Pegasus Project – Radio Free
https://www.radiofree.org
Independent Media for People, Not Profits.

David Kaye: Here’s what world leaders must do about spyware
https://www.radiofree.org/2022/10/13/david-kaye-heres-what-world-leaders-must-do-about-spyware/
Thu, 13 Oct 2022 09:00:00 +0000

In late June, the general counsel of NSO Group, the Israeli company responsible for the deeply intrusive spyware tool, Pegasus, appeared before a committee established by members of the European Parliament (MEPs). Called the PEGA Committee colloquially, the Parliament established it to investigate allegations that EU member states and others have used “Pegasus and equivalent spyware surveillance software.” This was to be PEGA’s first major news-making moment, a response to the very public scandals involving credible allegations of Pegasus use by Poland, Hungary and, most recently, Spain.

The hearing started unsurprisingly enough. Chaim Gelfand, the NSO Group lawyer, laid out the company line that Pegasus is designed for use against terrorists and other criminals. He promised that the company controlled its sales, developed human rights and whistleblowing policies, and took action against those governments that abused it. He wanted to “dispel certain rumors and misconceptions” about the technology that have circulated in “the press and public debate.” He made his case.

Then, surely from NSO Group’s perspective, it went downhill. MEP after MEP asked specific questions of NSO Group. For instance: if Pegasus is sold only to counter terrorism or serious crime, how did it come to be used in EU member states? How did it come to be used to eavesdrop on staffers at the European Commission, another public allegation? Can NSO provide examples of when it terminated contracts because a client misused Pegasus? Can NSO clarify what data it has on its clients’ uses of Pegasus? How does NSO Group know when the technology is “abused”? More personally: How come you spied on me?

MEPs were angry. Increasingly their questions became more intense, more personal, more laced with moral and legal outrage. And this tenor only deepened over the course of the hearing, as the NSO lawyer stumbled through his points and regularly resorted to the line that he could not speak to specific examples, cases or governments. Few, if any, seemed persuaded by the NSO Group claim that it has no insight into the day-to-day use of the spyware by the “end-user”. To the contrary, the PEGA hearing ended with one thing clear: NSO Group faces not only anger but the reality of an energized set of legislators.

More than a year after release of the Pegasus Project, the global reporting investigation that disclosed massive pools of potential targets for Pegasus surveillance, the momentum for action against spyware like Pegasus is gathering steam. 

Read CPJ’s complete special report: When spyware turns phones into weapons

In 2019, in my capacity as a U.N. Special Rapporteur, I issued a report to the United Nations Human Rights Council that surveyed the landscape of the private surveillance industry and the vast human rights abuses it facilitates, calling for a moratorium on the sale, transfer and use of such spyware. At the time, few picked up the call. But today, with extensive reporting of the use of spyware tools against journalists, opposition politicians, human rights defenders, the families of such persons, and others, the tide seems to be turning against Pegasus and spyware of its ilk.

The U.N. High Commissioner for Human Rights, several U.N. special rapporteurs, the leaders of major human rights organizations, and at least one state, Costa Rica, have joined the call for a moratorium. The Supreme Court of India is pursuing serious questions about the government’s use of Pegasus. The United States Department of Commerce placed NSO Group and another Israeli spyware firm on its list of restricted entities, forbidding the U.S. government from doing any business with them. Apple and Facebook’s parent company Meta have sued NSO Group for using their infrastructure to hack into individual phones.

All of these steps suggest not only momentum but the elements of a global process to constrain the industry. They need to be transformed into a long-term strategy to deal with the threats posed to human rights by intrusive, mercenary spyware. State-by-state responses, or high-profile corporate litigation, will generate pain for specific companies and begin to set out the normative standards that should apply to surveillance technologies. But in order to curb the industry as a whole, a global approach will be necessary. 

In principle, spyware with the characteristics of Pegasus – the capability to access one’s entire device and data connected to it, without discrimination, and without constraint – already violates basic standards of necessity and proportionality under international human rights law. On that ground alone, it’s time to begin speaking of not merely a moratorium but a ban of such intrusive technology, whether provided by private or public actors. No government should have such a tool, and no private company should be able to sell such a tool to governments or others.

In the land of reality, however, a ban will not take place immediately. Even if a coalition of human rights-friendly governments could get such negotiations toward a ban off the ground, it will take time.

Here is where bodies like the European Parliament and its PEGA Committee – and governments and parliamentarians around the world – can make an immediate difference. They should start to discuss a permanent ban while also entertaining other interim approaches: stricter global export controls to limit the spread of spyware technology; commitments by governments to ensure that their domestic law enables victims of spyware to bring suits against perpetrators, whether domestic or foreign; and broad agreement by third-party companies, such as device manufacturers, social media companies, security entities and others, to develop a process for notification of spyware breaches especially to users and to one another. 

Some of this would be hard to accomplish. It’s not as if the present moment, dominated as it is by tensions like Russian aggression against Ukraine, is conducive to international negotiations. Some steps could be achieved by governments that should be concerned about the spread of such technologies, already demonstrated by U.S. and European outrage. Either way, governments and activists can begin to lay the groundwork, defining the key terms, highlighting the fundamental illegality of spyware like Pegasus, taking steps in domestic law to ensure strict controls on export and use. 

There is precedent for such action in the global movement to ban landmines in the 1990s, which started with little hope of achieving a ban, focused instead on near-term controls. Ultimately human rights activists and like-minded governments were able to hammer out the Ottawa Convention to ban and destroy anti-personnel landmines in 1997. It is, at least, a process that activists and governments today could emulate and modify.

Human rights organizations and journalists have done the work to disclose the existence of a major threat to freedom of expression, privacy, and space for public participation. It is now the duty of governments to do something about it.


This content originally appeared on Committee to Protect Journalists and was authored by David Kaye.

Hungarian journalists targeted by spyware have little hope EU can help
https://www.radiofree.org/2022/10/13/hungarian-journalists-targeted-by-spyware-have-little-hope-eu-can-help/
Thu, 13 Oct 2022 09:00:00 +0000

Szabolcs Panyi was not even remotely surprised when Amnesty International’s tech team confirmed in 2021 that his cell phone had been infiltrated by Pegasus spyware for much of 2019. Panyi, a journalist covering national security, high-level diplomacy, and corruption for Hungarian investigative outlet Direkt36, had already long factored into his everyday work that his communications with sources could be spied on. “I was feeling a mix of indignation, humiliation, pride and relief,” he told CPJ of his response to the Amnesty news.

Direkt36 journalist Szabolcs Panyi (Photo: Mira Marjanovic)

The indignation and humiliation were from seeing himself and other prominent journalists included on a list of convicted criminals and known mob figures considered to be threats to Hungary’s national security. The pride was because the Hungarian government, which routinely ignored his reporting questions, thought it was worth spending tens, if not hundreds, of thousands of dollars on his surveillance; the relief was the validation that his earlier suspicions about being spied on were not a sign of paranoia.

Other Hungarian journalists targeted for surveillance expressed similarly ambiguous emotions in interviews with CPJ. And all were skeptical that any future recommendations by the European Parliament’s committee of inquiry into Pegasus and other spyware, expected next year, would bring much relief in a country where independent media face an increasingly hostile press freedom climate under the government of right-wing Prime Minister Viktor Orbán.

Panyi, who continues to relentlessly investigate the surveillance scandal, is one of the few journalists still giving regular interviews to Hungarian and international media about his surveillance. Three other CPJ interviewees said that while they were making an exception in talking to the organization, they’d otherwise stopped making public statements on their experience because they did not want their Pegasus targeting to define their lives.

The three – crime reporter Brigitta Csikász, Zoltán Varga, owner of one of the country’s biggest independent news sites, 24.hu, and a reporter who asked not to be identified for fear that further publicity would negatively impact his career – were named as targets in July 2021, when Panyi broke the story for Direkt36 as part of its reporting for the Pegasus Project, an international investigation that found the phone numbers of more than 180 journalists on a global list of potential spyware targets. (The NSO Group, which makes Pegasus, denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.)

Along with Panyi, all the journalists recounted signs that they were under physical and digital surveillance before they were aware of Pegasus being used against them, and all said that their private and professional lives had changed since the scandal broke last year.

Csikász, who covers corruption, told CPJ in a phone interview that she had seen numerous signs that people might be watching her and was warned by friends for years that her phone might be monitored. “I did not get a heart attack, I was not at all traumatized,” she said of her reaction to the news that Pegasus was used to monitor the contents of her phone between early April and mid-November 2019.

Csikász has even managed to find some humor in her situation. “My friends took it real easy, most of them just crack jokes and my family took it as a sign of prestige and importance. For them, it is as if I was awarded with a special journalism prize,” she said. She added that the publicity surrounding the disclosures had even prompted some sources to contact her because they heard about her in the news. “I was not, and I have not, become paranoid,” she told CPJ.

Still, Csikász, who currently works for daily tabloid newspaper Blikk and was reporting for the investigative outlet Átlátszó, remains concerned about the intrusion. “As a journalist, I respect my country’s laws and my profession’s ethical standards and I consider the possibility of being spied on as part of my job,” she said. However, she would like to know which of her numerous investigations were considered threats to national security.

Varga told CPJ in a video interview that he’d attracted government attention when he started investing in media in 2014. This scrutiny increased, especially when he made it clear around 2017 that he would not be willing to sell his assets in spite of quiet threats and warnings from businesspeople linked to the government. In recent years, he said, he had spotted people sitting in cars parked outside his house and apparent eavesdroppers sitting next to his table at restaurants. He recalled that his phone calls were often interrupted, he once heard a recording of a call played back from the start, and at one point German tech experts provided proof that his Android phone had been hacked.

Panyi’s investigation found Varga’s Pegasus surveillance started around the time he invited six people to a dinner in his house in Budapest in June 2018, two months after Orbán won a third consecutive term as prime minister. All seven participants of the dinner were selected as potential candidates for surveillance and at least one of their phones showed evidence of infection under Amnesty’s forensic analysis.  

“I was only surprised that the regime used this type of high-level technology to spy on an otherwise innocent gathering of intellectuals,” Varga told CPJ in a video call. “It was far from being a coup, it was just a friendly gathering. We discussed the very high level of corruption in Hungary’s ruling elite and how to find ways to expose it. Using this kind of technology in such a situation for me just shows how much the government is afraid of its opponents,” he said.

The reporter who spoke on condition of anonymity was also surprised that the government would deploy such high-tech spyware against journalists. Although he’d seen indications of occasional physical surveillance, the Pegasus infiltration “came out of the blue and was a real shock to me,” he said in a phone interview. His “dark period” only eased when the fact of his surveillance was publicly reported. “Since then, I prefer not to speak about it and share my experiences with anyone but my friends,” he told CPJ.

Panyi said that the way he communicates with sources has now become much slower and more complicated. “Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life,” he told CPJ in a phone interview. He uses various secure digital tools and applications, is mindful about what networks he connects to on his computer or mobile phone, regularly goes to meetings without his phone, and continues to take physical notes.

Varga says the spyware disclosures have harmed some of his business ventures. “The Pegasus scandal made it obvious for both my business and private contacts that it might be risky to talk to me and they might also get exposed, which people obviously try to avoid,” Varga told CPJ, adding that acquaintances now crack Pegasus “jokes” in most of his meetings. “As a result of this whole affair, I have much less phone calls, more walking meetings outside, without phones in the pocket,” he said.

Many companies, including advertising agencies and advertisers for his news site, seem to prefer to avoid doing business with him, and their loss is not offset by the small number of ad-buyers who now see the site as an important media voice, said Varga. “I have become kind of toxic for my environment,” he told CPJ. 

The reporter who preferred not to be named said that his phone now “stays outside” whenever he sees friends and family and he uses a special anti-tracking case when he attends professional meetings.

‘We say no to your observation!’ Participants walk in front of a poster showing Hungary’s Prime Minister Viktor Orbán during a July 26, 2021, protest in Budapest against the Hungarian government’s use of Pegasus spyware to monitor journalists, opposition leaders and activists. (Reuters/Marton Monus)

Hungary’s government acknowledged in November 2021 that it had bought Pegasus spyware, but says that its surveillance of journalists and political critics was carried out in accordance with Hungarian law.

