Pegasus and Privacy

Pegasus spyware, developed by the NSO Group, an Israeli company, has provoked the ire of journalists, privacy advocates, the EU, UN, and U.S. Congress following revelations that the software was used to monitor over 50,000 cell phone numbers from individuals across 50 countries. Export licenses for this military-grade software must be approved by the Israeli Ministry of Defense. Pegasus is licensed exclusively for governments and intended to be used to track terrorists and catch criminals. Instead, the Pegasus Project revealed that the spyware was used to monitor at least 65 business executives, 85 human rights activists, 189 journalists, and 600 government officials. This should come as no surprise, since the Israeli Ministry of Defense has approved the export of this technology to authoritarian countries such as Azerbaijan, Bahrain, Hungary, Rwanda the UAE, and Saudi Arabia, among many others.

The software can infiltrate iPhones, Androids, and other devices without warning. It is nearly impossible to detect or remove Pegasus from any device. Once installed, the spyware can read or see anything on your device, activate your camera and microphone, and lift data. One of the most common vectors for Pegasus is WhatsApp, a messaging app used by approximately two billion people. WhatsApp sued the NSO Group in 2019 for targeting its software to plant malware on users’ devices. The case currently sits in the 9th Circuit, where NSO Group claims sovereign immunity because it licenses to governments who enjoy this right. Other tech companies like Microsoft, Google, Cisco, and VMware filed an Amicus Brief supporting WhatsApp in NSO’s appeal of the district court’s ruling denying NSO Group sovereign immunity.

The Pegasus revelations have revived the debate around the sale of invasive privacy technology that undercut democratic governments and national security interests. On a recent episode of the U.S. National Privacy and Cybersecurity Podcast, Jody Westby, CEO of Global Cyber Risk and Advisory Board Member at the Association for Data and Cyber Governance said, “I’ve known a number of CEOs that had technology that could be used for very intrusive purposes that went to the government to ask if they would need an export license and they were told no.” Absent adequate export controls, Westby explained that many CEOs, “determined there were certain governments they would not sell to because they were afraid it would be abused and they would end up in the headlines for helping governments’ oppress their people, which is exactly what’s happened here.”

Beyond private sector concerns, Representatives Malinowski (NJ-07), Porter (CA-45), Castro (TX-20), and Eshoo (CA-18) recently issued a letter calling on the United States government to publicly name companies that sell cyber-intrusion tools to governments with a history of misusing them, establish a sanctions regime to hold companies that sell these tools accountable and impose stronger export controls. The use by certain nation-states of private-sector cyber tools to violate individuals’ privacy and civil liberties elucidates the need for the United States and like-minded countries to more closely scrutinize the sale of such technologies to authoritarian regimes and possibly amend their export control regulations. Without substantive action, heavy-handed regimes will continue to use this technology to strip citizens of their civil liberties and erode democratic principles.