

[Speaking Spanish] To click on it.

We know that Pegasus was sold to the attorney general’s office. Pegasus was sold to the army. Pegasus was sold to CISEN, the intelligence system. Pegasus was sold to public agencies.

Actor’s voice

DISTORTED VOICE:

[Speaking Spanish] I can’t give you my name, nor can I tell you which agencies I worked for. It would be dangerous for me to be recognized and make it known that I have, or have had, access to certain information.

The Pegasus system was new to us. The procedure was to have the target number do what was called social engineering, which is searching for information from open sources about the target in order to construct text messages that could be sent to the mobile device. You had to make one or two very precise attempts using information that was useful to the target so that they would want to click on the link.

If we succeeded in getting them to click on the message, that automatically installed the software on the mobile device and from then on, we could access all the information on the phone.

The results were incredible because once we managed to infect a target, we had full access to the mobile device.

Pegasus interface simulation

DISTORTED VOICE:

[Speaking Spanish] On a black screen, at the top left, we had the main display. On the right side and at the bottom were tabs where you had each of the applications from which information was extracted. For example, we had the icons for WhatsApp, Telegram. At the bottom we had the microphone, the cameras, the geolocation and depending on what we were interested in, we would click on it and it would appear on the main screen.

After infection, we can see even deleted information, whether that was photos or conversations, we could always have access to them.

CARMEN ARISTEGUI:

[Speaking Spanish] When you start to understand what Pegasus is, you pass out! You are naked in front of a power that you do not know who holds. You are vulnerable to someone who is watching you under a magnifying glass. They can be with you in the office, in the shower, in the kitchen with a friend or talking with a source. All the time.

Former President Enrique Peña Nieto has denied that his administration used Pegasus to spy on journalists.

He insists his family’s purchase of Casa Blanca was “fully legal.”

In response to our questions about Pegasus in Mexico, NSO said it would not confirm or deny which governments are its customers.

PARIS

LAURENT RICHARD:

All the time during this investigation, we tried every day to identify the person behind that phone number. This is what all the partners in Forbidden’s team were doing most of the time.

AUDREY TRAVÈRE, Forbidden Stories:

Basically the consortium had access to a list of potential targets.

Voice of dissident

DISTORTED VOICE [on phone]:

And they included my number?

AUDREY TRAVÈRE:

Exactly. To be sure that you was indeed infected or surveilled, we would have to run forensic analysis.

DISTORTED VOICE [on phone]:

When I hear this from you I was a little bit not sure to talk. And I don’t know if my giving a call to you it will help me. I don’t know, because I don’t trust the governments anymore. So I do not want to put myself or my family under risk. I hardly reach that stage. I realize—sorry. I realized this country cannot be trust. If you will ask me, I am very angry.

AUDREY TRAVÈRE:

Of course. Of course.

LAURENT RICHARD:

I saw one number in the list that belonged to a friend, a journalist in Azerbaijan.

MALE NEWSREADER:

Her name is Khadija Ismayilova. She’s an award-winning investigative reporter and an outspoken critic of the government, renowned for her exposés of corruption at the hands of the country’s president.

ILHAM ALIYEV

PRESIDENT OF AZERBAIJAN

LAURENT RICHARD:

Azerbaijan, you have a lot of oil and gas. It’s a dictatorship, and the dictator’s name is Ilham Aliyev. And this person and this state is extremely violent against dissidents, political opponents, journalists.

PAUL RADU, Organized Crime and Corruption Reporting Project:

I first met Khadija Ismayilova in Azerbaijan in about 2006, 2007. Khadjia Ismayilova relentlessly kept on exposing the wrongdoing and the corruption of the Aliyev regime. She showed how they were having their hands into a big chunk of the Azerbaijani economy. She was showing how they were taking money in a covert way, how they were stealing money, basically, from the people.

KHADIJA ISMAYILOVA:

[Speaking Azerbaijani] Don’t forget how you are treating those who defend your rights. Remember everything!

PAUL RADU:

And she kept on doing what she was doing, and she got arrested. She got thrown behind bars. After all this investigative reporting Khadija became a prime target for the government in Baku and for the Aliyevs.

LAURENT RICHARD:

I don’t know how to proceed with Khadija because I don’t want us to put Khadija in danger. The thing that is quite difficult is how to get in touch with Khadija without communicating on electronic device.

PAUL RADU [on video call]:

This is very sensitive, right? This is very, very sensitive, especially for her, because she’s basically on probation. That’s going to be a risk anyway.

LAURENT RICHARD:

We learned that Khadija was about to go to Turkey for some personal reasons, and so we set up immediately a team who went to Turkey to meet Khadija once she landed in the airport.

ANKARA

PAUL RADU:

Now I’m nervous. [Laughs]

MIRANDA PATRUCIC, Organized Crime and Corruption Reporting Project:

I’m nervous, too. I cannot stand still.

PAUL RADU:

There she is.

MIRANDA PATRUCIC:

Khadija!

KHADIJA ISMAYILOVA:

It’s been so many years!

We can take it off, right?

MIRANDA PATRUCIC:

So we have about 1,000 numbers from Azerbaijan, and you are among them.

KHADIJA ISMAYILOVA:

Oh!

MIRANDA PATRUCIC:

And then we also have some people who are your friends.

KHADIJA ISMAYILOVA:

And what does that program do?

MIRANDA PATRUCIC:

So what the program does is it basically, without you knowing, it installs things on your phone and then it allows—

KHADIJA ISMAYILOVA:

Even if I didn’t click on anything?

