It’s never been easier for governments covertly to access and monitor the phones of activists, journalists, dissidents, politicians, and, well, anyone they want. “Zero-click” tools, easily purchased from private corporate developers, allow authorities to hack victims’ phones in surreptitious ways, even if the target doesn’t click a link. This technology has been repeatedly used to spy on and harass innocent people around the world, often with impunity. Associates of Jamal Khashoggi, the murdered Saudi journalist, are perhaps the most notable recent victims of these practices, but there are hundreds, or even thousands, more.
The public knows more than we ever have about the underground world of corporate-assisted surveillance, thanks to a wide-ranging new investigation from more than 100 journalists at 17 news organizations into NSO Group, an Israeli purveyor of surveillance technologies. A French journalism nonprofit called Forbidden Stories and Amnesty International obtained a list of 50,000 phone numbers believed to be targeted for surveillance by NSO Group customers and shared them with media outlets in 10 countries. (The provenance of the list of targeted numbers hasn’t been reported.)
The dozens of resulting stories show how one of the tech industry’s most amoral actors—fueled by Israeli military and technological expertise, private equity funding, and a tide of digitally empowered authoritarianism sweeping the world—have come to dominate the newly privatized global security state. They also show how NSO Group enabled the world’s most vicious governments: Among those targeted by the company’s malware were allies of Khashoggi, who were zeroed in on by Saudi Arabia for surveillance days after the journalist’s murder at the hands of state agents. Most worryingly, these stories reveal a clandestine industry that remains unregulated, in part because many governments seem to prefer it that way. Like Peter Thiel’s Palantir, NSO Group has become one of the paradigmatic tech companies of the new era of cyber-surveillance, fusing private capital and intelligence connections to achieve startling power. Whether it can be reined in at all is an open question.
“No one is safe from the out-of-control designer spyware industry,” wrote surveillance whistleblower Edward Snowden on Twitter, where he dubbed the leak the story of the year. “Export controls have failed as a means of regulating this easily abused technology. Without an immediate global moratorium on the trade, this will only get worse.”
The global surveillance industry has made a mockery of the claims of companies like NSO, which says that it only sells to recognized government and law enforcement entities for criminal investigations, counterterrorism, and other “legitimate” uses. In practice, many of NSO Group’s clients are dictatorships, corrupt security agencies, or other undemocratic forces. Rather than aiding legal investigations, the company is facilitating oppression on a global scale—and bringing in huge financial returns. (Although hampered by the pandemic economic crunch, NSO Group reported $243 million in revenue in 2020.)
Named after NSO Group’s flagship product, the Pegasus Project is a wide-ranging and accomplished feat of reporting that, taken as a whole, reveals the astonishing global scope of the surveillance industry. From Gulf dictatorships to Central Asian despots to unnamed political forces in Algeria, the NSO Group’s client list is vast. The list of phone numbers reportedly contains 15,000 from Mexico alone, including dozens of people in the inner circle of current president Andrés Manuel López Obrador while he was running for office.
The targets range from journalists—some of them since killed—to nongovernmental organization employees to politicians to even the king of Morocco. Some of the phone numbers on the list, like one used by former Italian Prime Minister Romano Prodi, appear to be still in use. In some cases, unsuspecting victims clicked on corrupt links that caused their phones to download malware; in others, targets were caught completely unaware as surveillance went on for months.
Although NSO claims its technology doesn’t work against U.S. phone numbers, the latest reporting finds that it has been used to target U.S. citizens and foreigners based in the United States who use foreign cell phones. The company has repeatedly pitched its software to U.S. law enforcement agencies (some of whom apparently balked at the price tag). While a private entity, NSO is believed to have close ties to Israeli intelligence, and Israel’s regulatory authorities must approve the company’s exports. An investigation by Haaretz, the Israeli newspaper, found that countries like Hungary, India, Rwanda, Azerbaijan—all of them in the grips of some degree of authoritarianism—purchased NSO products after visits by then–Prime Minister Benjamin Netanyahu. “Markets dictate what works, I don’t dictate … the only place I have actually intervened … is cybersecurity,” said Netanyahu during a 2017 press conference in Hungary. Other reporting has revealed that Israel encouraged NSO Group to sell its tools to Saudi Arabia, despite the dictatorship’s complete criminalization of dissent.
While NSO may not yet have clients in the U.S., it retains a U.S. subsidiary, Westbridge Technologies, and employs a roster of well-connected American lawyers, lobbyists, and politicos to advance its interests here. Rod Rosenstein, Tom Ridge, Juliette Kayyem, Jeh Johnson—these are a few of the security state veterans (who served under both parties) who have pocketed fees from NSO Group. NSO, which exports from Bulgaria, Cyprus, and Israel, is a subsidiary of OSY Technologies and Q Cyber Technologies, of which a majority stake is owned by Novalpina Capital, a London-based private equity firm. NSO Group’s founders also repurchased a stake in the company in 2019. The tangled globalized ownership structure, cutting through major power centers and tax havens alike, is reflective of the style in which NSO operates. Rarely furnishing its executives for interviews, and operating out of unmarked offices, NSO is as opaque and secretive as the illiberal governments it serves—and the apartheid state from which it emerged.
In mining these connections, NSO Group has become a fully paid-up member of the global political and security establishment, which will make it all the harder to uproot. NSO is an industry leader but not an outlier. Israel, in particular Unit 8200, a branch of Israeli intelligence, has become an incubator for high-tech surveillance firms. Companies occupying this murky-but-profitable space include phone-hacking specialists Cellebrite, the spyware merchant Candiru, facial recognition startup AnyVision, and another startup called Bsightful that reportedly seeks to use smartphone ad data to track users. And of course there’s Black Cube, the Israeli-founded private intelligence firm notorious for being hired by Harvey Weinstein to squash news stories about his serial abuse of women.
If NSO is dismantled, one of these competitors will surely take its place. What’s needed to stop NSO is something much more difficult and ambitious: a global campaign against surveillance and digitally enabled authoritarianism; new standards in personal technology that place privacy and security first; and democratic governments recommitting themselves to protecting their citizens from spying, not enabling it. This is a tall order, a generational struggle for civil libertarians. But Project Pegasus might be the first step.