Initial protests demanding accountability for the tragedy have turned into a widespread movement against corruption and President Aleksandar Vučić’s increasingly authoritarian rule, and as a result, journalists have faced a surge in physical attacks, threats, online harassment, smear campaigns, and even spyware — often driven by Vučić’s supporters, government officials, and pro-government media.

Since the beginning of November, the Independent Journalists Association of Serbia (IJAS) has recorded 23 physical assaults. There have been 18 assaults so far this year, already surpassing the 17 in all of 2024. The IJAS has tallied a total of 128 of various types of attacks and threats so far this year, suggesting the overall number may soon exceed last year’s 166 cases.

“In the political crisis Serbia is going through since November, we are witnessing a sort of open warfare against independent media,” Jelena L. Petković, a freelance journalist specializing in covering media safety in the Western Balkans, told CPJ. “2025 might turn out to be the worst year on record for journalist safety in the country.”

Petković said U.S. President Donald Trump’s reelection, the rise of populist leaders like Viktor Orbán in neighboring EU states, and the crisis the USAID funding freeze has caused for Serbia’s independent media have emboldened Vučić to intensify his pressure on the press — frequently accusing journalists and civil society groups of being foreign agents and traitors. She noted that none of the attacks on journalists since last November have led to prosecutions, underscoring a broader pattern of impunity.

“This surge of attacks on independent journalists who hold the power to account in Serbia reflects a broader attempt to silence critical reporting amid a deepening political crisis,” said Attila Mong, CPJ’s Europe representative. “Serbian authorities must end the impunity for these attacks, take urgent steps to protect journalists, and put a stop to the hostile climate that emboldens those who seek to intimidate journalists.”

CPJ emailed questions to the press office of the presidency and to the Serbian Ministry of the Interior, which oversees the police, but did not receive any replies.

Below is a breakdown of the most serious attacks since November 1, 2024, based on CPJ’s review of cases documented by local press freedom groups:

Physical attacks

CPJ’s review of 15 physical attacks, affecting at least 23 journalists, found that the incidents mostly occurred during protests and ranged from attempts to snatch journalists’ phones to assaults that caused injuries. Some attackers were politicians or public officials, and several journalists reported that police failed to protect them.

• On May 17, 2025, an unidentified individual attempted to knock the phone of Južne Vesti journalist Tamara Radovanović from her hand while she was documenting a rally by the ruling Serbian Progressive Party (SNS) in the southern city of Niš. Instead of protecting her, police removed her from the scene to “reduce tension,” without taking action against her attacker, according to the journalist.

• On May 16, while filming an SNS event attended by party officials in the eastern village of Makovište, N1 TV camera operator Marjan Vučetić was attacked from behind by unknown individuals, who struck his back and neck, causing light injuries. Others insulted him, calling him a “traitor” and “foreign mercenary.”

• On April 12,  during an SNS rally in the capital Belgrade, pro-government supporters attacked a five-member KTV crew. Milorad Malešev, a technician, had three teeth knocked out, while others sustained scrapes and bruises. Police intervened only after camera operator Siniša Nikšić was assaulted, at which point they surrounded the journalists and told them to stop reporting, saying they couldn’t guarantee their safety.

• On March 23, Saša Dragojlo, a journalist for the Balkan Investigative Reporting Network (BIRN), was beaten while covering a protest by a man later identified by Serbian media as a former boxer and SNS activist in Belgrade. Despite Dragojlo identifying himself as press and requesting help, police intervened only to prevent further escalation, but failed to take action against the attacker. 

• On November 27, 2024, during a pro-government demonstration in Belgrade, supporters insulted an N1 news crew and attacked journalist Jelena Mirković, hitting her shoulder and knocking the microphone from her hand. Reporter Aleksandar Cvrkutić’s camera was also struck as he filmed the scene.

• On November 22, Nova TV reporter Ana Marković was lightly injured when demonstrators struck her phone from her hand while she was reporting in Belgrade.

• On November 6, while live streaming a municipal assembly session in the northerntown of Kovin, journalist Miloš Ljiljanić of Kovinske Info was physically attacked by an SNS councilor, who shoved him, tried to grab his phone, and twisted his arm.

• On November 5, in the northern city of Novi Sad, a group of masked individuals insulted an N1 TV crew and struck cameraperson Nikola Popović’s hand, causing him to drop and damage his camera. They also assaulted Euronews camera operator Mirko Todorović, knocking him to the ground. Police at the scene did not intervene.

Police violence, obstruction, detention

• On May 17, 2025, police in Niš detained Nikola Doderović, a correspondent for Australian radio broadcaster SBS, as well as a journalism student accompanying him, for over an hour during a pro-government rally. After demanding their IDs, officers questioned them about their presence and activities, which Doderović said was unnecessary and arbitrary. Local press freedom groups called the detention a “clear form of intimidation.”

• On May 16, police in Novi Sad briefly detained freelance photojournalist Gavrilo Andrić for “identification,” even though his helmet was marked as “press.” Earlier, officers had beaten him along with some protesters while he was documenting a blockade of the court and prosecutor’s office.

• On April 28, police pepper-sprayed and beat journalist Žarko Bogosavljević of Razglas News while he was covering a protest, despite his wearing a press vest.

• On April 10, prosecutors in Belgrade detained Dejan Ilić, a columnist for news site Peščanik, for a day on criminal charges of “causing panic and disorder.” The charges stem from comments he made during a March 29 Nova TV talk show, where he discussed political alternatives for Serbia, including a transitional government.

• On March 14, several journalist crews traveling from neighboring Croatia and Slovenia to cover anti-corruption protests in Belgrade were briefly detained at the border and denied entry, before being sent back.

• On February 25, police raided the premises of the Center for Research, Transparency and Accountability, an NGO operating the fact-checking platform Istinomer, for 28 hours as part of a corruption probe tied to USAID funding — allegations that local press freedom groups have denounced as politically motivated.

• On January 17, police forcibly removed five journalists — with N1 TV, Nova TV, Radio 021, and the daily newspaper Danas — from Novi Sad City Hall, preventing them from covering an opposition-led protest.

Surveillance, spyware

• On March 27, BIRN reported that two of its journalists had been targeted with Pegasus spyware in February. The attempted “one-click” attack failed, as the journalists did not open the malicious link.

Other threats, smears

• In April 2025, a 60-minute video, produced by a pro-government NGO, aired on six national channels and circulated on social media, portraying journalists from N1 TV, Nova TV, and other outlets of publishing house United Group as foreign agents, extremists, and enemies of the state allegedly operating illegally in Serbia.

• In February and March 2025, National Assembly President Ana Brnabić accused N1, Nova S, and Danas of spreading hatred and lies. Facing critical questions, Vučić asked a reporter from investigative outlet KRiK how much money he had received from USAID and the National Endowment for Democracy. The president also blamed N1 TV and its Brussels correspondent Nikola Radišić of contributing to a “color revolution,” a reference to pro-democracy movements that have emerged in various Eastern European countries, which Vučić has portrayed as a Western attempt to undermine Serbia’s sovereignty. Radišić was excluded from a press conference in Brussels as well.

• Since November 2024, journalists working for independent media outlets N1 TV, Nova TV, and online platform Magločistač, as well as press freedom advocates, have received threats of physical violence and death.

This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong/CPJ Europe Representative.

I did not know Israel was capturing or recording my face. [But Israel has] been watching us for years from the sky with their drones. They have been watching us gardening and going to schools and kissing our wives. I feel like I have been watched for so long.
— Mosab Abu Toha, Palestinian poet

If you want a glimpse of the next stage of America’s transformation into a police state, look no further than how Israel—a long-time recipient of hundreds of billions of dollars in foreign aid from the U.S.—uses its high-tech military tactics, surveillance and weaponry to advance its authoritarian agenda.

Military checkpoints. Wall-to-wall mass surveillance. Predictive policing. Aerial surveillance that tracks your movements wherever you go and whatever you do. AI-powered facial recognition and biometric programs carried out with the knowledge or consent of those targeted by it. Cyber-intelligence. Detention centers. Brutal interrogation tactics. Weaponized drones. Combat robots.

We’ve already seen many of these military tactics and technologies deployed on American soil and used against the populace, especially along the border regions, a testament to the heavy influence Israel’s military-industrial complex has had on U.S. policing.

Indeed, Israel has become one of the largest developers and exporters of military weapons and technologies of oppression worldwide.

Journalist Antony Loewenstein has warned that Pegasus, one of Israel’s most invasive pieces of spyware, which allows any government or military intelligence or police department to spy on someone’s phone and get all the information from that phone, has become a favorite tool of oppressive regimes around the world. The FBI and NYPD have also been recipients of the surveillance technology which promises to turn any “target’s smartphone into an intelligence gold mine.”

Yet it’s not just military weapons that Israel is exporting. They’re also helping to transform local police agencies into extensions of the military.

According to The Intercept, thousands of American law enforcement officers frequently travel for training to Israel, “one of the few countries where policing and militarism are even more deeply intertwined than they are here,” as part of an ongoing exchange program that largely flies under the radar of public scrutiny.

A 2018 investigative report concluded that imported military techniques by way of these exchange programs that allow police to study in Israel have changed American policing for the worse. “Upon their return, U.S. law enforcement delegates implement practices learned from Israel’s use of invasive surveillance, blatant racial profiling, and repressive force against dissent,” the report states. “Rather than promoting security for all, these programs facilitate an exchange of methods in state violence and control that endanger us all.”

“At the very least,” notes journalist Matthew Petti, “visits to Israel have helped American police justify more snooping on citizens and stricter secrecy. Critics also assert that Israeli training encourages excessive force.”

Petti documents how the NYPD set up a permanent liaison office in Israel in the wake of 9/11, eventually implementing “one of the first post-9/11 counterterrorism programs that explicitly followed the Israeli model. In 2002, the NYPD tasked a secret ‘Demographics Unit’ with spying on Muslim-American communities. Dedicated ‘mosque crawlers’ infiltrated local Muslim congregations and attempted to bait worshippers with talk of violent revolution.”

That was merely the start of American police forces being trained in martial law by foreign nations under the guise of national security theater. It has all been downhill from there.

As Alex Vitale, a sociology professor who has studied the rise of global policing, explains, “The focus of this training is on riot suppression, counterinsurgency, and counterterrorism—all of which are essentially irrelevant or should be irrelevant to the vast majority of police departments. They shouldn’t be suppressing protest, they shouldn’t be engaging in counterinsurgency, and almost none of them face any real threat from terrorism.”

This ongoing transformation of the American homeland into a techno-battlefield tracks unnervingly with the dystopian cinematic visions of Steven Spielberg’s Minority Report and Neill Blomkamp’s Elysium, both of which are set 30 years from now, in the year 2054.

In Minority Report, police agencies harvest intelligence from widespread surveillance, behavior prediction technologies, data mining, precognitive technology, and neighborhood and family snitch programs in order to capture would-be criminals before they can do any damage.

While Blomkamp’s Elysium acts as a vehicle to raise concerns about immigration, access to healthcare, worker’s rights, and socioeconomic stratification, what was most striking was its eerie depiction of how the government will employ technologies such as drones, tasers and biometric scanners to track, target and control the populace, especially dissidents.

With Israel in the driver’s seat and Minority Report and Elysium on the horizon, it’s not so far-fetched to imagine how the American police state will use these emerging technologies to lock down the populace, root out dissidents, and ostensibly establish an “open-air prison” with disconcerting similarities to Israel’s technological occupation of present-day Palestine.

For those who insist that such things are celluloid fantasies with no connection to the present, we offer the following as a warning of the totalitarian future at our doorsteps.

Facial Recognition

Fiction: One of the most jarring scenes in Elysium occurs towards the beginning of the film, when the protagonist Max Da Costa waits to board a bus on his way to work. While standing in line, Max is approached by two large robotic police officers, who quickly scan Max’s biometrics, cross-check his data against government files, and identify him as a former convict in need of close inspection. They demand to search his bag, a request which Max resists, insisting that there is nothing for them to see. The robotic cops respond by manhandling Max, throwing him to the ground, and breaking his arm with a police baton. After determining that Max poses no threat, they leave him on the ground and continue their patrol. Likewise, in Minority Report, police use holographic data screens, city-wide surveillance cameras, dimensional maps and database feeds to monitor the movements of its citizens and preemptively target suspects for interrogation and containment.

Fact: We now find ourselves in the unenviable position of being monitored, managed, corralled and controlled by technologies that answer to government and corporate rulers. This is exactly how Palestinian poet and New Yorker contributor Mosab Abu Toha found himself, within minutes of passing through an Israeli military checkpoint in Gaza with his wife and children in tow, asked to step out line, only to be blindfolded, handcuffed, interrogated, then imprisoned in an Israeli detention center for two days, beaten and further interrogated. Toha was finally released in what Israeli soldiers chalked up to a “mistake,” yet there was no mistaking the AI-powered facial recognition technology that was used to pull him out of line, identify him, and label him (erroneously) as a person of interest.

Drones

Fiction: In another Elysium scene, Max is hunted by four drones while attempting to elude the authorities. The drones, equipped with x-ray cameras, biometric readers, scanners and weapons, are able to scan whole neighborhoods, identify individuals from a distance—even through buildings, report their findings back to police handlers, pursue a suspect, and target them with tasers and an array of lethal weapons.

Fact: Drones, some deceptively small and yet powerful enough to capture the facial expressions of people hundreds of feet below them, have ushered in a new age of surveillance. Not even those indoors, in the privacy of their homes, will be safe from these aerial spies, which can be equipped with technology capable of peering through walls. In addition to their surveillance capabilities, drones can also be equipped with automatic weapons, grenade launchers, tear gas, and tasers.

Biometric scanners and national IDs

Fiction: Throughout Elysium, citizens are identified, sorted and dealt with by way of various scanning devices that read their biometrics—irises, DNA, etc.—as well as their national ID numbers, imprinted by a laser into their skin. In this way, citizens are tracked, counted, and classified. Likewise, in Minority Report, tiny sensory-guided spider robots converge on a suspected would-be criminal, scan his biometric data and feed it into a central government database. The end result is that there is nowhere to run and nowhere to hide to escape the government’s all-seeing eyes.

Fact: Given the vast troves of data that various world governments, including Israel and the U.S., is collecting on its citizens and non-citizens alike, we are not far from a future where there is nowhere to run and nowhere to hide. In fact, between the facial recognition technology being handed out to law enforcement, license plate readers being installed on police cruisers, local police creating DNA databases by extracting DNA from non-criminals, including the victims of crimes, and police collecting more and more biometric data such as iris scans, we are approaching the end of anonymity. It won’t be long before police officers will be able to pull up a full biography on any given person instantaneously, including their family and medical history, bank accounts, and personal peccadilloes. It’s already moving in that direction in more authoritarian regimes.

Predictive Policing

Fiction: In Minority Report, John Anderton, Chief of the Department of Pre-Crime, finds himself identified as the next would-be criminal and targeted for preemptive measures by the very technology that he relies on for his predictive policing. Consequently, Anderton finds himself not only attempting to prove his innocence but forced to take drastic measures in order to avoid capture in a surveillance state that uses biometric data and sophisticated computer networks to track its citizens.

Fact: Precrime, which aims to prevent crimes before they happen, has justified the use of widespread surveillance, behavior prediction technologies, data mining, precognitive technology, and snitch programs. As political science professor Anwar Mhajne documents, Israel has used all of these tools in its military engagements with Palestine: deploying AI surveillance and predictive policing systems in Palestinian territories; utilizing facial recognition technology to monitor and regulate the movement of Palestinians; subjecting Palestinians to facial recognition scans at checkpoints, with a color-coded mechanism to dictate who should be allowed to proceed, subjected to further questioning, or detained.

Making the Leap from Fiction to Reality

When Aldous Huxley wrote Brave New World in 1931, he was convinced that there was “still plenty of time” before his dystopian vision became a nightmare reality. It wasn’t long, however, before he realized that his prophecies were coming true far sooner than he had imagined.

Israel’s military influence on the United States, its advances in technological weaponry, and its rigid demand for compliance are pushing us towards a world in chains.

Through its oppressive use of surveillance technology, Israel has erected the world’s first open-air prison, and in the process, has made itself a model for the United States.

What we cannot afford to overlook, however, is the extent to which the American Police State is taking its cues from Israel.

As I make clear in my book Battlefield America: The War on the American People and in its fictional counterpart The Erik Blair Diaries, we may not be an occupied territory, but that does not make the electronic concentration camp being erected around us any less of a prison.

This content originally appeared on Dissident Voice and was authored by John W. Whitehead and Nisha Whitehead.

The report, “Exiled, then spied on: Civil society in Latvia, Lithuania, and Poland targeted with Pegasus spyware,” identified at least seven people whose devices were targeted between 2020 and 2023 by Pegasus, a form of zero-click spyware produced by the Israeli company NSO Group.

“Today’s report raises major concerns about the use of spyware against journalists and shows once again that the press is among the main targets of Pegasus spyware,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Journalists should not be spied on, and these new attacks mean that governments urgently need to implement an immediate moratorium on the development, sale, and use of spyware technologies.”

The targets included four named journalists and one Lithuania-based exiled Russian journalist whose device was targeted in June 2023 around an event in Riga, Latvia, and who requested to remain anonymous. The report describes the following attacks on the four named journalists:

• Latvia-based exiled Russian journalist Maria Epifanova’s device was infected in August 2020, “the earliest known use of Pegasus to target Russian civil society,” the report said. Epifanova is the CEO of independent news outlet Novaya Gazeta Europe, which Russian authorities outlawed as “undesirable” in June 2023. The report said the infection occurred when Epifanova was chief editor of Novaya Gazeta Baltija — which covers Latvia, Lithuania, and Estonia — and “shortly after she received accreditation to attend exiled Belarusian democratic opposition leader Sviatlana Tsikhanouskaya’s first press conference in Vilnius,” the capital of Lithuania.  

“Regardless of who is behind this attack, invasion in private life is unacceptable. I am now working with a lawyer to decide on the next steps and will do my best to bring more light onto my own case and cases of my colleagues,” Epifanova told CPJ.

• Latvia-based exiled Israeli-Russian journalist Evgeniy Erlich’s device was infected in late November 2022 while on vacation in Austria, the report said. Erlich, an independent producer, has worked with various media outlets, including broadcaster Current Time TV and Votvot, an on-demand Russian-language streaming platform. Both outlets are affiliated with the U.S. Congress-funded broadcaster Radio Free Europe/Radio Liberty (RFE/RL).

Erlich told CPJ that “we will most likely never know” who ordered the attacks.

• Latvian journalist Evgeniy Pavlov’s device was targeted in November 2022 and April 2023. Pavlov, a former correspondent with Novaya Gazeta Baltija and a freelance journalist for Current Time TV’s “Baltija” program, told CPJ that he was in Latvia at both times. Access Now was unable to confirm if the attempts were successful.

“If the intelligence services of any country can interfere with the activities of journalists in this way, it poses a very great threat to free and safe journalism. And to free speech in general,” Pavlov told CPJ.

• Poland-based exiled Belarusian journalist Natalya Radina’s device was infected twice in December 2022 and once in January 2023, the report said. The first infection occurred the day after the journalist participated in an anti-war conference in Vilnius. Radina is the editor-in-chief of independent news website Charter 97 and a CPJ 2011 International Press Freedom Awardee.

“My phone was illegally tapped in Belarus, where I was persecuted for political reasons, prosecuted, and imprisoned by the KGB [Belarusian national security service],” Radina told CPJ. “I know that…my absolutely legal journalistic activity can be of interest only to Belarusian and Russian special services, and I am only afraid of the possible cooperation in this matter of the present operators, whoever they are, with the KGB or the FSB [Russian Federal Security Service].”

In an email response to CPJ, the vice president of global communications for NSO group, Gil Lainer, maintained that the organization complies with all laws and regulations, emphasizing that it only sells to vetted intelligence and law enforcement agencies, and to allies of Israel and the United States. Lainer added that NSO group investigates all credible claims of misuse, adding that a number of investigations resulted in the suspension or termination of accounts.

A 2022 CPJ special report noted that the development of high-tech “zero-click” spyware like Pegasus — the kind that takes over a phone without a user’s knowledge or interaction — poses an existential crisis for journalism and the future of press freedom around the world. The report included CPJ’s recommendations to protect journalists and their sources from the abuse of the technology and called for an immediate moratorium on exporting this technology to countries with poor human rights records.

CPJ has also joined other rights groups in calling for immediate action to stop spyware threatening press freedom.

In September 2023, an investigation released by Access Now and Citizen Lab revealed that the phone of Galina Timchenko, the head of independent Russian-language news website Meduza, who has lived in Latvia since 2014, was infected by Pegasus while she was in Germany in February 2023.

The next day, Epifanova, Pavlov, and Erlich said Apple had notified them that their phone could have been targeted by hacker attacks.

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

Access Now’s report does not name the other 12 journalists and media workers, and CPJ was unable to immediately identify them. Previously, in 2022, CPJ called for an investigation into the use of Pegasus spyware on two Jordanian journalists, including Suhair Jaradat.

“The new revelations that journalists and media workers in Jordan have been targeted with Pegasus spyware underscores the need for an immediate moratorium on the use and sale of this technology, and a ban on vendors facilitating abuses,” said Sherif Mansour, CPJ’s Middle East and North Africa program coordinator, in Washington, D.C. “Journalists are not legitimate surveillance targets, and those responsible for these attacks should be held accountable.”

According to the report, phones belonging to Sabbagh and Dihmis, who cover the Middle East and North Africa as a senior editor and an investigative reporter, respectively, at the Organized Crime and Corruption Reporting Project (OCCRP), were targeted with Pegasus spyware.

“What bothered me most was the impact of the surveillance on my sources, and friends, and relatives,” said Sabbagh, who is also the co-founder of Arab Reporters for Investigative Journalism. “Because of the nature of OCCRP’s work, it is a principal target for surveillance agencies. They wish to keep crime and criminality hidden. We work to expose it. And with this type of work comes a very high price.”

Dihimis called the revelation “quite the violation,” adding that “as a journalist, it was a reminder of the importance of being cautious in terms of secure communication — to protect yourself but also your sources and colleagues. As a person, it spurred a lot of paranoia,” she added.

Kuttab, a Palestinian-American journalist based in Jordan and a 1996 recipient of CPJ’s International Press Freedom Award, was targeted by Pegasus spyware multiple times, according to the report.