MIRANDA PATRUCIC:

Yes, so the secrecy of this, it’s called Pegasus, and the secrecy of it is that you don’t actually see or you don’t do anything. So before, you had to click on something to be infected.

KHADIJA ISMAYILOVA:

Yeah.

MIRANDA PATRUCIC:

In this case, it all happens in the background and you have no idea that you are infected. And when you’re infected it’s transmitting your messages, your images, everything that’s happening on your phone, including on Signal, because they have the phone itself.

KHADIJA ISMAYILOVA:

And it’s legal to sell it?

MIRANDA PATRUCIC:

Yes. So what we know is that most likely, sometimes in 2018, the government got it.

KHADIJA ISMAYILOVA:

OK.

MIRANDA PATRUCIC:

And we have a lot of data from 2019. And you know that was a big year of protest. You were on a hunger strike with other people. You guys had a woman march. You were leading the march.

KHADIJA ISMAYILOVA:

S—. [Laughs]

PAUL RADU:

It’s kind of the most in the country.

MIRANDA PATRUCIC:

So one way for us to verify that, what exactly was done in your case, would be to do forensic on your phone.

KHADIJA ISMAYILOVA:

Yes, why not.

Is there any way to avoid this surveillance?

MIRANDA PATRUCIC:

Yes, we will set you up with a new device that you will be able to use.

MALE VOICE:

But I mean, on a phone there will always be some way to do it. But there are other ways to communicate.

KHADIJA ISMAYILOVA:

It’s like—it makes you to want to live in the bubble, but then—so no one can enter. Some sort of—but then, living inside the condom, but then you cannot reproduce.

BERLIN

MIRANDA PATRUCIC:

This is her phone. You don’t need any cables?

CLAUDIO GUARNIERI:

No. Do you know if she still has a backup of the phone?

MIRANDA PATRUCIC:

Yes, she does. Yes, she does.

CLAUDIO GUARNIERI:

Well, right now I’m trying to jailbreak the phone. Hopefully it works.

So right now I am navigating through the phone. So I’m looking for things that might have executed, network activity that is connectable to the company, any leftovers of malicious executions, accounts that we know of. Anything essentially that tells me the history of this phone.

That’s interesting. That’s not something I’ve seen before. We see processes that we know are connected to Pegasus. We see some iMessage accounts that are connected to the attacks. Because this might indicate what was the entry point. Oh, was Apple Music—what the f—?

MIRANDA PATRUCIC:

Oh, really?

CLAUDIO GUARNIERI:

That’s weird.

MIRANDA PATRUCIC:

So they might have started using Apple Music to exploit it?

CLAUDIO GUARNIERI:

I have to do some more digging on this because I need to look at what specifically these applications are. She’s definitely among the ones most targeted.

It’s important to rectify this story, which is that these technologies are exclusively used for good purposes and for fighting evil and for fighting crime and terrorism and all that.

ANKARA

FEMALE VOICE:

OK, so now Khadija is coming. [Laughs]

KHADIJA ISMAYILOVA:

Hi, Claudio.

CLAUDIO GUARNIERI [on phone]:

Hi.

KHADIJA ISMAYILOVA:

So now tell me how bad it is.

CLAUDIO GUARNIERI [on phone]:

There are definitely some records that indicate various points where the phone seemed to have been compromised.

[Interview] So I started feeling like a plague doctor in the 1300s. I’m basically kind of just keeping the death count. I’m contributing to creating a trauma here, and I can see it in many cases. I can see that they are—right now, they’re going through a traumatic moment and I’m that person in the room that is breaking it.

[On phone] There are also some more recent records, from even as recent as early May of this year, so until a couple of weeks ago. But all in all, it seems like this probably extended between 2019 and 2020. 2020 at the very least.

KHADIJA ISMAYILOVA:

I’ve been told that you will not know what exactly had been monitored or recorded.

CLAUDIO GUARNIERI:

Yeah. With this kind of monitoring technology, the point where they have that level of access to the device, virtually everything is possible, so—

FEMALE VOICE:

Yeah, thank you. Have a good day. Bye-bye.

KHADIJA ISMAYILOVA:

Bye.

MALE SPEAKER:

That’s not great news.

KHADIJA ISMAYILOVA:

All night I’ve been thinking about what did I do with my phone. And I feel guilty. I feel guilty for the messages I’ve sent. I feel guilty for the information sources, who send me, thinking that some encrypted messaging ways are secure. They did it and they didn’t know that my phone was infected. My family members are also victimized. The sources are victimized. Everyone. People I’ve been working with, people who told me their private secrets are victimized. Everyone. It’s not just me. I put so many people in danger. And I’m angry. Again, I’m angry. I’m angry with the government, I’m angry with the companies that produce all these tools and sell it to the bad guys like Aliyev’s regime. It’s really—it’s despicable. It’s heinous.

Azerbaijan has publicly called the Pegasus allegations a “baseless fabrication.”

NSO did not respond to specific questions about Azerbaijan and Pegasus.

LAURENT RICHARD:

Khadija is not a terrorist. Khadija is not a criminal. She’s a journalist that is taking a lot of risk to write some stories to make sure people will get access to independent information. So that was one more evidence of the global misuse of that spyware.

PAUL LEWIS:

Powerful governments manage to retain their power by seeing off threats from people who are campaigning for democracy or holding them to account, telling the truth. And here is a company that gave them a tool to do that.

LAURENT RICHARD:

It’s a military weapon used against civilians, and the civilians, they don’t have any mechanism to help them in seeking justice, any mechanism to find some traces, any mechanisms to know that at least they are the target.