A government spokesman said that journalists might have been monitored because some of their sources were under surveillance on suspicion of crimes or terrorist links, not because the journalists were the direct targets of the investigations.

In January, the Hungarian National Authority for Data Protection and Freedom of Information issued a 55-page report, which concluded that in all the cases they investigated, including those involving journalists, all legal criteria for the application of the spyware were met and the spyware was used to protect Hungary’s national interests.  

These responses have left the journalists who spoke to CPJ with little hope that anyone will be held accountable for the intrusion on their lives. Nor do they expect help from the institutions of the European Union, where officials themselves have been targeted by spyware as they grapple with mounting political pressure over how to hold member states accountable for any breaches of the rule of law.

As the European Parliament’s committee of inquiry looks at the mountain of evidence that surveillance spyware has been used in EU countries and against EU citizens, the EU Commission lacks the powers to hold member states to account, and has been forced to refer those seeking justice to their national courts.    

Surveilled journalists might eventually get EU relief if a new draft European Media Freedom Act, released on September 16, becomes law. The Act could give journalists a path to file a complaint to the EU’s Court of Justice if they or those close to them are subject to the unjustified use of spyware. However, the Act still has to be reviewed by EU institutions and member states and may not survive in its current form.  

Meanwhile, Panyi does not believe Hungary’s courts can provide any relief. “The laws regulating national security, including surveillance, are so broadly formulated that it is legal to wiretap and surveil anyone,” he told CPJ. Noting that there was no independent oversight of the surveillance process, he added that “legal” in these cases meant only that “everything has been properly documented, and the necessary stamps are where they should be.”

In June, Panyi saw his concerns confirmed when the Central Investigation Prosecutor’s Office announced it had terminated its own investigation into the allegations of illegal surveillance of journalists and opposition politicians, citing absence of a crime. “A broad investigation which included classified documents found no unauthorized and secretive collection of information or the unauthorized use of a concealed device,” said the investigators. 


Additional reporting by Tom Gibson in Brussels


This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong/CPJ EU Correspondent.

In Morocco, journalists – and their families – still struggle to cope with spyware fears
https://www.radiofree.org/2022/10/13/in-morocco-journalists-and-their-families-still-struggle-to-cope-with-spyware-fears/
Thu, 13 Oct 2022 09:00:00 +0000

By CPJ MENA Staff

Last July, when the Pegasus Project investigation revealed that imprisoned Moroccan journalist Soulaiman Raissouni was selected for surveillance by Israeli-made Pegasus spyware, the journalist could only laugh. 

“I was so sure,” his wife Kholoud Mokhtari said Raissouni told her from prison. 

Raissouni is one of seven local journalists named by the Pegasus Project – an investigative consortium of media organizations – as a potential or confirmed target of Pegasus spyware. The news only validated what Morocco’s journalist community had long suspected: that the state’s vast intelligence apparatus has been monitoring some journalists’ every move.

Moroccan journalists were among the first worldwide to complain of the use of spyware against reporters, pointing to digital surveillance as early as 2015. In 2019 and 2020, Amnesty International announced the findings of forensic analyses confirming that Pegasus had been used on the phones of at least two Moroccan journalists, Omar Radi and Maati Monjib. Subsequent state action against some of the surveilled journalists underscored the ongoing threat to Morocco’s independent media – and reinforced CPJ’s conclusion that spyware attacks often are precursors to other press freedom violations.

Both Raissouni and Radi are imprisoned in Morocco for what family and colleagues describe as trumped up sex crimes charges. Taoufik Bouachrine, another journalist whom the Pegasus Project said was targeted with the spyware, is imprisoned on similar charges. 

The Pegasus Project was unable to analyze the phones of all of those named as surveillance targets to confirm the infection and the Moroccan government has repeatedly denied ever using Pegasus. However, many of the three journalists’ private pictures, videos, texts, and phone calls, as well as those belonging to family members, were published in pro-government newspapers and sites like Chouf TV, Barlamane.com, Telexpresse, and then later used as evidence against the journalists in court.   

Bouachrine, former editor-in-chief of local independent newspaper Akhbar al-Youm, was arrested in February 2018, and is serving a 15-year prison sentence on numerous sexual assault and human trafficking charges. His wife, Asmae Moussaoui, told CPJ in a phone call in May 2022 that she believes she was surveilled, too. 

In April 2019, Moussaoui said she called a private Washington, D.C.-based communications firm to help her run ads in U.S. newspapers about Bouachrine’s case, hoping that the publicity might aid efforts to free her husband. The next day, Barlamane published a story alleging that Moussaoui paid tens of thousands of euros to the firm, using money the journalist allegedly earned through human trafficking activities. Human Rights Watch describes Barlamane as being “closely tied with security services.” 

Suspecting she was being monitored, Moussaoui turned to one of her husband’s lawyers, who suggested the pair “pull a prank” that would help them detect whether authorities were indeed spying on her. The lawyer “called me and proposed that we speak with Taoufik’s alleged victims to reconcile, which we did not really intend to do. The next day, tabloids published an article saying that our family is planning to bribe each victim with two million dirhams [about $182,000] so they drop the case. I became very sure [of the surveillance] then,” Moussaoui told CPJ.

Moroccan journalist and press freedom advocate Maati Monjib, co-founder of the Moroccan Association for Investigative Journalism (AMJI), had a similar experience. Monjib was arrested in December 2020 and sentenced to a year in prison the following month after he was convicted of endangering state security and money laundering fraud. The latter charge stems from AMJI’s work helping investigative journalists apply for grants, Monjib told CPJ in a phone call. 

“During one of our meetings at AMJI in 2015, I mentioned that we need to look for grants to support more journalists. The next day, one of the tabloids published a story claiming that Maati Monjib is giving 5,000 euros [$4,850] to every journalist who criticizes the general director of the national security. This is a proof that they were listening to our meeting,” said Monjib. 

The revelations have forced journalists and their family members to take precautions against surveillance – no easy task given the difficulty of detecting spyware infection without forensic help. “[Raissouni] told me to try to be safe, so I am trying my best,” Mokhtari, Raissouni’s wife, told CPJ. 

“Other than the usual precautions I take to protect my phone, I regularly update it and I never keep any personal pictures or important messages or emails on it,” she said. “I also buy a new phone every three months and destroy the old one, which has taken a financial toll on my family. But honestly you can’t escape it. The most tech-savvy person I know is our friend Omar Radi. He took all the necessary precautions against hacking, and they still managed to infect his devices.” 

Monjib brings his devices to tech experts almost daily to check for bugs and to clean them, he told CPJ, adding that he also never answers phone calls, only uses the encrypted Signal messaging app, and always speaks in code.

Aboubakr Jamai, a prominent Moroccan journalist and a 2003 CPJ International Press Freedom Award winner, was selected for surveillance with Pegasus in 2018 and 2019 — and confirmed as a target in 2019 — even though he has been living in France since 2007, according to the Pegasus Project. He believes that the Moroccan government is to blame for the spyware attacks, and that the surveillance has effectively ensured the end of independent journalism in the country, he told CPJ in a phone call. 

“For years now, there haven’t been any independent media or journalism associations,” said Jamai. “What’s left now is a handful of individuals who have strong voices and choose to echo it using some news websites, but mainly social media platforms.”

CPJ emailed the Moroccan Ministry of Interior in September for comment but did not receive any response. 

Still, Jamai – who gave no credence to the government’s earlier denials of Pegasus use – did see one positive result from the spyware disclosures. “It publicly exposed Morocco’s desperation and the extent to which it is willing to go to silence journalists,” he said. “Now the whole world knows that the Moroccan state is using Pegasus to spy on journalists.”


This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp.

For Mexican journalists, President López Obrador’s pledge to curb spyware rings hollow
https://www.radiofree.org/2022/10/13/for-mexican-journalists-president-lopez-obradors-pledge-to-curb-spyware-rings-hollow/
Thu, 13 Oct 2022 09:00:00 +0000

“Practically nothing.” RíoDoce magazine editor Andrés Villarreal spoke with a sigh and a hint of resignation as he described what came of Mexico’s investigation into the attempted hacking of his cell phone. “The federal authorities never contacted me personally. They told us informally that it wasn’t them, but that’s it.”

Over five years have passed since Villarreal and Ismael Bojórquez, RíoDoce’s co-founder and editor-in-chief, received the suspicious text messages that experts said bore telltale signs of Pegasus, the now notorious surveillance software developed by Israeli firm NSO Group. Just this month, a joint investigation by three Mexican rights groups and the University of Toronto’s Citizen Lab found evidence of Pegasus infections on the devices of two Mexican journalists and a human rights defender between 2019 and 2021 – infiltration that occurred in spite of Mexican President Andrés Manuel López Obrador’s 2018 promise to end illegal surveillance. (López Obrador denied on October 4 that his administration had used Pegasus against journalists or political opponents, saying, “if they have evidence, let them present it.”)

The previous Mexican administration also denied using the technology on high-profile journalists, even after the Pegasus Project, a global consortium of investigative journalists and affiliated news outlets that investigated the use of the spyware, reported in 2021 that more than two dozen journalists in Mexico have been targeted with the spyware. Those named included award-winning investigative journalist Carmen Aristegui and Jorge Carrasco, the editor-in-chief of the country’s foremost hard-hitting investigative magazine Proceso. Yet although the surveillance caused considerable outrage, almost nothing has changed since 2017, according to Villarreal, who spoke to CPJ from Sinaloa’s capital, Culiacán.

In what CPJ has found to be by far the deadliest country for journalists in the Western Hemisphere, there remains no legal protection from intrusive surveillance, no recourse for its victims, and no repercussions for those in public office who facilitated the spying.  

López Obrador’s pledge to stop illegal surveillance was one of his first major undertakings after he took office in December 2018. Eleven months later, he assured Mexicans that the use of the Israeli spyware would be investigated. “From this moment I tell you that we’re not involved in this. It was decided here that no one will be persecuted,” he said.

But with just over two years left in office – Mexico’s constitution allows presidents to serve only a single six-year term – journalists, digital rights groups, and human rights defenders say little has come of the president’s promises. Not only has the investigation into the documented cases of illegal use of Pegasus shown no meaningful progress, the critics say, but also virtually nothing has been done to prevent authorities from continuing to spy. 

“Unfortunately, the regulatory situation and the authorities’ capacity to intercept communication have remained intact,” said Luis Fernando García of Red en Defensa de los Derechos Digitales (R3D), a Mexico City-based digital rights group that supports reporters targeted with Pegasus. “There’s very little transparency, very little publicly available information about the use of such technologies, which makes repetition a very real possibility.”

CPJ contacted the office of President López Obrador’s spokesperson for comment before publication of the October report about the most recent infections but did not receive a reply.

NSO says it only sells Pegasus to government and law enforcement agencies to combat terrorism or organized crime. But investigative journalists report that in countries like Mexico non-state actors, including criminal groups, can also get their hands on these tools even if they are not direct clients. This poses a major threat to journalists and their sources across the region, where CPJ research has found that organized crime groups are responsible for a significant percentage of threats and deadly violence targeting the press. At least one Mexican journalist who was killed for his work, Cecilio Pineda Birto, may have been singled out for surveillance the month before his death.

Villarreal and Bojórquez received the first Pegasus-infected text messages just two days after Javier Valdez Cárdenas, RíoDoce co-founder and a 2011 recipient of CPJ’s International Press Freedom Award, was fatally shot on May 15, 2017, near the magazine’s offices in northern Sinaloa state.

“Although it had all the hallmarks of Pegasus, it took us quite a while before we realized what was happening,” Villarreal recalled. “We were in a very vulnerable state after Javier’s death. It wasn’t until approximately a month later, after contact with press freedom groups, that we realized that it was Pegasus.”

