Pegasus: invasive spyware or national security?

By Samuel Woodhams | Digital rights researcher and journalist

I’m Samuel Woodhams, a digital rights researcher and journalist based in London.

The saga of the NSO Group’s invasive Pegasus spyware continues, with yet another victim confirmed this month by the University of Toronto’s Citizen Lab and digital rights group, R3D. The organisations said Mexican opposition politician Agustín Basave Alanís was targeted in September 2021, making him the fourth person allegedly hacked during Andrés Manuel López Obrador’s presidency.

Spyware like Pegasus enables complete control of a target’s phone. It gives the intruder remote access to the device’s microphone, camera and almost all of the data stored on the device. “This is a very powerful tool… a violation of my most personal spaces and communications,” Alanís told reporters.

Earlier this month, Citizen Lab and R3D said that two journalists and a human rights defender had also been recently targeted in Mexico, while last year it was reported that 50 people close to the president may have been selected for monitoring between 2016 and 2017. Despite mounting evidence, the president has denied the most recent allegations.

A year on from the Pegasus Project revelations, the number of people allegedly targeted by spyware continues to rise. But so too does the number of official investigations into the industry, with former United Nations Special Rapporteur David Kaye writing that “the elements of a global process to constrain the industry” are now emerging.

The word Pegasus and binary code are displayed on a smartphone which is placed on a keyboard in this illustration taken May 4, 2022. REUTERS/Dado Ruvic

Continued misuse of spyware

Authorities in Mexico are definitely not alone in facing accusations of misusing spyware. A few weeks ago, it was revealed that several Indonesian officials had been targeted by similar technology, while politicians in the United States, India and across Europe have also reportedly been affected.

Most governments have remained tight-lipped about their acquisition of the tech. Some have defended its use for national security purposes.

Leaks, technical studies and investigative reporting continue to shed light on the topic. Last week, for example, the Organized Crime and Corruption Reporting Project (OCCRP) unearthed contracts between India’s Intelligence Bureau and the NSO Group for equipment that appears to be required to run Pegasus.

Evidence of the misuse of spyware has become so overwhelming that Amnesty International, along with over 100 other organisations, called for a temporary ban on the sale, transfer and use of the technology.

“A culture of impunity specific to targeted digital surveillance has developed that must be urgently countered,” they wrote in an open letter last year. “Our rights and the security of the digital ecosystem as a whole depend on it.”

Surveillance cameras (CCTV) are seen in Bangkok, Thailand, June 1, 2018. REUTERS/Athit Perawongmetha

Growing challenges to spyware

Since then, several governments have launched investigations that may curb the spread of the technology in the future.

In Mexico, the attorney general’s office recently said it was looking into the previous administration’s procurement of Pegasus. Prosecutors are investigating a contract worth 457 million pesos ($23 million) between the former attorney general’s office and the Israeli company.

India’s supreme court has launched an independent investigation into the use of the spyware, while in Spain a series of probes were launched into the use of Pegasus to spy on Catalans surrounding the 2017 independence referendum.

The European Parliament also recently set up a new committee to investigate the use of spyware by member states, saying it would “investigate alleged breaches of EU law”, and in June NSO’s lawyer appeared at a hearing of the committee. Officials at the U.N. have also repeatedly raised concerns about the technology.

The impact of these interventions is yet to be fully felt, but it’s undeniable that international pressure is mounting on companies and officials responsible for making and using these invasive surveillance products.

Is this the end of the spyware industry?

There are signs that the increased scrutiny is having a material impact on NSO Group. The company laid off 100 employees in August, and CEO Shalev Hulio also stepped down. The company was blacklisted in the United States, and Apple, along with Meta, has launched lawsuits against the firm.

But even if recent allegations effectively curb the influence of NSO Group, that will by no means represent the end of the industry. Although NSO Group has gained a huge amount of attention recently, they are far from the only company involved in developing this type of technology. In fact, there’s a chance that there are companies building and selling very similar technology that we’ve never heard of.

Recent revelations from Mexico and Indonesia suggest there is likely more to come and, with each new report, international pressure will only increase further. As awareness of the ways the technology poses a threat to human rights increases, so too does the likelihood of passing meaningful regulations.

It’s now up to governments to follow through with their investigations and intervene accordingly.

Recommended Reading (and watching): 

Fred Guterl, Special report: When spyware turns phones into weapons, Committee to Protect Journalists (CPJ), Oct. 13, 2022

An in-depth investigation into the many ways spyware has been used to threaten journalists, their sources, and media freedom globally. The report concludes with a range of insightful recommendations on how to curb the influence of the industry.

Ronan Farrow, How Democracies Spy on Their Citizens, The New Yorker, Apr. 18, 2022

A fascinating and powerful piece of journalism that illuminates the inner workings of NSO Group and the big tech companies waging war against it. One of the best reports to show that it’s not just authoritarian regimes misusing the tech.

Donncha Ó Cearbhaill & Bill Marczak, Exploit archaeology: A forensic history of in-the-wild NSO Group exploits, YouTube, Oct. 24, 2022

Citizen Lab’s Bill Marczak and Amnesty International’s Donncha Ó Cearbhaill discuss their new report at the VB2022 conference in Prague recently. It covers their forensic analysis of compromised devices and provides technical details about the attacks.

David Kaye, Here’s what world leaders must do about spyware, CPJ, Oct. 13, 2022

Kaye has long been a proponent of restricting the use of spyware tech. As a U.N. Special Rapporteur, he called for a global moratorium on the use, sale, and transfer of the technology back in 2019. This article explores what’s happened since and what needs to happen next to limit its misuse.

Any views expressed in this newsletter are those of the author and not of Context or the Thomson Reuters Foundation.