On March 8, 2022, two weeks after the first incident, Kuttab was arrested when he arrived at Queen Alia International Airport outside of Jordan’s capital, Amman. He was detained under the Cybercrime Law for an article written in 2019 and was released a few hours later on bail, the report said.

The report detailed seven other attempts to infect Kuttabʼs mobile device with Pegasus, including a 2023 attempt in which the attacker impersonated a journalist from media outlet The Cradle asking questions about Jordanʼs cybercrime law while sending malicious links.

“I will not be intimidated, and I will not censor myself,” Kuttab told CPJ. “It is highly irritating to be spied on, but that also comes with the job nowadays. Whatever I know, I publish, but my only concern is my sources and their protection.”

Gharaibeh, director of Jordan’s Radio Husna, and the host of its morning talking show, was targeted successfully multiple times and there were also several failed attempts to infiltrate his phone, the report said.

When asked by CPJ about the apparent reason behind the recurrent attacks, Gharaibeh said that “it could be anything from monitoring the journalists and their sources to exploiting the journalists and silencing them.”

According to Access Now, the victims in the report were targeted using Pegasus with both zero-click attacks, in which spyware takes over a phone without the user’s knowledge, and attacks in which a user has to click a link. 

CPJ has documented the use of Pegasus to target journalists around the world in order to monitor their phones’ cameras, microphones, emails, texts, and calls. Journalists have been targeted with the software in Jordan, Morocco, the United Arab Emirates, and Saudi Arabia, among other countries.

CPJ emailed NSO Group for comment, but received no response. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On Tuesday, press freedom group Reporters Without Borders published findings that phones belonging to Lawson and Sossou had been infected with Pegasus. Those findings were independently confirmed by Amnesty International, the report said.

Pegasus spyware, produced by the Israeli company NSO Group, can take over a phone without a user’s knowledge or interaction. CPJ has documented how this zero-click spyware poses an existential crisis for journalism and press freedom around the world.

Lawson is the publisher of the newspaper Flambeau des Démocrates, and Sossou is a freelancer who has reported for various outlets, including as a correspondent for the Belgian investigative website L-Post and a commentator for the Togolese satellite broadcaster New World TV. He also publishes commentary on Facebook. Both journalists currently face criminal prosecution for their work and told CPJ they were surprised to learn they had been targeted.

“The targeting of journalists Loïc Lawson and Anani Sossou with Pegasus spyware makes even more real the fear of surveillance felt by many journalists in Togo, the existential threat that spyware poses to press freedom, and the imperative for an immediate moratorium on the use and sale of this technology,” said Angela Quintal, CPJ’s Africa program coordinator. “Lawson and Sossou currently face criminal prosecution for their reporting and now have to grapple with the fact that they were targeted with some of the world’s most aggressive spyware. They should have never had to deal with either of these threats.”

In mid-November 2023, Togolese authorities arrested and charged Lawson and Sossou with disseminating false news and attacking the honor of a minister, before granting them provisional release on December 1. Sossou was also charged with inciting a revolt. Their arrest and prosecution relate to a complaint by Togo’s Minister of Urban Planning and Land Reform, Kodjo Sévon-Tépé Adédzé, over posts by the journalists on social media—which have since been deleted—about the alleged theft of a large sum of money from Adédzé’s home.

Lawson and Sossou appeared in court on January 3 and January 17, when their case was transferred to the court of appeal in Lomé, the capital, according to media reports. The next hearing date has not been set.

In 2021, the phone numbers of at least three other Togolese journalists—Ferdinand Ayité, Luc Abaki, and Komlanvi Ketohou, who goes by Carlos—appeared on the Pegasus Project list of phone numbers allegedly selected for surveillance with Pegasus spyware, but the use of the spyware on those journalists’ phones was not confirmed. Ketohou told CPJ that the thought of his private activities in the hands of strangers was “torture,” and Ayité described the looming threat of surveillance as a “permanent fear.”

Citizen Lab, a University of Toronto-based research group, previously found other Togolese civil society members, including clergy, had been targeted with Pegasus in 2019. An unnamed Togolese activist was also targeted with a different spyware in late 2019 and early 2020, according to Amnesty International.

NSO Group, which produces and sells Pegasus spyware, previously told CPJ that it licenses Pegasus to investigate serious crime and terrorism. The company has said it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access.

CPJ’s calls to Yawa Kouigan, Togo’s minister of communication and media, as well as a spokesperson for the government, rang unanswered.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On Tuesday, press freedom group Reporters Without Borders published findings that phones belonging to Lawson and Sossou had been infected with Pegasus. Those findings were independently confirmed by Amnesty International, the report said.

Pegasus spyware, produced by the Israeli company NSO Group, can take over a phone without a user’s knowledge or interaction. CPJ has documented how this zero-click spyware poses an existential crisis for journalism and press freedom around the world.

Lawson is the publisher of the newspaper Flambeau des Démocrates, and Sossou is a freelancer who has reported for various outlets, including as a correspondent for the Belgian investigative website L-Post and a commentator for the Togolese satellite broadcaster New World TV. He also publishes commentary on Facebook. Both journalists currently face criminal prosecution for their work and told CPJ they were surprised to learn they had been targeted.

“The targeting of journalists Loïc Lawson and Anani Sossou with Pegasus spyware makes even more real the fear of surveillance felt by many journalists in Togo, the existential threat that spyware poses to press freedom, and the imperative for an immediate moratorium on the use and sale of this technology,” said Angela Quintal, CPJ’s Africa program coordinator. “Lawson and Sossou currently face criminal prosecution for their reporting and now have to grapple with the fact that they were targeted with some of the world’s most aggressive spyware. They should have never had to deal with either of these threats.”

In mid-November 2023, Togolese authorities arrested and charged Lawson and Sossou with disseminating false news and attacking the honor of a minister, before granting them provisional release on December 1. Sossou was also charged with inciting a revolt. Their arrest and prosecution relate to a complaint by Togo’s Minister of Urban Planning and Land Reform, Kodjo Sévon-Tépé Adédzé, over posts by the journalists on social media—which have since been deleted—about the alleged theft of a large sum of money from Adédzé’s home.

Lawson and Sossou appeared in court on January 3 and January 17, when their case was transferred to the court of appeal in Lomé, the capital, according to media reports. The next hearing date has not been set.

In 2021, the phone numbers of at least three other Togolese journalists—Ferdinand Ayité, Luc Abaki, and Komlanvi Ketohou, who goes by Carlos—appeared on the Pegasus Project list of phone numbers allegedly selected for surveillance with Pegasus spyware, but the use of the spyware on those journalists’ phones was not confirmed. Ketohou told CPJ that the thought of his private activities in the hands of strangers was “torture,” and Ayité described the looming threat of surveillance as a “permanent fear.”

Citizen Lab, a University of Toronto-based research group, previously found other Togolese civil society members, including clergy, had been targeted with Pegasus in 2019. An unnamed Togolese activist was also targeted with a different spyware in late 2019 and early 2020, according to Amnesty International.

NSO Group, which produces and sells Pegasus spyware, previously told CPJ that it licenses Pegasus to investigate serious crime and terrorism. The company has said it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access.

CPJ’s calls to Yawa Kouigan, Togo’s minister of communication and media, as well as a spokesperson for the government, rang unanswered.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

A district court in the capital of Baku on Tuesday ordered that Hasanli and Vagifgizi remain in custody for four months on charges of conspiring to bring money into the country unlawfully, Abzas Media reported. If found guilty, they face up to eight years in prison under Article 206.3.2 of Azerbaijan’s criminal code.

Individuals in plainclothes who did not identify themselves took Kekalov from his home in Baku on Monday along with his laptop and cell phone, according to news reports and a source familiar with the case who spoke to CPJ on condition of anonymity, citing fear of reprisal. As of Tuesday evening, Kekalov’s whereabouts remained unknown.

“The remand terms handed to Ulvi Hasanli and Sevinj Vagifgizi only serve to underline authorities’ real goal, which is to silence Abzas Media’s bold anti-corruption reporting,” said CPJ Advocacy and Communications Director Gypsy Guillén Kaiser, in New York. “Azerbaijani authorities should release Vagifgizi and Hasanli immediately, provide information on Mahammad Kekalov’s whereabouts, and allow Abzas Media to continue its vital public interest reporting.”

Police arrested Hasanli on Monday, November 20, raided his apartment, and searched the Baku office of independent investigative website Abzas Media, where they said they found 40,000 Euros (US$43,770). Officers took a computer, cell phone, iWatch, and hard disk from the apartment and confiscated a microphone and hard disk from the office, Zibeyda Sadygova, the journalist’s lawyer, told CPJ.

Police arrested Vagifgizi at Baku airport at 1:30 a.m. on Tuesday as she returned from a work trip abroad and searched her home.

Hasanli and Vagifgizi have denied the charges, calling them retaliation for Abzas Media’s investigations into alleged corruption by relatives of Azerbaijan President Ilham Aliyev and state officials. Hasanli said he believes police planted the money in order to fabricate a case, according to a video posted by Abzas Media.

Abzas Media is one of a handful of independent outlets that remain in the country following a series of raids, arrests, and criminal investigations against independent media and press freedom groups since 2014.

In 2021, Vagifgizi was one of several Azerbaijani journalists whose phones were found to be compromised by Pegasus, spyware produced by the Israeli company NSO Group. Hasanli’s name was also on a leaked list of individuals targeted with Pegasus, according to the global investigative network Organized Crime and Corruption Reporting Project.

CPJ’s emails to the Baku Police Department and the Ministry of Internal Affairs did not receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Müller, a staff reporter with the weekly French magazine Marianne, and Di Campo, a freelance photojournalist, had arrived in Morocco on September 15, a week after an earthquake killed at least 3,000 people. Moroccan authorities have been widely criticized for their slow response to the disaster.

Marianne said in a statement that the expulsion of the two journalists was politically motivated, and in response to the magazine’s February 16 issue on worsening tensions between France and Morocco.

Morocco recalled its ambassador to France in February, without sending a replacement, and Moroccan authorities denied media reports in 2021 that its intelligence service had a list of potential Pegasus surveillance spyware targets that included French President Emmanuel Macron.

Morocco’s government spokesperson, Mustapha Baitas, said in a September 21 press briefing that the journalists were expelled because they did not seek media accreditation.

CPJ’s emails to Morocco’s Ministry of Interior for comment did not receive any response. 

Three journalists were imprisoned in Morocco on December 1, 2022, when CPJ conducted its most recent annual prison census.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

CPJ’s call follows reports on Thursday—a day after the disclosure that the phone of exiled Russian journalist Galina Timchenko had been infected by Pegasus spyware—that three Latvia-based journalists said Apple had notified them that their phone could have been targeted by hacker attacks.

The three were named as Latvian journalist Evgeniy Pavlov and exiled Russian journalists Evgeniy Erlich and Maria Epifanova.

“The growing reports of possible hacker attacks against at least three independent journalists based in Latvia are all the more worrying given the recent revelation that exiled Russian journalist Galina Timchenko’s phone was infected with Pegasus spyware,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Latvian authorities must conduct a swift and transparent investigation into these allegations and ensure the digital and physical safety of journalists who are temporarily or permanently residing in their countries.”

On Wednesday, September 13, an investigation released by rights group Access Now and research organization Citizen Lab revealed that the phone of Timchenko, the head of independent Russian-language news website Meduza, who has lived in Latvia since 2014, was infected by Pegasus, a form of zero-click spyware produced by the Israeli company NSO Group, while she was in Germany in February. 

Apple had warned Timchenko in June that her device may have been targeted with state-sponsored spyware. The Access Now/Citizen Lab investigation reported that the attack could have come from Russia, one of its allies, or a European Union state.

Apple sent email and text alerts to Erlich’s iPhone while he was in Poland, traveling by car from Latvia to Germany on August 29, warning that “state-sponsored attackers” might be targeting his device, the journalist told CPJ via messaging app.

Erlich is the former chief editor of a regional program for Current Time TV, and an independent producer with Votvot, an on-demand Russian language streaming platform, who moved to Latvia in 2014. Current Time TV and Votvot are affiliated with the U.S. Congress-funded broadcaster Radio Free Europe/Radio Liberty (RFE/RL).

On August 29, Apple warned Epifanova, who moved to Latvia in 2016, that her iPhone may have been hacked by “state-sponsored hackers.” On September 3, the Telegram channel warned her that someone had logged into her account from a device in Egypt, Novaya Gazeta Europe reported.

Epifanova is the CEO of independent news outlet Novaya Gazeta Europe and publisher of Novaya Gazeta project Novaya Gazeta Baltija, which covers Latvia, Lithuania, and Estonia.

Novaya Gazeta Europe is a Latvia-based newspaper launched in April 2022 by journalists who previously worked at the independent Russian newspaper Novaya Gazeta. Russian authorities designated Novaya Gazeta Europe as an “undesirable” organization in June, banning the outlet from operating on Russian territory.

Also, on August 29, Apple emailed Latvian journalist Evgeniy Pavlov that his phone might have been hacked by “state-sponsored hackers.” 

Pavlov is a correspondent with Novaya Gazeta Baltija and reports for Current Time TV and the Russian-language Latvia-based web portal rus.nra.lv.

Epifanova and Pavlov were in Latvia when they received the warnings; they turned to Access Now on Thursday to have their devices checked for spyware infection, Ekaterina Glikman, deputy editor of Novaya Gazeta Europe, told CPJ via a messaging app. 

CPJ’s emails to the Latvian State Security Service and the German Federal Ministry of the Interior received no responses.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

“CPJ is deeply disturbed by the disclosures that attackers used Pegasus spyware to infect the phone of exiled journalist Galina Timchenko, one of the world’s most prominent Russian media figures,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Journalists and their sources are not free and safe if they are spied on, and this attack on Timchenko underscores that governments must implement an immediate moratorium on the development, sale, and use of spyware technologies. The threat is simply too large to ignore.”

Timchenko’s phone was infected by Pegasus, a spyware produced by the Israeli company NSO Group, while she was in Berlin on or around February 10, 2023, according to a Meduza report and a joint-investigation by rights groups Access Now and research organization Citizen Lab. The investigation found that the infection took place shortly after Russia’s Prosecutor General designated Meduza as an “undesirable” organization –  a measure that banned the outlet from operating on Russian territory – and likely lasted several days or weeks.

According to the investigation, Apple had warned Timchenko and “other targets” in June that their devices may have been targeted with state-sponsored spyware. Meduza editor-in-chief Ivan Kolpakov told CPJ via messaging app that Apple’s warning prompted them to request that Access Now check Timchenko’s device.

According to Access Now, this is the first documented case of Pegasus surveillance of a Russian journalist; the investigation reported that the attack could have come from Russia, one of its allies, or an EU state may have been responsible for the attack.

The fact that some European government may have used Pegasus against Timchenko is “beyond our comprehension,’” Kolpakov said in a statement shared with CPJ. “As the developers claim, this software is used to fight terrorism — yet it is systematically used against the opposition and journalists.”

Meduza operates in exile, with most of its staff based in Berlin and the Latvian capital of Riga and covers various topics, including politics, social issues, culture, and the war in Ukraine. CPJ awarded Timchenko its 2022 Gwen Ifill Press Freedom Award.

“We often repeat to ourselves and our employees that Europe gives a feeling of complete security. But it is only a feeling – an illusion of security,” Kolpakov said in the statement.

Meduza journalist Elena Kostyuchenko recently reported that she may have been poisoned in Germany in October 2022.

Kolpakov said he hoped to be able to identify those responsible for the attack and obtain explanations from them as well as from the NSO Group.

NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.

A 2022 CPJ special report noted that the development of high-tech “zero-click” spyware like Pegasus– the kind that takes over a phone without a user’s knowledge or interaction – poses an existential crisis for journalism and the future of press freedom around the world. The report included CPJ’s recommendations to protect journalists and their sources from the abuse of the technology and called for an immediate moratorium on exporting this technology to countries with poor human rights records. CPJ has also joined other rights groups in calling for immediate action to stop spyware threatening press freedom.

CPJ emailed NSO Group and the German Federal Ministry of the Interior for comment on the Timchenko findings but did not immediately receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

By Antony Loewenstein

The Israeli defence industry inspires nations across the globe, many of which view themselves as under threat from external enemies.

The Taiwanese foreign minister, Joseph Wu, recently told the Israeli newspaper Haaretz that: “Every aspect of the Israeli fighting capability is amazing to the Taiwanese people and the Taiwanese government.”

Wu explained that he appreciated how Israel protected its own country because, “basically, we [Taiwan] have barely started. The fighting experiences of Israel are something we’re not quite sure about ourselves. We haven’t had any war in the last four or five decades, but Israel has that kind of experience”.

• READ MORE: Antony Loewenstein: Palestine a testing ground for war tech
• Antony Loewenstein’s website

Wu also expressed interest in Israeli weapons, suggesting his country had considered their usefulness in any potential war with China.

“Israel has the Iron Dome,” he said, referring to Israel’s defence system against short-range missiles. “We should look at some of the technology that has been used by the Israelis in its defence. I’m not sure whether we can copy it, but I think we can look at it and learn from it.”

It isn’t just Taiwan imagining itself as akin to Israel. Ukrainian President Volodymyr Zelensky said in April 2022 that his vision for his nation was to mimic “the Jewish state“.

Two months after Russia’s illegal invasion of its territory, Zelensky, who is a long-time supporter of Israel, argued that “our people will be our great army. We cannot talk about ‘Switzerland of the future’ — probably, our state will be able to be like this a long time after. But we will definitely become a ‘big Israel’ with its own face.”

Zelensky went on to explain that what he meant was the need in the future to have “representatives of the armed forces or the national guard in all institutions, supermarkets, cinemas; there will be people with weapons.”

The Palestine laboratory
This admiration for Israel is both unsurprising and disturbing. The praise for Israel almost always completely ignores its occupation of Palestinian territory — one of the longest in modern times — and the ways in which this colonial project is implemented.

When Taiwan, Ukraine or any other country looks to Israel for innovation, it’s a highly selective gaze which completely disappears the more than five million Palestinians under Israeli military occupation in the West Bank, East Jerusalem and Gaza.

The appeal of the Palestine laboratory is endless. I’ve spent the last years researching this concept and its execution in Palestine and across the globe.

My new book, The Palestine Laboratory: How Israel Exports the Technology of Occupation Around the World, uncovers how Israel has used the occupied Palestinians as the ultimate guineapigs when developing tools of repression, from drones to spyware and facial recognition to biometric data, while maintaining an “enemy” population, the Palestinians, under control for more than half a century.

Israel has sold defence equipment to at least 130 countries and is now the 10th biggest arms exporter in the world. The US is still the dominant player in this space, accounting for 40 percent of the global weapons industry.

Washington used its failed wars in Iraq and Afghanistan as a testing ground for new weapons. During the current Russian invasion of Ukraine, the war has been a vital “beta test” for new weapons and sophisticated forms of surveillance and killing.

But Israel has a ready-made population of occupied Palestinians over which it has complete control. For more than five decades, Israeli intelligence authorities have built an NSA-level system of surveillance across the entire occupied Palestinian territories.

Nowhere is completely immune from listening, watching or following.

In the last decade, the most infamous example of Israeli repression tech is Pegasus, the phone hacking tool developed by the company NSO Group. Used and abused by dozens of nations around the world, Mexico is its most prolific adherent.

I spoke to dissidents, lawyers and human rights activists in Togo, Mexico, India and beyond whose lives were upended by this invasive, mostly silent tool.

Israeli state and spyware
However, missing from so much of the western media coverage, including outrage against NSO Group and its founders who were Israeli army veterans, is acknowledgement of the close ties between the firm and the Israeli state.

NSO is a private corporation in name only and is in fact an arm of Israel’s diplomacy, used by Prime Minister Benjamin Netanyahu and the Mossad to attract new friends in the international arena. Despite being blacklisted by the Biden administration in November 2021, the company still hopes to continue trading.

My research, along with that of other reporters, has shown a clear connection between the sale of Israeli cyberweapons and Israel’s attempts to neuter any potential backlash to its illegal occupation.

From Rwanda to Saudi Arabia and the United Arab Emirates to India, Israeli spyware and surveillance tech are used by countless democracies and dictatorships alike.

Beyond Pegasus, many other similar tools have been deployed by newer and lesser-known Israeli companies, though they’re just as destructive. The problem isn’t just Pegasus — it could close down tomorrow and the privacy-busting technology would transfer to any number of competitors — but the unquenchable desire by governments, police forces and intelligence services for the relatively inexpensive Israeli tech that powers it.

India is even looking for alternatives to NSO Group with a less controversial history.

The Palestine laboratory is so successful because nobody wants to seriously regulate the fruits of its labours.

Ideological alignment
The extent of Israeli collusion with 20th and 21st century repression is overwhelming.

Perhaps the most revealing was the deep relationship between apartheid South Africa and Israel. It wasn’t just about arms trading, but an ideological alignment between two states that truly believed that they were fighting for their very existence.

In 1976, Israeli Prime Minister Yitzhak Rabin invited South African Prime Minister John Vorster, a Nazi sympathiser during the Second World War, to visit Israel. His tour included a stop at Yad Vashem, the country’s Holocaust memorial in Jerusalem.

When Vorster arrived in Israel, he was feted by Rabin at a state dinner. Rabin toasted “the ideals shared by Israel and South Africa: the hopes for justice and peaceful coexistence”. Both nations faced “foreign-inspired instability and recklessness”.

Israel and South Africa viewed themselves as under attack by foreign bodies committed to their destruction. A short time after Vorster’s visit, the South African government yearbook explained that both states were facing the same issue: “Israel and South Africa have one thing above all else in common: they are both situated in a predominantly hostile world inhabited by dark peoples.”

A love of ethnonationalism still fuels Israel today, along with a desire to export it. Some arms deals with nations, such as Bangladesh or the Philippines, are purely on military grounds and to make money.

Israel places barely any restrictions on what it sells, which pleases leaders who don’t want meddling in their actions. Pro-Israel lobbyists are increasingly working for repressive states, such as Bangladesh, to promote their supposed usefulness to the West.

Israel and the global far right
But Israel’s affinity with Hungary, India and the global far right, a group that traditionally hates Jews, speaks volumes about the inspirational nature of the modern Israeli state. As Haaretz journalist Noa Landau recently wrote, while explaining why Netanyahu’s government defended the latest arguably antisemitic comments by Elon Musk about George Soros:

“The government’s mobilisation in the service of stoking antisemitism is not surprising. It is the fruit of a long and consistent process in which the Netanyahu government has been growing closer to extreme right-wing elements around the world, at the expense of Jewish communities it purports to represent.”

