Parmy Olson: You're the co-authors of a new book, Pegasus: How a Spy In Your Pocket Threatens the End of Privacy, Dignity, and Democracy, which tells the story of Pegasus, a powerful spyware developed by the Israeli cybersecurity firm NSO Group. In recent years, a range of governments around the world purchased this technology, allowing them to gain remote-control access to people's mobile phones without their knowledge. In 2020, a secret source leaked a list to your team of investigative journalists in Paris that contained 50,000 phone numbers that NSO Group's clients wanted to spy on. Among the names on the list were French president Emmanuel Macron, the Saudi dissident Jamal Khashoggi and a raft of journalists, including your own colleagues.
Your book provides the inside account of how you led an international consortium of journalists that cracked open the story, a collaborative effort called The Pegasus Project. If readers could take away one idea from your book, what would it to be?
Laurent Richard: By gaining access to this list, we revealed, for the very first time, the true faces of the victims of cyber-surveillance. We showed how these technologies have been massively misused by state actors against journalists, human rights defenders, lawyers, political opponents -- and how the Pegasus spyware became a kind of magic tool for tyrants and dictators to track dissidents and any kind of people who might challenge their power.
Sandrine Rigaud: It's crucial for readers to understand the power of this tool. It can access everything you have in your phone, in a totally invisible way. You don't have to do anything wrong. You don't have to click on anything to get infected. Think about what's on your phone -- the results of your Google searches, your photos, your contact book, your location, your passwords. Everybody can appreciate how dangerous this kind of spyware could be in the hands of dictators and authoritarian regimes. Imagine how this can be used to silence journalists, to silence political opponents. That's why we consider it a major threat against democracy.
PO: Can you describe what it was like in the early days of your reporting to get this list of 50,000 names and then to find out how significant it was?
LR: As a journalist, it's the kind of thing that happens once in your life. A massive leak of phone numbers of persons who were potentially being targeted had fallen into our hands, and none of the victims were aware of it. But that was just the beginning, because the leak and the list weren't enough. We needed evidence. Over the course of our investigation, we were able to prove that thousands of people really were infected and that this spyware was gaining control over the communications of many political dissidents and journalists around the world. And we were able to prove that this misuse was a global issue, because this industry isn't regulated at all.
PO: When you talk about finding traces of "infection", it's clear you weren't engaged in the typical process of gathering research. You were doing forensic investigations at a time when some of your colleagues were being spied on by Pegasus. What were the biggest challenges each of you faced when researching and writing this book?
SR: When you're investigating the misuse of the most invasive and dangerous spyware that exists, at some point you have to assume that you are going to be targeted yourself. We also needed to contact and alert people who live under authoritarian regimes and were probably being spied on. But how do you contact those people if you can't use the phone and can't travel to meet them because of Covid? Those were some of the challenges we had to answer.
LR: When we started, we were investigating more than 10 countries who'd bought the Pegasus spyware. Some of them were very dangerous. We didn't want to be the next ones on the list. If one person in our group had been infected by Pegasus, then the project would be exposed. It would have been over immediately.
PO: Why kinds of tools did you use to avoid getting infected yourself?
SR: For security reasons, we can't explain specifically the tools we had to use. But what was clear is that we couldn't use our own phones anymore. We couldn't use our professional computers. Whenever we discussed anything with a source, we had to make sure there were no devices in the room or anywhere around us. It's a bit weird when you contact somebody and you ask them to leave their device in another room. They might think you're a bit paranoid, but then they understand very quickly how big this is and why it's so important.
PO: As I was reading this book, I kept wondering why NSO Group didn't draw stronger red lines for its clientele. What were the main factors that ultimately led to Pegasus being misused and abused?
LR: When you're sending spyware to a country like Azerbaijan or Saudi Arabia, you know that the customer has a bad record in terms of human-rights violations. The official narrative of NSO is they have an ethics board, they have some advisers, they have a human rights policy.
PO: I wondered about that ethics board. The fact that even had one was incredibly ironic.
LR: Yes. And when NSO sells the spyware, they tell the customer, "We will never know about your targets. We don't want to know and there is no technical way for us to know about who you are targeting". At the same time, they say, "If there's any kind of misuse and people have been targeted improperly, if this is used against people who aren't terrorists or criminals, we will investigate". But how can you investigate if you don't know who the targets are? There's also no transparency at all about how governments might be using this tool, because it's all under national-security classification. If you're a victim, you mostly don't know that you are a victim, because it's a "zero click" attack. And even if you know, you don't have any kind of mechanism to sue the state who was surveilling you, because they will deny it. You can try to sue NSO Group in Israel, but you'll likely lose your case.
PO: And yet Big Tech companies have been at the forefront of leading the fight against NSO -- and one of the arguments that Facebook has made is that NSO Group was an active participant in hacking into phones. As journalists who have looked into this more deeply than anyone, who should ultimately be accountable for the damage that has been done by Pegasus?
LR: NSO is the one selling the weapon, but it's not the one shooting. The state is accountable for that. At the same time, the US authorities have put NSO on the blacklist, banning US companies from selling technology to the company. That was really impactful. What Apple and other companies from Silicon Valley are doing, like notifying customers who've been under attack and suing NSO, may be even more impactful, because they're the companies who have the money. Maybe they can change the game a little bit.
PO: When people think about spies, they think about government agencies, but governments have increasingly been outsourcing surveillance to private contractors. Why has this market for contractors like NSO grown so much?
SR: Since 2015, smartphone spywares have become a very efficient tool for some regimes. That's creating demand. At the moment, NSO probably offers the most sophisticated tool, Pegasus, but there's other spyware available, as has been documented since we did the Pegasus Project. So even if a company like NSO ends up disappearing, there will be others offering the same service to the same countries. This is why the only answers will come from some kind of regulation.
PO: I'm curious about what's next for NSO and Pegasus. The company's valuation has gone from around $2 billion in 2021 to being deemed worthless a year later, after all the revelations driven by your reporting. The blacklisting by the US clearly hasn't helped its ability to operate. So how bad are things financially for NSO now?
LR: We don't know precisely. We know that some customers haven't renewed their contracts. They might have lost some business to competitors. The Pegasus Project affected the health and the situation of the NSO Group, but this industry is resilient. There are many other cyber-surveillance companies in Israel, and not only there. You can be 25 years old and get paid $30,000 per month (1 million baht) in these jobs. You have dictators, tyrants, and even democracies ready to pay millions to have access to this kind of surveillance solution. ©2023 Bloomberg
Parmy Olson is a Bloomberg Opinion columnist covering technology. A former reporter for the Wall Street Journal and Forbes, she is author of 'We Are Anonymous'.