Ismael Bojórquez, co-founder and director of Riodoce, speaks with editors Andrés Villarreal and Judith Valenzuela at their office in Culiacán, Sinaloa state, Mexico on June 30, 2017. Bojórquez and Villarreal had received spyware-infected messages on their phones. (AP Photo/Enric Marti)

A 2018 report by R3D, citing findings by Citizen Lab, stated that the likely source of Villarreal’s surveillance was the Agency of Criminal Investigation, a now-defunct arm of the federal attorney general’s office. Two autonomous federal regulators subsequently established that the attorney general’s office used Pegasus illegally and violated privacy laws.

However, an ongoing federal investigation initiated under the previous government of President Enrique Peña Nieto has not led to any arrests of public officials. In December 2021, Mexican authorities requested the extradition from Israel of the former head of the criminal investigation agency, Tomás Zerón, in connection with various investigations – reportedly including the Pegasus abuses – but that request has not yet been granted. (CPJ contacted the federal attorney general’s office for comment on the extradition, but did not receive a reply.)

Concerningly, according to Proceso, investigators of the federal state comptroller revealed in the audit of the federal budget in October 2021 that the López Obrador administration had paid more than 312 million pesos (US $16 million) to a Mexican businessman who had facilitated the acquisition of Pegasus in the past.

The López Obrador administration has not publicly responded to Proceso’s findings or the state comptroller’s report, but the president did say during his daily press briefing on August 3, 2021, that there ‘no longer existed a relationship’ with the developer of Pegasus. The president’s office had not responded to CPJ’s request for comment on the payment by the time of publication.

Experts at R3D and Citizen Lab said Pegasus traces on a journalist’s phone indicated they were hacked as recently as June 2021, just after they reported on alleged human rights abuses by the Mexican army for digital news outlet Animal Politico. The journalist was not named in reports of the incident.

“I don’t think anything has changed,” Villarreal said. “The risk continues to exist, but the government denied everything.”

R3D, together with a number of other civil society groups, has also pushed hard for new legislation to curb the use of surveillance technologies by lobbying legislators directly and via platforms like the Open Government Alliance. So far, the result has been disappointing. Even though López Obrador and his party, the Movement of National Regeneration (Morena), hold absolute majorities in both chambers of federal congress and have repeatedly acknowledged the need to end illegal surveillance, there has been no meaningful push for new legislation on either the state or the federal level.

“There is indignation about surveillance, but my colleagues aren’t picking the issue up,” said Emilio Álvarez Icaza, an independent senator who has been outspoken about surveillance. “It’s an issue that at least the Senate does not seem to really care about.”

R3D’s García warns that Pegasus is just a part of the problem. R3D and other civil society groups say they have detected numerous other technologies that were acquired by state and federal authorities even after the scope of Pegasus’ use became clear.

“We’ve been able to detect the proliferation of systems that permit the intervention of telephones and there are publicly available documents that provide serious evidence that those systems have been used illegally,” García said. “The [attorney general’s office], for example, has acquired the capacity to conduct more than 100,000 searches of mobile phone data, but only gave clarity about 200 of them.”

“Even with regulation, the Mexican justice state has a tremendous problem of lack of transparency and accountability. The entire system seems to have been constructed to protect public officials,” said Ana Lorena Delgadillo, a lawyer and director of the Fundación para la Justicia, which provides legal support to Mexicans and Central Americans searching for ‘disappeared’ family members. “This is why I believe it’s important that cases of this nature are ultimately brought to the Supreme Court, but it’s hard to find people willing to litigate.”

Villarreal said he will not be one of those afraid to speak out. “Ultimately we’ve left our cases in the hands of civil society organizations,” he said. “Thing is, the spyware is just a new aspect of a problem that has always existed. The authorities have spied here, they will continue to do so. We have to adapt to the reality that we’ll never know the extent of what’s going on.”


This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen, CPJ Mexico Correspondent.

In India’s hardest-hit newsroom, surveilled reporters fear for their families and future journalists
https://www.radiofree.org/2022/10/13/in-indias-hardest-hit-newsroom-surveilled-reporters-fear-for-their-families-and-future-journalists/
Thu, 13 Oct 2022 09:00:00 +0000
https://cpj.org/?p=236243

M.K. Venu, a founding editor at India’s independent non-profit news site The Wire, says he has become used to having his phone tapped in the course of his career. But that didn’t diminish his shock last year when he learned that he, along with at least five others from The Wire, was among those listed as possible targets of surveillance by Pegasus, an intrusive form of spyware that enables the user to access all the content on a target’s phone and to secretly record calls and film using the device’s camera.

“Earlier it was just one conversation they [authorities] would tap into,” Venu told CPJ in a phone interview. “They wouldn’t see what you would be doing in your bedroom or bathroom. The scale was stunning.”

The Indian journalists were among scores around the world who learned from the Pegasus Project in July 2021 that they, along with human rights activists, lawyers, and politicians, had been targeted for possible surveillance by Pegasus, the spyware made by Israel’s NSO Group. (The company denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.) 

The Pegasus Project found that the phones of two founding editors of The Wire – Venu and Siddharth Varadarajan – were confirmed by forensic analysis to have been infected with Pegasus. Four other journalists associated with the outlet – diplomatic editor Devirupa Mitra, and contributors Rohini Singh, Prem Shankar Jha, and Swati Chaturvedi – were listed as potential targets.

The Indian government denies that it has engaged in unauthorized surveillance, but has not commented directly on a January New York Times report that Prime Minister Narendra Modi agreed to buy Pegasus during a 2017 visit to Israel. The Indian government has not cooperated with an ongoing inquiry by an expert committee appointed by the country’s Supreme Court to investigate illegal use of spyware. In late August, the court revealed that the committee had found malware in five out of the 29 devices it examined, but could not confirm that it was Pegasus.

However, Indian journalists interviewed by CPJ had no doubt that it was the government behind any efforts to spy on them. “This government is obsessed with journalists who are not adhering to their cheerleading,” investigative reporter Chaturvedi told CPJ via messaging app. “My journalism has never been personal against anyone. I don’t understand why it is so personal to this government.” For Chaturvedi, the spying was an invasion of privacy “so heinous that how do you put it in words.” 

Overall, the Pegasus Project found that at least 40 journalists were among the 174 Indians named as potential targets of surveillance. With six associated with The Wire, the outlet was the country’s most targeted newsroom. The Wire has long been a thorn in the side of the ruling Bharatiya Janata Party (BJP) for its reporting on allegations of corruption by party officials, the party’s alleged promotion of sectarian violence, and its alleged use of technology to target government critics online. As a result, various BJP-led state governments, BJP officials, and their affiliates have targeted the website’s journalists with police investigations, defamation suits, online doxxing, and threats.

Indian home ministry and BJP spokespeople have not responded to CPJ’s email and text messages requesting comment. However, after the last Supreme Court hearing, party spokesperson Gaurav Bhatia criticized the opposition for “trying to create an atmosphere of fear” in India. “They [Congress party] were trying to spread propaganda that citizens’ privacy has been invaded. The Supreme Court has made it clear that no conclusive evidence has been found to show the presence of Pegasus spyware in the 29 phones scanned,” he said.

Indian police detain an opposition party worker during a February 2022 Mumbai protest accusing the Modi government of using Pegasus spyware to monitor political opponents, journalists, and activists. (AP/Rafiq Maqbool)

As in so many other newsrooms around the world, the Pegasus Project revelations have prompted The Wire to introduce stricter security protocols, including the use of encrypted software, to protect its journalists as well as its sources.

Ajoy Ashirwad Mahaprashasta, political editor at The Wire, told CPJ in a phone interview that as part of the new procedures, “we would not talk [about sensitive stories] on the phone.” While working on the Pegasus Project, The Wire newsroom was extra careful. “When we were meeting, we kept our phones in a separate room. We were also not using our general [office] computers,” he said.

Venu told CPJ that while regular editorial meetings at The Wire are held via video call, sensitive stories are discussed in person. “We take usual precautions like occasional reboot, keep phones away when we meet anyone. What else can we do?” he asks.

Chaturvedi told CPJ via messaging app that she quickly started using a new phone when she learned from local intelligence sources that she might have been under surveillance. As an investigative journalist, her immediate concern following the Pegasus Project disclosures was to avoid compromising her sources. “In Delhi, everyone I know who is in a position of power no longer talks on normal calls,” she said. “The paranoia is not just us who have been targeted with Pegasus.”

“Since the last five years, any important source I’m trying to talk to as a journalist will not speak to me on a normal regular call,” said Arfa Khanum Sherwani, who anchors a popular political show for The Wire and is known as a critic of Hindu right-wing politics. Sherwani told CPJ that her politician sources were the first ones who moved to communicate with her on encrypted messaging platforms even before the revelations as they “understood that something like this was at play.”

Rohini Singh similarly told CPJ that she doesn’t have any conversations related to her stories over the phone and leaves it behind when she meets people out reporting. “It is not about protecting myself. Ultimately it is going to be my story and my byline would be on it. I’m essentially protecting people who might be giving me information,” she said. 

Journalists also say they are concerned about the safety of their family members.

“After Pegasus, even though my name per se was not part of the whole thing, my friends and family members did not feel safe enough to call me or casually say something about the government. Because they feel that they are also being audiographed and videographed [filmed or recorded],” said Sherwani.

Chaturvedi told CPJ that her family has been “terrified” since the revelations. “Both my parents were in the government service. They can’t believe that this is the same country,” she said.

Venu and Sherwani both expressed concerns about how the atmosphere of fear could affect coverage by less-experienced journalists starting out in their careers. “The simple pleasure of doing journalism got affected. This may lead to self-censorship. When someone gets attacked badly, that journalist can start playing safe,” said Venu.

Said Sherwani: “For someone like me with a more established identity and career, I would be able to get people [to talk to me], but for younger journalists it will be much more difficult to contact politicians and speak to them. Whatever they say has to be on record, so you will see less and less source-based stories.”

Ashirwad agreed. “I’m very critical of this government, which is known. My stand now is I shall not say anything in private which I’m not comfortable saying in public,” he said.  


This content originally appeared on Committee to Protect Journalists and was authored by Kunal Majumder/CPJ India Representative.

MEDIA ADVISORY: CPJ to publish comprehensive report on the threat to journalism posed by zero-click spyware
https://www.radiofree.org/2022/10/12/media-advisory-cpj-to-publish-comprehensive-report-on-the-threat-to-journalism-posed-by-zero-click-spyware/
Wed, 12 Oct 2022 19:23:40 +0000
https://cpj.org/?p=236740

New York — On Thursday, October 13 the Committee to Protect Journalists (CPJ) will publish a report on the global impact of malicious spyware on journalism. Coming one year after the Pegasus Papers first shed light on the scale and scope of how one company’s software was weaponized by government officials to target journalists, the new report, “Zero-Click Spyware: Enemy of the Press,” offers an in-depth examination of the existential threat that surveillance technologies pose to journalists, their sources — and to journalism on the whole.

The report includes a global overview of spyware and how it’s used against journalists, as well as four case studies from India, Mexico, Hungary, and Morocco. Each provides first-hand accounts from journalists, digital privacy advocates, and others who were themselves targeted by spyware. The report also includes an opinion column by David Kaye, a former U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, on what he recommends global leaders should do to stop the abuse of spyware. 

The final piece offers concrete policy recommendations from CPJ experts to governments, corporate entities, and international human rights organizations to combat the arbitrary or unlawful deployment of spyware.

The full report will be available on Thursday, October 13 at 5:00am ET at: https://cpj.org/spyware-press-freedom

If you would like to speak with a CPJ expert about the report or about spyware’s impact on journalism more broadly, please contact Adam Peck at cpj@westendstrategy.com or at +1 202-531-6408.


This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

‘Permanent fear’: Togolese journalists on their lives 1 year after Pegasus Project revelations
https://www.radiofree.org/2022/07/18/permanent-fear-togolese-journalists-on-their-lives-1-year-after-pegasus-project-revelations/
Mon, 18 Jul 2022 17:33:59 +0000
https://cpj.org/?p=209953

One year after news broke about a list of over 50,000 phone numbers allegedly selected for surveillance with Pegasus spyware, journalists around the world continue to live and work with the fear that their phones can be used to track their conversations and penetrate all the personal and professional data stored on their devices.