It’s worth pausing for a moment to reflect on this undeniable reality. Israel, which claims to represent global Jewry, is encouraging an alignment between itself and a hyper-nationalist, bigoted and racist populism, regardless of the long-term consequences for the safety and security of Jews around the world.

Israel has thrived as an ethnonationalist state for so long because the vast bulk of the world grants it impunity. European nations have been key supporters of Israel, willing to overlook its occupation and abuse of Palestinians.

According to newly declassified documents from the files of Israel’s Ministry of Foreign Affairs, between 1967 and 1990 it’s clear that West Germany was becoming more critical of Israel’s settlement project in Palestine, but the main concern was protecting its own financial interests in the region if a regional war broke out.

In a document written on 16 February 1975 to the deputy director of Israel’s Ministry of Foreign Affairs for Western Europe, Nissim Yaish, before Israel’s Foreign Minister Yigal Allon’s visit to West Germany, Yaish explained the thinking in his country’s diplomatic bureaucracy:

“There is unanimity that this time such a war will have a far-reaching impact on all its affairs internally and externally and that it could wreak a Holocaust on the German economy. Based on this attitude, West Germany is interested in rapid progress toward a [peace] agreement.”

Western silence
But there has rarely been any serious interest in pursuing peace, or holding Israel to account for its blatantly illegal actions, because the economic imperative is too strong. Even today, when another Nakba against Palestinians is becoming more possible to imagine, there’s largely silence from Western elites.

Germany has banned public recognition of the 1948 Nakba and criminalised any solidarity with the Palestinian people. Germany is also keen to buy an Israeli missile defence system, confirming its priorities.

This is why Israeli apartheid and the Palestine laboratory are so hard to stop; countless nations want a piece of Israeli repression tech to surveil their own unwanted populations or election meddling support in Latin America or Africa.

Without a push for accountability, economic boycotts and regulation or banning Israeli spyware — the EU is flirting with the idea — Israel can feel comfortable that its position as a global leader in offensive weapons is secure.

This article was first published in the Middle East Eye.

This content originally appeared on Asia Pacific Report and was authored by APR editor.

“Today’s report is yet another deeply disturbing reminder of the immense danger posed by Pegasus and other spyware used to target journalists,” said Carlos Martinez de la Serna, CPJ’s program director, in New York. “Armenian and Azerbaijani authorities should allow transparent inquiries into the targeting of Armenian journalists with Pegasus, and NSO Group must offer a convincing response to the report’s findings and stop providing its technologies to states or other actors who target journalists.”

The report, “Hacking in a war zone: Pegasus spyware in the Azerbaijan-Armenia conflict,” identified at least 12 people whose devices were infected by Pegasus, spyware produced by the Israeli company NSO Group. Many of the infections clustered around the 2020 Nagorno-Karabakh war between Armenia and Azerbaijan and its subsequent escalations.

The report was published Thursday, May 25, by the rights groups Access Now, Amnesty International, and Citizen Lab, the Armenian digital emergencies group CyberHUB-AM, as well as independent mobile security researcher Ruben Muradyan.

The targets included Armenian human rights activists, academics, and state officials, two media representatives who requested to be kept anonymous, and three named journalists:

• Karlen Aslanyan, a reporter with the U.S. Congress-funded broadcaster RFE/RL’s Armenian service, Radio Azatutyun
• Astghik Bedevyan, a reporter with Radio Azatutyun
• Samvel Farmanyan, co-founder of the now-defunct independent broadcaster ArmNews TV

The report says its authors found “substantial evidence” suggesting that Azerbaijan authorities purchased access to Pegasus, and that the targets would have been of intense interest to Azerbaijan. The targets were also critical of Armenia’s government, which is believed to have previously used another spyware product.

NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.

CPJ has documented the grave threat posed to journalists by spyware, and joined with other rights groups to issue recommendations to policymakers and companies to combat the use of spyware against the media, including by imposing bans on technology and vendors implicated in human rights abuses.

Azerbaijani journalists Sevinj Vagifgizi and Khadija Ismayilova were previously confirmed to have had their devices infected with Pegasus, while dozens of other prominent Azerbaijani journalists featured on a leaked list of potential Pegasus targets analyzed by the collaborative investigation Pegasus Project in 2021.

CPJ emailed NSO Group, the National Security Service and Ministry of Internal Affairs of Armenia, and the State Security Service and Ministry of Internal Affairs of Azerbaijan for comment, but did not immediately receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

“Today’s report is yet another deeply disturbing reminder of the immense danger posed by Pegasus and other spyware used to target journalists,” said Carlos Martinez de la Serna, CPJ’s program director, in New York. “Armenian and Azerbaijani authorities should allow transparent inquiries into the targeting of Armenian journalists with Pegasus, and NSO Group must offer a convincing response to the report’s findings and stop providing its technologies to states or other actors who target journalists.”

The report, “Hacking in a war zone: Pegasus spyware in the Azerbaijan-Armenia conflict,” identified at least 12 people whose devices were infected by Pegasus, spyware produced by the Israeli company NSO Group. Many of the infections clustered around the 2020 Nagorno-Karabakh war between Armenia and Azerbaijan and its subsequent escalations.

The report was published Thursday, May 25, by the rights groups Access Now, Amnesty International, and Citizen Lab, the Armenian digital emergencies group CyberHUB-AM, as well as independent mobile security researcher Ruben Muradyan.

The targets included Armenian human rights activists, academics, and state officials, two media representatives who requested to be kept anonymous, and three named journalists:

• Karlen Aslanyan, a reporter with the U.S. Congress-funded broadcaster RFE/RL’s Armenian service, Radio Azatutyun
• Astghik Bedevyan, a reporter with Radio Azatutyun
• Samvel Farmanyan, co-founder of the now-defunct independent broadcaster ArmNews TV

The report says its authors found “substantial evidence” suggesting that Azerbaijan authorities purchased access to Pegasus, and that the targets would have been of intense interest to Azerbaijan. The targets were also critical of Armenia’s government, which is believed to have previously used another spyware product.

NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.

CPJ has documented the grave threat posed to journalists by spyware, and joined with other rights groups to issue recommendations to policymakers and companies to combat the use of spyware against the media, including by imposing bans on technology and vendors implicated in human rights abuses.

Azerbaijani journalists Sevinj Vagifgizi and Khadija Ismayilova were previously confirmed to have had their devices infected with Pegasus, while dozens of other prominent Azerbaijani journalists featured on a leaked list of potential Pegasus targets analyzed by the collaborative investigation Pegasus Project in 2021.

CPJ emailed NSO Group, the National Security Service and Ministry of Internal Affairs of Armenia, and the State Security Service and Ministry of Internal Affairs of Azerbaijan for comment, but did not immediately receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

Since March, López Obrador has sharply criticized Article 19, national investigative magazine Proceso, privately owned online news outlets Animal Político and Aristegui Noticias, and Animal Político investigative reporter Nayeli Roldán over their coverage of the Mexican federal government’s alleged use of illegal spyware.

The president’s statements have led to online abuse and threats of violence against Article 19, the three outlets, and their reporters, according to Roldán, Animal Político’s editorial director Daniel Moreno, and Article 19’s regional director Leopoldo Maldonado, who all spoke to CPJ by phone. 

“Mexican President López Obrador’s recent attempts to discredit journalist Nayeli Roldán, three critical news outlets, and Article 19 are more proof that his administration prefers harassing journalists over solving the country’s catastrophic press freedom crisis,” said CPJ Mexico Representative Jan-Albert Hootsen. “López Obrador’s constant verbal attacks on reporters, which serve only as a distraction from the issues they report on, must stop before they lead to further violence against the press.”

Since he assumed office in 2018, López Obrador repeatedly stated that his government does not engage in illegal surveillance with spyware and denied that his administration uses such applications for anything other than national security.

However, a series of reports published in March 2023 provided evidence that the Mexican military used Pegasus, a spyware developed by the Israeli NSO group, to monitor conversations between human rights activist Raymundo Ramos and two journalists at the Mexico City newspaper El Universal since 2019.

In a March 10 press briefing, Roldán asked López Obrador about those allegations, to which he responded by saying Roldán was “always against his government.” When Roldán insisted the military must explain the legal basis for the spying, he accused her of “not being objective,” and called her “unprofessional” and part of the “tendentious, bribed media.”

During an April 28 press conference, the president told reporters that Roldán was paid in 2022 by the National Institute for Access to Information, a federal autonomous body that handles freedom of information requests and regulates the protection of personal data. López Obrador has been highly critical of the institute, which he claims is “useless,” “onerous, opaque, and unnecessarily expensive,” and opposes his administration and him personally, according to news reports.

During a May 2 press briefing, López Obrador accused Article 19 of being funded by the U.S. government to work “against his government,” therefore “violating our sovereignty” and called the organization “interventionist,” adding that he would send a diplomatic cable to the U.S. government “in protest.”  

Moreno, Roldán, and Maldonado told CPJ that the president’s remarks have led to many hateful comments on social media against them personally, as well as on websites and social media pages of Article 19, Proceso, Animal Político, and Aristegui Noticias. Roldán said she received “vicious” misogynistic comments, while Maldonado said he and his organization received many threats and statements echoing the president’s comments.

“I’ve been receiving lots of insults, an increasing number. I’d even call it stalking,” Roldán told CPJ, adding that the pressure has forced her to keep a lower profile on social media. “I can’t send out a single tweet without it receiving insults.” 

Moreno said the president’s comments have made him and his reporters feel less safe, leading some of his reporters to ask not to be named in bylines. 

“We try to respond to the president, who constantly lies about us and never rectifies false information. His daily press briefing is a far bigger platform than anything we could ever hope to have,” Moreno said. “We have seen an increase in the number of attacks and insults against us, including social media users openly asking who our family members are to accost them as well.”

CPJ contacted presidential spokesperson Jesús Ramírez Cuevas for comment via messaging app but did not receive any response.  

Mexico was the deadliest country in the Western Hemisphere for journalists in 2022. At least three reporters were murdered in direct connection to their work, and CPJ is investigating another 10 killings to determine the motive.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Six dozen civil society groups, journalists, and experts marked World Press Freedom Day on Wednesday with a joint call for "all governments to implement an immediate moratorium on the export, sale, transfer, servicing, and use of digital surveillance technologies, as well as a ban on abusive commercial spyware technology and its vendors."

The use of spyware against media workers is "an alarming trend impacting freedom of the press and creating a wider chilling effect on civil society and civic space," the statement argues. "Privacy, source protection, and digital security are essential components of press freedom, allowing journalists to protect the confidentiality and integrity of their work and sources."

"As governments and other entities seek to suppress the press and silence dissent, we are seeing an exponential increase in the market for digital surveillance technologies, including spyware, that overrides these journalistic principles."

"As governments and other entities seek to suppress the press and silence dissent, we are seeing an exponential increase in the market for digital surveillance technologies, including spyware, that overrides these journalistic principles," the statement continues. Such tools "can infiltrate a target's phone, giving the attacker full access to emails, messages, contacts, and even the device's microphone and camera," rendering secure and encrypted platforms useless.

"From El Salvador to Mexico, from India to Azerbaijan, from Hungary to Morocco, to Ethiopia—the list goes on of countries where investigative journalists working to expose corruption, power abuses, or human rights violations, have been targeted by invasive spyware such as Pegasus," the statement adds, referencing spyware from the Israeli firm NSO Group that has been used to target reporters, dissidents, and world leaders.

The advocates of banning this type of surveilleance technology noted that there are at least 180 known cases of potentially targeted journalists across 21 countries. They pointed to multiple examples, including Hungary-based Andras Szabo and Szabolcs Panyi being targeted with Pegasus in 2019, and Raymond Mujuni and Canary Mugume facing the same spyware two years later in Uganda.

According to the statement:

Moroccan investigative journalist Omar al-Radi was targeted with Pegasus spyware between 2019 and 2021, and later sentenced to six years in prison on bogus rape and espionage charges. Meanwhile journalist Hicham Mansouri, who fled from Morocco to France in 2016 following state harassment and detention, was hacked by Pegasus at least 20 times between February and April 2021.

Perhaps the most infamous example of how spyware can facilitate and enable transnational repression and serious human rights violations, including enforced disappearance and extrajudicial killing, is the murder of Saudi journalist and dissident Jamal Khashoggi at the Consulate of the Kingdom of Saudi Arabia in Istanbul on October 2, 2018. Both prior to and after his death, Mr. Kashoggi's family members and acquaintances were targeted by Pegasus spyware.

"It is clear that the use of spyware and unlawful targeted surveillance violates the fundamental rights of freedom of expression and access to information, peaceful assembly and association, freedom of movement, and privacy," the statement asserts, demanding not only a ban but also accountability for developers and distributors of the technology, and boosted efforts to protect journalists.

The statement was launched at Secret Surveillance: Countering Spyware's Threats to Freedom of the Press and Expression, an event co-hosted by advocacy organizations including Access Now.

"Invasive and abusive commercial spyware that has been used to facilitate human rights abuses globally has no place in our world," declared Access Now surveillance campaigner Rand Hammoud. "Years worth of evidence by civil society has demonstrated that the companies selling these technologies should not be rewarded with governmental contracts that would continue enabling their abuses."

Natalia Krapiva, tech legal counsel at Access Now, agreed that "this sinister technology that has been misused and abused by governments around the world is not safe in any hands, and its use can never be justified."

"Discussions do not suffice," Krapiva added. "We expect action: Protect freedom of the press, stamp out the spyware threat."

The spyware statement came as other members of the media acknowledged World Press Freedom Day in various ways, including sounding the alarm about the impacts of artificial intelligence on fact-based journalism, demanding global safeguards for digital privacy, and calling out the U.S. government for continuing to seek the extradition of WikiLeaks founder Julian Assange.

This content originally appeared on Common Dreams and was authored by Jessica Corbett.

The amendment authorizes the formulation of a central government fact-check unit empowered to order intermediaries, including social media companies and internet service providers, to take down “fake or false or misleading content.” Intermediaries risk liability in court if they fail to remove such content.

The statement expresses concern that the amendment, which was announced without adequate and meaningful consultation with journalists, press bodies, and civil society organizations, severely threatens press freedom and empowers the government to be the sole arbiter of truth on the internet.

The statement further notes that the surveillance of journalists continues with impunity and calls on the Indian government to meaningfully commit to protecting media freedom and ensuring that journalists can do their work freely and without fear of persecution.

Read the full statement here.

CPJ previously criticized the I.T. Rules, which expanded the government’s powers to censor online content. In January 2023, the Indian government cited the rules when ordering YouTube and Twitter to take down links to a BBC documentary investigating Prime Minister Narendra Modi’s alleged role in the 2002 riots in Gujarat.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

“The revelations that Mexican authorities have continued to spy on activists, including their communications with reporters, is a shocking confirmation that President Andrés Manuel López Obrador’s promises to do away with illegal surveillance have not been realized,” said Jan-Albert Hootsen, CPJ’s Mexico representative. “The previous failure to hold officials engaged in spying to account all but guaranteed that little would change. Only a credible, swift, and transparent investigation into these abuses will show that the government is taking such actions seriously.”

Joint reporting published Tuesday, March 7, by The New York Times and the independent Mexican outlet Aristegui Noticias showed that military authorities used Pegasus surveillance software designed by the Israeli firm NSO Group to spy on Ramos.

According to that reporting, an intelligence unit with Mexico’s Defense Secretariat attacked Ramos’ phone on numerous occasions between 2019 and 2020, and listened in on conversations he had with journalists at the newspaper El Universal about alleged extrajudicial executions of civilians in the northern state of Tamaulipas. The documents also revealed that the secretariat accused Ramos of working for a criminal gang in the state.

López Obrador, who assumed office in 2018, pledged that his government would end surveillance and denied the continued use of Pegasus. Past investigations into the use of Pegasus have not led to the arrest of public officials allegedly responsible for the surveillance.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

The hearing started unsurprisingly enough. Chaim Gelfand, the NSO Group lawyer, laid out the company line that Pegasus is designed for use against terrorists and other criminals. He promised that the company controlled its sales, developed human rights and whistleblowing policies, and took action against those governments that abused it. He wanted to “dispel certain rumors and misconceptions” about the technology that have circulated in “the press and public debate.” He made his case.

Then, surely from NSO Group’s perspective, it went downhill. MEP after MEP asked specific questions of NSO Group. For instance: if Pegasus is sold only to counter terrorism or serious crime, how did it come to be used in EU member states? How did it come to be used to eavesdrop on staffers at the European Commission, another public allegation? Can NSO provide examples of when it terminated contracts because a client misused Pegasus? Can NSO clarify what data it has on its clients’ uses of Pegasus? How does NSO Group know when the technology is “abused”? More personally: How come you spied on me?

MEPs were angry. Increasingly their questions became more intense, more personal, more laced with moral and legal outrage. And this tenor only deepened over the course of the hearing, as the NSO lawyer stumbled through his points and regularly resorted to the line that he could not speak to specific examples, cases or governments. Few, if any, seemed persuaded by the NSO Group claim that it has no insight into the day-to-day use of the spyware by the “end-user”. To the contrary, the PEGA hearing ended with one thing clear: NSO Group faces not only anger but the reality of an energized set of legislators.

More than a year after release of the Pegasus Project, the global reporting investigation that disclosed massive pools of potential targets for Pegasus surveillance, the momentum for action against spyware like Pegasus is gathering steam. 

Read CPJ’s complete special report: When spyware turns phones into weapons

In 2019, in my capacity as a U.N. Special Rapporteur, I issued a report to the United Nations Human Rights Council that surveyed the landscape of the private surveillance industry and the vast human rights abuses it facilitates, calling for a moratorium on the sale, transfer and use of such spyware. At the time, few picked up the call. But today, with extensive reporting of the use of spyware tools against journalists, opposition politicians, human rights defenders, the families of such persons, and others, the tide seems to be turning against Pegasus and spyware of its ilk.

The U.N. High Commissioner for Human Rights, several U.N. special rapporteurs, the leaders of major human rights organizations, and at least one state, Costa Rica, have joined the call for a moratorium. The Supreme Court of India is pursuing serious questions about the government’s use of Pegasus. The United States Department of Commerce placed NSO Group and another Israeli spyware firm on its list of restricted entities, forbidding the U.S. government from doing any business with them. Apple and Facebook’s parent company Meta have sued NSO Group for using their infrastructure to hack into individual phones.

All of these steps suggest not only momentum but the elements of a global process to constrain the industry. They need to be transformed into a long-term strategy to deal with the threats posed to human rights by intrusive, mercenary spyware. State-by-state responses, or high-profile corporate litigation, will generate pain for specific companies and begin to set out the normative standards that should apply to surveillance technologies. But in order to curb the industry as a whole, a global approach will be necessary. 

In principle, spyware with the characteristics of Pegasus – the capability to access one’s entire device and data connected to it, without discrimination, and without constraint – already violates basic standards of necessity and proportionality under international human rights law. On that ground alone, it’s time to begin speaking of not merely a moratorium but a ban of such intrusive technology, whether provided by private or public actors. No government should have such a tool, and no private company should be able to sell such a tool to governments or others.

In the land of reality, however, a ban will not take place immediately. Even if a coalition of human rights-friendly governments could get such negotiations toward a ban off the ground, it will take time.

Here is where bodies like the European Parliament and its PEGA Committee – and governments and parliamentarians around the world – can make an immediate difference. They should start to discuss a permanent ban while also entertaining other interim approaches: stricter global export controls to limit the spread of spyware technology; commitments by governments to ensure that their domestic law enables victims of spyware to bring suits against perpetrators, whether domestic or foreign; and broad agreement by third-party companies, such as device manufacturers, social media companies, security entities and others, to develop a process for notification of spyware breaches especially to users and to one another. 

Some of this would be hard to accomplish. It’s not as if the present moment, dominated as it is by tensions like Russian aggression against Ukraine, is conducive to international negotiations. Some steps could be achieved by governments that should be concerned about the spread of such technologies, already demonstrated by U.S. and European outrage. Either way, governments and activists can begin to lay the groundwork, defining the key terms, highlighting the fundamental illegality of spyware like Pegasus, taking steps in domestic law to ensure strict controls on export and use. 

There is precedent for such action in the global movement to ban landmines in the 1990s, which started with little hope of achieving a ban, focused instead on near-term controls. Ultimately human rights activists and like-minded governments were able to hammer out the Ottawa Convention to ban and destroy anti-personnel landmines in 1997. It is, at least, a process that activists and governments today could emulate and modify.

Human rights organizations and journalists have done the work to disclose the existence of a major threat to freedom of expression, privacy, and space for public participation. It is now the duty of governments to do something about it.

This content originally appeared on Committee to Protect Journalists and was authored by David Kaye.

“Earlier it was just one conversation they [authorities] would tap into,” Venu told CPJ in a phone interview. “They wouldn’t see what you would be doing in your bedroom or bathroom. The scale was stunning.”

The Indian journalists were among scores around the world who learned from the Pegasus Project in July 2021 that they, along with human rights activists, lawyers, and politicians, had been targeted for possible surveillance by Pegasus, the spyware made by Israel’s NSO Group. (The company denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.) 

The Pegasus Project found that the phones of two founding editors of The Wire – Venu and Siddharth Vardarajan – were confirmed by forensic analysis to have been infected with Pegasus. Four other journalists associated with the outlet – diplomatic editor Devirupa Mitra, and contributors Rohini Singh, Prem Shankar Jha, and Swati Chaturvedi – were listed as potential targets.

The Indian government denies that it has engaged in unauthorized surveillance, but has not commented directly on a January New York Times report that Prime Minister Narendra Modi agreed to buy Pegasus during a 2017 visit to Israel. The Indian government has not cooperated with an ongoing inquiry by an expert committee appointed by the country’s Supreme Court to investigate illegal use of spyware. In late August, the court revealed that the committee had found malware in five out of the 29 devices it examined, but could not confirm that it was Pegasus.

However, Indian journalists interviewed by CPJ had no doubt that it was the government behind any efforts to spy on them. “This government is obsessed with journalists who are not adhering to their cheerleading,” investigative reporter Chaturvedi told CPJ via messaging app. “My journalism has never been personal against anyone. I don’t understand why it is so personal to this government.” For Chaturvedi, the spying was an invasion of privacy “so heinous that how do you put it in words.” 

