The groups called on Saudi authorities to release all detained journalists, lift arbitrary travel bans, and end legal and digital attacks. They also urged U.S. President Donald Trump’s administration and the U.S. Congress to protect U.S.-based journalists from Saudi transnational repression and spyware.

Saudi Arabia is one of the most dangerous countries for journalists, with at least 10 behind bars on December 1, 2024, making it the 10^th worst jailer of journalists globally in CPJ’s latest annual prison census.

Read the full statement here.

This content originally appeared on Committee to Protect Journalists and was authored by CPJ Staff.

“The repeated targeting of Fanpage.it journalists suggests a pattern of surveillance aimed at intimidating and silencing investigative reporting — a chilling signal to journalists in Italy,” said Attila Mong, CPJ’s Europe representative. “Italian authorities must conduct a swift and transparent investigation, clarify the allegations of government involvement, hold all those responsible to account, and ensure that journalists can work without fear of surveillance.”

On April 30, Pellegrino said he had received an Apple threat notification warning that his iPhone had been targeted due to his journalistic work, which was later confirmed by cybersecurity experts. Apple sent similar alerts last week to users in about 100 countries.

In February, Francesco Cancellato, editor-in-chief of Fanpage.it — which is known for investigating corruption, organized crime, and Italy’s far-right — revealed that his phone had been targeted with Paragon spyware via WhatsApp, as part of a hacking attempt affecting around 90 of the messaging app’s users in dozens of countries.

Pellegrino told CPJ that his phone was being analyzed by security experts, and he was awaiting answers regarding the nature of the spyware, its duration, and the extent of the attack.

After local press freedom groups filed a complaint, the Rome prosecutor’s office launched an investigation in March into unauthorized surveillance of journalists and activists.

According to leaks from a closed session of Italy’s intelligence oversight committee in March, a government official said spyware surveillance had been approved for some migrant rights activists, but Cancellato was not targeted, and the operation was legally authorized.

The Guardian reported in February that Paragon had terminated its client relationship with Italy.

CPJ’s email requesting comment from the prosecutor’s office in Rome did not receive a reply.

This content originally appeared on Committee to Protect Journalists and was authored by CPJ Staff.

“The repeated targeting of Fanpage.it journalists suggests a pattern of surveillance aimed at intimidating and silencing investigative reporting — a chilling signal to journalists in Italy,” said Attila Mong, CPJ’s Europe representative. “Italian authorities must conduct a swift and transparent investigation, clarify the allegations of government involvement, hold all those responsible to account, and ensure that journalists can work without fear of surveillance.”

On April 30, Pellegrino said he had received an Apple threat notification warning that his iPhone had been targeted due to his journalistic work, which was later confirmed by cybersecurity experts. Apple sent similar alerts last week to users in about 100 countries.

In February, Francesco Cancellato, editor-in-chief of Fanpage.it — which is known for investigating corruption, organized crime, and Italy’s far-right — revealed that his phone had been targeted with Paragon spyware via WhatsApp, as part of a hacking attempt affecting around 90 of the messaging app’s users in dozens of countries.

Pellegrino told CPJ that his phone was being analyzed by security experts, and he was awaiting answers regarding the nature of the spyware, its duration, and the extent of the attack.

After local press freedom groups filed a complaint, the Rome prosecutor’s office launched an investigation in March into unauthorized surveillance of journalists and activists.

According to leaks from a closed session of Italy’s intelligence oversight committee in March, a government official said spyware surveillance had been approved for some migrant rights activists, but Cancellato was not targeted, and the operation was legally authorized.

The Guardian reported in February that Paragon had terminated its client relationship with Italy.

CPJ’s email requesting comment from the prosecutor’s office in Rome did not receive a reply.

This content originally appeared on Committee to Protect Journalists and was authored by CPJ Staff.

“The attack on investigative journalist Francesco Cancellato with Paragon spyware is a serious breach of journalistic rights and freedoms,” said Attila Mong, CPJ’s Europe representative. “Italian authorities must prove that they will not tolerate illegal surveillance of the media and that journalists can ensure the confidentiality of their sources without fear of being spied on.”