The Pegasus Project, an investigation by Amnesty International and a consortium of media outlets coordinated by Forbidden Stories, revealed in July 2021 that at least 180 journalists were among those from over 50 countries who may have been targeted with the sophisticated surveillance software.

Three journalists from the West African country of Togo were included on the Pegasus Project list. They told CPJ at the time about how the revelations had caused “nightmarish nights” and damage to their personal as well as professional lives. Twelve months on, they say the prospect of being monitored still generates pervasive paranoia and hinders their communications with sources.

“Since I heard this news until today I can no longer easily communicate with my phone,” Ferdinand Ayité, director of L’Alternative newspaper, recently told CPJ about the implications of his phone number being listed. “There is a kind of permanent fear that forces me to change my means of communication.”

That fear is aggravated as Togolese authorities intensify their crackdown on independent press since the Pegasus Project revelations.

NSO Group, the Israeli company that sells the Pegasus spyware, has denied any connection to the Pegasus Project list and has said it only sells spyware to governments to fight terrorism and crime. However, research shows that journalists and those close to them have been targeted, along with activists and politicians, around the world.

Citizen Lab, a University of Toronto-based research group, found Togolese clergy had been selected for Pegasus surveillance in 2019. Similarly, Amnesty International reported that a Togolese human rights defender, who requested anonymity for security reasons, had been targeted with a different, Indian-made spyware in late 2019 and early 2020.

Ayité, like other journalists whose phones were reportedly listed for potential surveillance in countries ranging from Morocco to Mexico to India to Hungary, said the disclosures had affected their ability to work. “Sources treat us differently. Several people are reluctant to take our phone calls, and we are forced to proceed otherwise,” he said. “Personally, I no longer call certain sources…To this day I continue to think that my communications are always followed and listened to and this has a negative impact on the work.”

Ayité and two other journalists⁠—Komlanvi Ketohou and Luc Abaki⁠—whose contacts featured among the over 300 Togolese phone numbers on the Pegasus Project list, have not confirmed if their devices were ever infected with the spyware. But they told CPJ how the threat of surveillance shaped their broader concerns about freedom of expression in Togo. Spyware was just one of the reasons the Togolese Press Patronage (PPT), a local association of media owners, called 2021 the “darkest [year] of the democratic era in Togo in terms of press freedom.”

Days after he learned that his number had been listed, Ayité told CPJ he was not surprised and described himself as “a journalist on borrowed time.” Less than six months later, in early December 2021, police arrested Ayité and Fraternité newspaper director Joël Egah, and detained them for over 20 days on accusations of “contempt of authorities” and “propagation of falsehoods.” Ayité said authorities retained his passport until mid-June; Egah died of a heart attack in March.

In May, Ayité and his newspaper lost their appeal of a separate defamation case. The ruling they sought to reverse had ordered them each to pay 2 million West African francs (US $3,703) in damages over a June 2020 report accusing a local official of embezzlement. Ayité said he and his legal team were preparing to appeal again to Togo’s Supreme Court.

Ketohou, who also uses the first name Carlos, told CPJ that even a year after learning his number was listed, people still worried about being in contact with him.

“They have fear to speak with me,” Ketohou said. “Fear that what they say will be listened to by Togolese authorities.”

Even when people do agree to speak with him over the phone, Ketohou said they often request a video call to be able to see that it’s really him on the other end of the line. Ketohou recognized that this would not necessarily protect against spyware that can grant remote access to a phone’s microphone and camera, but people were looking for ways to build confidence in their communications with him.

Reached by phone on July 15, Togo communication minister Akodah Ayewouadan said the government had no connection with the NSO Group, “has not used that [Pegasus] spyware and we have not communicated on it.” Ayewouadan requested that he be sent questions in writing, but as of Monday, July 18, CPJ had not received any response to those written questions.

Months before learning his number was listed, Ketohou was arrested by Togolese police and detained for several days over a report published by his L’Indépendant Express newspaper alleging corruption by government ministers. That paper was barred from publishing following his release and he fled the country amid ongoing threats against him and his family, setting up the L’Express International news site in exile.

Living outside Togo, Ketohou told CPJ that he has remained worried about the transnational reach of the Togolese government. He said in recent months he had received video calls from numbers he did not know, which he refused to answer. Even without evidence to suggest the callers wished to harm him, Ketohou said he feared they sought to confirm visually that it was his phone and to collect information about his location.

Luc Abaki, who works as a freelance reporter, told CPJ that while being listed in the Pegasus Project leak didn’t significantly change his private life, “certain people, especially close to power carefully avoid my calls, in particular telephone. This means that I no longer have access to certain information that is sometimes essential for the work that I do as a journalist.”

“I work conscientiously with the main objective of aiming for the common good,” Abaki said. “I always observe prudence.”


This content originally appeared on Committee to Protect Journalists and was authored by Jonathan Rozen/CPJ Africa Research Associate.

Marcela Turati on the chilling implications of Mexico’s probe into her reporting
https://www.radiofree.org/2022/01/04/marcela-turati-on-the-chilling-implications-of-mexicos-probe-into-her-reporting/
Tue, 04 Jan 2022 20:48:46 +0000
https://cpj.org/?p=155438

For more than a decade, Marcela Turati has painstakingly documented disappearances and mass graves in Mexico, cementing her reputation as one of the country’s foremost investigative reporters. But even with her knowledge of human rights abuses and corruption, she was shocked to learn that she has been under investigation by Mexican federal authorities for years.

On November 23, the Fundación para la Justicia y el Estado Democrático de Derecho, a Mexico City-based legal nonprofit, revealed in the Washington Post that the Mexican federal attorney general’s office (FGR) had in 2016 opened an “organized crime” and “kidnapping” investigation into Turati, the nonprofit’s director Ana Lorena Delgadillo, and Argentine forensic anthropologist Mercedes Doretti.

The investigation into the three women was part of a broader probe into the 2011 mass disappearance of almost 200 people in San Fernando, in the northern Mexican state of Tamaulipas, which Turati reported on for Mexico City weekly Proceso. Mexican federal authorities alleged that Los Zetas, one of the country’s most notorious and violent criminal gangs, was behind the disappearances.

If being investigated wasn’t shocking enough, Turati also learned that authorities had surveilled her as part of the probe. According to the foundation, the federal attorney general’s office obtained phone and geolocation data on the women without a court order. It was able to do that because Mexican law compels mobile phone operators – in Turati’s case, Movistar – to cooperate with federal authorities in organized crime probes.

The revelation came shortly after Turati learned that she was one of at least 25 journalists in Mexico who had been selected for potential surveillance with Pegasus phone hacking technology, according to a report by investigative journalism nonprofit Forbidden Stories. NSO Group, the Israeli company that makes Pegasus and sells it to government clients, disputes the report.

FGR has not commented publicly on the case. CPJ sent a request for comment to the assistant of Raúl Tovar, the chief spokesperson for the FGR and attorney general Alejandro Gertz Manero via messaging app, but did not receive a reply.

CPJ spoke with Turati about how the discovery of the investigation has impacted her and what it means for investigative reporting in Mexico, which is, according to CPJ research, the deadliest country for journalists in the Western Hemisphere. The interview has been edited for length and clarity.

What was your initial response to learning you were investigated by federal authorities?

It came as a huge shock to me, because I saw my photo, my digital fingerprint, contact I had with my family, my address, everything. First I felt very angry, then I felt scared and exposed, especially after I was told earlier this year that I was also targeted with the Pegasus spyware. If that was successful, then they have also had access to my messages, email, and photos.

I’m also angry for what this means for investigative journalism in Mexico. It’s as if they have exposed my professional secrets as a journalist. Ultimately what they did was send an analysis to the Federal Police to see how many times I met my sources. They also looked into calls I made to the lawyer of the families, that I had covered Ayotzinapa [the abduction of 43 students of a rural teachers’ college in the southern Mexican state of Guerrero in 2014, which authorities said was possibly a mass murder]. We haven’t seen a lot of the documents yet, but we’re talking about some 500 pages about my life. I’m really worried about what else may turn up.

FGR specifically labeled the investigation as one into “organized crime” and “kidnapping” in the case file. How does this ease its ability to surveil you?

They did it to trick the system. When a person disappears in Mexico and they urgently request mobile phone data to track calls, it can take months to obtain the information. In our case they got the data in just 24 hours. They can skip the judge [by tagging an investigation as “organized crime”]. They didn’t create a separate case file about us, but they included us in a case as if we were suspects.

What does the inclusion of your name in this federal organized crime probe mean for Mexican journalists who cover human rights abuses?

This happened in 2015 and 2016, under a different government than that of President Andrés Manuel López Obrador, but the investigator who requested the data is the same who handed the case file to the foundation in May [in compliance with a Mexican Supreme Court ruling, according to the Washington Post]. He still works at the attorney general’s office, and there are the others who have a copy, who signed off. They’re all still there.

There are a lot of things that go through my mind. As happened with the Pegasus spyware case, the people who did this are still working there. We haven’t been shown that the FGR has been purged. This is very serious. It can still happen; we really only found out about this case by accident. How many others are there?

Another thing is that, if a journalist can’t keep her sources secret, it’s like taking us out of the water we swim in. You take away the right of people to report abuses. I felt that this is not just something they did to me. They abuse the state apparatus; the FGR was involved, federal police, forensic investigators, and the highest officials were informed, because they received copies of the case file.

Do you have any faith that the López Obrador administration will take steps to prevent this from happening again?

I’m not sure. Alejandro Encinas, the undersecretary for Human Rights, condemned it and promised that it would be investigated, but he’s not the one with the authority to do something about this. The FGR hasn’t said anything. They can change the story. They can end impunity in this case by sanctioning the officials who were responsible if they want to. But we don’t know what’s going on.

Will this change the way you work as a reporter?

I do everything by myself, but since Pegasus I ask myself how it’s possible to defend yourself against this. Would I have to stop using smartphones and do things like they did with Watergate, leaving a ribbon on my balcony so sources know that I want to talk with them? Even if you use different phones and take courses in cybersecurity, how much can one really do? How can you do journalism without speaking with a source on the telephone, if you can’t be sure that they’re not spying on you?


This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen/CPJ Mexico Representative.

‘A high-profile action’: Lawyer Douglas Jacobson on what U.S. export restrictions could mean for Israel’s NSO Group
https://www.radiofree.org/2021/11/11/a-high-profile-action-lawyer-douglas-jacobson-on-what-u-s-export-restrictions-could-mean-for-israels-nso-group/
Thu, 11 Nov 2021 18:32:47 +0000
https://cpj.org/?p=143837

On November 3, the U.S. Department of Commerce announced it had imposed export controls on the Israeli NSO Group, saying the company “developed and supplied spyware to foreign governments that used these tools to maliciously target” journalists and others.

The move represented a relatively new use for the Entity List for Malicious Cyber Activities, a tool used by the department’s Bureau of Industry and Security to limit a designee’s access to U.S. exports, lawyer Douglas Jacobson, who specializes in export control and sanctions, told CPJ in a recent phone call. Economic sanctions, a stricter control, are more common in response to human rights concerns, but export restrictions could have limited impact on the company, he said.

Commerce listed three other companies in its November 3 press release. NSO, however, is the best known of the group for its development of advanced Pegasus spyware which can infiltrate individual cellphones for surveillance purposes. The company says it sells to vetted government clients for law enforcement purposes and investigates reports of abuse – but forensic experts say dozens of journalists are among the targets. In July, reporting by 17 global media outlets found that at least 180 journalists were possible targets of surveillance by government clients of NSO. CPJ has found that some of those, such as the jailed Moroccan journalist Omar Radi, face severe reprisals for their work.

NSO told CPJ it was dismayed by the U.S. listing, and that its “rigorous compliance and human rights programs” have led to “multiple terminations of contacts with government agencies that misused our products.” The company has previously told CPJ that it investigated allegations that Pegasus was used to surveil Omar Radi, without elaborating on its findings.  