Read CPJ’s complete special report: When spyware turns phones into weapons

Overall, the Pegasus Project found that at least 40 journalists were among the 174 Indians named as potential targets of surveillance. With six associated with The Wire, the outlet was the country’s most targeted newsroom. The Wire has long been a thorn in the side of the ruling Bharatiya Janata Party (BJP) for its reporting on allegations of corruption by party officials, the party’s alleged promotion of sectarian violence, and its alleged use of technology to target government critics online. As a result, various BJP-led state governments, BJP officials, and their affiliates have targeted the website’s journalists with police investigations, defamation suits, online doxxing, and threats.

Indian home ministry and BJP spokespeople have not responded to CPJ’s email and text messages requesting comment. However after the last Supreme Court hearing, party spokesperson Gaurav Bhatia criticized the opposition for “trying to create an atmosphere of fear” in India. “They [Congress party] were trying to spread propaganda that citizens’ privacy has been invaded. The Supreme Court has made it clear that no conclusive evidence has been found to show the presence of Pegasus spyware in the 29 phones scanned,” he said.

As in so many other newsrooms around the world, the Pegasus Project revelations have prompted The Wire to introduce stricter security protocols, including the use of encrypted software, to protect its journalists as well as its sources.

Ajoy Ashirwad Mahaprashasta, political editor at The Wire, told CPJ in a phone interview that as part of the new procedures, “we would not talk [about sensitive stories] on the phone.” While working on the Pegasus project, the Wire newsroom was extra careful. “When we were meeting, we kept our phones in a separate room. We were also not using our general [office] computers,” he said.

Venu told CPJ that while regular editorial meetings at The Wire are held via video call, sensitive stories are discussed in person. “We take usual precautions like occasional reboot, keep phones away when we meet anyone. What else can we do?” he asks.

Chaturvedi told CPJ via messaging app that she quickly started using a new phone when she learned from local intelligence sources that she might have been under surveillance. As an investigative journalist, her immediate concern following the Pegasus Project disclosures was to avoid compromising her sources. “In Delhi, everyone I know who is in a position of power no longer talks on normal calls,” she said. “The paranoia is not just us who have been targeted with Pegasus.”

“Since the last five years, any important source I’m trying to talk to as a journalist will not speak to me on a normal regular call,” said Arfa Khanum Sherwani, who anchors a popular political show for The Wire and is known as a critic of Hindu right-wing politics. Sherwani told CPJ that her politician sources were the first ones who moved to communicate with her on encrypted messaging platforms even before the revelations as they “understood that something like this was at play.”

Rohini Singh similarly told CPJ that she doesn’t have any conversations related to her stories over the phone and leaves it behind when she meets people out reporting. “It is not about protecting myself. Ultimately it is going to be my story and my byline would be on it. I’m essentially protecting people who might be giving me information,” she said. 

Journalists also say they are concerned about the safety of their family members.

“After Pegasus, even though my name per se was not part of the whole thing, my friends and family members did not feel safe enough to call me or casually say something about the government. Because they feel that they are also being audiographed and videographed [filmed or recorded],” said Sherwani.

Chaturvedi told CPJ that her family has been “terrified” since the revelations. “Both my parents were in the government service. They can’t believe that this is the same country,” she said.

Venu and Sherwani both expressed concerns about how the atmosphere of fear could affect coverage by less-experienced journalists starting out in their careers. “The simple pleasure of doing journalism got affected. This may lead to self-censorship. When someone gets attacked badly, that journalist can start playing safe,” said Venu.

Said Sherwani: “For someone like me with a more established identity and career, I would be able to get people [to talk to me], but for younger journalists it will be much more difficult to contact politicians and speak to them. Whatever they say has to be on record, so you will see less and less source-based stories.”

Ashirwad agreed. “I’m very critical of this government, which is known. My stand now is I shall not say anything in private which I’m not comfortable saying in public,” he said.  

This content originally appeared on Committee to Protect Journalists and was authored by Kunal Majumder/CPJ India Representative.

Over five years have passed since Villarreal and Ismael Bojórquez, RíoDoce’s co-founder and editor-in-chief, received the suspicious text messages that experts said bore telltale signs of Pegasus, the now notorious surveillance software developed by Israeli firm NSO Group. Just this month, a joint investigation by three Mexican rights groups and the University of Toronto’s Citizen Lab found evidence of Pegasus infections on the devices of two Mexican journalists and a human rights defender between 2019 and 2021 – infiltration that occurred in spite of Mexican President Andrés Manuel López Obrador’s 2018 promise to end illegal surveillance. (López Obrador denied on October 4 that his administration had used Pegasus against journalists or political opponents, saying, “if they have evidence, let them present it.”)

The previous Mexican administration also denied using the technology on high-profile journalists, even after the Pegasus Project, a global consortium of investigative journalists and affiliated news outlets that investigated the use of the spyware, reported in 2021 that more than two dozen journalists in Mexico have been targeted with the spyware. Those named included award-winning investigative journalist Carmen Aristegui and Jorge Carrasco, the editor-in-chief of the country’s foremost hard-hitting investigative magazine Proceso. Yet although the surveillance caused considerable outrage, almost nothing has changed since 2017, according to Villarreal, who spoke to CPJ from Sinaloa’s capital, Culiacán.

Read CPJ’s complete special report: When spyware turns phones into weapons

In what CPJ has found to be by far the deadliest country for journalists in the Western Hemisphere, there remains no legal protection from intrusive surveillance, no recourse for its victims, and no repercussions for those in public office who facilitated the spying.  

López Obrador’s pledge to stop illegal surveillance was one of his first major undertakings after he took office in December 2018. Eleven months later, he assured Mexicans that the use of the Israeli spyware would be investigated. “From this moment I tell you that we’re not involved in this. It was decided here that no one will be persecuted,” he said.

But with just over two years left in office – Mexico’s constitution allows presidents to serve only a single six-year term – journalists, digital rights groups, and human rights defenders say little has come of the president’s promises. Not only has the investigation into the documented cases of illegal use of Pegasus shown no meaningful progress, the critics say, but also virtually nothing has been done to prevent authorities from continuing to spy. 

“Unfortunately, the regulatory situation and the authorities’ capacity to intercept communication have remained intact,” said Luis Fernando García of Red en Defensa de los Derechos Digitales (R3D), a Mexico City-based digital rights group that supports reporters targeted with Pegasus. “There’s very little transparency, very little publicly available information about the use of such technologies, which makes repetition a very real possibility.”

CPJ contacted the office of President López Obrador’s spokesperson for comment before publication of the October report about the most recent infections but did not receive a reply.

NSO says it only sells Pegasus to government and law enforcement agencies to combat terrorism or organized crime. But investigative journalists report that in countries like Mexico non-state actors, including criminal groups, can also get their hands on these tools even if they are not direct clients. This poses a major threat to journalists and their sources across the region, where CPJ research has found that organized crime groups are responsible for a significant percentage of threats and deadly violence targeting the press. At least one Mexican journalist who was killed for his work, Cecilio Pineda Birto, may have been singled out for surveillance the month before his death.

Villarreal and Bojorquez received the first Pegasus-infected text messages just two days after Javier Valdez Cárdenas, Riodoce co-founder and a 2011 recipient of CPJ’s International Press Freedom Award, was fatally shot on May 15, 2017, near the magazine’s offices in northern Sinaloa state. 

“Although it had all the hallmarks of Pegasus, it took us quite a while before we realized what was happening,” Villarreal recalled. “We were in a very vulnerable state after Javier’s death. It wasn’t until approximately a month later, after contact with press freedom groups, that we realized that it was Pegasus.”

A 2018 report by R3D, citing findings by Citizen Lab, stated that the likely source of Villarreal’s surveillance was the Agency of Criminal Investigation, a now-defunct arm of the federal attorney general’s office. Two autonomous federal regulators subsequently established that the attorney general’s office used Pegasus illegally and violated privacy laws.

However, an ongoing federal investigation initiated under the previous government of President Enrique Peña Nieto has not led to any arrests of public officials. In December 2021, Mexican authorities requested the extradition from Israel of the former head of the criminal investigation agency, Tomás Zerón, in connection with various investigations – reportedly including the Pegasus abuses – but that request has not yet been granted. (CPJ contacted the federal attorney general’s office for comment on the extradition, but did not receive a reply.)

Concerningly, according to Proceso, investigators of the federal state comptroller revealed in the audit of the federal budget in October 2021 that the López Obrador administration had paid more than 312 million pesos (US $16 million) to a Mexican businessman who had facilitated the acquisition of Pegasus in the past.

The López Obrador administration has not publicly responded to Proceso’s findings or the state comptroller’s report, but the president did say during his daily press briefing on August 3, 2021, that there ‘no longer existed a relationship’ with the developer of Pegasus. The president’s office had not responded to CPJ’s request for comment on the payment by the time of publication.

Experts at R3D and Citizen Lab said Pegasus traces on a journalist’s phone indicated they were hacked as recently as June 2021, just after they reported on alleged human rights abuses by the Mexican army for digital news outlet Animal Politico. The journalist was not named in reports of the incident.

“I don’t think anything has changed,” Villarreal said. “The risk continues to exist, but the government denied everything.”

R3D, together with a number of other civil society groups, has also pushed hard for new legislation to curb the use of surveillance technologies by lobbying directly to legislators and via platforms like the Open Government Alliance. So far, the result has been disappointing. Even though López Obrador and his party, the Movement of National Regeneration (Morena), hold absolute majorities in both chambers of federal congress and have repeatedly acknowledged the need to end illegal surveillance, there has been no meaningful push for new legislation on either the state or the federal level.

“There is indignation about surveillance, but my colleagues aren’t picking the issue up,” said Emilio Álvarez Icaza, an independent senator who has been outspoken about surveillance. “It’s an issue that at least the Senate does not seem to really care about.”

R3D’s García warns that Pegasus is just a part of the problem. R3D and other civil society groups say they have detected numerous other technologies that were acquired by state and federal authorities even after the scope of Pegasus’ use became clear.

“We’ve been able to detect the proliferation of systems that permit the intervention of telephones and there are publicly available documents that provide serious evidence that those systems have been used illegally,” García said. “The [attorney general’s office], for example, has acquired the capacity to conduct more than 100,000 searches of mobile phone data, but only gave clarity about 200 of them.”

“Even with regulation, the Mexican justice state has a tremendous problem of lack of transparency and accountability. The entire system seems to have been constructed to protect public officials,” said Ana Lorena Delgadillo, a lawyer and director of the Fundación para la Justicia, which provides legal support to Mexicans and Central Americans searching for ‘disappeared’ family members. “This is why I believe it’s important that cases of this nature are ultimately brought to the Supreme Court, but it’s hard to find people willing to litigate.”

Villarreal said he will not be one of those afraid to speak out. “Ultimately we’ve left our cases in the hands of civil society organizations,” he said. “Thing is, the spyware is just a new aspect of a problem that has always existed. The authorities have spied here, they will continue to do so. We have to adapt to the reality that we’ll never know the extent of what’s going on.”

This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen, CPJ Mexico Correspondent.

Last July, when the Pegasus Project investigation revealed that imprisoned Moroccan journalist Soulaiman Raissouni was selected for surveillance by Israeli-made Pegasus spyware, the journalist could only laugh. 

“I was so sure,” his wife Kholoud Mokhtari said Raissouni told her from prison. 

Raissouni is one of seven local journalists named by the Pegasus Project – an investigative consortium of media organizations – as a potential or confirmed target of Pegasus spyware. The news only validated what Moroccan’s journalist community had long suspected: that the state’s vast intelligence apparatus has been monitoring some journalists’ every move. 

Moroccan journalists were among the first worldwide to complain of the use of spyware against reporters, pointing to digital surveillance as early as 2015. In 2019 and 2020, Amnesty International announced the findings of forensic analyses confirming that Pegasus had been used on the phone of at least two Moroccan journalists, Omar Radi and Maati Monjib. Subsequent state action against some of the surveilled journalists underscored the ongoing threat to Morocco’s independent media – and reinforced CPJ’s conclusion that spyware attacks often are precursors to other press freedom violations. 

Both Raissouni and Radi are imprisoned in Morocco for what family and colleagues describe as trumped up sex crimes charges. Taoufik Bouachrine, another journalist whom the Pegasus Project said was targeted with the spyware, is imprisoned on similar charges. 

Read CPJ’s complete special report: When spyware turns phones into weapons

The Pegasus Project was unable to analyze the phones of all of those named as surveillance targets to confirm the infection and the Moroccan government has repeatedly denied ever using Pegasus. However, many of the three journalists’ private pictures, videos, texts, and phone calls, as well as those belonging to family members, were published in pro-government newspapers and sites like Chouf TV, Barlamane.com, Telexpresse, and then later used as evidence against the journalists in court.   

Bouachrine, former editor-in-chief of local independent newspaper Akhbar al-Youm, was arrested in February 2018, and is serving a 15-year prison sentence on numerous sexual assault and human trafficking charges. His wife, Asmae Moussaoui, told CPJ in a phone call in May 2022 that she believes she was surveilled, too. 

In April 2019, Moussaoui said she called a private Washington, D.C.-based communications firm to help her run ads in U.S. newspapers about Bouachrine’s case, hoping that the publicity might aid efforts to free her husband. The next day, Barlamane published a story alleging that Moussaoui paid tens of thousands of euros to the firm, using money the journalist allegedly earned through human trafficking activities. Human Rights Watch describes Barlamane as being “closely tied with security services.” 

Suspecting she was being monitored, Moussaoui turned to one of her husband’s lawyers, who suggested the pair “pull a prank” that would help them detect whether authorities were indeed spying on her. The lawyer “called me and proposed that we speak with Taoufik’s alleged victims to reconcile, which we did not really intend to do. The next day, tabloids published an article saying that our family is planning to bribe each victim with two million dirhams [about $182,000] so they drop the case. I became very sure [of the surveillance] then,” Moussaoui told CPJ.

Moroccan journalist and press freedom advocate Maati Monjib, co-founder of the Moroccan Association for Investigative Journalism (AMJI), had a similar experience. Monjib was arrested in December 2020 and sentenced to a year in prison the following month after he was convicted of endangering state security and money laundering fraud. The latter charge stems from AMJI’s work helping investigative journalists apply for grants, Monjib told CPJ in a phone call. 

“During one of our meetings at AMJI in 2015, I mentioned that we need to look for grants to support more journalists. The next day, one of the tabloids published a story claiming that Maati Monjib is giving 5,000 euros [$4,850] to every journalist who criticizes the general director of the national security. This is a proof that they were listening to our meeting,” said Monjib. 

The revelations have forced journalists and their family members to take precautions against surveillance – no easy task given the difficulty of detecting spyware infection without forensic help. “[Raissouni] told me to try to be safe, so I am trying my best,” Mokhtari, Raissouni’s wife, told CPJ. 

“Other than the usual precautions I take to protect my phone, I regularly update it and I never keep any personal pictures or important messages or emails on it,” she said. “I also buy a new phone every three months and destroy the old one, which has taken a financial toll on my family. But honestly you can’t escape it. The most tech-savvy person I know is our friend Omar Radi. He took all the necessary precautions against hacking, and they still managed to infect his devices.” 

Monjib brings his devices to tech experts almost daily to check for bugs and to clean them, he told CPJ, adding that he also never answers phone calls, only uses the encrypted Signal messaging app, and always speaks in code.

Aboubakr Jamai, a prominent Moroccan journalist and a 2003 CPJ International Press Freedom Award winner, was selected for surveillance with Pegasus in 2018 and 2019 — and confirmed as a target in 2019 — even though he has been living in France since 2007, according to the Pegasus Project. He believes that the Moroccan government is to blame for the spyware attacks, and that the surveillance has effectively ensured the end of independent journalism in the country, he told CPJ in a phone call. 

“For years now, there haven’t been any independent media or journalism associations,” said Jamai. What’s left now is a handful of individuals who have strong voices and choose to echo it using some news websites, but mainly social media platforms.” 

CPJ emailed the Moroccan Ministry of Interior in September for comment but did not receive any response. 

Still, Jamai – who gave no credence to the government’s earlier denials of Pegasus use – did see one positive result from the spyware disclosures. “It publicly exposed Morocco’s desperation and the extent to which it is willing to go to silence journalists,” he said. “Now the whole world knows that the Moroccan state is using Pegasus to spy on journalists.”

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp.

The indignation and humiliation were from seeing himself and other prominent journalists included on a list of convicted criminals and known mob figures considered to be threats to Hungary’s national security. The pride was because the Hungarian government, which routinely ignored his reporting questions, thought it was worth spending tens, if not hundreds, of thousands of dollars on his surveillance; the relief was the validation that his earlier suspicions about being spied on were not a sign of paranoia.

Other Hungarian journalists targeted for surveillance expressed similarly ambiguous emotions in interviews with CPJ. And all were skeptical that any future recommendations by the European Parliament’s committee of inquiry into Pegasus and other spyware, expected next year, would bring much relief in a country where independent media face an increasingly hostile press freedom climate under the government of right-wing Prime Minister Viktor Orbán.

Panyi, who continues to relentlessly investigate the surveillance scandal, is one of the few journalists still giving regular interviews to Hungarian and international media about his surveillance. Three other CPJ interviewees said that while they were making an exception in talking to the organization, they’d otherwise stopped making public statements on their experience because they did not want their Pegasus targeting to define their lives.

Read CPJ’s complete special report: When spyware turns phones into weapons

The three – crime reporter Brigitta Csikász, Zoltán Varga, owner of one of the country’s biggest independent news sites, 24.hu, and a reporter who asked not to be identified for fear that further publicity would negatively impact his career – were named as targets in July 2021, when Panyi broke the story for Direkt36 as part of its reporting for the Pegasus Project, an international investigation that found the phone numbers of more than 180 journalists on a global list of potential spyware targets. (The NSO Group, which makes Pegasus, denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.)

Along with Panyi, all the journalists recounted signs that they were under physical and digital surveillance before they were aware of Pegasus being used against them, and all said that their private and professional lives had changed since the scandal broke last year.

Csikász, who covers corruption, told CPJ in a phone interview that she had seen numerous signs that people might be watching her and was warned by friends for years that her phone might be monitored. “I did not get a heart attack, I was not at all traumatized,” she told CPJ in a phone interview about her reaction to the news that Pegasus was used to monitor the contents of her phone between early April and mid-November 2019.   

Csikász has even managed to find some humor in her situation. “My friends took it real easy, most of them just crack jokes and my family took it as a sign of prestige and importance. For them, it is as if I was awarded with a special journalism prize,” she said. She added that the publicity surrounding the disclosures had even prompted some sources to contact her because they heard about her in the news. “I was not, and I have not, become paranoid,” she told CPJ.

Still, Csikász, who currently works for daily tabloid newspaper Blikk and was reporting for the investigative outlet Átlátszó, remains concerned about the intrusion. “As a journalist, I respect my country’s laws and my profession’s ethical standards and I consider the possibility of being spied on as part of my job,” she said. However, she would like to know which of her numerous investigations were considered threats to national security.

Varga told CPJ in a video interview that he’d attracted government attention when he started investing in media in 2014. This scrutiny increased, especially when he made it clear around 2017 that he would not be willing to sell his assets in spite of quiet threats and warnings from businesspeople linked to the government. In recent years, he said, he had spotted people sitting in cars parked outside his house and apparent eavesdroppers sitting next to his table at restaurants. He recalled that his phone calls were often interrupted, he once heard a recording of a call played back from the start, and at one point German tech experts provided proof that his android phone had been hacked.

Panyi’s investigation found Varga’s Pegasus surveillance started around the time he invited six people to a dinner in his house in Budapest in June 2018, two months after Orbán won a third consecutive term as prime minister. All seven participants of the dinner were selected as potential candidates for surveillance and at least one of their phones showed evidence of infection under Amnesty’s forensic analysis.  

“I was only surprised that the regime used this type of high-level technology to spy on an otherwise innocent gathering of intellectuals,” Varga told CPJ in a video call. “It was far from being a coup, it was just a friendly gathering. We discussed the very high level of corruption in Hungary’s ruling elite and how to find ways to expose it. Using this kind of technology in such a situation for me just shows how much the government is afraid of its opponents,” he said.

The reporter who spoke on condition of anonymity was also surprised that the government would deploy such high-tech spyware against journalists. Although he’d seen indications of occasional physical surveillance, the Pegasus infiltration “came out of the blue and was a real shock to me,” he said in a phone interview. His “dark period” only eased when the fact of his surveillance was publicly reported. “Since then, I prefer not to speak about it and share my experiences with anyone but my friends,” he told CPJ.

Panyi said that the way he communicates with sources has now become much slower and more complicated. “Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life,” he told CPJ in a phone interview. He uses various secure digital tools and applications, is mindful about what networks he connects to on his computer or mobile phone, regularly goes to meetings without his phone, and continues to take physical notes.

Varga says the spyware disclosures have harmed some of his business ventures. “The Pegasus scandal made it obvious for both my business and private contacts that it might be risky to talk to me and they might also get exposed, which people obviously try to avoid,” Varga told CPJ, adding that acquaintances now crack Pegasus “jokes” in most of his meetings. “As a result of this whole affair, I have much less phone calls, more walking meetings outside, without phones in the pocket,” he said.

Many companies, including advertising agencies and advertisers for his news site, seem to prefer to avoid doing business with him, and their loss is not offset by the small number of ad-buyers who now see the site as an important media voice, said Varga. “I have become kind of toxic for my environment,” he told CPJ. 

The reporter who preferred not to be named said that his phone now “stays outside” whenever he sees friends and family and he uses a special anti-tracking case when he attends professional meetings.

Hungary’s government acknowledged in November 2021 that it had bought Pegasus spyware, but says that its surveillance of journalists and political critics was carried out in accordance with Hungarian law.

A government spokesman said that journalists might have been monitored because some of their sources were under surveillance on suspicion of crimes or terrorist links, not because the journalists were the direct targets of the investigations.

In January, the Hungarian National Authority for Data Protection and Freedom of Information issued a 55-page report, which concluded that in all the cases they investigated, including those involving journalists, all legal criteria for the application of the spyware were met and the spyware was used to protect Hungary’s national interests.  

These responses have left the journalists who spoke to CPJ with little hope that anyone will be held accountable for the intrusion on their lives. Nor do they expect help from the institutions of the European Union, where officials themselves have been targeted by spyware as they grapple with mounting political pressure over how to hold member states accountable for any breaches of the rule of law.

As the European Parliament’s committee of inquiry looks at the mountain of evidence that surveillance spyware has been used in EU countries and against EU citizens, the EU Commission lacks the powers to hold member states to account, and has been forced to refer those seeking justice to their national courts.    

