a global affairs media network

www.diplomaticourier.com

Surveillance via Smartphone

February 18, 2023

These days smartphones are ubiquitous and indispensable. We are generally aware of their privacy issues, but there is a nexus between state spying and commercial data gathering that threatens to end privacy, writes Joshua Huminski in his review of “Pegasus” by Laurent Richard & Sandrine Rigaud.

There is a good chance that you are reading this review on your phone. The smartphone is now ubiquitous in the modern world, indispensable to how we live, work, and love (for better or for worse). That it is an extension of ourselves is taken for granted. When its privacy is violated—by friends or loved ones, or the state or corporations—we too feel violated, and not without reason. Yet, it is rare that we take a step back and reflect on these electronic tethers to the modern world, and consider how much privacy we actually give up in the name of convenience. Short of becoming a digital Luddite, Big Tech has ways of tracking where you are, what you see, what you buy, and even how long you view content, all in the name of generating more revenue off of you. As the cliché goes, when the service is free, you’re the product.

Then there is the state itself. The likelihood that you, dear reader, will be subjected to state-backed surveillance is relatively low. Ironically enough, when law enforcement or intelligence does it, it’s a violation of privacy, but when a company (the most recent bête noire being TikTok, and with good reason) does it, it’s just a business model. Yet that nexus of the commercial and the state is very real, as authors Laurent Richard and Sandrine Rigaud show in their book “Pegasus,” an exploration of the titular spyware crafted by the Israeli cybersecurity company NSO.

Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy | Laurent Richard & Sandrine Rigaud | Henry Holt & Co.

At its core, “Pegasus” is the journalistic account of the painstaking work that the team of Forbidden Stories, Amnesty International’s Security Lab, and Citizen Lab undertook to track down those affected by NSO’s spyware. Having received a leak (from a source left anonymous by the researchers) of some 50,000 phone numbers, the journalists and supporting team sought to identify to whom those numbers belonged and forensically analyze their phones. Their work showed how the Pegasus software was used to target journalists, opposition figures, human rights advocates, and others. As a feat of journalism, it is an impressive undertaking. The team marshaled multiple journalistic teams across different national newspapers, all while working to not only protect the source of the leak, but the investigation itself.

The success of this endeavor is impressive: “Of the 50,000 phone numbers in the data, we had been able to verify, with multiple sources for each, the identities of more than 1,000 people from fifty countries.” According to Richard and Rigaud, “The count included more than 600 politicians and government officials, including 3 presidents, 10 prime ministers and 1 king.” NSO itself repeatedly denied any wrongdoing, stating that they complied with Israeli law and export restrictions, and were unable to see who the users of their exploits were monitoring. In a legal letter to Forbidden Stories, NSO wrote that the company “does not have insight into the specific intelligence activities of its customers, but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.”

Woven throughout this account are stories of the dissidents and human rights figures monitored through the use of Pegasus, and the impact it had on their lives, including horrific abuses, detention, and even murder. From Algeria to Azerbaijan, Mexico to India, NSO’s software was used to penetrate the phones and private lives of those who ostensibly presented a threat to the powers that be (as well as those legitimate targets, such as drug traffickers).

Unfortunately, the subtitle of the book leads readers to expect more than is ultimately delivered. As a journalistic account of the authors’ impressive investigation into NSO and Pegasus, it is exceptionally well done. As a reflection on the state of the cyber surveillance industry, the implications of digital surveillance, the future of journalism, or indeed “privacy, dignity, and democracy” (as its subtitle states), it falls short.

It very much feels like a missed opportunity to explore these subjects in greater detail, especially given the authors’ passion for the subject and the diligence with which they conducted their investigation. To be sure, there are interludes on the rise of NSO and Israel’s cyber security industry, but these feel more tacked on than integral parts of the story. Readers would do well to pick up Nicole Perlroth’s “This is How They Tell Me the World Ends,” which explores the zero-day arms market and more of the ecosystem’s complexities, as a superb example of this blending of reporting and reflection, or Matt Potter’s “We Are All Targets” for a more gonzo-journalist look at cyber war.