The Commerce Department linked one of the other three newly-listed companies, Israel-based Candiru, to spyware used to target journalists. The University of Toronto-based Citizen Lab reported in July that Candiru appeared to be responsible for malware attacks Microsoft described as targeting “more than 100 victims around the world,” including unnamed journalists and human rights activists. CPJ attempted to reach Candiru for comment, but the company does not have a website and Eitan Achlow, who was identified as the CEO in news reports, does not allow messaging on his LinkedIn profile. 

CPJ spoke to Jacobson about what the export restriction could mean for NSO Group. The interview has been edited for length and clarity.

What are the practical implications of being on the entity list?

[It] imposes a license requirement, but the U.S. is not penalizing NSO or Candiru or any of these other companies. They are just restricting their access to certain goods that are known to be subject to the Export Administration Regulations [everything that’s in the US or manufactured in the US, including software]. U.S. companies can [still] import goods from these companies if they want to.

The license requirement [could apply] to something as mundane as [the] desk chair you’re sitting on. A furniture company would need a license to export office furniture to the NSO Group. The license review policy is one of presumption of denial – if I wanted to submit a license on behalf of the client to NSO Group for office furniture, then I would have to convince the [Bureau of Industry and Security] to overcome this presumption of denial. It is intended to prevent them from getting certain technologies.  

I would imagine this would have a negative impact on NSO, because this will limit their ability to acquire even a new Windows laptop computer, for example.

Will it be crippling? Doubtful. There are certainly many workarounds that companies could use in order to acquire what they need. The U.S. is no longer the only producer of high-tech knowledge, and many U.S. [goods] may not even be subject to [these export regulations] because they’re manufactured [abroad]. But I think that this is a high-profile action.

Somebody asked me yesterday, is this really something that would make a [supplier] think twice? If I was advising a German company [on whether to] sell to NSO, I [would] say that’s a business decision. Your goods are not subject to [U.S. export regulation], so you wouldn’t be violating US law by doing that.

But for certain suppliers, it’s a PR risk?

Correct. [In case] the Wall Street Journal or whomever did an exposé and said, “This company in Germany or this company in Japan continues to sell to NSO.”

Is there a penalty from Commerce if they catch a U.S. company supplying someone on the entity list without a license?

Absolutely. The maximum civil penalty for violations of the [export regulations] is the greater of $308,901 per violation or twice the value of the transaction that is the basis of the violation.

Does this export restriction include services such as web hosting, training, service maintenance?

This does not apply to services at all. [The export regulations] only govern the export of tangible goods, software, or technology information. If you’re just going to repair something that is broken, for example, and a repairman goes to Israel [to repair] a server and they’re not having to provide the company with any information or replacement parts, then that would not be prohibited. And “technology” is broad – there’s a definition of technology in the Export Administration Regulations, but it doesn’t cover everything.

Senator Ron Wyden told The New York Times that sanctions should be applied to NSO Group under the Global Magnitsky Act. Is that possible?

The Global Magnitsky sanctions are administered by the U.S. Department of Treasury’s Office of Foreign Assets Control, or OFAC, and can be applied to companies. That’s human rights related, and that would have a much bigger impact on NSO.

[Economic sanctions like these] prohibit financial transactions by U.S. persons, company, or citizen. They are broad; they prohibit the export of U.S. goods, they prohibit payments to those individuals, and they also prohibit services [provided to them].

The Commerce Department announcement lists a number of subsidiaries for Candiru, but none of the known subsidiaries for NSO Group are listed. Does that mean those subsidiary companies would not be considered during implementation?

[It] doesn’t apply to any of their affiliates unless they are named. However, a company [supplying exported goods] has to be very careful because that affiliate may be a conduit by which the main prohibited company is acquiring goods that they shouldn’t be acquiring.

Something else that struck me about this listing was the reasoning that it was a consequence for human rights violations, particularly about journalists being maliciously targeted. Is that a normal reasoning to get a company on this list?

The criteria [include] reasonable cause to believe that the entity has been involved in activities that are contrary to the national security or foreign policy interest of the U.S.

Foreign policy is a broader, more amorphous term, of course. That is what is being used as the basis for these human rights designations, which is, relatively, a broader interpretation of foreign policy [in the context of the entity list].  

How often is this list reviewed? What is the process?

The process is not an easy one, particularly when it comes to human rights issues. [China’s] Huawei has been on it for [almost] three years. There doesn’t appear to be much of an off-ramp for Huawei because of the national security issues – but there is an off-ramp. It does take time, [but] parties are removed from the entity list periodically. A company does have a chance to appeal their listing.

The problem is, [the group that would remove them is] the same group that added them. This is called the End-User Review Committee, which is an interagency group chaired by the Department of Commerce. There has to be some change in behavior or [proof] that they didn’t do what they were alleged to have done.


This content originally appeared on Committee to Protect Journalists and was authored by Alicia Ceccanese.

Lawyer Apar Gupta: With Pegasus probe, India’s Supreme Court is pushing the government to answer to journalists
https://www.radiofree.org/2021/11/03/lawyer-apar-gupta-with-pegasus-probe-indias-supreme-court-is-pushing-the-government-to-answer-to-journalists/
Wed, 03 Nov 2021 18:03:41 +0000

On October 27, India’s Supreme Court ordered a “thorough inquiry” into the government’s alleged use of Pegasus spyware to monitor journalists and others by secretly surveilling their cell phones. The Israeli company NSO Group, which created Pegasus, says it sells only to official law enforcement agencies.

Journalists in India have been aware of the threat since 2019, when WhatsApp notified several that a Pegasus operator had tried to exploit the messaging app to access their phones; a former home secretary told CPJ at the time that Pegasus was “available and used” in India. In July 2021, when allegations of Pegasus surveillance surfaced across the globe, Indian news website The Wire partnered with Amnesty International and the investigative journalism group Forbidden Stories to reveal the names of 161 possible Pegasus targets in India, including 29 journalists. 

NSO has disputed the allegations by WhatsApp (the company is fighting a lawsuit WhatsApp filed against it in a U.S. federal court) and said the Pegasus Project allegations are false. CPJ emailed the company’s press email to request comment about sales to India, but received an error message.

Indian government officials also said the Project’s reporting had no substance, and five of those affected – freelance journalists Paranjoy Guha Thakurta, S.N.M. Abdi, Prem Shankar Jha, Rupesh Kumar Singh, and activist Ipsa Shatakshi – petitioned the Supreme Court to intervene. Three were suspected targets, while Amnesty confirmed traces of Pegasus infection on phones belonging to Guha Thakurta, a former editor of the Economic and Political Weekly journal, and former Outlook journalist Abdi, according to The Wire.

Ajay Prakash Sawhney, secretary of India’s ministry of electronics and information technology, did not immediately respond to CPJ’s email requesting comment.

Lawyer Apar Gupta, who has argued before the Supreme Court and is the executive director of the local digital rights group Internet Freedom Foundation, spoke to CPJ by phone about the Supreme Court’s move, and what will happen next. The interview has been edited for length and clarity.

Lawyer Apar Gupta. (Civil Society magazine)

Why should journalists, in India and elsewhere, be paying attention to the Supreme Court’s initial judgment?

The petitioners who have approached the court include senior journalists as well as journalists who work in rural districts. This issue concerns much more than surveillance – democratic processes will be subverted once controls are exerted over [journalists] or information gathered on them in a clandestine manner.

[The Supreme Court] stated that working journalists’ ability to gather information and talk to their sources will be impacted by surveillance. It has also stated that such surveillance brings into focus the larger public injury of self-censorship – which is essentially any person fearing that they can be infected [with spyware], thereby causing a chilling effect in which people don’t express criticism or displeasure against government policies.

Is this good news for the petitioners?

It is premature to have any celebrations. It is only the commencement of the process of investigation and we are quite distant from any kind of accountability.

The court has directed an independent committee to probe into two clear aspects. First, the committee should inquire about certain questions, and second, make recommendations towards accountability and changes in law.

What are your expectations from the committee?

While some commentators are a bit more cynical about the committee, I do hold some hope [for] a positive outcome, because it is headed by a retired supreme court judge [Justice R.V Raveendran] who has a fairly good reputation. Further, it comprises of a technical expert [Sundeep Oberoi] in the domain of cybersecurity, alongside a former senior civil servant [from the] intelligence services, Alok Joshi, [formerly] the head of the Research and Analysis Wing, which is a powerful policing and surveillance body in India.

The court has also crafted well-structured terms of reference which are direct as well as expansive, so they give [the committee] ample powers and flexibility.

[However,] the committee could have included voices from civil society who have been at the forefront [of anti-surveillance campaigns] or digital rights experts who understand Pegasus spyware.

The Indian government has been largely unresponsive on this important issue. What is your reading of the court’s judgment on this matter?

The judgment notes the non-cooperation of the [central] government in providing even the most basic information beyond what it calls a “limited affidavit” – which was essentially two pages, and annexed a pre-existing statement made by [Ashwini Vaishnaw], the minister of electronics and information technology, before parliament on July 18.

The court states that facts [in the petitions] are not just reliant on newspaper reports, but on actual forensic reports. The nature of such allegations requires a specific response. The court expresses dissatisfaction [with the government’s affidavit] and provides further time to the government to look at the petitions factually and specifically. The government fails to do this.

The court notes that these are serious violations because of the impacted parties, including Rupesh Kumar Singh, a journalist from Jharkhand. [Spyware surveillance] would not only cause him mental duress and anxiety, but would also have a direct impact on [his] freedom of speech and expression, given that he is a working journalist and it will compromise his sources.

The government’s [claim is] that talking about this issue will impact national security, and terrorists will get to know how we procure technologies and how we use them. The court goes on to say: “National security cannot be the bugbear that the judiciary shies away from by the virtue of its mere mentioning.”

These are significant observations, which, if followed as legal precedent, will help check the rampant use of national security as a [cover] for state impunity, in which legal examination is prevented in courts and tribunals in India.

At an advanced stage of the hearing, [the government] offered to set up [its own] expert committee. The court notes that there is reasonable apprehension expressed by the petitioners: given that Pegasus can only be purchased by governments, there is a real possibility of its use by an Indian state agency. Secondly, it notes that there is a lower degree of confidence in the government, given that there is lack of progress in any official investigation regarding the first Pegasus disclosures in November 2019. That’s why it sets up a committee independent of the government.

Another independent investigation, under a parliamentary standing committee headed by opposition lawmaker Shashi Tharoor, stalled. Why do you think this committee will be any different?

As per media reports, the standing committee had a high degree of division along political lines. One of the sittings could not be conducted, as lawmakers from the ruling Bharatiya Janata Party refused to sign the attendance register. This is symptomatic of the polarization which has impeded the functioning of this committee. The committee which has been set up by the Supreme Court does not have such limitations.

[Editor’s note: BJP lawmaker Nishikant Dubey, a member of the parliamentary standing committee on information technology, did not immediately respond to CPJ’s email requesting comment.]

Has the court set any time frame for the committee’s inquiry?

No time frame has been set for the committee. On the contrary, [it] has been given full liberty to devise its own process and procedure. However, the [Supreme Court] has kept [its own] judgment pending on the Pegasus petitions, which will come up for hearing after eight weeks. At that point of time, we will get to know much more.


This content originally appeared on Committee to Protect Journalists and was authored by Kunal Majumder/CPJ India Correspondent.

‘There is no private life’: Three Togolese journalists react to being selected for spyware surveillance
https://www.radiofree.org/2021/09/22/there-is-no-private-life-three-togolese-journalists-react-to-being-selected-for-spyware-surveillance/
Wed, 22 Sep 2021 16:34:35 +0000

When Komlanvi Ketohou fled Togo in early 2021, he left behind his home, his family, and his cell phone that the gendarmerie seized when they arrested and detained him over a report published by his newspaper, L’Independant Express. In July, Ketohou, who goes by Carlos, learned that the phone number connected to the device they took may have been targeted for surveillance years before his arrest.

The revelation came via the Pegasus Project, a collaborative global media investigation detailing how thousands of leaked phone numbers, including many that belonged to journalists, were allegedly selected for potential surveillance by clients of the Israeli firm NSO Group. In addition to Ketohou, Togolese journalist Ferdinand Ayité, director of L’Alternative newspaper, was also on the Pegasus Project list, according to Forbidden Stories, one of the project’s partners. A third Togolese journalist, freelancer Luc Abaki, was similarly selected as a potential spyware target, according to a representative from Amnesty International, another of the project’s partners, who confirmed his number’s listing to Abaki and then to CPJ.