Surveilled journalists might eventually get EU relief if a new draft European Media Freedom Act, released on September 16, becomes law. The Act could give journalists a path to file a complaint to the EU’s Court of Justice if they or those close to them are subject to the unjustified use of spyware. However, the Act still has to be reviewed by EU institutions and member states and may not survive in its current form.  

Meanwhile, Panyi does not believe Hungary’s courts can provide any relief. “The laws regulating national security, including surveillance, are so broadly formulated that it is legal to wiretap and surveil anyone,” he told CPJ. Noting that there was no independent oversight of the surveillance process, he added that “legal” in these cases meant only that “everything has been properly documented, and the necessary stamps are where they should be.”

In June, Panyi saw his concerns confirmed when the Central Investigation Prosecutor’s Office announced it had terminated its own investigation into the allegations of illegal surveillance of journalists and opposition politicians, citing absence of a crime. “A broad investigation which included classified documents found no unauthorized and secretive collection of information or the unauthorized use of a concealed device,” said the investigators. 

Additional reporting by Tom Gibson in Brussels

This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong/CPJ EU Correspondent.

The report includes a global overview of spyware and how it’s used against journalists, as well as four case studies from India, Mexico, Hungary, and Morocco. Each provides first-hand accounts from journalists, digital privacy advocates, and others who were themselves targeted by spyware. The report also includes an opinion column by David Kaye, a former U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, on what he recommends global leaders should do to stop the abuse of spyware. 

The final piece offers concrete policy recommendations from CPJ experts to governments, corporate entities, and international human rights organizations to combat the arbitrary or unlawful deployment of spyware.

The full report will be available on Thursday, October 13 at 5:00am ET at: https://cpj.org/spyware-press-freedom

If you would like to speak with a CPJ expert about the report or about spyware’s impact on journalism more broadly, please contact Adam Peck at cpj@westendstrategy.com or at +1 202-531-6408.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

“This new report definitively shows that Mexico’s President Andrés Manuel López Obrador can no longer hide behind blaming his predecessor for widespread use of Pegasus in Mexico,” said Jan-Albert Hootsen, CPJ’s Mexico representative. “Mexican authorities must immediately and transparently investigate the use of Pegasus and other spyware to target journalists during his administration, as well as push for more regulations to end the use of this technology against the press once and for all.”

The report was published by the Mexican digital rights organization R3D (Red en los Defensa de los Derechos Digitales) and rights and research groups Article 19 and SocialTIC. The University of Toronto’s Citizen Lab conducted a forensic analysis of the devices.

The device of an unnamed journalist from the online outlet Animal Político was infected in 2021, according to the report. Journalist Ricardo Raphael, a columnist for news magazine Proceso and newspaper Milenio Diario who was previously targeted in 2016 and 2017, was hacked with Pegasus at least three times in October and December 2019 and again in December 2020.

According to Citizen Lab, the more recent cases differ from previous use of Pegasus against Mexican journalists in several ways, including the use of zero-click attacks rather than malicious text messages designed to trick targets into clicking on links triggering an infection.

CPJ has documented how spyware is used to target journalists and those close to them worldwide, including repeated cases of Pegasus infections targeting journalists in Mexico, and has called for a moratorium on its trade pending better safeguards.

Israeli firm NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism. Mexican president López Obrador said in his daily press conferences earlier today that his government may address the revelations later this week.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

In a joint letter to Acting Solicitor General Brian Fletcher on August 3, the groups argued that Israeli-owned NSO Group should not enjoy sovereign immunity. The letter concerns a lawsuit WhatsApp and its parent Facebook, now called Meta Platforms Inc., filed in October 2019 alleging NSO Group used WhatsApp’s servers to deliver Pegasus spyware to the devices of more than 1,400 users. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism and claims that it should avoid accountability in U.S. courts because it acted as an agent of foreign governments under the doctrine of sovereign immunity.

In December 2020, CPJ joined an amicus brief to the U.S. Federal 9th Circuit Court urging the court to reject this argument. Following an appeal by NSO Group, in June 2022 the U.S. Supreme Court asked the solicitor general to file a brief regarding whether it should grant NSO Group’s petition for sovereign immunity.

As our letter argues, “The impact of such a finding would be that U.S. persons, including U.S.-based technology companies, on whose technologies civil society and regular users depend on across the world, and who are entitled to the protection of American laws, would be left without an effective remedy and unfettered violations of citizens’ right to privacy would be rampant.” You can read the full letter here.

In a second letter, sent Wednesday, August 23, to Secretary of Commerce Gina M. Raimondo, CPJ joined other groups in urging the Biden administration to keep NSO Group on the Entity List for Malicious Cyber Activities. The Entity List is a tool used by the Department of Commerce’s Bureau of Industry and Security to limit a designee’s access to U.S. exports. NSO was added to this list in November 2021, but reporting suggests both NSO and the Israeli government are lobbying to have the company removed. The joint letter details reporting about the use of Pegasus against journalists and activists since the original listing.

“The evidence of the use of Pegasus spyware against human rights defenders, journalists, opposition parties, and state officials by repressive regimes continues to mount, contrary to NSO Group’s claim that their spyware is used as a tool for investigating criminal activity and terrorism,” the letter states. You can read the full letter here.

This content originally appeared on Committee to Protect Journalists and was authored by Michael De Dora.

The Pegasus Project, an investigation by Amnesty International and a consortium of media outlets coordinated by Forbidden Stories, revealed in July 2021 that at least 180 journalists were among those from over 50 countries who may have been targeted with the sophisticated surveillance software.

Three journalists from the West African country of Togo were included on the Pegasus Project list. They told CPJ at the time about how the revelations had caused “nightmarish nights” and damage to their personal as well as professional lives. Twelve months on, they say the prospect of being monitored still generates pervasive paranoia and hinders their communications with sources.

“Since I heard this news until today I can no longer easily communicate with my phone,” Ferdinand Ayité, director of L’Alternative newspaper, recently told CPJ about the implications of his phone number being listed. “There is a kind of permanent fear that forces me to change my means of communication.”

That fear is aggravated as Togolese authorities intensify their crackdown on independent press since the Pegasus Project revelations.

NSO Group, the Israeli company that sells the Pegasus spyware, has denied any connection to the Pegasus Project list and has said it only sells spyware to governments to fight terrorism and crime. However, research shows that journalists and those close to them have been targeted, along with activists and politicians, around the world.

Citizen Lab, a University of Toronto-based research group, found Togolese clergy had been selected for Pegasus surveillance in 2019. Similarly, Amnesty International reported that a Togolese human rights defender, who requested anonymity for security reasons, had been targeted with a different, Indian-made spyware in late 2019 and early 2020.

Ayité, like other journalists whose phones were reportedly listed for potential surveillance in countries ranging from Morocco to Mexico to India to Hungary, said the disclosures had affected their ability to work. “Sources treat us differently. Several people are reluctant to take our phone calls, and we are forced to proceed otherwise,” he said. “Personally, I no longer call certain sources…To this day I continue to think that my communications are always followed and listened to and this has a negative impact on the work.”

Ayité and two other journalists⁠—Komlanvi Ketohou and Luc Abaki⁠—whose contacts featured among the over 300 Togolese phone numbers on the Pegasus Project list, have not confirmed if their devices were ever infected with the spyware. But they told CPJ how the threat of surveillance shaped their broader concerns about freedom of expression in Togo. Spyware was just one of the reasons the Togolese Press Patronage (PPT), a local association of media owners, called 2021 the “darkest [year] of the democratic era in Togo in terms of press freedom.”

Days after he learned that his number had been listed, Ayité told CPJ he was not surprised and described himself as “a journalist on borrowed time.” Less than six months later, in early December 2021, police arrested Ayité and Fraternité newspaper director Joël Egah, and detained them for over 20 days on accusations of “contempt of authorities” and “propagation of falsehoods.” Ayité said authorities retained his passport until mid-June; Egah died of a heart attack in March.

In May, Ayité and his newspaper lost their appeal of a separate defamation case. The ruling they sought to reverse had ordered them each to pay 2 million West African francs (US $3,703) in damages over a June 2020 report accusing a local official of embezzlement. Ayité said he and his legal team were preparing to appeal again to Togo’s Supreme Court.

Ketohou, who also uses the first name Carlos, told CPJ that even a year after learning his number was listed, people still worried about being in contact with him.

“They have fear to speak with me,” Ketohou said. “Fear that what they say will be listened to by Togolese authorities.”

Even when people do agree to speak with him over the phone, Ketohou said they often request a video call to be able to see that it’s really him on the other end of the line. Ketohou recognized that this would not necessarily protect against spyware that can grant remote access to a phone’s microphone and camera, but people were looking for ways to build confidence in their communications with him.

Reached by phone on July 15, Togo communication minister Akodah Ayewouadan said the government had no connection with the NSO Group, “has not used that [Pegasus] spyware and we have not communicated on it.” Ayewouadan requested that he be sent questions in writing, but as of Monday, July 18, CPJ had not received any response to those written questions.

Months before learning his number was listed, Ketohou was arrested by Togolese police and detained for several days over a report published by his L’Indépendant Express newspaper alleging corruption by government ministers. That paper was barred from publishing following his release and he fled the country amid ongoing threats against him and his family, setting up the L’Express International news site in exile.

Living outside Togo, Ketohou told CPJ that he has remained worried about the transnational reach of the Togolese government. He said in recent months he had received video calls from numbers he did not know, which he refused to answer. Even without evidence to suggest the callers wished to harm him, Ketuhou said he feared they sought to confirm visually that it was his phone and to collect information about his location.

Luc Abaki, who works as a freelance reporter, told CPJ that while being listed in the Pegasus Project leak didn’t significantly change his private life, “certain people, especially close to power carefully avoid my calls, in particular telephone. This means that I no longer have access to certain information that is sometimes essential for the work that I do as a journalist.”

“I work conscientiously with the main objective of aiming for the common good,” Abaki said. “I always observe prudence.”

This content originally appeared on Committee to Protect Journalists and was authored by Jonathan Rozen/CPJ Africa Research Associate.

The statement calls on authorities to release all journalists detained for their work, including Fahad Shah, Sajad Gul, and Aasif Sultan, who were granted bail but then re-arrested this year under the Jammu and Kashmir Public Safety Act, a preventative detention law. The groups also expressed concern about the use of spurious terrorism and sedition charges against members of the press including journalist Siddique Kappan, who has been detained since October 2020.

The statement notes that journalists belonging to minority communities are particularly vulnerable to harassment and retaliation. In January, a demeaning fake auction app was taken offline after it listed at least 20 female Muslim journalists for “sale,” all of whom covered the BJP government’s policies affecting religious minorities.

The statement also expresses concern about the use of Pegasus spyware to monitor journalists’ digital communications. The Pegasus Project has identified more than 40 Indian journalists who appeared on a leaked list of potential targets for surveillance by the spyware, which is produced by the Israeli company NSO Group. In October 2021, the Supreme Court of India ordered a “thorough inquiry” on the government’s alleged use of Pegasus against journalists and others.

Read the statement here.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

Throughout 2021, Suhair Jaradat, a freelance columnist for media outlets including the London-based Arabic news website Today’s Opinion, was repeatedly targeted by the spyware, according to a joint report published on Tuesday, April 5, by the human rights group Front Line Defenders and digital rights group Citizen Lab, as well as Jaradat, who spoke to CPJ in a phone interview.

From February to December of that year, Jaradat’s phone was infected with Pegasus spyware on at least six separate occasions, according to the journalist and that report.

The report states that a second journalist, who also works as a human rights activist, had her phone infected by the spyware at least twice in 2021; the report does not name that journalist, and CPJ was unable to immediately identify them.

“Jordanian authorities must swiftly and transparently investigate the alleged surveillance of journalist Suhair Jaradat and a second unidentified journalist, and ensure those responsible are held to account,” said Sherif Mansour, CPJ’s Middle East and North Africa program coordinator. “Journalists must be able to work without fear that hackers will gain access to their sources or their private lives.”

Jaradat told CPJ that she discovered her phone had been infected in May 2021, and officers with the local Criminal Investigation Department’s cybercrime unit were able to remove the spyware from her device. At a cybersecurity conference in February 2022, she again found that her phone had been compromised, she said. The Front Line Defenders and Citizen Lab report said that a forensic examination of her phone showed that it had been infected with Pegasus six times from February to December of 2021.

The joint report said that researchers suspected two groups of hackers were behind the campaigns targeting Jaradat, that anonymous journalist, and human rights advocates in Jordan. One of those groups was focused entirely on Jordan, and the other also had activities in Iraq, Lebanon, and Saudi Arabia. Front Line Defenders and Citizen Lab wrote that both groups were “likely agencies of the Jordanian government.” CPJ was unable to immediately determine the origin of the spyware infections.

When CPJ contacted Jordanian Ministry of Information manager Dina Doud via messaging app for comment, she referred CPJ to a statement published by the country’s National Cyber Security Center, which denied any government involvement in the use of spyware against journalists, and said it would have been illegal for authorities to have been involved in such activities.

Jaradat noted, “In Jordan, authorities stated before that they don’t use this spyware, and that people inside the Royal Court were also attacked by it. Then who is behind this attack?”

Jaradat writes commentary about Jordanian politics, and is often critical of authorities. She has covered topics including sedition, the silencing of the country’s political opposition, and the recent arrests of political and union figures.

“I can’t think of a reason but my articles” for prompting the hack, Jaradat told CPJ. “I don’t know for sure, but I can analyze that the goal behind affecting my phone with a spyware is to reach my sources or the people I work with.”

She added that the hack could be “a way of pressuring me to stop writing.”

CPJ has documented the use of Pegasus, spyware software made by the Israeli company NSO Group, to target journalists around the world and monitor their phones’ cameras, microphones, emails, texts, and calls. Journalists have been targeted with the software in Morocco, the United Arab Emirates, and Saudi Arabia, among other countries.

CPJ emailed NSO Group for comment, but received no response. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

Israel’s justice ministry last month denied a report by Israeli tech site Calcalist about the allegedly unlawful use of Pegasus spyware by Israeli police. An internal investigation determined that the claims, which newspapers including The New York Times could not replicate, were largely unfounded.

However, the furor over the Calcalist report, and the ministry’s acknowledgement that police had used spyware on a phone belonging to a key witness in the corruption trial of former Prime Minister Benjamin Netanyahu, has prompted fears among journalists that any overhaul of Israel’s surveillance laws could hamper their reporting.

“We want to protect our sources,” said Anat Saragusti, press freedom director at the Union of Journalists in Israel, which sent a letter to the attorney general with the group’s demand. “We want to protect freedom of information, and we want to protect our assets.” 

A February statement from the justice ministry noted that in 2018 police infiltrated a phone belonging to Shlomo Filber, a now former director general of the Communications Ministry who was under investigation at the time. He is now state’s witness in the Netanyahu trial. 

In order to monitor Filber’s phone, police obtained a wiretapping warrant – a particular detail that raised the eyebrows of legal experts in the country.

“It’s unclear what exactly is the legal basis for what [police] have done,” said Michael Birnhack, a privacy law professor at Tel Aviv University. 

Israel has no law authorizing “cyber-tools” like spyware for law enforcement purposes, according to the Israel Democracy Institute – and the wiretapping law cited to monitor Filber’s phone dates back to 1979.

The decades-old wiretap law, said Birnhack, is an ill-fit to authorize spyware given that the technology can do so much more than listen in on calls – it can suck up old data in the form of texts, photos, voice memos, and more, without the owner’s knowledge. 

“The technological options exceed regular search and they exceed wiretapping,” he said.  

With spyware there’s also a risk of “exposing excessive data” beyond the scope of a warrant, said Birnhack — something that happened in Filber’s case.

According to the justice ministry, police acquired extra information like Filber’s contact list, which they said was not passed on to investigators. (The ministry also said that the spyware infiltration did not yield anything relevant to the investigation.)

Even if journalists are exempted from legislation regulating spyware, police use of the technology has implications for the profession. Anat Ben-David, a professor of society and technology at Israel’s Open University, worries about a chilling effect on the press. 

“This is uncharted territory at the moment, but I will say this: just knowing that this is a possibility could lead to self-censorship and to changing journalistic norms and instilling fear.”

Ben-David questions whether the technology belongs in the hands of police at all, given its extreme prying capabilities. 

Pegasus, made by the NSO Group – an Israeli company now under U.S. trade embargo – allows the purchaser to access virtually everything stored on a cell phone and activate its microphone and camera without the owner’s knowledge.

CPJ has documented the use of Pegasus to spy on journalists around the world. Amnesty International and the University of Toronto’s CitizenLab said it was found on Palestinian activists’ phones, though Israel has denied it was behind the alleged hacks.

The justice ministry did not identify Pegasus as the spyware used on Filber’s phone, but a later statement made it clear that Israeli police do have the controversial technology. The police department, said the statement, did not use the “Pegasus software in its hands” to spy without a warrant on the people named in the Calcalist report.

NSO Group spokesperson Liron Bruck replied “no comment” when CPJ asked in an email if it provided Pegasus or other spyware to Israeli police or other authorities. An Israeli police spokesperson said in an email the department could not “confirm or deny” use of Pegasus.

Ben-David also worries that the impetus to legislate spyware is following a pattern in which Israel introduces new monitoring technology and later legalizes its use against citizens.

“Surveillance technologies are introduced through the back door, and after petitions to the Supreme Court they enter through the front door through legislation,” said Ben-David.  

She pointed to the security services’ tracking of cell phones to curb transmission of COVID-19. After repeated legal challenges from civil rights groups, the Israeli Knesset passed a law approving the tracking. In March 2021, Israel’s Supreme Court outlawed the practice for Israelis who cooperated with contact tracing efforts, though it was briefly reinstated by emergency order to counter the Omicron variant.

Journalists, however, had been exempted from the tracking since April 2020 after a petition from the Union of Journalists, the group that wants to make sure the press is excluded from spyware laws.

Israeli journalists do have some protections. A 1987 Supreme Court ruling said that journalists don’t have to reveal their sources unless a court deems it critical to prevent a crime or save a life.

But journalists can find their sources exposed through other means. Police obtained information about Filber’s calls with two Israeli broadcast journalists, Amit Segal of Channel 12 and Raviv Drucker of Channel 13, when it spied on Filber’s phone, according to Haaretz.

Segal told CPJ that he learned that his interviews were snooped on from the newspaper, while Drucker learned about his exposure in the course of his own reporting. A justice ministry spokesperson would not confirm or deny the Haaretz report in a phone call with CPJ.

It’s not clear if police used spyware or another type of monitoring technology to listen in on the calls with the journalists.

Regardless of the method used, Segal told CPJ it was “not very pleasant” to learn that police had accessed his interviews with Filber, especially since he reports critically on the police.

“They shouldn’t wiretap conversations with journalists,” said Segal, who added that police are not supposed to transcribe conversations between journalists and their sources. “It is not OK, but it is not the most severe attack on journalists the world has ever seen.” 

Drucker, for his part, called it a “breach of the journalistic relationship between a source and a journalist.” A private conversation with a source “is not something that should be exposed.”

Drucker added that he hopes lawmakers considering surveillance legislation “will take into account the interest of the free press and the free media and journalists’ ability to do their work.”

Now, Segal, Drucker, and the Israeli press corps at large, are watching to see if the government will heed their concerns.   

This content originally appeared on Committee to Protect Journalists and was authored by Naomi Zeveloff/CPJ Features Editor.

On Wednesday, members of the European Parliament are set to vote on establishing a committee to investigate how EU member states have used Pegasus spyware to monitor people, including journalists in Europe, as well as the international reach of intrusive spyware. That committee’s final report could include recommendations that would shape the EU’s approach on tackling surveillance for years to come.

“The Committee of Inquiry should leave no stone unturned in its investigation into the use of spyware, and it must do everything possible to hold EU member states and institutions, as well as international companies, to account for the surveillance of journalists,” said Tom Gibson, CPJ’s EU representative. “This is the EU’s opportunity to take an international lead on curbing the malicious use of spyware to surveil journalists.”

CPJ has reported extensively on the use of spyware to target journalists because of their work. Israel-based NSO Group, which produces Pegasus, has said it sells only to vetted governments and law enforcement agencies.

The committee’s investigation would take place as the EU also works to more closely monitor press freedom trends in member states through its rule of law mechanism, and to better oversee recent EU legislation on the export of dual-use surveillance technology that could be used to spy on journalists. 

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

CPJ joined civil society and media groups yesterday in a statement calling on Salvadoran authorities to respond to the findings by experts at Citizen Lab and Access Now, among others. It’s not clear who was operating the spyware, but Pegasus creator NSO Group, an Israeli company, has repeatedly said it sells Pegasus only to vetted government clients and investigates allegations of abuse. More than 180 journalists around the world were identified as possible Pegasus targets last July in investigative reports that the company said were false.

The incidents in El Salvador were first publicized in November, when several journalists with iPhones reported Apple had notified them about possible spyware; Apple subsequently filed a lawsuit against NSO in a U.S. court for facilitating surveillance.

Gavarrete covers politics, health, environment, and gender for El Faro and previously worked at Gato Encerrado. Investigators found that staff at both independent digital outlets faced repeated Pegasus attacks in 2020 and 2021, especially El Faro, which reported 22 phones owned by its journalists were infected 226 times in total. The incidents coincided with some of their most hard-hitting investigations, Gavarrete told CPJ. 

President Nayib Bukele and other Salvadoran officials have also singled out the sites and other independent outlets, disparaging staff, barring entry to press conferences, and denying work permits since Bukele’s election in 2019. 

CPJ emailed Bukele’s office for comment but did not receive a response.

In a recent phone interview, Gavarrete told CPJ’s Dánae Vílchez about how knowledge of the spyware has affected her reporting. The interview has been edited for length and clarity.

Let’s talk about context: What is happening in El Salvador right now regarding press freedom?

In 2021 we saw setbacks – [fewer options] for citizens requesting information from institutions to understand what the government is doing with public funds, and the government also took a more concrete position against media it considered “inconvenient,” those that are doing watchdog work and monitoring finances. I don’t believe the situation will improve.

Were you afraid you were being spied on?

Several of us already suspected that [our communications] were being intercepted. Information that we shared was later made public on social media through trolls and Twitter accounts, [or] on pages that share fake news. But it was just a hunch.

Last year I was working on an investigative project, and it seemed like someone had read my conversations with a source. People stopped us at the entrance to a building like they knew we were going to be there. That confirmed to me that we were being monitored, but I never knew where the intervention came from.