DANA PRIEST:

You got a real sense that it was a free-for-all. There is no control over how countries use it, and they have been using it in the worst way you could imagine.

LAURENT RICHARD:

Even after months of investigating, we kept discovering new things: New names from the list. Politicians. Heads of state. Even a princess.

LATIFA AL-MAKTOUM:

Hello, my name is Latifa al-Maktoum. And I’m making this video because it could be the last video I make. Yeah. [Sighs]

Part Two

PAUL LEWIS, The Guardian:

When you have your hands on a technology like this, the power must be quite intoxicating. You can get into the phone of most people in the world and no one’s looking over your shoulder.

LAURENT RICHARD, Forbidden Stories:

[Speaking French] Let’s have a briefing.

In 2020, the journalism non-profit Forbidden Stories and Amnesty International got access to a leaked list of over 50,000 phone numbers.

LAURENT RICHARD:

[Speaking French] The database is really explosive.

They suspected the leaked list contained numbers selected for potential surveillance with powerful spyware sold to governments by Israeli company NSO Group.

The spyware is called Pegasus.

OVERLAPPING VOICES:

Pegasus. Pegasus. Pegasus. Pegasus. Pegasus.

LAURENT RICHARD:

It’s like a person over your shoulder, a person who will see what you are seeing, a person who would watch what you are watching—your emails, your encrypted communication. Everything. So once you are infected, you’re trapped.

This is the continuing story of the investigation, jointly conducted by 17 media organizations …

DANA PRIEST, The Washington Post:

It was against so many people in civil society who clearly were not terrorists or criminals. And you got a real sense that it was a free-for-all.

… and the fallout from the revelations.

MALE NEWSREADER:

[Speaking Spanish] According to an investigation by The Washington Post, The Guardian, Le Monde and other media—

FEMALE NEWSREADER:

A joint investigation by 17 news outlets and Forbidden Stories—

MALE NEWSREADER:

Activists, lawyers and journalists are reportedly among those who’ve been targeted by the phone spyware—

MALE NEWSREADER:

—phone numbers belonging to some big-name politicians.

FEMALE NEWSREADER:

[Speaking Chinese] —heads of state, members of royal families, governments, some journalists—

MALE NEWSREADER:

NSO says they sell the software to governments for legitimate purposes, fighting terrorism or violating local laws.

SEN. RON WYDEN, (D) Oregon:

You have here a go-to spy service for tyrants.

Paris

Five months before publication

Forbidden Stories office

SANDRINE RIGAUD, Forbidden Stories:

When we started analyzing the list we saw a lot of French numbers, more than 1,000, potentially targeted by Morocco. There were journalists, lawyers, activists, but not only. We also saw members of the French government and the president, Macron himself.

Emmanuel Macron

President of France

SANDRINE RIGAUD:

We immediately realized that this story would be huge.

[Speaking French] Maybe I can explain. These are the phone numbers. This is in the database.

DAMIEN LELOUP, Le Monde:

Edouard Philippe.

MARTIN UNTERSINGER, Le Monde:

[Speaking French] Ah, Gérard Darmanin, ah, Le Drian. Annick Girardin, too. It’s crazy. It’s sick. [Laughs] The question is going to be, “Who have they missed?”

SANDRINE RIGAUD:

We knew politicians were on the list, and to prove that they had actually been infected with Pegasus we needed their phones. But politicians wouldn’t hand you their phone that easily, specifically if you’re an investigative journalist.

Le Monde newspaper HQ

DAMIEN LELOUP:

[Speaking French] I understand completely if you don’t want to do it. That’s your right.

I think he’s going to say no.

It turns out that among the people on the list, there is a former minister who is no longer in government and therefore has a form of freedom a little greater than someone who is still in power. It’s François de Rugy.

François de Rugy

Government minister, 2018-19

DAMIEN LELOUP:

[Speaking French] So we contacted François de Rugy, explaining to him that we wanted to talk about something extremely confidential.

You are not the only minister involved. There are 14 in all.

To his credit, he finally agreed. We met again to carry out the technical analysis of his phone, which allowed us to confirm that indeed he had been targeted and that he had been targeted by the client that we had identified as being the Kingdom of Morocco.

He didn’t seem surprised when I told him about the country.

MARTIN UNTERSINGER:

[Speaking French] Really?

DAMIEN LELOUP:

[Speaking French] He told me that he had met the king. That’s the best way to get on the radar of these people.

The phone number assigned to Emmanuel Macron—The first step was to check if he was still using that number at the time he was targeted. The easiest way to verify if he’s still using it was to write to him. We’re going to send a text to Emmanuel Macron.

MARTIN UNTERSINGER:

[Speaking French] “Mr. President of the Republic—”

MALE REPORTER:

[Speaking French] “We are publishing an international investigation on cyber surveillance, which you, yourself have been the target of.”

FEMALE REPORTER:

[Speaking French] “Of which you, yourself have been the target.” It’s clearer, let’s be clear. Besides, that’s what you’re going to tell him. Of which you were the target.

MARTIN UNTERSINGER:

[Speaking French] It’s sent.

DAMIEN LELOUP:

[Speaking French] Emmanuel Macron does not respond directly to this text. But one or two hours after sending the text, the Elysée Palace called us back about the text that was sent to him. So he did receive it. The phone is still active.

MARTIN UNTERSINGER:

[Speaking French] Well, we’re going to the Elysée Palace now.

DAMIEN LELOUP:

[Speaking French] A few hours after sending the text to Emmanuel Macron, we received an invitation to the Elysée Palace to discuss what we had found.