Had there been less focus on the day-to-day globe-trotting machinations of the investigations (which do, at times, feel a touch repetitive) and fewer of the lengthy profiles of the investigators themselves, there would have been greater room for these discussions. Yet, on reflection, this is somewhat forgivable. If I were involved in such a lengthy, complex, and risky investigation, I certainly would hope to receive at the very least a short pen-and-ink portrait noting my quirks (of which there are many) alongside the amount of energy I put into the project.

When the authors do offer up reflections, it is at the very end of the book, and incompletely executed. They write, “the demise of NSO is a cautionary tale for the current traffickers of these military-grade cyberweapons and the wannabe traffickers.” Except that it is not the cautionary tale that Richard and Rigaud suggest. NSO’s exposure and blacklisting merely illustrated the consequences of getting caught and the dangers of unwanted media exposure. The market for this software and this type of surveillance has not gone away. As the authors chronicle earlier in their book, the downfall of the Hacking Team, a one-time competitor to NSO, merely created new gaps in the market, gaps NSO was all too ready to fill.

“Pegasus” also highlights the uneasy relationship society has with tech companies. NSO, Hacking Team, and others are certainly the sharp end of cybersurveillance, offering bespoke tools for states to monitor terrorists and dissidents with equal measure. As the authors open the book, they write how our phones are almost an extension of our minds, containing our thoughts, secrets, contacts, and other sensitive and deeply personal information. Their penetration by the state feels illegal and improper, as in many ways it is, or certainly can be if abused or conducted outside of the law.

Yet, citizens willingly give up untold amounts of data and information to the private companies of Big Tech on a daily basis without a second thought. How much does Amazon, Google, Netflix, or even Tesla know about its users? How much data are users willingly surrendering to TikTok, knowing the direct linkage that exists with the Chinese Communist Party, all so they can see the next viral dance or a funny dog video?

Cyber surveillance and digital technology writ large are outpacing the ability of regulators to appreciate, let alone manage, the consequences. NSO is merely one company of a much broader ecosystem catering to the needs of states around the world. It is not just authoritarian (soft or otherwise) states that are seeking this technology. Democracies (however generous the description may be) such as India and Turkey are turning to these tools, as are law enforcement and intelligence organizations across the Western world for legitimate purposes. Here, the authors are perhaps too dismissive of claims by both NSO and cybersurveillance advocates about the benefits of these tools—the crimes prevented, terrorist plots disrupted, and the lives saved.

While the authors have understandable moral outrage at how these tools are used to stifle dissent and monitor members of their profession, the ultimate issue they identify is not the tool, but what the tool is used for: authoritarianism and repression.

The inclusion of Edward Snowden in both the investigation and the narrative is disappointing. The much-lauded “whistleblower” (traitor in practice) offers little more than confirmation bias for those predisposed against anything vaguely resembling state-backed cyber surveillance. If it is from the state, it is inherently illegitimate to him. His advocates and supporters would do well to remember that he now has Russian citizenship, if any further confirmation were needed of where his loyalties currently lie, and likely have resided for far longer.

They continue, writing “NSO might be crippled, but the technology it engineered is not.” This is the truest statement of their conclusion. The technology will only improve and those on the offense will almost always have the advantage. Equally, though, as the authors recount, the human element is central to this story both as a target and as a vector. NSO’s penetration was not some high-tech Bluetooth exploit, or even a snatch-and-grab of the user’s phone, but a carefully written text message socially engineered to prompt a click and download. The human element will always remain the weak link in the cybersecurity chain.

The work of Richard and Rigaud is worth applauding, but in the end, they only identified a symptom of a much more complex and dynamic disease. “Pegasus” is a superlative account of their team’s herculean effort to uncover cyber surveillance that, by design, was meant to remain indefinitely hidden. Had their passion been equally focused on the broader questions they raise, “Pegasus” would have been more than the thrilling account of their investigation, becoming a meaningful contribution to a much-needed dialogue on privacy, technology, democracy, and authoritarianism.

About Joshua Huminski:
Joshua C. Huminski is the Senior Vice President for National Security & Intelligence Programs and the Director of the Mike Rogers Center at the Center for the Study of the Presidency & Congress.
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.