I don’t know, for example, if the theft of my computer was state surveillance. [Editor’s note: In 2020, Gavarrete’s laptop was stolen from her home though other valuables were untouched; she was working for Gato Encerrado at the time.] I could never confirm it because the investigation never went anywhere.

How did you find out what was really going on?

I was able to confirm that I was being monitored with Pegasus working directly with organizations that were looking into this matter here in El Salvador.

My first impression was shock; suspecting you’ve been targeted isn’t the same as knowing. It hit me not only on a professional level, but also emotionally. To think about the amount of information that passes through a device, and the personal information they can access and what they can do with [it]…Processing that took me a bit of time, but in the end you have to turn the page and try to continue. That was my way of coping.

From what you know, can you tell us a little about what was found on the phones?

We found continuous interventions in which [someone] had access to and extracted information from our phones. Analysis allowed us to identify specific dates when the infections occurred.

Many of my initial thoughts were about work: What kind of information was reaching my phone [on] those days? What sources was I seeing?

Then I thought about difficult moments in my life, [like] my father’s illness. Not only are these people interested in knowing who you are as a journalist, but they want to know what happens in your personal life. Imagine the type of unscrupulous people behind this.

There were dates when a number of [us] were subject to heavy surveillance. Some journalists endured [it for] at least a year. Even for the researchers [performing the analysis], the obsessive use of Pegasus in El Salvador was very strange. It is not just that devices were being infected, but that the infections were constant.

Why do you think the government would be interested in monitoring your work?

Those who are behind these interventions are undoubtedly interested in knowing what is being produced in our newsroom. The government will always be interested in knowing what journalists who are investigating them are doing, although we do not have evidence of specific contracts.

What has become very clear to us is that during the periods when we have been surveilled, El Faro was working on hard-hitting reports into corruption or irregular purchases. There isn’t a single day that the reports showed we had been infected that wasn’t related to something that El Faro published or an ongoing investigation.

At a global level, state surveillance shows that governments are interested in controlling what is said about them, and not fighting organized crime.

Has the government acknowledged what happened or taken any responsibility?

The government distanced itself from the messages from Apple. Some officials said that what Apple was saying was not about El Salvador. It was just a matter of denying and trying to shift attention elsewhere.

We hope the government can provide answers, clarify whether it is using this type of software, [and] investigate who is behind all this – and that the international community gets more involved in demanding that we get these answers. We are talking about an excessive amount of money that someone is spending on this.

How has this situation affected your work as a journalist? How does it make you feel?

It is a stressful burden. Now it’s confirmed, it is not only about protecting our integrity and that of our sources, but also our families, trying to explain what is going on and why they can’t communicate with us “normally.” [Our devices] may still be infected. Anything sensitive that they want to say to me, they can only say in person. This is one of the most significant pressures that I have had to deal with.

I was cautious before, but [now] I am even more extreme to avoid putting sources in danger. But it wears you out day-to-day, and you have to make an even greater effort to be able to produce journalism.

See CPJ’s safety advisory, “Journalist targets of Pegasus spyware”

This content originally appeared on Committee to Protect Journalists and was authored by Dánae Vílchez/CPJ Central America Correspondent.

The statement identified “one of the most persistent and intensive known uses of Pegasus to surveil journalists in the world” based on forensic analysis of dozens of phones by rights and research groupsAccess Now, Front Line Defenders, The Citizen Lab, Amnesty International, Fundación Acceso, and SocialTIC.

Devices belonging to 35 people, mostly journalists along with a few members of civil society, were infected with Pegasus between July 2020 and November 2021, according to the findings; more than half worked for independent digital media outlet El Faro. Pegasus can control phones and extract content without the owners’ knowledge, and some of the devices were infiltrated more than 40 times, the statement said.  

Since his election in 2019, Salvadoran President Nayib Bukele and other government officials have consistently used anti-press rhetoric and harassed independent media outlets, individual journalists, and others critical of his administration.

According to the statement, it is not clear who was responsible for the surveillance, but the Israel-based NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism. CPJ emailed the company to ask about clients in El Salvador but did not receive a response before publication.

CPJ has documented how spyware is used to target journalists and those close to them around the world and called for a moratorium on its trade pending better safeguards.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On November 23, the Fundación para la Justicia y el Estado Democrático de Derecho, a Mexico City-based legal nonprofit, revealed in the Washington Post that the Mexican federal attorney general’s office (FGR) had in 2016 opened an “organized crime” and “kidnapping” investigation into Turati, the nonprofit’s director Ana Lorena Delgadillo, and Argentine forensic anthropologist Mercedes Doretti.

The investigation into the three women was part of a broader probe into the 2011 mass disappearance of almost 200 people in San Fernando, in the northern Mexican state of Tamaulipas, which Turati reported on for Mexico City weekly Proceso. Mexican federal authorities alleged that Los Zetas, one of the country’s most notorious and violent criminal gangs, was behind the disappearances.

If being investigated wasn’t shocking enough, Turati also learned that authorities had surveilled her as part of the probe. According to the foundation, the federal attorney general’s office obtained phone and geolocation data on the women without a court order. It was able to do that because Mexican law compels mobile phone operators – in Turati’s case, Movistar – to cooperate with federal authorities in organized crime probes.

The revelation came shortly after Turati learned that she was one of at least 25 journalists in Mexico who had been selected for potential surveillance with Pegasus phone hacking technology, according to a report by investigative journalism nonprofit Forbidden Stories. NSO Group, the Israeli company that makes Pegasus and sells it to government clients, disputes the report.

FGR has not commented publicly on the case. CPJ sent a request for comment to the assistant of Raúl Tovar, the chief spokesperson for the FGR and attorney general Alejandro Gertz Manero via messaging app, but did not receive a reply.

CPJ spoke with Turati about how the discovery of the investigation has impacted her and what it means for investigative reporting in Mexico, which is, according to CPJ research, the deadliest country for journalists in the Western Hemisphere. The interview has been edited for length and clarity.

What was your initial response to learning you were investigated by federal authorities?

It came as a huge shock to me, because I saw my photo, my digital fingerprint, contact I had with my family, my address, everything. First I felt very angry, then I felt scared and, exposed, especially after I was told earlier this year that I was also targeted with the Pegasus spyware. If that was successful, then they have also had access to my messages, email, and photos.

I’m also angry for what this means for investigative journalism in Mexico. It’s as if they have exposed my professional secrets as a journalist. Ultimately what they did was send an analysis to the Federal Police to see how many times I met my sources. They also looked into calls I made to the lawyer of the families, that I had covered Ayotzinapa [the abduction of 43 students of a rural teachers’ college in the southern Mexican state of Guerrero in 2014, which authorities said was possibly a mass murder]. We haven’t seen a lot of the documents yet, but we’re talking about some 500 pages about my life. I’m really worried about what else may turn up.

FGR specifically labeled the investigation as one into “organized crime” and “kidnapping” in the case file —how does this ease its ability to surveil you?  

They did it to trick the system. When a person disappears in Mexico and they urgently request mobile phone data to track calls, it can take months to obtain the information. In our case they got the data in just 24 hours. They can skip the judge [by tagging an investigation as “organized crime”]. They didn’t create a separate case file about us, but they included us in a case as if we were suspects.

What does the inclusion of your name in this federal organized crime probe mean for Mexican journalists who cover human rights abuses?

This happened in 2015 and 2016, under a different government than that of President Andrés Manuel López Obrador, but the investigator who requested the data is the same who handed the case file to the foundation in May [in compliance with a Mexican Supreme Court ruling, according to the Washington Post]. He still works at the attorney general’s office, and there are the others who have a copy, who signed off. They’re all still there.

There are a lot of things that go through my mind. As happened with the Pegasus spyware case, the people who did this are still working there. We haven’t been shown that the FGR has been purged. This is very serious. It can still happen; we really only found out about this case by accident. How many others are there?

Another thing is that, if a journalist can’t keep her sources secret, it’s like taking us out of the water we swim in. You take away the right of people to report abuses. I felt that this is not just something they did to me. They abuse the state apparatus; the FGR was involved, federal police, forensic investigators, and the highest officials were informed, because they received copies of the case file.

Do you have any faith that the López Obrador administration will take steps to prevent this from happening again?

I’m not sure. Alejandro Encinas, the undersecretary for Human Rights, condemned it and promised that it would be investigated, but he’s not the one with the authority to do something about this. The FGR hasn’t said anything. They can change the story. They can end impunity in this case by sanctioning the officials who were responsible if they want to. But we don’t know what’s going on.

Will this change the way you work as a reporter?

I do everything by myself, but since Pegasus I ask myself how it’s possible to defend yourself against this. Would I have to stop using smartphones and do things like they did with Watergate, leaving a ribbon on my balcony so sources know that I want to talk with them? Even if you use different phones and take courses in cybersecurity, how much can one really do? How can you do journalism without speaking with a source of the telephone, if you can’t be sure that they’re not spying on you?

This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen/CPJ Mexico Representative.

Reporters Without Borders

The 2021 Reporters Without Borders (RSF) Press Freedom Awards have been given to Chinese journalist Zhang Zhan in the courage category, Palestinian journalist Majdoleen Hassona in the independence category, and the Pegasus Project in the impact category.

RSF’s press freedom prizes are awarded every year to journalists or media that have made a notable contribution to the defence or promotion of freedom of the press in the world.

This is the 29th year they have been awarded.

• READ MORE: The RSF Press Freedom Awards

The 2021 awards have been given in three categories — journalistic courage, impact and independence. Six journalists and six media outlets or journalists’ organisations from a total of 11 countries were nominated.

Courage Prize
The 2021 Prize for Courage, which aims to support and salute journalists, media outlets or NGOs that have displayed courage in the practice, defence or promotion of journalism, has been awarded to Chinese journalist Zhang Zhan.

Despite constant threats, this lawyer-turned-journalist covered the covid-19 outbreak in the city of Wuhan in February 2020, live-streaming video reports on social media that showed the city’s streets and hospitals, and the families of the sick.

Her reporting from the heart of the pandemic’s initial epicentre was one of the main sources of independent information about the health situation in Wuhan at the time.

After being arrested in May 2020 and held incommunicado for several months without any official reason being provided, Zhang Zhan was sentenced on 28 December 2020 to four years in prison for “picking quarrels and provoking trouble”.

In protest against this injustice and the mistreatment to which she was subjected, she went on a hunger strike that resulted in her being shackled and force-fed. Her friends and family now fear for her life, and her health has worsened dramatically in recent weeks.

Independence Prize
The 2021 Prize for Independence, which rewards journalists, media outlets or NGOs that have resisted financial, political, economic or religious pressure in a noteworthy manner, has been awarded to Palestinian journalist Majdoleen Hassona.

Before joining the Turkish TV channel TRT and relocating to Istanbul, this Palestinian journalist was often harassed and prosecuted by both Israeli and Palestinian authorities for her critical reporting.

While on a return visit to the West Bank in August 2019 with her fiancé (also a TRT journalist based in Turkey), she was stopped at an Israeli checkpoint and was told that she was subject to a ban on leaving the territory that had been issued by Israeli intelligence “for security reasons”.

She has been stranded in the West Bank ever since but decided to resume reporting there and covered the anti-government protests in June 2021 following the death of the activist Nizar Banat.

Impact Prize
The 2021 Prize for Impact, which rewards journalists, media outlets or NGOS that have contributed to clear improvements in journalistic freedom, independence and pluralism, or increased awareness of these issues, has been awarded to the Pegasus Project.

The Pegasus Project is an investigation by an international consortium of more than 80 journalists from 17 media outlets* in 11 different countries that was coordinated by the NGO Forbidden Stories with technical support from experts at Amnesty International’s Security Lab.

Based on a leak of more than 50,000 phone numbers targeted by Pegasus, spyware made by the Israeli company NSO Group, the Pegasus Project revealed that nearly 200 journalists were targeted for spying by 11 governments — both autocratic and democratic — which had acquired licences to use Pegasus.

This investigation has made people aware of the extent of the surveillance to which journalists are exposed and has led many media outlets and RSF to file complaints and demand a moratorium on surveillance technology sales.

“For defying censorship and alerting the world to the reality of the nascent pandemic, the laureate in the ‘courage’ category is now in prison and her state of health is extremely worrying,” said RSF secretary-general Christophe Deloire.

“For displaying a critical attitude and perseverance, the laureate in the ‘independence category has been unable to leave Israeli-controlled territory for the past two years.

“For having revealed the scale of the surveillance to which journalists can be subjected, some of the journalists who are laureates in the ‘impact’ category are now being prosecuted by governments.

“This, unfortunately, sums up the situation of journalism today. The RSF Award laureates embody the noblest journalistic qualities and also pay the highest price because of this. They deserve not only our admiration but also our support.”

Chaired by RSF president Pierre Haski, the jury of the 29th RSF Press Freedom Awards consisted of prominent journalists and free speech defenders from across the world: Rana Ayyub, an Indian journalist and Washington Post opinion columnist;  Raphaëlle Bacqué, a leading French reporter for Le Monde; Mazen Darwish, a Syrian lawyer and president of the Syrian Centre for Media and Freedom of Expression; Zaina Erhaim, a Syrian journalist and communication consultant; Erick Kabendera, a Tanzanian investigative reporter; Hamid Mir, a Pakistani news editor, columnist and writer; Frederik Obermaier, a German investigative journalist with Munich’s Süddeutsche Zeitung newspaper; and Mikhail Zygar, a Russian journalist and founding editor-in-chief of Dozhd, Russia’s only independent TV news channel.

Previous winners of this prize, which was created in 1992, have included Russian journalist Elena Milashina (2020 Prize for Courage), Saudi blogger Raif Badawi (Netizen category prize in 2014) and the Chinese Nobel Peace laureate Liu Xiaobo (Press Freedom Defender prize in 2004).

Pacific Media Watch works in association with Reporters Without Borders.

*(Aristegui Noticias, Daraj, Die Zeit, Direkt 36, Knack, Forbidden Stories, Haaretz, Le Monde, Organised Crime and Corruption Reporting Project, Proceso, PBS Frontline, Radio France, Le Soir, Süddeutsche Zeitung, The Guardian, The Washington Post and The Wire)

This content originally appeared on Asia Pacific Report and was authored by Pacific Media Watch.

The move represented a relatively new use for the Entity List for Malicious Cyber Activities, a tool used by the department’s Bureau of Industry and Security to limit a designee’s access to U.S. exports,lawyer Douglas Jacobson, who specializes in export control and sanctions, told CPJ in a recent phone call. Economic sanctions, a stricter control, are more common in response to human rights concerns, but export restrictions could have limited impact on the company, he said.

Commerce listed three other companies in its November 3 press release. NSO, however, is the best known of the group for its development of advanced Pegasus spyware which can infiltrate individual cellphones for surveillance purposes. The company says it sells to vetted government clients for law enforcement purposes and investigates reports of abuse – but forensic experts say dozens of journalists are among the targets. In July, reporting by 17 global media outlets found that at least 180 journalists were possible targets of surveillance by government clients of NSO. CPJ has found that some of those, such as the jailed Moroccan journalist Omar Radi, face severe reprisals for their work.

NSO told CPJ it was dismayed by the U.S. listing, and that its “rigorous compliance and human rights programs” have led to “multiple terminations of contacts with government agencies that misused our products.” The company has previously told CPJ that it investigated allegations that Pegasus was used to surveil Omar Radi, without elaborating on its findings.  

The Commerce Department linked one of the other three newly-listed companies, Israel-based Candiru, to spyware used to target journalists. The University of Toronto-based Citizen Lab reported in July that Candiru appeared to be responsible for malware attacks Microsoft described as targeting “more than 100 victims around the world,” including unnamed journalists and human rights activists. CPJ attempted to reach Candiru for comment, but the company does not have a website and Eitan Achlow, who was identified as the CEO in news reports, does not allow messaging on his LinkedIn profile. 

CPJ spoke to Jacobson about what the export restriction could mean for NSO Group. The interview has been edited for length and clarity.

What are the practical implications of being on the entity list?

[It] imposes a license requirement, but the U.S. is not penalizing NSO or Candiru or any of these other companies. They are just restricting their access to certain goods that are known to be subject to the Export Administration Regulations [everything that’s in the US or manufactured in the US, including software]. U.S. companies can [still] import goods from these companies if they want to.

The license requirement [could apply] to something as mundane as [the] desk chair you’re sitting on. A furniture company would need a license to export office furniture to the NSO Group. The license review policy is one of presumption of denial – if I wanted to submit a license on behalf of the client to NSO Group for office furniture, then I would have to convince the [Bureau of Industry and Security] to overcome this presumption of denial. It is intended to prevent them from getting certain technologies.  

I would imagine this would have a negative impact on NSO, because this will limit their ability to acquire even a new Windows laptop computer, for example.

Will it be crippling? Doubtful. There are certainly many workarounds that companies could use in order to acquire what they need. The U.S. is no longer the only producer of high-tech knowledge, and many U.S. [goods] may not even be subject to [these export regulations] because they’re manufactured [abroad]. But I think that this is a high-profile action.

Somebody asked me yesterday, is this really something that would make a [supplier] think twice? If I was advising a German company [on whether to] sell to NSO, I [would] say that’s a business decision. Your goods are not subject to [U.S. export regulation], so you wouldn’t be violating US law by doing that.

But for certain suppliers, it’s a PR risk?

Correct. [In case] the Wall Street Journal or whomever did an exposé and said, “This company in Germany or this company in Japan continues to sell to NSO.”

Is there a penalty from Commerce if they catch a U.S. company supplying someone on the entity list without a license?

Absolutely. The maximum civil penalty for violations of the [export regulations] is the greater of $308,901 per violation or twice the value of the transaction that is the basis of the violation.

Does this export restriction include services such as web hosting, training, service maintenance?

This does not apply to services at all. [The export regulations] only govern the export of tangible goods, software, or technology information. If you’re just going to repair something that is broken, for example, and a repairman goes to Israel [to repair] a server and they’re not having to provide the company with any information or replacement parts, then that would not be prohibited. And “technology” is broad – there’s a definition of technology in the Export Administration Regulations, but it doesn’t cover everything.

Senator Ron Wyden told The New York Times that sanctions should be applied to NSO Group under the Global Magnitsky Act. Is that possible?

The Global Magnitsky sanctionsare administered by the U.S. Department of Treasury’s Office of Foreign Assets Control, or OFAC, and can be applied to companies. That’s human rights related, and that would have a much bigger impact on NSO.

[Economic sanctions like these] prohibit financial transactions by U.S. persons, company, or citizen. They are broad; they prohibit the export of U.S. goods, they prohibit payments to those individuals, and they also prohibit services [provided to them].

The Commerce Department announcement lists a number of subsidiaries for Candiru, but none of the known subsidiaries for NSO Group are listed. Does that mean those subsidiary companies would not be considered during implementation?

[It] doesn’t apply to any of their affiliates unless they are named. However, a company [supplying exported goods] has to be very careful because that affiliate may be a conduit by which the main prohibited company is acquiring goods that they shouldn’t be acquiring.

Something else that struck me about this listing was the reasoning that it was a consequence for human rights violations, particularly about journalists being maliciously targeted. Is that a normal reasoning to get a company on this list?

The criteria [include] reasonable cause to believe that the entity has been involved in activities that are contrary to the national security or foreign policy interest of the U.S.

Foreign policy is a broader, more amorphous term, of course. That is what is being used as the basis for these human rights designations, which is, relatively, a broader interpretation of foreign policy [in the context of the entity list].  

How often is this list reviewed? What is the process?

The process is not an easy one, particularly when it comes to human rights issues. [China’s] Huawei has been on it for [almost] three years. There doesn’t appear to be much of an off-ramp for Huawei because of the national security issues – but there is an off-ramp. It does take time, [but] parties are removed from the entity list periodically. A company does have a chance to appeal their listing.

The problem is, [the group that would remove them is] the same group that added them. This is called the End-User Review Committee, which is an interagency group chaired by the Department of Commerce. There has to be some change in behavior or [proof] that they didn’t do what they were alleged to have done.

This content originally appeared on Committee to Protect Journalists and was authored by Alicia Ceccanese.

Russian company Positive Technologies and the Singapore-based Computer Security Initiative Consultancy also made the list “based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”

The move had a measure of approval in Congress. “The entity listing signals that the US government is ready to take strong action to stop US exports and investors from engaging with such companies,” came the approving remarks in a joint statement from Democrat House Representatives Tom Malinowski, Anna Eshoo and Joaquin Castro.

This offers mild comfort to students of the private surveillance industry, who have shown it to be governed by traditional capitalist incentive rather than firm political ideology.  Steven Feldstein of the Carnegie Endowment’s Democracy, Conflict, and Governance Program observes how such entities have actually thrived in liberal democratic states.  “Relevant companies, such as Cellebrite, FinFisher, Blue Coat, Hacking Team, Cyberpoint, L3 Technologies, Verint, and NSO group, are headquartered in the most democratic countries in the world, including the United States, Italy, France, Germany, and Israel.”

The relationship between Digital China and Austin-based Oracle shows how talk about democracy and such ideals are fairly meaningless in such transactions.  Digital China is credited with aiding the PRC develop a surveillance state; software and data analytics company Oracle, despite pledging to “uphold and respect human rights for all people” was still happy to count Digital China a global “partner of the year” in 2018.  Its software products have been used to aid police in Liaoning province to do, among other things, gather details on financial records, travel information, social media and surveillance camera footage.  What’s bad for human rights is very good for business.

In its indignant response to the Commerce Department’s blacklisting, NSO wished to point out to US authorities how its own “technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”  Portraying itself as a card-carrying member of the human rights fraternity, the company claimed to have “the world’s most rigorous compliance and human rights programs that are based [on] the American values we deeply share”.  Previous contracts with governments had been terminated because they had “misused our products.”

As NSO has shown on numerous previous occasions, such strident assertions rarely match the record.  In July, an investigation known as the Pegasus Project, an initiative of 17 media organisations and groups, reported how 50,000 phone numbers had appeared on a list of hackable targets that had interested a number of governments.  The spyware used in question was Pegasus, that most disturbingly appealing of creations by NSO designed to infect the phone in question and turn it into a surveillance tool for the relevant user.

The range of targets was skin crawlingly impressive: human rights activists, business executives, journalists, politicians and government officials.  None of this was new to those who have kept an eye on the exploits of the Israeli concern. Its sale of Pegasus has seen it feature in lawsuits from private citizens and companies such as WhatsApp keen to rein in its insidious practices.