MARTIN UNTERSINGER [on phone]:

[Speaking French] Our meeting this morning, the impression it gave us all was really one of panic. Not panic like, “Oh, my God, it’s horrible, what could have happened?” But rather, “Oh, my God, all the potential implications of this case on all fronts—judicial, diplomatic, security.” That’s it, and that they’re basically locking down communication.

DAMIEN LELOUP:

[Speaking French] Quite quickly, state experts will confirm that there were indeed attempts at infection or infections in some cases on the phones of some ministers and on the phones of a number of very senior French officials. But the results of the analysis of the president’s telephone are classified as top secret and will probably never be made available.

LAURENT RICHARD:

We don’t know exactly who in Morocco was using Pegasus. There were Moroccan dissidents on the list, even the king of Morocco himself was on the list. But we do know that NSO only sells to governments and government agencies.

We were reaching out to another dimension of the project. We were at this stage entering a space, a dangerous space, where we were talking about a country, a state, attacking another one.

The government of Morocco says it’s not a client of NSO Group and denies using Pegasus to spy on French politicians.

NSO declined to be interviewed for this project, but denied that President Macron and other French officials were ever Pegasus targets.

The company said its technology has prevented terrorism and serious crime and it investigates all credible claims of misuse.

London

PAUL LEWIS:

Each time you look at how a client of NSO Group used the technology, it tells you something about that government. In the UAE, Sheikh Mohammed bin Rashid al-Maktoum is prime minister, vice president and, of course, the ruler of Dubai. Here is an autocratic leader. Massively powerful.

Mohammed bin Rashid al-Maktoum

Prime Minister of United Arab Emirates

PAUL LEWIS:

Princess Latifa is the daughter of Sheikh Mohammed. She had for a long time been, by her account, unhappy about her life in Dubai. She had been incarcerated, effectively, by her father’s regime.

LATIFA AL-MAKTOUM [on video]:

I’m making this video because it could be the last video I make. Yeah. This video can help me because all my father cares about is his reputation. He will kill people to protect his own reputation. He only cares about himself and his ego.

PAUL LEWIS:

Princess Latifa concocted this extraordinary attempt at an escape that involved jet skis, a yacht and a trip to the Indian Ocean. I mean, it’s an audacious thing to do, incredible even that she attempted it. I think remarkable that it nearly succeeded.

The day after Princess Latifa went missing from Dubai we saw her number entered into the list. And in the days after that, as she was traveling toward India on this yacht, her friends, people she knew, people within her orbit, their phone numbers also appeared on the list. If you look at the dates and times that her number and those of people close to her were entered into the system, you have something that has to be more than a coincidence.

Eight days after her escape Indian special forces boarded the yacht and then the princess was forcibly returned to Dubai.

We don’t know exactly why the attempted escape didn’t succeed, but NSO’s technology was, it seems, from the evidence we’ve seen, one of the tools that was being used by the state in a desperate attempt to find Princess Latifa, kidnap her and return her back to Dubai.

We tried hard to get hold of a phone that Latifa had used, but we couldn’t. So we contacted her friends and her associates to ask if we could check their phones to see if they had been targeted with Pegasus.

Given how much David Haigh was working on the Latifa case, it wasn’t a surprise when we discovered that there was Pegasus activity on his phone.

Cornwall

United Kingdom

DAVID HAIGH:

I was infected on 3rd of August 2020 with Pegasus, I believe at 3 a.m. in the morning, and the next day as well. The fact that you can be hacked on British soil and that they can do that, it’s frightening. It really is.

My name is David Haigh from Detained International. We founded the campaign to free the Dubai princess, Princess Latifa, in 2018.

PAUL LEWIS:

David Haigh was actually imprisoned in Dubai for alleged fraud, and it was after his release that he became a human rights campaigner. Princess Latifa began to message him after her failed attempt at escape.

DAVID HAIGH:

This is a picture that Latifa drew of the jail villa, Villa 96 in Jumeirah, Dubai, near the Burj Al Arab. And you can see here, “beach this direction,” where she was held captive.

LATIFA AL-MAKTOUM [on video]:

This villa has been converted into a jail. All the windows are barred shut. I can’t open any window. There’s five policemen outside and two policewomen inside the house. I don’t know what can happen to me and how long this will last and if they decide to release me how my life will be. But I’m not safe at all.

DAVID HAIGH:

That week before I was hacked, our secret contact with Latifa had stopped suddenly. The several hours became a day, and then two days, and then we start to worry because that was not normal. We had recorded a lot of videos and a lot of evidence Latifa had that could be used to tell the world about her predicament, the fact that she’s been held hostage.

At the time I was hacked, we were in London with the videos that Latifa recorded, the evidence, to meet media to decide if we were going to use it at that time or not. It was effectively dynamite evidence on that phone.

The fact that they know your location, that someone could be listening to us now and seeing what we’re doing. And it’s that, sitting in the back of your head every day.

We can’t let NSO and the governments that abuse their system get away with what they’ve done. Because if we do and if nothing happens and people are not brought to justice, people are not put in jail, and people are not taken to court, the next company and the next company and the next company, wherever they may be, will do exactly the same, and it will just carry on but get worse.

Sheikh Maktoum’s lawyers have denied he was involved in any attempted hacks.

NSO did not respond to questions about the use of Pegasus against Princess Latifa and her associates.