Ferdinand Ayité (left), director of Togolese newspaper L’Alternative, and freelance reporter Luc Abaki (right) learned that their phone numbers were allegedly selected for potential surveillance. (Photos: Ferdinand Ayité and Luc Abaki)

The use of NSO Group’s Pegasus spyware on these journalists’ phones has not been confirmed and NSO Group denied any connection to the list. But the three journalists told CPJ in multiple interviews conducted via email, phone, and messaging app that learning of their status as potential surveillance targets heightened their sense of insecurity, even as they continue to work in the profession.

“I spent nightmarish nights thinking about all my phone activities. My private life, my personal problems in the hands of strangers,” Ketohou said. “It’s scary. And it’s torture for me.”

The potential use of Pegasus spyware to surveil journalists in Togo adds to an already lengthy list of the country’s press freedom concerns. In recent years, journalists in Togo have been arrested and attacked, had their newspapers suspended over critical coverage, and struggled to work amid disrupted access to internet and messaging apps, CPJ has documented.

NSO Group has said it only sells its spyware, which allows the user to secretly monitor a target’s phone, to governments for use investigating crime and terrorism. Yet Pegasus has been repeatedly used to target members of civil society around the world, including Togolese clergy in 2019, according to Citizen Lab, a University of Toronto-based research group which investigates spyware. Over 300 Togolese numbers appeared on the Pegasus Project list of potential targets, Le Monde, another partner in the project, reported.

“I was very afraid,” Ketohou told CPJ after he said he was informed by Forbidden Stories that his number was listed in 2017 and 2018. He said it confirmed his decision to go into exile, where he started a new news site, L’Express International, after Togo’s media regulator barred L’Independant Express from publishing in early 2021 as CPJ documented. He asked CPJ not to disclose his location for security reasons.

Ketohou told CPJ that he couldn’t point to a specific article that may have triggered potential surveillance, but said that at the time his phone was selected his newspaper was reporting on nationwide protests—which began in 2017—opposing President Faure Gnassingbé’s rule. His position at the time as president of the Togolese Press Patronage, a local media owners association, and membership in the Togolese League for Human Rights (LTDH) advocacy group may have contributed to interests in having his phone monitored, Ketohou added.

L’Alternative director Ayité told CPJ that he was not certain what caused his phone number to be selected in 2018, as Forbidden Stories informed him, but that year his newspaper published what he described as “sensitive” reports on the political crisis surrounding the protests and the mediation efforts by surrounding countries.

He said the selection of his number for potential surveillance fit a pattern of Togolese authorities’ efforts to intimidate him and L’Alternative.

In February, CPJ documented how Togo’s media regulator for the second time in less than a year suspended L’Alternative; Ayité told CPJ in late July that the suspension ended in June. In a separate incident, in November 2020 a local court ordered Ayité and L’Alternative each to pay 2 million Western African francs (US$3,703) in damages to a Togo official who complained that their reporting on his alleged embezzlement violated the country’s press code; Ayité told CPJ that he has appealed the court order and that the next hearing is scheduled to be held on October 10.   

Unlike the other two journalists, Abaki said he was taking a break from journalism in 2018, the year he was listed for potential targeting, according to the Amnesty International representative.

But Abaki, who has been freelancing since last year, has also had his journalism impeded by authorities. In 2017, Togo’s media regulator closed La Chaîne du Futur and City FM, the television and radio stations he directed at the time, over alleged administrative issues, according to the government of Togo’s website. Abaki told CPJ that the closure was a political reprisal against a local politician who owned the station.

CPJ’s questions to Togo’s Broadcast and Communications High Authority, sent via the contact page on its website, as well as by text message to its president, Willybrond Télou Pitalounani, went unanswered.

Abaki said that being listed for surveillance was “extremely traumatic,” adding “there is no private life.”

“I told myself that I could have died, since the other journalists targeted from the other countries were murdered,” Ketohou told CPJ.

The Guardian reported that around the time Saudi Washington Post columnist Jamal Khashoggi was killed in 2018, phones belonging to his associates and family, including his wife and fiancée, were targeted with Pegasus spyware. Separately, The Guardian also reported that freelance Mexican journalist Cecilio Pineda Birto was selected for surveillance with the spyware a month before his assassination in 2017. Spyware attacks often occur alongside other press freedom violations, CPJ has found.

“There is a huge psychological impact of knowing that someone in this country is taking control of your phone, violating your privacy,” Ayité told CPJ, adding that his broader safety and privacy concerns had already caused him to limit his dating and other personal relationships. “I will be even more careful and vigilant. You never know where the fatal blow will come from. I am a journalist on borrowed time.”

CPJ’s calls to Akodah Ayewouadan, Togo’s minister of communication and spokesperson for the government, rang unanswered. In July, President Gnassingbé said he “can’t confirm” the use of Pegasus spyware to target his political opponents, according to Le Monde. “Each sovereign state is organizing itself to face what threatens it with the means at its disposal,” he said.

In an email to CPJ, NSO Group said that “NSO will thoroughly investigate any credible proof of misuse of its technologies” and “will shut down the system where necessary.” NSO did not directly respond to CPJ’s questions about the mental health implications of its technology’s sale and use.

Meanwhile, Ketohou has vowed to plow ahead with his journalistic work. “I have increased security around me, my internet activities, my work,” he said. But the experience, he added, “did not deter or intimidate me in my work as a journalist or human rights defender.”


This content originally appeared on Committee to Protect Journalists and was authored by Jonathan Rozen/CPJ Senior Africa Researcher.

Pegasus Project revelations show added layer of risk for corruption reporters
https://www.radiofree.org/2021/07/30/pegasus-project-revelations-show-added-layer-of-risk-for-corruption-reporters/
Fri, 30 Jul 2021 15:30:01 +0000

Exposing those who abuse power for personal gain is a dangerous activity. Nearly 300 journalists killed for their work since CPJ started keeping records in 1992 covered corruption, either as their primary beat, or one of several.

The risk was reaffirmed this month with the release of the Pegasus Project, collaborative reporting by 17 global media outlets on a list of thousands of leaked phone numbers allegedly selected for possible surveillance by government clients of Israeli firm NSO Group. According to the groups involved in the project, at least 180 journalists are implicated as targets.   

NSO Group denied any connection with the list in a statement to CPJ; it says that only vetted government clients can purchase its Pegasus spyware to fight crime and terrorism.

Among the outlets analyzing the data is the global journalism network Organized Crime and Corruption Reporting Project, which, as of July 29, had listed 122 of those journalists on its website.

Not all of those focus on corruption, Drew Sullivan, OCCRP co-founder and publisher, told CPJ in a recent video call. But several of OCCRP’s own partners in corruption reporting featured, he said, listing people who have worked for Azerbaijan’s independent outlet Meydan TV and Hungary’s investigative outlet Direkt 36 as examples.

“People who are looking at problems with these administrations — which tend to be somewhat autocratic — in a lot of countries they were perceived as enemies of the state because they were holding governments accountable,” he said.   

At least four corruption reporters whose cases CPJ has been tracking for years — in Mexico, Morocco, Azerbaijan, and India — appeared in the Pegasus Project reporting as possible spyware victims. Their inclusion in the project adds a new dimension to their stories of persecution, suggesting governments are increasingly willing to explore controversial technology as yet another tool to silence corruption journalism.

Here’s how the Pegasus Project revelations have shed new light on these four cases: 

Freelance journalist Cecilio Pineda Birto, killed in Mexico

(Forbidden Stories/Youtube)

What we knew: Pineda endured death threats and a shooting attempt to continue posting on crime and corruption to a news-focused Facebook page he ran, but was gunned down at his local car wash in 2017. He was one of six journalists killed in retaliation for their reporting in Mexico that year.    

New information: Pineda’s phone number was selected for possible surveillance a month before his death; he had recently told a federal protection mechanism for journalists that he believed he could evade threats because potential assailants would not know his location, according to The Guardian.  

The government’s response: Mexican officials said this month that the two previous administrations had spent $300 million in government money on surveillance technology between 2006 and 2018, including contracts with NSO Group, according to The Associated Press. CPJ emailed Raúl Tovar, director of social communication at the office of Mexico’s federal prosecutor, and Jesús Ramírez Cuevas, spokesperson for President Andrés Manuel López Obrador, for comment on the use of spyware against journalists, but received no response.

Le Desk reporter Omar Radi, imprisoned in Morocco

(Reuters/Youssef Boudlal)

What we knew: On July 19, 2021 – as many of the Pegasus Project stories were still breaking – a court sentenced Radi to six years in prison on charges widely considered to be retaliatory; he was jailed one year earlier, possibly to prevent completion of his investigation into abusive land seizures. Like fellow Moroccan journalists Taoufik Bouachrine and Soulaiman Raissouni, who are serving sentences of 15 years and 5 years, respectively, Radi was convicted of a sex crime, which journalists told CPJ was a tactic to dampen public support for the accused.  

New information: Amnesty International had already performed forensic analysis of Radi’s phone in 2019 and 2020 and connected it to Pegasus spyware, as outlined in the Pegasus Project reporting. Now we know that Bouachrine and Raissouni were also selected as potential targets, according to Forbidden Stories.

The government’s response: The Moroccan state has instructed a lawyer to file a defamation suit against groups involved in the Pegasus Project in a French court, according to Reuters.  CPJ requested comment from a Moroccan justice ministry email address in July but received no response; CPJ’s past attempts to reach someone to respond to questions about spyware at the ministries of communications and the interior were also unsuccessful.

Investigative reporter Khadija Ismayilova, formerly imprisoned in Azerbaijan

(AP Photo/Aziz Karimov)

What we knew: Ismayilova, a prominent investigative journalist, is known for her exposés of high-level government corruption and alleged ties between President Ilham Aliyev’s family and businesses. She was sentenced to seven and a half years in prison on a raft of trumped-up charges in December 2014 and served 538 days before her release.

New information: Amnesty International detected multiple traces of activity that it linked to Pegasus spyware, dating from 2019 to 2021, in a forensic analysis of Ismayilova’s phone after her number was identified on the list. Ismayilova subsequently reviewed other Azerbaijani phone numbers identified by the Pegasus Project and recognized some belonging to her niece, a friend, and her taxi driver, OCCRP reported.   

The government’s response: CPJ requested comment from Azerbaijan state security services via a portal on its website on July 28 but received no response; CPJ’s request regarding the alleged surveillance of Meydan TV journalist Sevinj Vagifgizi last week was also unacknowledged.

Paranjoy Guha Thakurta says SLAPPs are used to harass journalists. (Thakurta)

Economic and Political Weekly journalist Paranjoy Guha Thakurta, subject to legal harassment in India

(Photo: Paranjoy Guha Thakurta)

What we knew: Guha Thakurta, a journalist and author, has faced a protracted criminal and civil defamation suit dating from 2017, along with three colleagues at the academic journal Economic and Political Weekly – and was recently threatened with arrest when he refused to attend a hearing across the country during the pandemic. That suit — brought by the Adani Group conglomerate following an article that described how the company had influenced government policies — was one of several legal actions he has faced, actions he characterized to CPJ as an intimidation tactic and way to harass reporters.

New information: Amnesty International detected forensic indications connected to Pegasus spyware in an analysis of Guha Thakurta’s phone, dating from early 2018. In a personal account published by Mumbai daily The Free Press Journal, Guha Thakurta noted he had been writing about Prime Minister Narendra Modi and the governing Bharatiya Janata Party’s use of social media for political campaigning at the time, as well as investigating a wealthy Indian business family’s foreign assets – but he still didn’t know why his phone was apparently tapped.

The government’s response: Ashwini Vaishnaw, the minister for information technology, has called the latest revelations about Pegasus “an attempt to malign Indian democracy,” and said illegal surveillance was not possible in India, according to The Hindu national daily. CPJ emailed Vaishnaw’s office for comment, but received no response. A former Indian government official has told CPJ that Pegasus is “available and used” in India and a committee was formed to investigate alleged Indian spyware targets in 2020, but CPJ was unable to reach someone to confirm the status of that committee in January this year.