Despite denying any connection, the company will be forever associated with providing the tools to one of its clients, the Kingdom of Saudi Arabia, to monitor calls made by Saudi journalist Jamal Khashoggi and a fellow dissident scribbler, Omar Abdulaziz.  In October 2018, Khashoggi was carved to oblivion on the premises of the Saudi consulate in Istanbul by a hit squad with prints stretching back to Crown Prince Mohammed bin Salman.  In a legal suit against NSO, lawyers for Abdulaziz argue that the hacking of his phone “contributed in a significant manner to the decision to murder Mr Khashoggi.”  To date, the vicious, petulant modernist royal remains at large, feted by governments the world over as a reformer.

While NSO has hogged the rude limelight on the international spyware market, that other Israeli-based concern, Candiru, has been a rolling hit with government clients.  Their products are also tailored to infecting and monitoring iPhones, Androids, Macs, PCs, and, discomfortingly enough, cloud accounts.

Those behind this company evidently have a distasteful sense of humour; the original candiru of Amazon River fame is, goes one account in the Journal of Travel Medicine, “known as a little fish keen on entering the nether regions of people urinating in the Amazon River.”  Equipped with spikes, the fish invades and fastens itself within penis, vagina or rectum, making it a gruesome challenge to remove.  However colourful the imaginative accounts of the Candiru’s exploits are – William S. Burroughs’ Naked Lunch is merely one – the Israeli version is far more sinister and deserves consternated worry.

In July this year, the Citizen Lab based at the University of Toronto identified over 750 websites that had been influenced by the use of Candiru spyware.  “We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.”  The company, founded in 2014, maintains an opaque operations and recruitment structure, reputedly drawing expertise from the Israeli Defence Forces Unit 8200, responsible for code encryption and gathering signals intelligence.

Within two years of its founding, the company had raked in $30 million in sales, establishing a slew of clients across Europe, states across the former Soviet Union, the Persian Gulf, Asia and Latin America.  A labour dispute between a former senior employee and the company shed some light on the company’s activities, with one document, signed by an unnamed vice president, noting the offering of a “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets, by using explosions and disseminations operations.”

NSO Group’s reputation, and credentials, are now impossible to ignore.  The Israeli government, which grants the export licenses that enable the likes of NSO and Candiru to operate, is splitting hairs.  “NSO is a private company,” insists Israel’s Foreign Minister Yair Lapid, “it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.”  In his view, no other country had “such strict rules according to cyber warfare” and “imposing those rules more than Israel and we will continue to do so.”

No Israeli government is likely to entirely abandon companies that make annual sales of $1 billion in the business of offensive cyber.  The efforts by governments the world over to attack encrypted communications while trampling human rights on route have become unrelenting.  In that quest, it matters little whether you are a citizen journalist, a master criminal, or a terrorist.  Those deploying the spyware rarely make such distinctions.

This content originally appeared on Dissident Voice and was authored by Binoy Kampmark.

The risk was reaffirmed this month with the release of the Pegasus Project, collaborative reporting by 17 global media outlets on a list of thousands of leaked phone numbers allegedly selected for possible surveillance by government clients of Israeli firm NSO Group. According to the groups involved in the project, at least 180 journalists are implicated as targets.   

NSO Group denied any connection with the list in a statement to CPJ; it says that only vetted government clients can purchase its Pegasus spyware to fight crime and terrorism.

Among the outlets analyzing the data is the global journalism network Organized Crime and Corruption Reporting Project, which, as of July 29, had listed 122 of those journalists on its website.

Not all of those focus on corruption, Drew Sullivan, OCCRP co-founder and publisher, told CPJ in a recent video call. But several of OCCRP’s own partners in corruption reporting featured, he said, listing people who have worked for Azerbaijan’s independent outlet Meydan TV and Hungary’s investigative outlet Direkt 36 as examples.

“People who are looking at problems with these administrations — which tend to be somewhat autocratic — in a lot of countries they were perceived as enemies of the state because they were holding governments accountable,” he said.   

At least four corruption reporters whose cases CPJ has been tracking for years — in Mexico, Morocco, Azerbaijan, and India — appeared in the Pegasus Project reporting as possible spyware victims. Their inclusion in the project adds a new dimension to their stories of persecution, suggesting governments are increasingly willing to explore controversial technology as yet another tool to silence corruption journalism.

Here’s how the Pegasus Project revelations have shed new light on these four cases: 

Freelance journalist Cecilio Pineda Birto, killed in Mexico

(Forbidden Stories/Youtube)

What we knew: Pineda endured death threats and a shooting attempt to continue posting on crime and corruption to a news-focused Facebook page he ran, but was gunned down at his local car wash in 2017. He was one of six journalists killed in retaliation for their reporting in Mexico that year.    

New information: Pineda’s phone number was selected for possible surveillance a month before his death; he had recently told a federal protection mechanism for journalists that he believed he could evade threats because potential assailants would not know his location, according to The Guardian.  

The government’s response: Mexican officials said this month that the two previous administrations had spent $300 million in government money on surveillance technology between 2006 and 2018, including contracts with NSO Group, according to The Associated Press. CPJ emailed Raúl Tovar, director of social communication at the office of Mexico’s federal prosecutor, and Jesús Ramírez Cuevas, spokesperson for President Andrés Manuel López Obrador, for comment on the use of spyware against journalists, but received no response.

Le Desk reporter Omar Radi, imprisoned in Morocco

(Reuters/Youssef Boudlal)

What we knew: On July 19, 2021 – as many of the Pegasus Project stories were still breaking – a court sentenced Radi to six years in prison on charges widely considered to be retaliatory; he was jailed one year earlier, possibly to prevent completion of his investigation into abusive land seizures. Like fellow Moroccan journalists Taoufik Bouachrine and Soulaiman Raissouni, who are serving sentences of 15 years and 5 years, respectively, Radi was convicted of a sex crime, which journalists told CPJ was a tactic to dampen public support for the accused.  

New information: Amnesty International had already performed forensic analysis of Radi’s phone in 2019 and 2020 and connected it to Pegasus spyware, as outlined in the Pegasus Project reporting. Now we know that Bouachrine and Raissouni were also selected as potential targets, according to Forbidden Stories.

The government’s response: The Moroccan state has instructed a lawyer to file a defamation suit against groups involved in the Pegasus Project in a French court, according to Reuters.  CPJ requested comment from a Moroccan justice ministry email address in July but received no response; CPJ’s past attempts to reach someone to respond to questions about spyware at the ministries of communications and the interior were also unsuccessful.

Investigative reporter Khadija Ismayilova, formerly imprisoned in Azerbaijan

(AP Photo/Aziz Karimov)

What we knew: Ismayilova, a prominent investigative journalist, is known for her exposés of high-level government corruption and alleged ties between President Ilham Aliyev’s family and businesses. She was sentenced to seven and a half years in prison on a raft of trumped up charges in December 2014 and served 538 days before her release.  

New information: Amnesty International detected multiple traces of activity that it linked to Pegasus spyware, dating from 2019 to 2021, in a forensic analysis of Ismayilova’s phone after her number was identified on the list. Ismayilova subsequently reviewed other Azerbaijani phone numbers identified by the Pegasus Project and recognized some belonging to her niece, a friend, and her taxi driver, OCCRP reported.   

The government’s response: CPJ requested comment from Azerbaijan state security services via a portal on its website on July 28 but received no response; CPJ’s request regarding the alleged surveillance of Meydan TV journalist Sevinj Vagifgizi last week was also unacknowledged.

Economic and Political Weekly journalist Paranjoy Guha Thakurta, subject to legal harassment in India

(Photo: Paranjoy Guha Thakurta)

What we knew: Guha Thakurta, a journalist and author, has faced a protracted criminal and civil defamation suit dating from 2017, along with three colleagues at the academic journal Economic and Political Weekly – and was recently threatened with arrest when he refused to attend a hearing across the country during the pandemic. That suit — brought by the Adani Group conglomerate following an article that described how the company had influenced government policies — was one of several legal actions he has faced, actions he characterized to CPJ as an intimidation tactic and way to harass reporters.

New information: Amnesty International detected forensic indications connected to Pegasus spyware in an analysis of Guha Thakurta’s phone, dating from early 2018. In a personal account published by Mumbai daily The Free Press Journal, Guha Thakurta noted he had been writing about Prime Minister Narendra Modi and the governing Bharatiya Janata Party’s use of social media for political campaigning at the time, as well as investigating a wealthy Indian business family’s foreign assets – but he still didn’t know why his phone was apparently tapped.

The government’s response: Ashwini Vaishnaw, the minister for information technology, has called the latest revelations about Pegasus “an attempt to malign Indian democracy,” and said illegal surveillance was not possible in India, according to The Hindu national daily. CPJ emailed Vaishnaw’s office for comment, but received no response. A former Indian government official has told CPJ that Pegasus is “available and used” in India and a committee was formed to investigate alleged Indian spyware targets in 2020, but CPJ was unable to reach someone to confirm the status of that committee in January this year.

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.

Cathcart has been outspoken about threats to security, including so-called backdoors, which governments argue would give law enforcement much-needed access to encrypted communications, but which would also be vulnerable to malicious hacking. Cathcart has also been highly critical of the NSO Group, the Israeli firm that has marketed Pegasus spyware to governments around the world. Pegasus can be surreptitiously implanted on smartphones, giving governments unfettered access to all communications on the phone—and bypassing the encryption that WhatsApp and other secure apps like Signal apply to messages in transit.

NSO group says Pegasus is a critical tool that governments use to combat crime and terror. But a recent report dubbed the Pegasus Project—published jointly by 17 media organizations and based on a leaked list of 50,000 phone numbers allegedly selected by NSO clients—revealed that possible targets included hundreds of journalists and human rights defenders, not to mention senior political leaders such as French President Emmanuel Macron.

NSO has told CPJ it has no connection to the list of phone numbers, that it vets all clients and investigates credible allegations of abuse, and that it cannot access customer data except in the course of an investigation. In a statement to the Guardian, the company denied that Macron had been targeted by any of its customers.

CPJ spoke with Cathcart via Zoom on July 23. The interview has been edited for clarity and length. NSO’s responses relating to some of his comments appear at the end.

Right after the Pegasus Project was published, you put out a tweet storm. You posted a thread with your own reaction and you retweeted some interesting folks, everyone from David Kaye to Edward Snowden. Tell me why you responded the way you did.

The issue of spyware, especially unaccountable spyware, is a huge problem. And it’s being used to undermine freedom. We detected and defeated an attack from NSO Group in 2019. And we worked with Citizen Lab who helped us analyze the 1,400 or so victims we saw then, and discovered over 100 cases of clear abuse, including journalists and human rights defenders. The new reporting shows the much, much larger scale of the problem. This should be a wake-up call for security on the internet.

You mentioned the 2019 attack, which resulted in WhatsApp filing a lawsuit [in U.S. federal court] against the NSO Group. Your Washington Post op-ed in which you lay out the rationale is pinned to the top of your Twitter feed. What made you decide to take on the NSO Group?

When we saw the attack and defeated it in 2019, we decided we needed to get to the bottom of what had happened. These were not, as has been claimed, clear law enforcement operations. This was out-of-control abuse.

We felt we needed to be very loud about what we saw, because we knew that even if we had fixed the issue, there still exist vulnerabilities in people’s mobile phones. The operating systems have bugs that are still being exploited. So even though we’d stopped the attack from our perspective, it’s still a problem. If you’re a journalist, if you’re a human rights defender, if you’re a political dissident, you still have to be worried. So yeah, absolutely, we sued the NSO Group. They broke the law. We want to hold them accountable. We think their behavior needs to be stopped.

There’s clearly a business interest here. One of the selling points of end-to-end encryption is the security that it provides. If there’s spyware out there that’s seeking to subvert that security, it’s a threat to the business model. But do you see this as a matter of principle as well? How do those two things relate to each other?

This is a threat to end democracy. What we offer is a service for having private, secure communication. The reason everyone at WhatsApp gets up every day excited about working on that and fighting to defend it, is we believe it enables really important things. We believe journalists being able to talk to each other, and [to] sources, [to] bring out critical stories on governments or companies is a fundamental element of a democracy. We believe, in democracy, you need to have opposition. We believe human rights defenders all around the world do really, really important work. WhatsApp is popular in a lot of countries around the world that don’t have as robust traditions of freedom and liberal democracy. We’re popular in a lot of places where the ability to communicate securely is critical to someone’s safety.

You’ve been very outspoken about your concerns. What would you like to see from the tech community at large?

I would love to see all the other tech companies stand up, talk about this problem, talk about the victims, talk about the principles at stake, and do everything they can to put a stop to it. I was really excited to see Microsoft, when they discovered some spyware from a different company a few weeks ago, they were loud about it. They worked with Citizen Lab to understand the victims. I think that needs to be the model. I don’t think it is okay, when you find these vulnerabilities and you find these attacks to say, “Well, it’s disappointing, but it only affected a few people.” An attack on journalists, an attack on human rights defenders, an attack on political figures in democracies, that affects us all.

You’ve recognized the communications needs of journalists and human rights defenders, particularly those working in high-risk environments. But some security experts believe that phones just aren’t secure anymore. Do you still feel confident that WhatsApp is a secure form of communication for vulnerable individuals, given this emerging security threat of spyware?

Well, the mobile phone is the computer for most people. It’s the only computer most people have ever experienced. We need to make it secure. We need mobile operating systems to invest a lot more in security to fix these vulnerabilities. That’s why we defend end-to-end encryption [and] privacy. This is a moment where governments should stop asking us to weaken end-to-end encryption. That is a horrible idea. We have seen the damage that comes from this spyware with the security we have today. We should be having conversations about increasing security.

Within WhatsApp, your messages are extremely secure when they’re being delivered from you to the person you’re talking to. What other forms of security can we add? I’m not sure it’s good for everyone to keep a copy of every conversation on their phone forever. Because what if your phone gets stolen? What if someone forces you to open the phone for them? So we added, late last year, the ability for you to have messages disappear after a week. If someone gets your phone, all you have is the last week’s worth of messages.

We haven’t added this yet, but we’re working on the ability for you to send a photo that the recipient can only see once. We’re working on the ability for you to change a setting in your WhatsApp account to say, “I want every thread that I create, or that someone creates with me, to disappear by default.” I think there’s a lot more we can do to help protect people – but it takes the whole industry saying, “We need to make the phone secure.”

You’ve called for import controls and other kinds of regulations to rein in a spyware industry that’s out of control. But if you look at the way technology develops, things get cheaper and easier over time. What makes you think that even if the current generation of spyware purveyors are somehow put out of business, they won’t be replaced by others who are even more ruthless? Or by state level technology from Russia, China, the U.S. for that matter? Can the spyware threat be defeated through regulation or import controls?

Well, I think all of it helps. If you think about people breaking into our homes, obviously that’s still a problem. But we have locks on the doors. We have burglar alarms. We also have accountability. If someone breaks into my home, hopefully I can go to the police, I can go to the government, they’ll hold them accountable. If governments were actually holding people accountable when [spyware attacks] happen – that makes a huge difference. There will always be bad people out there. There will always be hostile governments out there. You’ve got to have as much security as possible in defense.

You’ve emphasized WhatsApp’s commitment to privacy, to operating within the human rights framework. But WhatsApp is owned by Facebook. You worked at Facebook for many years. Facebook is involved in a huge public controversy, and was recently accused by President Biden of “killing people [in relation to COVID-19 vaccine disinformation].” Their business model is based on monetizing data. And there’s a huge amount of concern about misinformation circulating on the platform. Of course, people raise those concerns about WhatsApp as well. Does the relationship with Facebook complicate your messaging about privacy and human rights?

We added end-to-end encryption to WhatsApp as part of Facebook. We’ve been very consistent on that and very supportive across the whole company – about the importance of that, why that’s the right thing, why that protects people’s fundamental rights, including journalists. Obviously, there are a lot of issues. But they’re different products. Take misinformation, for example. The question of what you do about misinformation on a large public social network is very different from how you should approach it on a private communication service. We think on a private communications service, you should have the right to talk to someone else privately, securely without a government listening in, and without a company looking at it. That’s different than if you’re broadcasting something out to every single person on a public social network.

We’ve talked today about spyware. But are backdoors an even greater threat to secure online communication?

Absolutely. Security experts who’ve looked at this agree. If you look at the threat from spyware, they’re having to go to each phone individually and compromise it. If you talk about holding a backdoor into any encryption, you are creating a centralized vulnerability in the whole communications network. And the scenario you need to be worried about is: what if a spyware company, what if a hostile government, what if a hacker, accessed all of the communications? It’s why, honestly, the proposals from some governments to weaken end-to-end corruption are just terrifying. They aren’t grappling with the nightmare scenario of everyone’s communications in a country being compromised.

If this was a big wake up call, what are you planning to do next? What should the industry do next? What can people who are concerned about this do to fight back?

We’re continuing to add security and privacy to WhatsApp, continuing our lawsuit in our push against NSO Group. We’re hoping more of the industry joins, and that more of the industry is loud about the problem. But what’s most important is governments. Governments need to step in and say this was not okay. Who was behind it? Who were the victims? What’s the accountability? Governments need to step in and have a complete moratorium on the spyware industry. It’s got to stop.

[Editor’s note: CPJ emailed NSO with a request for comment on the WhatsApp lawsuit and the attack Cathcart attributed to NSO, but did not hear back before publication. The company denied the WhatsApp allegations when the lawsuit was announced, as CPJ noted at the time, and is challenging the suit in court, arguing it should be immune on grounds that its clients are foreign governments, according to the Guardian.]

This content originally appeared on Committee to Protect Journalists and was authored by Joel Simon.

In the wake of this week’s revelations about the Pegasus spyware, Reporters Without Borders (RSF) and two journalists with French and Moroccan dual nationality, Omar Brouksy and Maati Monjib, have filed a joint complaint with prosecutors in Paris.

They are calling on them to “identify those responsible, and their accomplices” for targeted harassment of the journalists.

The complaint does not name NSO Group, the Israeli company that makes Pegasus, but it targets the company and was filed in response to the revelations that Pegasus has been used to spy on at least 180 journalists in 20 countries, including 30 in France.

• READ MORE: Pegasus: RSF calls for Israeli moratorium on spyware exports
• More reports on the ‘vile and loathsome’ Pegasus spyware tool

Drafted by RSF lawyers William Bourdon and Vincent Brengarth, the complaint cites invasion of privacy (article 216-1 of the French penal code), violation of the secrecy of correspondence (article 226-15), fraudulent collection of personal data (article 226- 18), fraudulent data introduction and extraction and access to automated data systems (articles 323-1 and 3, and 462-2), and undue interference with the freedom of expression and breach of the confidentiality of sources (article 431-1).

This complaint is the first in a series that RSF intends to file in several countries together with journalists who were directly targeted.

The complaint makes it clear that NSO Group’s spyware was used to target Brouksy and Monjib and other journalists the Moroccan authorities wanted to silence.

The author of two books on the Moroccan monarchy and a former AFP correspondent, Brouksy is an active RSF ally in Morocco.

20-day hunger strike
Monjib, who was recently defended by RSF, was released by the Moroccan authorities on March 23 after a 20-day hunger strike, and continues to await trial.

“We will do everything to ensure that NSO Group is convicted for the crimes it has committed and for the tragedies it has made possible,” RSF secretary-general Christophe Deloire said.

“We have filed a complaint in France first because this country appears to be a prime target for NSO Group customers, and because RSF’s international’s headquarters are located here. Other complaints will follow in other countries. The scale of the violations that have been revealed calls for a major legal response.”

After revelations by the Financial Times in 2019 about attacks on the smartphones of around 100 journalists, human rights activists and political dissidents, several lawsuits were filed against NSO Group, including one by the WhatsApp messaging service in California.

The amicus brief that RSF and other NGOs filed in this case said: “The intrusions into the private communications of activists and journalists cannot be justified on grounds of security or defence, but are carried out solely with the aim of enabling government opponents to be tracked down and gagged.

“NSO Group nonetheless continues to provide surveillance technology to its state clients, knowing that they are using it to violate international law and thereby failing in its responsibility to respect human rights.”

RSF included NSO Group in its list of “digital predators” in 2020.

• The 2021 ‘digital predators’ list

Pacific Media Watch collaborates with Reporters Without Borders.

This content originally appeared on Asia Pacific Report and was authored by Pacific Media Watch.

In the wake of this week’s revelations about the Pegasus spyware, Reporters Without Borders (RSF) and two journalists with French and Moroccan dual nationality, Omar Brouksy and Maati Monjib, have filed a joint complaint with prosecutors in Paris.

They are calling on them to “identify those responsible, and their accomplices” for targeted harassment of the journalists.

The complaint does not name NSO Group, the Israeli company that makes Pegasus, but it targets the company and was filed in response to the revelations that Pegasus has been used to spy on at least 180 journalists in 20 countries, including 30 in France.

• READ MORE: Pegasus: RSF calls for Israeli moratorium on spyware exports
• More reports on the ‘vile and loathsome’ Pegasus spyware tool

Drafted by RSF lawyers William Bourdon and Vincent Brengarth, the complaint cites invasion of privacy (article 216-1 of the French penal code), violation of the secrecy of correspondence (article 226-15), fraudulent collection of personal data (article 226- 18), fraudulent data introduction and extraction and access to automated data systems (articles 323-1 and 3, and 462-2), and undue interference with the freedom of expression and breach of the confidentiality of sources (article 431-1).

This complaint is the first in a series that RSF intends to file in several countries together with journalists who were directly targeted.

The complaint makes it clear that NSO Group’s spyware was used to target Brouksy and Monjib and other journalists the Moroccan authorities wanted to silence.

The author of two books on the Moroccan monarchy and a former AFP correspondent, Brouksy is an active RSF ally in Morocco.

20-day hunger strike
Monjib, who was recently defended by RSF, was released by the Moroccan authorities on March 23 after a 20-day hunger strike, and continues to await trial.

“We will do everything to ensure that NSO Group is convicted for the crimes it has committed and for the tragedies it has made possible,” RSF secretary-general Christophe Deloire said.

“We have filed a complaint in France first because this country appears to be a prime target for NSO Group customers, and because RSF’s international’s headquarters are located here. Other complaints will follow in other countries. The scale of the violations that have been revealed calls for a major legal response.”

After revelations by the Financial Times in 2019 about attacks on the smartphones of around 100 journalists, human rights activists and political dissidents, several lawsuits were filed against NSO Group, including one by the WhatsApp messaging service in California.