Tel Aviv

AMITAI ZIV, Former Haaretz journalist:

[Speaking Hebrew] The main activity of the company is to find the vulnerabilities. You take an iPhone, for example, designed by the best engineers in the world, and you find a method to hack it.

There is a well-established mechanism to recruit soldiers who’ve served in army computer units into civilian high-tech companies. Unit 8200 is very important within the army. It deals with cyberattacks by the Israeli army. If we have to find information on our enemies, they are the ones providing it. These 18-year-olds are trained quickly and thoroughly. Then they put this know-how into practice. It is unique in the whole world.

Actor’s voice

FORMER 8200 MEMBER:

Israel has this advantage of not only developing new technologies and weaponry, but testing it live. And this is something Israel knows it can use to sell outside.

When you want to control a huge population like we do with Palestinians, you have to have assets everywhere. So everyone can be a target because you don’t want only the terrorist from Hamas, but also maybe his neighbor or his cousin or the person who sells milk on the corner of the street. If you want to recruit human agents, you need to collect their weaknesses, things that you can use to blackmail. And so part of what 8200 does is to collect this blackmail potential information about everybody. If you’re gay, or if you have a special medical condition, or you have financial problems, or someone from your family has one of those, then that’s something we can use against you to blackmail you and get you to cooperate.

DANA PRIEST:

Israeli intelligence has a strategic view of how their employees should be used after they leave their employ. They promote them. They want them to start these companies. And they see a deep communications, a continued relationship between the government and their former employees as valuable to Israel’s national security interest.

PAUL LEWIS:

There’s a lot of evidence to suggest that NSO Group had the direct backing and support of Bibi Netanyahu’s government.

Benjamin Netanyahu

Prime Minister of Israel

PAUL LEWIS:

In order to sell its product to governments around the world it required permits, effectively licenses from the Israeli Defense Ministry.

BENJAMIN NETANYAHU:

I decided several years ago to turn Israel into one of the five cyber powers of the world.

January 2019

BENJAMIN NETANYAHU:

In order for the companies to develop, they need to make—what do they need to make? Money! They need to make money. Now the easiest way to make sure that they don’t make money is one, high taxes, right? What’s the other one? Regulations. Have you ever heard of regulations? We have a problem with regulations. So the policy we have is keep taxes low and keep regulations low. Minimize regulations. There is no industry more susceptible and more inviting of regulations than cybersecurity. It’s like weapons. It is a weapon.

AMITAI ZIV:

[Speaking Hebrew] The use of weapons as an instrument of diplomatic negotiation is not new in Israel. There is even an expression for this, “Uzi diplomacy.”

We found a correlation between Netanyahu’s visits to certain countries or foreign leaders’ visits to Israel and the first day of implementation of the NSO system in the countries in question. Sometimes the implementation preceded the visit, sometimes the opposite. But the correlation can’t be ignored.

One example: Hungary. Under right-wing populist Prime Minister Viktor Orban, the country has become one of Israel’s strongest allies in the EU.

[Speaking English] The timeline for Hungary is that the visit was in July 2017 and the operation of Hungary we know almost the exact date by the database of Forbidden Stories is February 2018, so, similarities.

[Speaking Hebrew] There are numbers on the leaked list from Morocco, Bahrain, from UAE, from Saudi Arabia. Israel wanted a rapprochement with them, an improvement in relations. We do not have any photo of Netanyahu in Saudi Arabia since it is not yet official.

Israel understood the value of NSO technology, of Pegasus, for countries whose intelligence services are weak and which do not have good technological capabilities. Israel uses Pegasus as a diplomatic currency. It provides it to the countries from which it wants to obtain something. This allows diplomatic rapprochement, progress in negotiations.

This is my small contribution to Pegasus Project.

A spokesperson for Benjamin Netanyahu denied that he offered Pegasus spyware to foreign leaders for diplomatic purposes.

NSO Group said that the company is not a “tool of Israeli diplomacy,” is not a “backdoor for Israeli intelligence” and “does not take direction from any government leader.”

Mexico City

SANDRINE RIGAUD:

Going through all the numbers on the list was a huge job. More than 15,000 of the numbers were in Mexico. And one of those numbers belonged to a journalist who was murdered just weeks after he was put on the list.

Was Pegasus used in that case to spy on a journalist or to geolocate him?

Voice of Arthur Bouvart

Forbidden Stories journalist

ARTHUR BOUVART [on phone]:

[Speaking Spanish] You know that Cecilio Pineda is also on the list?

CARMEN ARISTEGUI, Aristegui Noticias / CNN:

[Speaking Spanish] The one who was murdered?

ARTHUR BOUVART [on phone]:

[Speaking Spanish] Yeah, he’s on the list.

CARMEN ARISTEGUI:

[Speaking Spanish] That’s crazy.

State of Guerrero

Mexico

CARMEN ARISTEGUI:

[Speaking Spanish] In Mexico, the way in which Pegasus was used is a very serious matter. I want to bring up the case of Cecilio Pineda. The Pegasus Project showed that his phone was entered days or weeks before the murder was committed.

The state of Guerrero is one of the entities most impacted by organized crime. There are places where the state literally no longer has control. The authorities are actually mixed-up with organized crime and there is drug trafficking. There is a variety of criminal activity.

MALE NEWSREADER:

[Speaking Spanish] According to the police report, several gunmen entered a car wash where the journalist Cecilio Pineda was waiting for his van and shot him.

ISRAEL FLORES, Journalist and Pineda’s friend:

[Speaking Spanish] I am not surprised that Cecilio Pineda was on this list because he was investigating very sensitive issues.