Cancellato said WhatsApp sent him a message on January 31 saying that the company had “interrupted the activities of a spyware company” which it believed attacked his phone and may have accessed his “data including messages saved on the device.”

The journalist, known for his investigations into corruption, organized crime, and Italy’s far-right, said he felt “violated” but didn’t want to speculate who was behind the attack.

Cancellato was the first journalist to come forward after WhatsApp revealed that it had detected a hacking attempt in December targeting around 90 users worldwide, including civil society and media figures in dozens of countries. The company announced that it had issued a cease-and-desist letter to the Israeli software firm Paragon Solutions, which sells the spyware called Graphite to governments for crime prevention.

Italy’s government said in a February 5 statement that seven unnamed WhatsApp users in the country had been targeted. The government denied any involvement and charged Italy’s National Cybersecurity Agency to investigate the matter. The following day, news reports said Paragon had terminated its dealings with Italy after the government failed to address the spying claims.

CPJ messaged Paragon Solutions, which does not have a public website, via the social media platform LinkedIn and emailed Italy’s National Cybersecurity Agency requesting comment but did not receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

The joint comments assess and offer recommendations for the Commerce Department to help curb the proliferation of such surveillance technologies.

The comments also note the U.S. government’s use of export controls to protect human rights, including through the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the Export Controls and Human Rights Initiative.

While these actions are welcome, the United States and other governments around the world must do more to curb the abuse of surveillance technologies.

CPJ has repeatedly documented the use of surveillance technology, including spyware, to undermine press freedom and journalist safety around the world.

Read the joint comments here.

This content originally appeared on Committee to Protect Journalists and was authored by CPJ Staff.

The report, “Exiled, then spied on: Civil society in Latvia, Lithuania, and Poland targeted with Pegasus spyware,” identified at least seven people whose devices were targeted between 2020 and 2023 by Pegasus, a form of zero-click spyware produced by the Israeli company NSO Group.

“Today’s report raises major concerns about the use of spyware against journalists and shows once again that the press is among the main targets of Pegasus spyware,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Journalists should not be spied on, and these new attacks mean that governments urgently need to implement an immediate moratorium on the development, sale, and use of spyware technologies.”

The targets included four named journalists and one Lithuania-based exiled Russian journalist whose device was targeted in June 2023 around an event in Riga, Latvia, and who requested to remain anonymous. The report describes the following attacks on the four named journalists:

• Latvia-based exiled Russian journalist Maria Epifanova’s device was infected in August 2020, “the earliest known use of Pegasus to target Russian civil society,” the report said. Epifanova is the CEO of independent news outlet Novaya Gazeta Europe, which Russian authorities outlawed as “undesirable” in June 2023. The report said the infection occurred when Epifanova was chief editor of Novaya Gazeta Baltija — which covers Latvia, Lithuania, and Estonia — and “shortly after she received accreditation to attend exiled Belarusian democratic opposition leader Sviatlana Tsikhanouskaya’s first press conference in Vilnius,” the capital of Lithuania.  

“Regardless of who is behind this attack, invasion in private life is unacceptable. I am now working with a lawyer to decide on the next steps and will do my best to bring more light onto my own case and cases of my colleagues,” Epifanova told CPJ.

• Latvia-based exiled Israeli-Russian journalist Evgeniy Erlich’s device was infected in late November 2022 while on vacation in Austria, the report said. Erlich, an independent producer, has worked with various media outlets, including broadcaster Current Time TV and Votvot, an on-demand Russian-language streaming platform. Both outlets are affiliated with the U.S. Congress-funded broadcaster Radio Free Europe/Radio Liberty (RFE/RL).

Erlich told CPJ that “we will most likely never know” who ordered the attacks.

• Latvian journalist Evgeniy Pavlov’s device was targeted in November 2022 and April 2023. Pavlov, a former correspondent with Novaya Gazeta Baltija and a freelance journalist for Current Time TV’s “Baltija” program, told CPJ that he was in Latvia at both times. Access Now was unable to confirm if the attempts were successful.