The amicus brief that RSF and other NGOs filed in this case said: “The intrusions into the private communications of activists and journalists cannot be justified on grounds of security or defence, but are carried out solely with the aim of enabling government opponents to be tracked down and gagged.

“NSO Group nonetheless continues to provide surveillance technology to its state clients, knowing that they are using it to violate international law and thereby failing in its responsibility to respect human rights.”

RSF included NSO Group in its list of “digital predators” in 2020.

• The 2021 ‘digital predators’ list

Pacific Media Watch collaborates with Reporters Without Borders.

This content originally appeared on Asia Pacific Report and was authored by Pacific Media Watch.

Sevinj Vagifgizi, a correspondent for the Berlin-based, Azerbaijan-focused independent media outlet Meydan TV, was targeted by Pegasus from 2019 to 2021, according to the international network Organized Crime and Corruption Reporting Project (OCCRP), which analyzed Vagifgizi’s phone. Meydan TV is a member of the OCCRP.

According to the OCCRP, the journalist was previously in Azerbaijani authorities’ crosshairs. She was banned from leaving the country from 2015 to 2019 after authorities told her Meydan TV was under investigation in a criminal case, and in 2019 she faced libel charges after she reported on people voting with government-issued prefilled ballots.

Vagifgizi spoke to CPJ via phone about her experience of being hacked from Berlin, where she is currently based as part of Time Out and Research Scholarship program of Reporters Without Borders Germany.

CPJ send an email request to NSO Group for comment for this piece but did not receive a reply. In a rebuttal published online, the company said the Pegasus Project’s allegations were false. The company has told CPJ that it will “investigate credible claims of misuse” and that it vets its clients. CPJ also requested comment from Azerbaijan’s state security service via its website, but it was not returned.

Her answers were edited for length and clarity.     

How did you find out you were surveilled?

In June, my colleagues from the Organized Crime and Corruption Reporting Project contacted me and said that we should meet. They came to Berlin. During the meeting, they said: “We have bad news for you, we should take your phone because we have information that the government bugged your phone.” After they checked my phone, they told me that my phone had been targeted with the Pegasus program since 2019. They said with this program, [the Azerbaijani authorities] could listen and record all audio and video, including private videos and photos, get all the information about my contacts, and have access to all my text and voice messages. I was also told that they knew my location at any point in time.

How did you feel at that moment? What were your main concerns?

I was astonished, I felt awful. I was always aware that the [Azerbaijani] security service listens to our phone calls, but I never imagined that they could access anything through the internet and can record voices and take videos, and listen to and read everything I write or say.

I was concerned about my sources who didn’t want the authorities to know that they were in touch with me. I was also concerned about my colleagues who didn’t want the authorities to know about them because if the authorities find out who they are, it may cause problems for them.

You are currently in Berlin but are set to return to Baku in late August. Are you concerned about going back to Azerbaijan? 

My main concern is that the authorities will bar me from traveling abroad again. I was under a travel ban for four years, from 2015 through 2019. I went through all appeal stages [in Azerbaijan] and then went to the European Court of Human Rights. The European Court ruled that the travel ban was unlawful, and the [Azerbaijani] government paid me a compensation and lifted the travel ban in 2019. I was able to come to Berlin this spring because I am not barred from leaving Azerbaijan anymore. I am concerned that the ban may return. I am also worried that now the authorities know who provided information to Meydan TV [because of the surveillance] and may bar them from leaving Azerbaijan too.

Do you know what triggered the surveillance? Was it a specific investigation or your work in general?

I’ve worked as a journalist since 2010. Before joining Meydan TV, I also worked with independent newspaper Azadliq. I have reported on social issues and human rights violations. I often covered political prisoners’ plights. I also did an investigation for OCCRP on [alleged] official corruption in Azerbaijan. But the time they bugged my phone coincided with the lifting of my travel ban.

Do you know which government agency may have procured the Pegasus spyware to hack your phone?

I don’t have any exact information on that but my colleagues and I assume it’s the state security service of Azerbaijan.

How would authorities have gotten ahold of your number?

It’s easy to find my number because as a journalist I contact a lot of people. Many people want to talk to me, tell me about their problems, so I can prepare reports on those issues as a journalist. Therefore they have or can easily find my number. Other journalists, including those who work for state media outlets, also have my contacts. So, it wasn’t hard.

What is next for you? What do you want to do about the surveillance?

We are going to take the case to an [Azerbaijani] court. We want to find out what explanation the Azerbaijani government can offer for targeting us. We are determined to go to the European Court [of Human Rights] too.

As a journalist, I am determined to continue my work because people need us, because people don’t have [many] sources to get truthful information about the real situation in the country. My colleagues and I will keep working. I know that the government will continue surveilling us, but they won’t stop us. 

This content originally appeared on Committee to Protect Journalists and was authored by Gulnoza Said/CPJ Europe and Central Asia Program Coordinator.

“I’ve had many experiences of these – sometimes clumsy – surveillance attempts,” Hope said.   

More recently, Hope may have been singled out for more sophisticated surveillance. A veteran newspaper reporter specializing in complex international stories, Hope was identified by investigative collaboration the Pegasus Project as one of nearly 200 journalists potentially targeted by clients of the Israel-based technology company NSO Group, which manufactures Pegasus spyware to help governments and law enforcement secretly infiltrate cellphones.

The Guardian, which contributed to the Pegasus Project, reported that a client believed to be the UAE began selecting Hope’s phone number for possible surveillance while he was working for The Wall Street Journal in London in early 2018.

Hope has since left the Journal to launch his own investigative project with his reporting collaborator Tom Wright. It’s dubbed Project Brazen, he said, after the codename the pair used while uncovering a corruption scandal implicating former Malaysian Prime Minister Najib Razak in the embezzlement of funds from the 1Malaysia Development Berhad (1MDB) company. That investigation became the focus of their September 2018 book, “Billion Dollar Whale,” a story that led them to conspirators in the UAE.  

Hope spoke to CPJ about the press freedom implications of the Pegasus Project’s list – which also includes some of slain Saudi journalist Jamal Khashoggi’s close associates. Khashoggi’s violent 2018 death features in Hope’s second book, “Blood and Oil,” on Saudi Crown Prince Mohammed bin Salman, whom the CIA has concluded ordered the journalist’s murder.

This interview has been edited for length and clarity. CPJ asked NSO Group to comment on Hope’s remarks; in an emailed statement, a spokesperson said “any claim that a name on the list was necessarily related to a Pegasus target or Pegasus potential target is erroneous and false. NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.” The company has told CPJ that it investigates credible claims of misuse made against its vetted clients.

CPJ emailed requests for comment to the Saudi Center for International Communications under the media ministry; the UAE’s ministry of foreign affairs and international cooperation; and the Chinese ministry of foreign affairs but received no responses before publication.

How did you learn you were on the list that is the focus of the Pegasus Project?  

The Guardian contacted me and let me know that I was a target. We did some forensic analysis of my current phone which was considered clean. I was changing my phone frequently when I was a reporter at The Wall Street Journal – I was not particularly worried about the UAE, but more concerned about other characters in the 1MDB case who have a lot of money and a lot of reasons to try and sabotage our reporting. I used best practices to avoid this kind of risk, so if it’s true that they infiltrated a phone of mine, it would have been for a short period.

I was disappointed on one level. I try and have a relationship with all parties that I’m covering, even people that hate my coverage. I always try and [let] them put their point of view. I don’t rush them at the last minute, I give them more time than you would think to respond to anything. I would hope that the UAE would continue to engage me at that level rather than resorting to black ops techniques.

In a way I was surprised that it was NSO software that was allegedly used. They had been briefing many journalists – some that I know – saying that this software couldn’t be used on U.S. or U.K. numbers. I’ve seen in the press recently that they referred only to U.S. numbers, but I’ve heard that they disable its use against U.K. numbers [like the one Hope was using at the time]. I’ve never been a fan of this kind of software but [that idea] was some tiny bit of reassurance.

I wasn’t worried about NSO, I was worried about [actors] that are not well known that have similar software or employ hackers. When it turned out to be the most well-known company – that was surprising.      

Jamal Khashoggi, whose associate Omar Abdulaziz was targeted with Pegasus spyware, features prominently in “Blood and Oil.” Were you surprised to learn that more of his connections, including his fiancée Hatice Cengiz, were also listed?

From the perspective of people like myself, in America or Europe, he was a Saudi commentator writing opinion pieces. From the perspective of Saudi Arabia, he was a traitor for a variety of reasons. So knowing that, I’m not surprised that they would be trying to find [proof] that he was working for other countries.

The classic technique to find out about someone is to go through family members. In this case they might have been targeted after he was killed. It would be partially because they’re trying to understand what countries are working with those family members to elevate that story or whether his family members were being paid or anything like that – evidence for what they believe to be true. 

What were you working on yourself?

I was doing some reporting that would have been viewed in Abu Dhabi by some parties as problematic. We wrote a series of stories [for the Journal] about the UAE’s main conspirator in the 1MDB scandal. That would likely be very annoying for different parties in the UAE.

The fact-checking part of [“Billion Dollar Whale”] was the culmination of all that, where we really laid out all the damaging things we had found. That would have been reason for somebody in the UAE potentially to put my phone number on a list because they’d be wanting to know, “Who are the sources for this journalist?” They’d be wondering what other country was supplying this information – even though it was never the case, many people in the government would think that way.  

After the prime minister of Malaysia was voted out of office, all these documents were released [including] talking points between China and the Malaysian government. Chinese officials offered to penetrate [“Billion Dollar Whale” co-author] Tom [Wright]’s devices and do physical surveillance of him in Hong Kong, where he lived at the time. Another time when Tom was reporting in Malaysia, a source close to the bad guy called us and said they were thinking about arresting him and he had to escape through Singapore very rapidly.

I never once really worried about physical threats in my career particularly because I was an American journalist at a major international newspaper. But cybersecurity [threats] I was always afraid of, and things like [the Pegasus Project], they kind of highlight it.   

[Editor’s note: In January 2019, Hope and Wright reported in the Journal that a Chinese domestic security official had established “full scale residence/office/device tapping, computer/phone/web data retrieval, and full operational surveillance,” in order to “establish all links that WSJ HK has with Malaysia-related individuals.” Neither that official nor the Chinese government information office responded to their requests for comment at the time.]

Where were you at the time you could have been targeted, and how does that factor into the risk of surveillance?

I would have been mostly located in the U.K. [with a U.K. number] at that time. I didn’t travel to the Middle East. If I was in the country, it would be a lot easier to insert something [on the device].

In many countries in the world – Gulf countries, countries in Asia like China – there is no safe way to travel there with any of your technology. If you’re doing reporting in those places you have to leave everything behind and not log into anything while you’re there. I would bring a new phone. [When you leave] you have to assume that everything you’ve taken with you is no longer usable. You have to have a temporary set of equipment. 

If you’re reporting on anything that relates to the leadership of those countries, I would argue it’s too dangerous to do any reporting on the ground [if] you’re not comfortable leaving a trail. It would be very hard to ask people in those countries [questions] about the leadership. It’s a funny situation. If you’re the Saudi bureau chief you’re actually restricted in what you could find out. The best place to report on the UAE, Saudi Arabia for example, would be London.  

[Those] Middle Eastern countries [that] are not developing tools themselves are having to go and buy them which increases the risk to them of being exposed. In China we hear all the time about Chinese hacking initiatives, mostly through U.S. federal lawsuits that name and shame them, explaining what they did and who they hacked within America. We don’t hear about them buying the software because they develop it all within China.

The Gulf states are essentially buying those things – everything from intelligence work to cyber intrusion, and that’s much easier to get exposed, whereas China is much better at keeping a tight lid on what’s going on in China.

What does this mean for journalists?

The arms race for intrusion is so profound, there’s no real stopping it. There’s always going to be someone out there with this kind of equipment. It’s a wake-up call for journalists. We love our phones, all this high-tech stuff, using Signal – but there’s no way to protect yourself enough.

The toolbox for journalists has to change. I hope that Apple and others take up the challenge to make phones more secure, but ultimately if you’re dealing with any story where someone’s life is at risk, you have to go lo-fi and take really annoying, time-consuming steps to protect people – meeting people and leaving your phone behind. Giving your source an old-fashioned pay-as-you-go phone that you only use to plan the meeting. Tools like Signal have been such a boon for journalists, but if your phone itself is vulnerable it doesn’t help.  

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.

CPJ’s work on this issue includes:

• A policy brief calling on governments to bar the use of spyware on journalists, including banning the export or transfer of surveillance technology or expertise to governments with poor press freedom records
• A map of dozens of incidents in which journalists and those close to them were targeted with spyware since 2011
• Digital safety advice for journalists on how to keep their information safe, and specific guidance on NSO Group’s Pegasus spyware in six languages

Many countries suspected of spying are notorious for repressing the media, and CPJ reporting shows that some of the journalists targeted, or those connected with them, have faced arrest and physical violence in reprisal for their work.

CPJ experts are available to speak on spyware and press freedom as well as individual cases of journalists targeted, in multiple languages. To schedule an interview, email press@cpj.org. 

Media contact:

Bebe Santa-Wood

Communications Associate

press@cpj.org

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Israeli companies like NSO Group and Cellebrite market equipment to government and law enforcement agencies to fight crime, yet as CPJ has noted, journalists are vulnerable to the same sophisticated tools if they fall into the hands of repressive governments. NSO’s Pegasus spyware can remotely control a cell phone and its contents, while police say they use Cellebrite’s forensics products to extract the contents of devices seized during interrogation, potentially exposing journalists’ colleagues, family members, and sources to monitoring or reprisals.   

When Mack learns that such technology is being used to commit abuses — against journalists or others — he tries to stop its export by petitioning the Israeli Ministry of Defense. The ministry is essentially in control of the industry, he said, through its marketing and license export regime; Mack petitions the ministry to withdraw the relevant license. 

His work has had an impact, according to the Israeli daily Haaretz: following Mack’s petitions, Cellebrite said that it would stop sales to Russia and Belarus in March 2021, and in September 2020, said it would not supply the government of Venezuelan President Nicolás Maduro despite previous sales to defense and police clients in the country. An Israeli High Court ruling on Mack’s petition to halt the trade of arms to Myanmar in September 2017 was subject to a gag order and hasn’t been disclosed, according to Haaretz.

CPJ spoke with Mack about his efforts to stop exports of the equipment and bring transparency to an otherwise secretive industry. His answers below have been edited for length and clarity. 

CPJ sought response to Mack’s remarks from the Defense Ministry, NSO, Cellebrite, and other entities named in the interview. Their replies are detailed below. 

How often do you come across journalists affected by surveillance technologies? 

There’s a lot of public interest if it can be proved [that the equipment was used] against a journalist or an activist. But journalists [often] rely on people on the ground with a Twitter or Facebook account, and these kinds of technologies are enabling mass surveillance. If you’re talking about NSO, their system targets [a specific] person each time. According to the company, the list of targets is a few hundred. If you’re talking about Cellebrite, Alexander Bastrykin, the head of Russia’s Investigative Committee said in 2020 that in the previous year the system was used more than 26,000 times in Russia. You connect 26,000 phones, take the information – you control the population. 

When you figure out where the technology is going, how do you try and stop it? 

I file a petition to an Israeli court. My goal is to cancel the export license given by the Ministry of Defense. 

The international media say a lot about the companies themselves, which is very comfortable for the Ministry of Defense. But companies are like subcontractors. The agreements are made between governments and the Ministry of Defense decides which company [gets] the deal. 

Even if an Israeli surveillance company wants to cancel services because it got information that the system was being used against journalists or to violate human rights, it wouldn’t be able to, because it would cause a crisis [with a] foreign government. 

The Ministry of Defense has an information security unit called MALMAB that terrorizes the companies to warn them against leaking, and there are very few people [internally] with security clearance to access the client list. If NSO or another company says, “We are like a normal international company, we have an ethics board with the greatest minds in human rights that can check our work,” [that board doesn’t] have information about what the company is doing. 

How many companies in Israel export surveillance technology? 

There’s no way to know, because we only know about the companies you see in the headlines. There is digital forensics, like the company Cellebrite; UAVs [unmanned aerial vehicles]; then the classic surveillance stories like the NSO Group’s Pegasus or PicSix in Bangladesh or the unknown Israeli company in Vietnam. 

In 2013 I petitioned the Ministry of Defense to disclose the companies in the defense export register. They [only] gave a few numbers in 2014: there were about 80,000 export licenses and 320,000 marketing licenses. In Israel, there’s a unique marketing license [that companies need to negotiate with] potential clients, then a separate export license… [Through the] marketing license, you are exposing your potential client [to the ministry] which can choose to give this client to another company.

I can identify rifles in pictures on social media, and depending on the model, I can estimate when it was exported, but surveillance systems aren’t physical. With NSO, we don’t know names of their clients, it’s hard to prove. Even with Cellebrite, [which] physically connects to the mobile phone, I only got to know that it [was being used] in Russia and Venezuela and Belarus because [local] authorities announced it. 

How is the industry regulated in Israel? 

They keep changing the bureaucracy to make people like me waste time. In the case of Cellebrite, the Ministry of Economy should approve [civilian clients]. But they told me [its sales to Hong Kong] came under the Ministry of Defense, according to the [Defense Export Control Law] of 2007 governing defense equipment. That law is very problematic, because the only limit is in case of a U.N. Security Council arms embargo, which is very rare. It’s why we are seeing Israeli defense exports around the world.  

[In February 2021] the Ministry of Defense told me they had transferred approval from the unit for defense exports to the director of the Ministry of Defense, because digital forensics [systems like Cellebrite’s] fell under a 1974 order for encrypted items. That order is much worse than the 2007 law, because it allows the director to award licenses as he sees fit. 

If two laws apply, why choose the older one? In my opinion, they wanted to widen the discretion [to approve] a company like Cellebrite for political and economic [reasons]. 

This is what I’m trying to change, to introduce a consideration of human rights and democracy. I don’t think Israeli authorities will do it on their own, and they are used to foreign criticism in international forums. It will only happen with pressure from the Israeli public.

Why are cases you’re involved in often subject to a gag order? 

In all petitions on defense exports, the Ministry of Defense asks [the court] for a gag order so that only people who are part of the proceedings are able to know the ruling. [Their] representative is not even ashamed to argue that they want the gag order because they don’t have control of the media. 

It’s annoying, in 2021, that they need to keep asking. But [a gag order] has no meaning, it’s like a child putting a blanket over its head and saying it’s night. Under defamation law in Israel you can publish information that is part of the legal process, so journalists [can report on the petitions even if they can’t report on the verdict]. And I’m allowed to say whatever I want, just not what happened inside the court. 

What should be happening internationally to improve regulation of this industry?

The global framework is already there. We should think about surveillance [the same way we] think about rifles and classic defense exports. Every time we’re talking about sanctions or an arms embargo, we should be talking about surveillance systems.

There should be more demands about the technology and how it is being used, a lot of details are still unknown. Because of NSO Group’s contradictory responses to the media, we don’t know if they are technically able to dismantle [spyware] if they have knowledge of abuse. 

With Cellebrite, the problem in a legal scenario – as far as I can tell – is that the system sucks up everything, you can’t [request one] WhatsApp message. Then are [law enforcement] violating a search order, and what do [they] do with all the information? 

It seems that companies – and this is also problem with the Israeli government – they don’t see anything as a human rights crisis, but when they have a huge PR crisis, they are ready to be more transparent. 

[Editor’s note: NSO Group has told CPJ that it has used a “kill switch” to shut down its systems in cases of serious misuse, but as CPJ and other groups noted in a public letter to the company in April 2021, the company has been vague about how it terminates relationships with clients. Cellebrite told CPJ that its platform “enables selective extraction of major types of digital sources, preservation, analysis and reporting of evidence to accelerate criminal cases” and that its tools are “designed to limit the analysis to only data that might be relevant to the case.”]

Cellebrite has attracted scrutiny because it is preparing to go public on the New York stock exchange. Could that trigger a PR crisis?  

It’s an interesting development [when that happens] because it can bring more normalization to the companies. That could push companies to be more transparent, but I don’t think investors outside Israel understand the risk of being 100% dependent on the Israeli government. If the company can’t get an export license, it’s finished. And investors won’t know what the company is doing. They will read [about] it in the newspaper.     

Editor’s note: In response to CPJ’s questions about Mark’s remarks, Betty Ilovici, the foreign press advisor of the ministry of defense, said in a statement via email on behalf of the ministry that the Defense Export Controls Agency supervises exports of dual use cyber defense products in line with Israel’s Defense Export Control Law and international regulatory regimes, and with oversight from Israeli courts and the Knesset. “Human rights, policy and security issues are all taken into consideration,” she said, but declined to comment on specific licenses citing ministry policy. The statement did not explicitly address CPJ’s questions about MALMAB or Mack’s characterization of companies as ministry subcontractors.

The statement also said that Israel “is one of the few countries in the world that require a two-stage licensing process by law. In accordance with the two-stage process, the exporter is required to hold a defense marketing license ahead of any marketing or promotional activity and a defense export license, for the export of any product.”

NSO Group characterized Mack’s statements as “a complete misunderstanding of how NSO operates,” in a statement emailed to CPJ via the Mercury Public Affairs group, but refused to respond on specific points because CPJ declined to identify the interviewee in advance of publication, per CPJ’s editorial policy. The statement added that NSO investigates credible claims of misuse and shuts down a customer’s system if warranted; its Governance, Risk and Compliance Committee reviews human rights and compliance issues, and “takes every possible step to ensure NSO’s technology is sold only to those who use it as intended — to prevent and investigate terror and serious crime.”

Cellebrite said its products “can only be used lawfully — either pursuant to a court order or warrant” and “we do not enter into business with customers whose positions or actions we consider inconsistent with our mission to support law enforcement acting in a legal manner,” noting several layers of oversight, including a board. The company could terminate license agreements and block software updates in cases where the technology is used in a manner that does not comply with the company’s values, it said in an emailed statement via the Fusion PR firm.    

Al-Jazeera reported that in 2018 Bangladesh’s army secretly purchased equipment from the Israeli company PicSix to capture communications from mobile phones. Bangladesh’s foreign minister has denied purchasing interception equipment from Israel, according to that report. PicSix did not respond to CPJ’s request for comment submitted via its website. 

Haaretz reported in 2018 that Vietnam had purchased an Israeli communications interception system. CPJ called Vietnam’s Ministry of Public Security for comment but the line rang unanswered.

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.