This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.

CPJ joins call for moratorium on surveillance technology targeting journalists
https://www.radiofree.org/2021/07/27/cpj-joins-call-for-moratorium-on-surveillance-technology-targeting-journalists/
Tue, 27 Jul 2021 21:00:34 +0000

The Committee to Protect Journalists this week joined more than 150 human rights groups and independent experts in calling on states to implement an immediate moratorium on the sale, transfer, and use of surveillance technology following revelations that NSO Group’s Pegasus spyware has been used to spy on journalists around the world.

The Pegasus Project, an investigation released July 18 by Forbidden Stories with the support of Amnesty International in collaboration with 16 media organizations around the world, identified at least 180 journalists in 20 countries as potential surveillance targets by clients of NSO Group. According to the letter, NSO says it sells only to government clients. NSO has repeatedly told CPJ in the past that it licenses Pegasus to fight crime and terrorism.

CPJ has documented how spyware is being sold to governments with poor press freedom records and is used to target journalists and those close to them. The Pegasus Project reporting expands the known number of countries that may target journalists with spyware.

As journalists rely on mobile devices to communicate with sources and publish news, spyware threatens their ability to do so privately and securely, and therefore threatens the public’s right to access information. CPJ has called on governments to bar the use of spyware against journalists and media outlets, and establish legal frameworks to regulate its sale, transfer, and use.

The joint statement can be found here.


This content originally appeared on Committee to Protect Journalists and was authored by Michael De Dora, CPJ Washington Advocacy Manager.

WhatsApp Head Will Cathcart: The spyware industry is undermining freedom
https://www.radiofree.org/2021/07/26/whatsapp-head-will-cathcart-the-spyware-industry-is-undermining-freedom/
Mon, 26 Jul 2021 16:33:41 +0000

Will Cathcart is the chief executive of WhatsApp, the downloadable messaging app used by millions around the world as a primary means of communication. WhatsApp offers end-to-end encryption, meaning messages shared via the platform are, under normal circumstances, highly secure—a feature that has made it attractive for journalists, human rights defenders, and other vulnerable users, particularly in repressive environments.

Cathcart has been outspoken about threats to security, including so-called backdoors, which governments argue would give law enforcement much-needed access to encrypted communications, but which would also be vulnerable to malicious hacking. Cathcart has also been highly critical of the NSO Group, the Israeli firm that has marketed Pegasus spyware to governments around the world. Pegasus can be surreptitiously implanted on smartphones, giving governments unfettered access to all communications on the phone—and bypassing the encryption that WhatsApp and other secure apps like Signal apply to messages in transit.

NSO group says Pegasus is a critical tool that governments use to combat crime and terror. But a recent report dubbed the Pegasus Project—published jointly by 17 media organizations and based on a leaked list of 50,000 phone numbers allegedly selected by NSO clients—revealed that possible targets included hundreds of journalists and human rights defenders, not to mention senior political leaders such as French President Emmanuel Macron.

NSO has told CPJ it has no connection to the list of phone numbers, that it vets all clients and investigates credible allegations of abuse, and that it cannot access customer data except in the course of an investigation. In a statement to the Guardian, the company denied that Macron had been targeted by any of its customers.

CPJ spoke with Cathcart via Zoom on July 23. The interview has been edited for clarity and length. NSO’s responses relating to some of his comments appear at the end.

Right after the Pegasus Project was published, you put out a tweet storm. You posted a thread with your own reaction and you retweeted some interesting folks, everyone from David Kaye to Edward Snowden. Tell me why you responded the way you did.

The issue of spyware, especially unaccountable spyware, is a huge problem. And it’s being used to undermine freedom. We detected and defeated an attack from NSO Group in 2019. And we worked with Citizen Lab who helped us analyze the 1,400 or so victims we saw then, and discovered over 100 cases of clear abuse, including journalists and human rights defenders. The new reporting shows the much, much larger scale of the problem. This should be a wake-up call for security on the internet.

You mentioned the 2019 attack, which resulted in WhatsApp filing a lawsuit [in U.S. federal court] against the NSO Group. Your Washington Post op-ed in which you lay out the rationale is pinned to the top of your Twitter feed. What made you decide to take on the NSO Group?

When we saw the attack and defeated it in 2019, we decided we needed to get to the bottom of what had happened. These were not, as has been claimed, clear law enforcement operations. This was out-of-control abuse.

We felt we needed to be very loud about what we saw, because we knew that even if we had fixed the issue, there still exist vulnerabilities in people’s mobile phones. The operating systems have bugs that are still being exploited. So even though we’d stopped the attack from our perspective, it’s still a problem. If you’re a journalist, if you’re a human rights defender, if you’re a political dissident, you still have to be worried. So yeah, absolutely, we sued the NSO Group. They broke the law. We want to hold them accountable. We think their behavior needs to be stopped.

There’s clearly a business interest here. One of the selling points of end-to-end encryption is the security that it provides. If there’s spyware out there that’s seeking to subvert that security, it’s a threat to the business model. But do you see this as a matter of principle as well? How do those two things relate to each other?

This is a threat to end democracy. What we offer is a service for having private, secure communication. The reason everyone at WhatsApp gets up every day excited about working on that and fighting to defend it, is we believe it enables really important things. We believe journalists being able to talk to each other, and [to] sources, [to] bring out critical stories on governments or companies is a fundamental element of a democracy. We believe, in democracy, you need to have opposition. We believe human rights defenders all around the world do really, really important work. WhatsApp is popular in a lot of countries around the world that don’t have as robust traditions of freedom and liberal democracy. We’re popular in a lot of places where the ability to communicate securely is critical to someone’s safety.

You’ve been very outspoken about your concerns. What would you like to see from the tech community at large?

I would love to see all the other tech companies stand up, talk about this problem, talk about the victims, talk about the principles at stake, and do everything they can to put a stop to it. I was really excited to see Microsoft, when they discovered some spyware from a different company a few weeks ago, they were loud about it. They worked with Citizen Lab to understand the victims. I think that needs to be the model. I don’t think it is okay, when you find these vulnerabilities and you find these attacks to say, “Well, it’s disappointing, but it only affected a few people.” An attack on journalists, an attack on human rights defenders, an attack on political figures in democracies, that affects us all.

You’ve recognized the communications needs of journalists and human rights defenders, particularly those working in high-risk environments. But some security experts believe that phones just aren’t secure anymore. Do you still feel confident that WhatsApp is a secure form of communication for vulnerable individuals, given this emerging security threat of spyware?

Well, the mobile phone is the computer for most people. It’s the only computer most people have ever experienced. We need to make it secure. We need mobile operating systems to invest a lot more in security to fix these vulnerabilities. That’s why we defend end-to-end encryption [and] privacy. This is a moment where governments should stop asking us to weaken end-to-end encryption. That is a horrible idea. We have seen the damage that comes from this spyware with the security we have today. We should be having conversations about increasing security.

Within WhatsApp, your messages are extremely secure when they’re being delivered from you to the person you’re talking to. What other forms of security can we add? I’m not sure it’s good for everyone to keep a copy of every conversation on their phone forever. Because what if your phone gets stolen? What if someone forces you to open the phone for them? So we added, late last year, the ability for you to have messages disappear after a week. If someone gets your phone, all you have is the last week’s worth of messages.

We haven’t added this yet, but we’re working on the ability for you to send a photo that the recipient can only see once. We’re working on the ability for you to change a setting in your WhatsApp account to say, “I want every thread that I create, or that someone creates with me, to disappear by default.” I think there’s a lot more we can do to help protect people – but it takes the whole industry saying, “We need to make the phone secure.”

You’ve called for import controls and other kinds of regulations to rein in a spyware industry that’s out of control. But if you look at the way technology develops, things get cheaper and easier over time. What makes you think that even if the current generation of spyware purveyors are somehow put out of business, they won’t be replaced by others who are even more ruthless? Or by state level technology from Russia, China, the U.S. for that matter? Can the spyware threat be defeated through regulation or import controls?

Well, I think all of it helps. If you think about people breaking into our homes, obviously that’s still a problem. But we have locks on the doors. We have burglar alarms. We also have accountability. If someone breaks into my home, hopefully I can go to the police, I can go to the government, they’ll hold them accountable. If governments were actually holding people accountable when [spyware attacks] happen – that makes a huge difference. There will always be bad people out there. There will always be hostile governments out there. You’ve got to have as much security as possible in defense.

You’ve emphasized WhatsApp’s commitment to privacy, to operating within the human rights framework. But WhatsApp is owned by Facebook. You worked at Facebook for many years. Facebook is involved in a huge public controversy, and was recently accused by President Biden of “killing people [in relation to COVID-19 vaccine disinformation].” Their business model is based on monetizing data. And there’s a huge amount of concern about misinformation circulating on the platform. Of course, people raise those concerns about WhatsApp as well. Does the relationship with Facebook complicate your messaging about privacy and human rights?

We added end-to-end encryption to WhatsApp as part of Facebook. We’ve been very consistent on that and very supportive across the whole company – about the importance of that, why that’s the right thing, why that protects people’s fundamental rights, including journalists. Obviously, there are a lot of issues. But they’re different products. Take misinformation, for example. The question of what you do about misinformation on a large public social network is very different from how you should approach it on a private communication service. We think on a private communications service, you should have the right to talk to someone else privately, securely without a government listening in, and without a company looking at it. That’s different than if you’re broadcasting something out to every single person on a public social network.

We’ve talked today about spyware. But are backdoors an even greater threat to secure online communication?

Absolutely. Security experts who’ve looked at this agree. If you look at the threat from spyware, they’re having to go to each phone individually and compromise it. If you talk about holding a backdoor into any encryption, you are creating a centralized vulnerability in the whole communications network. And the scenario you need to be worried about is: what if a spyware company, what if a hostile government, what if a hacker, accessed all of the communications? It’s why, honestly, the proposals from some governments to weaken end-to-end encryption are just terrifying. They aren’t grappling with the nightmare scenario of everyone’s communications in a country being compromised.

If this was a big wake up call, what are you planning to do next? What should the industry do next? What can people who are concerned about this do to fight back?

We’re continuing to add security and privacy to WhatsApp, continuing our lawsuit in our push against NSO Group. We’re hoping more of the industry joins, and that more of the industry is loud about the problem. But what’s most important is governments. Governments need to step in and say this was not okay. Who was behind it? Who were the victims? What’s the accountability? Governments need to step in and have a complete moratorium on the spyware industry. It’s got to stop.

[Editor’s note: CPJ emailed NSO with a request for comment on the WhatsApp lawsuit and the attack Cathcart attributed to NSO, but did not hear back before publication. The company denied the WhatsApp allegations when the lawsuit was announced, as CPJ noted at the time, and is challenging the suit in court, arguing it should be immune on grounds that its clients are foreign governments, according to the Guardian.]


This content originally appeared on Committee to Protect Journalists and was authored by Joel Simon.

Azerbaijani journalist Sevinj Vagifgizi was ‘astonished’ to learn of Pegasus spyware on phone
https://www.radiofree.org/2021/07/22/azerbaijani-journalist-sevinj-vagifgizi-was-astonished-to-learn-of-pegasus-spyware-on-phone/
Thu, 22 Jul 2021 17:42:39 +0000

Azerbaijani authorities have long had a firm grip on the media by imprisoning, harassing, and persecuting journalists both at home and abroad as well as blocking their websites. Now authorities are alleged to have used a new tool in their quest to muzzle independent reporting: spyware. Several Azerbaijani journalists have been named in the collaborative investigation Pegasus Project as possible targets of Pegasus spyware produced by the Israeli company NSO Group.

Sevinj Vagifgizi, a correspondent for the Berlin-based, Azerbaijan-focused independent media outlet Meydan TV, was targeted by Pegasus from 2019 to 2021, according to the international network Organized Crime and Corruption Reporting Project (OCCRP), which analyzed Vagifgizi’s phone. Meydan TV is a member of the OCCRP.