CECILIO PINEDA [on video]:

[Speaking Spanish] We are tired of violence. No one is safe. In this region, we are alone. The authorities here do not support the people. Here you have to defend yourself with your own fingernails.

March 2, 2017

CECILIO PINEDA [on video]:

[Speaking Spanish] Hello, friends of Tierra Caliente. I have just returned from two municipalities in the region and this is the situation.

ISRAEL FLORES:

[Speaking Spanish] Cecilio had made a video. He was driving and wanted to give a preview of what he would present later. He said that a few hours later he was going to show a video about the relationship between the state government and the Tequileros gang. After that, he did not present anything. He was murdered.

MARISOL TOLEDO, Cecilio Pineda’s widow:

[Speaking Spanish] That day—When we arrived at the clinic, I wanted to go and see him. A lady told me that he was being looked after. So I thought he was going to be fine. Three minutes later, the doctor came out and said that he had passed away. That was the only time in my life that I fainted. When I came to, I was told again that he was dead and that he was almost dead when he arrived.

SANDRINE RIGAUD:

You can only prove infection if you do forensics on the phone and find traces of Pegasus. But in many cases, the phone was not findable. That was the case of Cecilio Pineda.

CARMEN ARISTEGUI:

[Speaking Spanish] It can’t be said for certain that what was obtained from the possible espionage was what provoked the murder. But we can’t be naive either.

Lawyers for NSO did not comment on whether Cecilio Pineda’s phone was targeted, but said that even if it was, “that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month.”

The Guerrero state government did not respond to questions about the killing.

Forbidden Stories office

LAURENT RICHARD:

We were able to set up a date where we all agreed that will be the day of the publication, in 2021, July 18. We knew that the most dangerous phase was those two weeks before the publication, when you knock on the door of the NSO Group to say, “Hey, we are Forbidden Stories. We are 80 reporters, we investigate your businesses and we have evidence of a global misuse that is threatening democracy.”

[Speaking French] We’re entering the unknown phase, and perhaps there will be a real strategy to discredit everything we’ve done.

[Speaking English] They can blackmail the source. They can hack me, one of the person of the team. They can follow us. They can come into our offices.

SANDRINE RIGAUD:

By now the members of the consortium had managed to do forensics on over 60 phones connected to numbers on the list, and we had forensic proof that at least 37 phones had been targeted or infected with Pegasus.

The more publication day was approaching, the more paranoid we all became. Before publication we already had that habit to switching off the phones or even our computers before having any conversation about the investigation, so most of the day we were living and working without our phones or even our computers. So we had different ways of working. We had other devices we could work on.

LAURENT RICHARD:

[Speaking French] —and we can expect that even our partners will have reservations, because NSO will have approached them or those close to NSO will have approached them to tell them that in fact we got it all wrong.

[Speaking English] I remember that day clicking on the button, sent. I was sending the official request for comment from the 80 reporters, with dozens of questions inside. We were giving a deadline to the NSO Group and to all the state actors, and we were expecting some answers.

Four days before publication

LAURENT RICHARD:

This is Laurent Richard from Forbidden Stories. How are you doing?

NSO GROUP REPRESENTATIVE [on phone]:

Well, I am good.

LAURENT RICHARD:

Yeah, thank you for taking the time to answer. I was just wondering if you are planning to answer our questions.

NSO GROUP REPRESENTATIVE [on phone]:

Yeah, you can see it in your email now. Yeah?

LAURENT RICHARD:

OK, I see it.

NSO GROUP REPRESENTATIVE [on phone]:

Thank you, ciao.

LAURENT RICHARD:

Thank you, bye. OK.

What we got is an email from the NSO Group saying that all you think is wrong. Thank you. Best regards.

[Reading email] “NSO Group firmly denies false claims made in your report, which many of them are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.” [Speaking French] That’s incredible.

SANDRINE RIGAUD:

[Speaking French] Crazy.

LAURENT RICHARD:

But then when I woke up in the next morning, I opened my phone and I saw that NSO had sent letters from lawyers to most of the partners, on all continents, to threaten them and to tell them that if you publish anything, we will sue you.

London

PAUL LEWIS:

It’s a bit tense here, if I’m honest.

MALE REPORTER [on video call]:

Yeah.

PAUL LEWIS:

We’ve had a provisional response from NSO to The Washington Post and we will have the formal— another response from them to us in about 15, 20 minutes, so we’re going to keep this call really quick.

The stakes are really high when you do this kind of reporting. Here was a company valued at over $1 billion. And the NSO Group and its clients, these governments, were not going to put their hands up and confess to this activity. They were fighting it as hard as they possibly could.

All going well. If we’re proceeding with this project, I think the crunch point really is going to be in the next 12 hours.

FEMALE REPORTER [on video call]:

What do you mean in the sense of “if we are proceeding,” Paul?

PAUL LEWIS:

Yeah.

FEMALE REPORTER [on video call]:

Is that in doubt?

PAUL LEWIS:

Well, it’s always—it’s never confirmed until it’s confirmed, right?

July 18, 2021

Publication Day

DAMIEN LELOUP:

Oh, f—. [Reading email] “We can confirm at least [speaking French] three names in your investigation, Emmanuel Macron, King Mohammed VI and Tedros Ghebreyesus, are not and were never targets or selected as targets by clients of NSO Group.”

We have NSO denying by name the president of the republic, Mohammed VI and the WHO guy. I’m on my way to the executive office. [Laughs] See you in a bit.

FEMALE REPORTER:

[Speaking French] In March 2019, while President Macron was closely following the political crisis in Algeria, one of his numbers was logged by a Moroccan service.