“If the intelligence services of any country can interfere with the activities of journalists in this way, it poses a very great threat to free and safe journalism. And to free speech in general,” Pavlov told CPJ.

• Poland-based exiled Belarusian journalist Natalya Radina’s device was infected twice in December 2022 and once in January 2023, the report said. The first infection occurred the day after the journalist participated in an anti-war conference in Vilnius. Radina is the editor-in-chief of independent news website Charter 97 and a CPJ 2011 International Press Freedom Awardee.

“My phone was illegally tapped in Belarus, where I was persecuted for political reasons, prosecuted, and imprisoned by the KGB [Belarusian national security service],” Radina told CPJ. “I know that…my absolutely legal journalistic activity can be of interest only to Belarusian and Russian special services, and I am only afraid of the possible cooperation in this matter of the present operators, whoever they are, with the KGB or the FSB [Russian Federal Security Service].”

In an email response to CPJ, the vice president of global communications for NSO group, Gil Lainer, maintained that the organization complies with all laws and regulations, emphasizing that it only sells to vetted intelligence and law enforcement agencies, and to allies of Israel and the United States. Lainer added that NSO group investigates all credible claims of misuse, adding that a number of investigations resulted in the suspension or termination of accounts.

A 2022 CPJ special report noted that the development of high-tech “zero-click” spyware like Pegasus — the kind that takes over a phone without a user’s knowledge or interaction — poses an existential crisis for journalism and the future of press freedom around the world. The report included CPJ’s recommendations to protect journalists and their sources from the abuse of the technology and called for an immediate moratorium on exporting this technology to countries with poor human rights records.

CPJ has also joined other rights groups in calling for immediate action to stop spyware threatening press freedom.

In September 2023, an investigation released by Access Now and Citizen Lab revealed that the phone of Galina Timchenko, the head of independent Russian-language news website Meduza, who has lived in Latvia since 2014, was infected by Pegasus while she was in Germany in February 2023.

The next day, Epifanova, Pavlov, and Erlich said Apple had notified them that their phone could have been targeted by hacker attacks.

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

Access Now’s report does not name the other 12 journalists and media workers, and CPJ was unable to immediately identify them. Previously, in 2022, CPJ called for an investigation into the use of Pegasus spyware on two Jordanian journalists, including Suhair Jaradat.

“The new revelations that journalists and media workers in Jordan have been targeted with Pegasus spyware underscores the need for an immediate moratorium on the use and sale of this technology, and a ban on vendors facilitating abuses,” said Sherif Mansour, CPJ’s Middle East and North Africa program coordinator, in Washington, D.C. “Journalists are not legitimate surveillance targets, and those responsible for these attacks should be held accountable.”

According to the report, phones belonging to Sabbagh and Dihmis, who cover the Middle East and North Africa as a senior editor and an investigative reporter, respectively, at the Organized Crime and Corruption Reporting Project (OCCRP), were targeted with Pegasus spyware.

“What bothered me most was the impact of the surveillance on my sources, and friends, and relatives,” said Sabbagh, who is also the co-founder of Arab Reporters for Investigative Journalism. “Because of the nature of OCCRP’s work, it is a principal target for surveillance agencies. They wish to keep crime and criminality hidden. We work to expose it. And with this type of work comes a very high price.”

Dihimis called the revelation “quite the violation,” adding that “as a journalist, it was a reminder of the importance of being cautious in terms of secure communication — to protect yourself but also your sources and colleagues. As a person, it spurred a lot of paranoia,” she added.

Kuttab, a Palestinian-American journalist based in Jordan and a 1996 recipient of CPJ’s International Press Freedom Award, was targeted by Pegasus spyware multiple times, according to the report.

On March 8, 2022, two weeks after the first incident, Kuttab was arrested when he arrived at Queen Alia International Airport outside of Jordan’s capital, Amman. He was detained under the Cybercrime Law for an article written in 2019 and was released a few hours later on bail, the report said.