According to the OCCRP, the journalist was previously in Azerbaijani authorities’ crosshairs. She was banned from leaving the country from 2015 to 2019 after authorities told her Meydan TV was under investigation in a criminal case, and in 2019 she faced libel charges after she reported on people voting with government-issued prefilled ballots.

Vagifgizi spoke to CPJ via phone about her experience of being hacked from Berlin, where she is currently based as part of the Time Out and Research Scholarship program of Reporters Without Borders Germany.

CPJ sent an email request to NSO Group for comment for this piece but did not receive a reply. In a rebuttal published online, the company said the Pegasus Project’s allegations were false. The company has told CPJ that it will “investigate credible claims of misuse” and that it vets its clients. CPJ also requested comment from Azerbaijan’s state security service via its website, but it was not returned.

Her answers were edited for length and clarity.     

How did you find out you were surveilled?

In June, my colleagues from the Organized Crime and Corruption Reporting Project contacted me and said that we should meet. They came to Berlin. During the meeting, they said: “We have bad news for you, we should take your phone because we have information that the government bugged your phone.” After they checked my phone, they told me that my phone had been targeted with the Pegasus program since 2019. They said with this program, [the Azerbaijani authorities] could listen and record all audio and video, including private videos and photos, get all the information about my contacts, and have access to all my text and voice messages. I was also told that they knew my location at any point in time.

How did you feel at that moment? What were your main concerns?

I was astonished, I felt awful. I was always aware that the [Azerbaijani] security service listens to our phone calls, but I never imagined that they could access anything through the internet and can record voices and take videos, and listen to and read everything I write or say.

I was concerned about my sources who didn’t want the authorities to know that they were in touch with me. I was also concerned about my colleagues who didn’t want the authorities to know about them because if the authorities find out who they are, it may cause problems for them.

You are currently in Berlin but are set to return to Baku in late August. Are you concerned about going back to Azerbaijan? 

My main concern is that the authorities will bar me from traveling abroad again. I was under a travel ban for four years, from 2015 through 2019. I went through all appeal stages [in Azerbaijan] and then went to the European Court of Human Rights. The European Court ruled that the travel ban was unlawful, and the [Azerbaijani] government paid me a compensation and lifted the travel ban in 2019. I was able to come to Berlin this spring because I am not barred from leaving Azerbaijan anymore. I am concerned that the ban may return. I am also worried that now the authorities know who provided information to Meydan TV [because of the surveillance] and may bar them from leaving Azerbaijan too.

Do you know what triggered the surveillance? Was it a specific investigation or your work in general?

I’ve worked as a journalist since 2010. Before joining Meydan TV, I also worked with independent newspaper Azadliq. I have reported on social issues and human rights violations. I often covered political prisoners’ plights. I also did an investigation for OCCRP on [alleged] official corruption in Azerbaijan. But the time they bugged my phone coincided with the lifting of my travel ban.

Do you know which government agency may have procured the Pegasus spyware to hack your phone?

I don’t have any exact information on that but my colleagues and I assume it’s the state security service of Azerbaijan.

How would authorities have gotten ahold of your number?

It’s easy to find my number because as a journalist I contact a lot of people. Many people want to talk to me, tell me about their problems, so I can prepare reports on those issues as a journalist. Therefore they have or can easily find my number. Other journalists, including those who work for state media outlets, also have my contacts. So, it wasn’t hard.

What is next for you? What do you want to do about the surveillance?

We are going to take the case to an [Azerbaijani] court. We want to find out what explanation the Azerbaijani government can offer for targeting us. We are determined to go to the European Court [of Human Rights] too.

As a journalist, I am determined to continue my work because people need us, because people don’t have [many] sources to get truthful information about the real situation in the country. My colleagues and I will keep working. I know that the government will continue surveilling us, but they won’t stop us. 


This content originally appeared on Committee to Protect Journalists and was authored by Gulnoza Said/CPJ Europe and Central Asia Program Coordinator.

Investigative reporter Bradley Hope: Pegasus spyware revelations a ‘wake-up call for journalists’
https://www.radiofree.org/2021/07/22/investigative-reporter-bradley-hope-pegasus-spyware-revelations-a-wake-up-call-for-journalists/
Thu, 22 Jul 2021 14:39:57 +0000

Bradley Hope was in Abu Dhabi in 2009, the year the BlackBerry devices overheated. “If you put it next to your face it would almost burn,” he told CPJ in a phone interview. The BBC that year reported that a UAE telecom company had prompted local BlackBerry owners to install a rogue surveillance update disguised as a performance enhancement, accidentally sending phones into overdrive.

“I’ve had many experiences of these – sometimes clumsy – surveillance attempts,” Hope said.   

More recently, Hope may have been singled out for more sophisticated surveillance. A veteran newspaper reporter specializing in complex international stories, Hope was identified by investigative collaboration the Pegasus Project as one of nearly 200 journalists potentially targeted by clients of the Israel-based technology company NSO Group, which manufactures Pegasus spyware to help governments and law enforcement secretly infiltrate cellphones.

The Guardian, which contributed to the Pegasus Project, reported that a client believed to be the UAE began selecting Hope’s phone number for possible surveillance while he was working for The Wall Street Journal in London in early 2018.

Hope has since left the Journal to launch his own investigative project with his reporting collaborator Tom Wright. It’s dubbed Project Brazen, he said, after the codename the pair used while uncovering a corruption scandal implicating former Malaysian Prime Minister Najib Razak in the embezzlement of funds from the 1Malaysia Development Berhad (1MDB) company. That investigation became the focus of their September 2018 book, “Billion Dollar Whale,” a story that led them to conspirators in the UAE.  

Hope spoke to CPJ about the press freedom implications of the Pegasus Project’s list – which also includes some of slain Saudi journalist Jamal Khashoggi’s close associates. Khashoggi’s violent 2018 death features in Hope’s second book, “Blood and Oil,” on Saudi Crown Prince Mohammed bin Salman, whom the CIA has concluded ordered the journalist’s murder.

This interview has been edited for length and clarity. CPJ asked NSO Group to comment on Hope’s remarks; in an emailed statement, a spokesperson said “any claim that a name on the list was necessarily related to a Pegasus target or Pegasus potential target is erroneous and false. NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.” The company has told CPJ that it investigates credible claims of misuse made against its vetted clients.

CPJ emailed requests for comment to the Saudi Center for International Communications under the media ministry; the UAE’s ministry of foreign affairs and international cooperation; and the Chinese ministry of foreign affairs but received no responses before publication.

How did you learn you were on the list that is the focus of the Pegasus Project?  

The Guardian contacted me and let me know that I was a target. We did some forensic analysis of my current phone which was considered clean. I was changing my phone frequently when I was a reporter at The Wall Street Journal – I was not particularly worried about the UAE, but more concerned about other characters in the 1MDB case who have a lot of money and a lot of reasons to try and sabotage our reporting. I used best practices to avoid this kind of risk, so if it’s true that they infiltrated a phone of mine, it would have been for a short period.

I was disappointed on one level. I try and have a relationship with all parties that I’m covering, even people that hate my coverage. I always try and [let] them put their point of view. I don’t rush them at the last minute, I give them more time than you would think to respond to anything. I would hope that the UAE would continue to engage me at that level rather than resorting to black ops techniques.

In a way I was surprised that it was NSO software that was allegedly used. They had been briefing many journalists – some that I know – saying that this software couldn’t be used on U.S. or U.K. numbers. I’ve seen in the press recently that they referred only to U.S. numbers, but I’ve heard that they disable its use against U.K. numbers [like the one Hope was using at the time]. I’ve never been a fan of this kind of software but [that idea] was some tiny bit of reassurance.

I wasn’t worried about NSO, I was worried about [actors] that are not well known that have similar software or employ hackers. When it turned out to be the most well-known company – that was surprising.      

Jamal Khashoggi, whose associate Omar Abdulaziz was targeted with Pegasus spyware, features prominently in “Blood and Oil.” Were you surprised to learn that more of his connections, including his fiancée Hatice Cengiz, were also listed?

From the perspective of people like myself, in America or Europe, he was a Saudi commentator writing opinion pieces. From the perspective of Saudi Arabia, he was a traitor for a variety of reasons. So knowing that, I’m not surprised that they would be trying to find [proof] that he was working for other countries.

The classic technique to find out about someone is to go through family members. In this case they might have been targeted after he was killed. It would be partially because they’re trying to understand what countries are working with those family members to elevate that story or whether his family members were being paid or anything like that – evidence for what they believe to be true. 

What were you working on yourself?

I was doing some reporting that would have been viewed in Abu Dhabi by some parties as problematic. We wrote a series of stories [for the Journal] about the UAE’s main conspirator in the 1MDB scandal. That would likely be very annoying for different parties in the UAE.

The fact-checking part of [“Billion Dollar Whale”] was the culmination of all that, where we really laid out all the damaging things we had found. That would have been reason for somebody in the UAE potentially to put my phone number on a list because they’d be wanting to know, “Who are the sources for this journalist?” They’d be wondering what other country was supplying this information – even though it was never the case, many people in the government would think that way.  

After the prime minister of Malaysia was voted out of office, all these documents were released [including] talking points between China and the Malaysian government. Chinese officials offered to penetrate [“Billion Dollar Whale” co-author] Tom [Wright]’s devices and do physical surveillance of him in Hong Kong, where he lived at the time. Another time when Tom was reporting in Malaysia, a source close to the bad guy called us and said they were thinking about arresting him and he had to escape through Singapore very rapidly.

I never once really worried about physical threats in my career particularly because I was an American journalist at a major international newspaper. But cybersecurity [threats] I was always afraid of, and things like [the Pegasus Project], they kind of highlight it.   

[Editor’s note: In January 2019, Hope and Wright reported in the Journal that a Chinese domestic security official had established “full scale residence/office/device tapping, computer/phone/web data retrieval, and full operational surveillance,” in order to “establish all links that WSJ HK has with Malaysia-related individuals.” Neither that official nor the Chinese government information office responded to their requests for comment at the time.]

Where were you at the time you could have been targeted, and how does that factor into the risk of surveillance?

I would have been mostly located in the U.K. [with a U.K. number] at that time. I didn’t travel to the Middle East. If I was in the country, it would be a lot easier to insert something [on the device].

In many countries in the world – Gulf countries, countries in Asia like China – there is no safe way to travel there with any of your technology. If you’re doing reporting in those places you have to leave everything behind and not log into anything while you’re there. I would bring a new phone. [When you leave] you have to assume that everything you’ve taken with you is no longer usable. You have to have a temporary set of equipment. 

If you’re reporting on anything that relates to the leadership of those countries, I would argue it’s too dangerous to do any reporting on the ground [if] you’re not comfortable leaving a trail. It would be very hard to ask people in those countries [questions] about the leadership. It’s a funny situation. If you’re the Saudi bureau chief you’re actually restricted in what you could find out. The best place to report on the UAE, Saudi Arabia for example, would be London.  

[Those] Middle Eastern countries [that] are not developing tools themselves are having to go and buy them which increases the risk to them of being exposed. In China we hear all the time about Chinese hacking initiatives, mostly through U.S. federal lawsuits that name and shame them, explaining what they did and who they hacked within America. We don’t hear about them buying the software because they develop it all within China.

The Gulf states are essentially buying those things – everything from intelligence work to cyber intrusion, and that’s much easier to get exposed, whereas China is much better at keeping a tight lid on what’s going on in China.

What does this mean for journalists?

The arms race for intrusion is so profound, there’s no real stopping it. There’s always going to be someone out there with this kind of equipment. It’s a wake-up call for journalists. We love our phones, all this high-tech stuff, using Signal – but there’s no way to protect yourself enough.

The toolbox for journalists has to change. I hope that Apple and others take up the challenge to make phones more secure, but ultimately if you’re dealing with any story where someone’s life is at risk, you have to go lo-fi and take really annoying, time-consuming steps to protect people – meeting people and leaving your phone behind. Giving your source an old-fashioned pay-as-you-go phone that you only use to plan the meeting. Tools like Signal have been such a boon for journalists, but if your phone itself is vulnerable it doesn’t help.  


This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.