CRAIG TIMBERG [on video call]:

So Paul, just to be 100% clear, you guys are ready to hit the button on a version of the story in 42 minutes?

PAUL LEWIS [on video call]:

Of the heads of state story.

CRAIG TIMBERG [on video call]:

Heads of state only.

PAUL LEWIS [on video call]:

We’re not ready now, but in 42 minutes we will be ready. [Laughter]

Here we were simultaneously publishing 17 different media outlets all over the world in several different languages, all at the same time, at the same minute of the same day, after months of investigating.

FEMALE SPEAKER:

[Speaking French] It is 58, we are good!

FEMALE REPORTER, The Guardian:

—an investigation into the NSO Group.

MALE SPEAKER:

And this?

FEMALE REPORTER:

That’s OK. I would just say “and its clients.”

MALE VOICE 1:

[Speaking French] —five, four, three, two, one, zero, fire.

FEMALE VOICE:

[Speaking French] Here we go.

PAUL LEWIS:

And we’ve done it. So the story’s now live.

FEMALE NEWSREADER:

An explosive investigation from The Washington Post and a consortium of media partners—

MALE NEWSREADER:

Activists, lawyers and journalists are reportedly among those—

CARMEN ARISTEGUI:

[Speaking Spanish] The use of Pegasus in the world—

FEMALE REPORTER:

[Speaking French] The Elysée takes it very seriously.

FRANÇOIS DE RUGY:

[Speaking French] Things mustn’t fall back to what they were in a few days.

MALE VOICE:

[Speaking French] Pegasus is used by states to target journalists, politicians and even heads of state.

SEN. RON WYDEN, (D) Oregon:

What can be done to protect our country from commercial spyware, the kind of threat that is now being reported at the top of the news across the nation?

DANA PRIEST:

There had been reporters who’d been doing stories on Pegasus for years. This sort of tipped the scale because it was in so many countries, it was against so many people in civil society who clearly were not terrorists or criminals. And you got a real sense that it was a free-for-all.

We even found out afterwards that the FBI considered using a version of Pegasus that could hack into U.S. phones. But that fell apart and the Biden administration actually blacklisted NSO Group.

They’ve made a bigger deal than I would have expected against not just an Israeli company, but really they’re criticizing the Israeli government for allowing this to happen, because it actually could not happen without the Israeli government’s permission.

RON WYDEN:

You have here a go-to spy service for tyrants. What the executives of these companies and the engineers are hoping for most is to make a whole lot of money and do it in a way where there’s minimal regulation and minimal oversight.

FEMALE NEWSREADER:

A U.S. appeals court is allowing WhatsApp messaging service to move forward with a lawsuit against NSO Group over allegedly targeting—

LAURENT RICHARD:

Silicon Valley has a big role to play. Company like WhatsApp, company like Apple, they are suing NSO. They are the ones with money. They are the ones who promise you safety and security.

WILL CATHCART, Head of WhatsApp:

All we’ve seen NSO Group is deny, deny, deny, and that showed up entirely through the legal process as well.

The way I think about it is tech companies can and should do everything they can to make their software as secure as possible. But at the end of the day, if there’s no consequences for people who try to break that software to commit human rights abuses, then there will always be people trying to do it. It’s just like the only solution to stopping bank robbery is not to have the best technology in banks. Yes, you do that, too. It’s also that bank robbers get caught and have consequences for trying to rob banks. And we need that for the spyware industry.

Brussels

MALE NEWSREADER:

Pegasus spyware is once again back in the spotlight, this time for targeting pro-independence supporters in Spain’s Catalonia.

FEMALE NEWSREADER:

Several members of Poland’s opposition have produced evidence they were hacked by Pegasus software.

MALE NEWSREADER:

This scandal is being dubbed the “Polish Watergate.”

SANDRINE RIGAUD:

In Europe, we were discovering new victims of the spyware and new countries were accused of using Pegasus to spy on their opponents. At the European Parliament, representatives from NSO agreed to answer questions from politicians. It was the first time they’d done this.

HANNAH NEUMANN:

[Speaking German] I am Hannah Neumann, member of the European Parliament. I am vice-chair of the Human Rights Committee. It has been a long road to get to this committee of inquiry. The main challenge will be to know to what extent these players will cooperate with us.

[Speaking English] We know that NSO is now on the market, so maybe they are trying to polish their image. That would be interesting to see.

EU Parliament

Pegasus Committee of Inquiry

June 21, 2022

CHAIM GELFAND, Gen. counsel, NSO:

Thank you, Mr. Chairman. On behalf of NSO, I want to thank the members of the Committee of Inquiry for having us here today.

Before we begin, we should note that there are limits to the information we can share with the committee and others. As you know, NSO is a private company providing export-controlled cyber-intelligence technologies only and exclusive to government agencies for the purpose of preventing and investigating terrorism and other serious crimes. As a result, we are unable to share details about our customers as well as the crimes prevented and criminals tracked and apprehended using our technologies or trade secrets of the technology.

It is not true that NSO Group operates Pegasus and collects information about individuals. It is not true that NSO Group sells its technology to private companies.

The issues that came up about Jamal Khashoggi, about President Macron—the system was not used on those numbers.

COMMITTEE CHAIRMAN:

I will go immediately into the Q&A session of today’s meeting. We already have about 15 members who’ve asked for the floor.

HANNAH NEUMANN:

Have you ever terminated a contract with an EU member state?

