How democracies spy on their own citizens
Commercial spyware has grown into an industry estimated to be worth twelve billion dollars. It is largely unregulated and increasingly controversial. In recent years, investigations by the Citizen Lab and Amnesty International have revealed the presence of Pegasus on the phones of politicians, activists, and dissidents under repressive regimes. An analysis by Forensic Architecture, a research group at the University of London, has linked Pegasus to three hundred acts of physical violence. It has been used to target members of Rwanda’s opposition party and journalists exposing corruption in El Salvador. In Mexico, it appeared on the phones of several people close to the reporter Javier Valdez Cárdenas, who was murdered after investigating drug cartels. Around the time that Prince Mohammed bin Salman of Saudi Arabia approved the murder of the journalist Jamal Khashoggi, a longtime critic, Pegasus was allegedly used to monitor phones belonging to Khashoggi’s associates, possibly facilitating the killing, in 2018. (Bin Salman has denied involvement, and NSO said, in a statement, “Our technology was not associated in any way with the heinous murder.”) Further reporting through a collaboration of news outlets known as the Pegasus Project has reinforced the links between NSO Group and anti-democratic states. But there is evidence that Pegasus is being used in at least forty-five countries, and it and similar tools have been purchased by law-enforcement agencies in the United States and across Europe. Cristin Flynn Goodwin, a Microsoft executive who has led the company’s efforts to fight spyware, told me, “The big, dirty secret is that governments are buying this stuff—not just authoritarian governments but all types of governments.”
NSO Group is perhaps the most successful, controversial, and influential firm in a generation of Israeli startups that have made the country the center of the spyware industry. I first interviewed Shalev Hulio, NSO Group’s C.E.O., in 2019, and since then I have had access to NSO Group’s staff, offices, and technology. The company is in a state of contradiction and crisis. Its programmers speak with pride about the use of their software in criminal investigations—NSO claims that Pegasus is sold only to law-enforcement and intelligence agencies—but also of the illicit thrill of compromising technology platforms. The company has been valued at more than a billion dollars. But now it is contending with debt, battling an array of corporate backers, and, according to industry observers, faltering in its long-standing efforts to sell its products to U.S. law enforcement, in part through an American branch, Westbridge Technologies. It also faces numerous lawsuits in many countries, brought by Meta (formerly Facebook), by Apple, and by individuals who have been hacked by NSO. The company said in its statement that it had been “targeted by a number of politically motivated advocacy organizations, many with well-known anti-Israel biases,” and added that “we have repeatedly cooperated with governmental investigations, where credible allegations merit, and have learned from each of these findings and reports, and improved the safeguards in our technologies.” Hulio told me, “I never imagined in my life that this company would be so famous. . . . I never imagined that we would be so successful.” He paused. “And I never imagined that it would be so controversial.”