On Sunday, a group of seventeen media organizations launched the Pegasus Project, a series of articles investigating the Israeli surveillance company NSO Group. The consortium of journalists, which works in conjunction with Amnesty International and the French nonprofit Forbidden Stories, found that dissidents, human-rights workers, and opposition politicians around the world have been tracked by an NSO Group spyware tool called Pegasus. Among the thousands of people targeted were reporters at the Times, political opponents of the Indian Prime Minister, Narendra Modi, and the two women closest to the murdered Saudi dissident Jamal Khashoggi.
One of the newspapers involved in the Pegasus Project is the Guardian. Its lead reporter on the series is Stephanie Kirchgaessner, who has written extensively about surveillance as the paper’s U.S. investigations correspondent. We spoke, by phone, on Monday morning, after the first wave of stories was released. (They will continue to be published throughout the week.) During our conversation, which has been edited for length and clarity, we discussed how the story came together, why the spyware industry remains so unregulated, and what role the Israeli government played in allowing this to happen.
The Guardian story that you published says very clearly that authoritarian governments were behind this surveillance. Some of the other stories, from other news organizations, say that the spyware was sold to authoritarian governments, but don’t actually say they know who used it. How certain are you that this is the work of governments specifically?
We do know that the NSO Group only sells to governments, and there has been a body of research before this project that has identified the countries that we believe are clients. Some countries deny that they are clients, but we have overwhelming evidence from groups like Citizen Lab. So we have known since 2016, for example, that the U.A.E. is a client of the NSO Group. Saudi Arabia, as well. And then there are other countries in our coverage this week. Rwanda adamantly denies that they are a client of the NSO Group, but we see Rwandans all over the world who are being targeted with this technology. So we feel comfortable naming those countries as clients.
The NSO Group saying that it only sells to governments puts the group into a logical pickle, because it implies that the governments are the ones doing the spying. But do we feel certain that the NSO Group is being honest about this, and really only does sell to governments?
I would say there is one anomaly, which is Mexico, where we think there were various actors who might have had access to the technology. [In a statement to The New Yorker, NSO Group said it exclusively licenses its technology to “vetted governments.”] And there are countries where there are various clients within the country. It is as if the F.B.I. were one client and the C.I.A. were another. I am not saying they specifically are—we have no evidence of that. It’s just an example of how you could have different clients within the same country with a different focus or emphasis.
So, in an authoritarian government, it wouldn’t necessarily just be the dictator or leader of the country. There could be multiple agencies within the government.
Yes. By the end of this week, you will see a situation where there is an authoritarian leader who we think used it for very personal reasons, to target his own family. It’s quite personal.
How did this consortium and these stories come together?
My colleague in New York, Martin Hodgson, got a call from Forbidden Stories, which is this organization that takes up stories from journalists who are killed or threatened and gets huge journalistic consortiums together to pursue them. I had worked with them before on the Daphne Caruana Galizia story, in Malta. It was all very secretive. We had to be very careful with our communication, because of the subject matter, which is surveillance. We were told the basic information about the project and were asked to come to Paris, where all these media partners would gather and hear the full details. So we went to Paris with a good idea, but we didn’t have access to the data at that point. And then we met all of our colleagues, including the Washington Post.
When you are referring to “the data,” you are referring to the list of fifty thousand or so phone numbers?
Yeah. So, in Paris, we had access to a list of records of phone numbers. We believe that those phone numbers are indicators of the individuals who were potential targets of the surveillance by NSO clients.
Do you have a sense of how Forbidden Stories got these records? And what made you certain they were a list of numbers that NSO clients may have been spying on?
I can’t answer the first question, I’m afraid. And the second question—once we had access to this list, we could identify a significant number of those phone numbers. You had journalists from all over the world, and people who have tons of contacts. You would just match them, and a lot of numbers were found out that way, in countries like India, for example, and Mexico. We had a technical partner on this project, the Amnesty International tech lab, and once we had identified many of those numbers we started carefully approaching individuals who were on the list and asking them if they would let us do forensic examinations on their phones. And that yielded results where we see a very high correlation in the phones that were tested between being on that list and hacks or attempted hacks using Pegasus malware.
Just to clarify something: When you said you could not answer the first part of the question, is that because you don’t know or because it is privileged information?
I just can’t answer it—and that’s all I have to say. I’m sorry.
It’s O.K. Can you talk a little bit about the spyware industry, and if there are any regulations on it?
The NSO Group has been my area of focus in terms of surveillance companies. There are others. Israel is really one of the leading makers of this kind of spyware. And, in Israel, you see a lot of intelligence officials who deal with spyware who then go into private industry. David Kaye, who has looked into this very closely in his previous role with the United Nations, would call it an “unregulated industry,” which means there are no rules globally, really, for how this technology is sold or how it can be used. There are countries who are attacking citizens in other countries with spyware, and hacking their phones. That can go against domestic laws, but it is being used regardless.
In other ways, NSO specifically is a regulated company, and, by that, I mean it goes through a licensing process with the Israeli government, and specifically the Ministry of Defense, which has to approve the export of this weapon, Pegasus, to other countries. Israel says it vets the clients that NSO sells to. And NSO says that. They also get a marketing license to market their product and sell it to other countries.