CHAIM GELFAND:

We have terminated contracts with EU member states. But to get into, again, exact numbers would be—

HANNAH NEUMANN:

That’s fine. Thank you. Next question. If a country does not give you a permission to audit, is that a reason for you to terminate a contract? Yes or no?

CHAIM GELFAND:

As stated before, if they do not allow us to do the audit and do not participate and provide us with the information needed in our investigation, yes, that is a reason to terminate a contract. I can state that we’ve terminated eight customers over the past several years.

HANNAH NEUMANN:

Have United Arab Emirates and Saudi Arabia ever gone through your due diligence check and had they passed it?

CHAIM GELFAND:

As I said, I’m not going to respond to questions regarding specific potential customers.

HANNAH NEUMANN:

Given that UAE and Saudi Arabia have been using Pegasus software, who are legitimate actors to issue warrants in these countries, according to your checks?

CHAIM GELFAND:

Again, I repeat it again, and I’m not going to respond to questions regarding specific customers.

BARTOSZ ARLUKOWICZ, Member, European Parliament:

[Speaking Polish] Hello, sir. Hello, sir. I’m from Poland. Were you aware of the spying on the head of the election campaign in Poland in 2019 that was revealed by the media?

CHAIM GELFAND:

I cannot—and again, I repeat, I cannot, because of various confidentiality and secrecy issues, I cannot get into specific questions regarding specific customers or specific cases.

SÁNDOR RÓNAI, Member, European Parliament:

[Speaking Hungarian] My questions are: do you still have a contract with the Hungarian government? If not, when and for what reason was it terminated? And is there a possibility that the Hungarian government will enter into a new contract with NSO Group?

CHAIM GELFAND:

First of all, every customer that we sell to goes through the due diligence review in advance, and if—and very often if concerns are raised regarding the rule of law, because what we’re looking at is also rule of law, and any country that we’ve decided to sell to has been approved in this manner.

SÁNDOR RÓNAI:

Please, please, stop the storytelling. I’m going to continue in Hungarian. [Speaking Hungarian] I am talking about Hungary. If this country is constantly criticized for violations of the rule of law, how can you consider it a safe country? That is my question. Thank you very much.

HANNAH NEUMANN:

Good question.

CHAIM GELFAND:

Again, I said I’m not—

SÁNDOR RÓNAI:

Not “again.” It was a new question, so please.

CHAIM GELFAND:

I have not—we have not said that we have determined recently that Hungary is or is not a secure country.

SOPHIA IN ‘T VELD, Member, European Parliament:

You did consider it secure because you sold the stuff to them.

CHAIM GELFAND:

I said “now.”

COMMITTEE CHAIRMAN:

Excuse me. Excuse me, colleague. Excuse me, colleague, let’s keep a little bit of order in the meeting as well. I understand there is frustration, but you have the concrete question, we have a concrete answer, and please.

SOPHIA IN ‘T VELD:

You keep repeating the same thing, and there seems to be a complete disconnect between reality and between what you’re saying. This is like—It’s an insult to our intelligence, sorry.

Tel Aviv

AMITAI ZIV, Tech 12:

[Speaking Hebrew] Today, NSO executives are leaving the company. This is critical for the future of NSO. Their cash flow has been hit. Employees are leaving and there is a large debt to pay off.

MALE REPORTER:

[Speaking Hebrew] Those who read the newspapers think that half the world’s population is being spied on by Pegasus.

SHALEV HULIO, CEO, NSO Group:

[Speaking Hebrew] I tell you that nobody listened to the president of France, nor to the French deputies. Our tools and technology had nothing to do with anything, not the assassination, not Khashoggi, not his entourage—

MALE REPORTER:

[Speaking Hebrew] His fiancée, friends?

SHALEV HULIO:

[Speaking Hebrew] No, I know that this has been published and I repeat: It is a blatant lie. We have proven time and time again that it is not true. This lie must be stopped once and for all.

In August 2022, Shalev Hulio resigned as CEO of NSO Group.

AMITAI ZIV:

[Speaking Hebrew] What did Israel do once the Pegasus affair was revealed? On a formal level, a subcommittee was established within the Knesset’s Foreign Affairs and Defense Committee which was headed by Ram Ben Barak. The meetings are held behind closed doors. We don’t know what is said. We don’t have access to the minutes. We are not invited to participate and we don’t know what decisions are made.

RAM BEN BARAK:

[Speaking Hebrew] My name is Ram Ben Barak. I had a long career in Mossad. I reached the position of deputy director of Mossad. I am currently the chairman of the Knesset’s Foreign Affairs and Defense Committee.

I have examined Israeli regulations to make sure they are effective enough to avoid cases like this. I believe there will be some improvements. But basically, I think our method is good and extremely strict.

Our main parameter is being sure we can trust the country to stick to its commitments and not break them. It’s like selling an F-35 to a country that bombs civilians in another democratic country. Are we going to say we should boycott Lockheed Martin because someone has misused its planes?

DANA PRIEST:

The bottom line is nobody regulates these companies. That’s the bottom line. Technology is just so far ahead of government regulation and even of public understanding of what’s happening out there.

LAURENT RICHARD:

It’s a Wild West. And this is where we are when you have a private, secret company meeting state actors with no regulation in the cyber-civilian space and when it’s possible to use military weapons against civilians.

PAUL LEWIS:

In some ways, we can talk about the impact on the company and say it’s been really profound. A more pessimistic view would be to look at the entire industry, which remains unreformed, pretty wild, unregulated. NSO may vanish. But I feel no more secure talking in front of my phone now than I did when we first published. I don’t think these issues have gone away.