The report detailed seven other attempts to infect Kuttabʼs mobile device with Pegasus, including a 2023 attempt in which the attacker impersonated a journalist from media outlet The Cradle asking questions about Jordanʼs cybercrime law while sending malicious links.

“I will not be intimidated, and I will not censor myself,” Kuttab told CPJ. “It is highly irritating to be spied on, but that also comes with the job nowadays. Whatever I know, I publish, but my only concern is my sources and their protection.”

Gharaibeh, director of Jordan’s Radio Husna, and the host of its morning talking show, was targeted successfully multiple times and there were also several failed attempts to infiltrate his phone, the report said.

When asked by CPJ about the apparent reason behind the recurrent attacks, Gharaibeh said that “it could be anything from monitoring the journalists and their sources to exploiting the journalists and silencing them.”

According to Access Now, the victims in the report were targeted using Pegasus with both zero-click attacks, in which spyware takes over a phone without the user’s knowledge, and attacks in which a user has to click a link. 

CPJ has documented the use of Pegasus to target journalists around the world in order to monitor their phones’ cameras, microphones, emails, texts, and calls. Journalists have been targeted with the software in Jordan, Morocco, the United Arab Emirates, and Saudi Arabia, among other countries.

CPJ emailed NSO Group for comment, but received no response. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On Tuesday, press freedom group Reporters Without Borders published findings that phones belonging to Lawson and Sossou had been infected with Pegasus. Those findings were independently confirmed by Amnesty International, the report said.

Pegasus spyware, produced by the Israeli company NSO Group, can take over a phone without a user’s knowledge or interaction. CPJ has documented how this zero-click spyware poses an existential crisis for journalism and press freedom around the world.

Lawson is the publisher of the newspaper Flambeau des Démocrates, and Sossou is a freelancer who has reported for various outlets, including as a correspondent for the Belgian investigative website L-Post and a commentator for the Togolese satellite broadcaster New World TV. He also publishes commentary on Facebook. Both journalists currently face criminal prosecution for their work and told CPJ they were surprised to learn they had been targeted.

“The targeting of journalists Loïc Lawson and Anani Sossou with Pegasus spyware makes even more real the fear of surveillance felt by many journalists in Togo, the existential threat that spyware poses to press freedom, and the imperative for an immediate moratorium on the use and sale of this technology,” said Angela Quintal, CPJ’s Africa program coordinator. “Lawson and Sossou currently face criminal prosecution for their reporting and now have to grapple with the fact that they were targeted with some of the world’s most aggressive spyware. They should have never had to deal with either of these threats.”

In mid-November 2023, Togolese authorities arrested and charged Lawson and Sossou with disseminating false news and attacking the honor of a minister, before granting them provisional release on December 1. Sossou was also charged with inciting a revolt. Their arrest and prosecution relate to a complaint by Togo’s Minister of Urban Planning and Land Reform, Kodjo Sévon-Tépé Adédzé, over posts by the journalists on social media—which have since been deleted—about the alleged theft of a large sum of money from Adédzé’s home.

Lawson and Sossou appeared in court on January 3 and January 17, when their case was transferred to the court of appeal in Lomé, the capital, according to media reports. The next hearing date has not been set.

In 2021, the phone numbers of at least three other Togolese journalists—Ferdinand Ayité, Luc Abaki, and Komlanvi Ketohou, who goes by Carlos—appeared on the Pegasus Project list of phone numbers allegedly selected for surveillance with Pegasus spyware, but the use of the spyware on those journalists’ phones was not confirmed. Ketohou told CPJ that the thought of his private activities in the hands of strangers was “torture,” and Ayité described the looming threat of surveillance as a “permanent fear.”

Citizen Lab, a University of Toronto-based research group, previously found other Togolese civil society members, including clergy, had been targeted with Pegasus in 2019. An unnamed Togolese activist was also targeted with a different spyware in late 2019 and early 2020, according to Amnesty International.

NSO Group, which produces and sells Pegasus spyware, previously told CPJ that it licenses Pegasus to investigate serious crime and terrorism. The company has said it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access.

CPJ’s calls to Yawa Kouigan, Togo’s minister of communication and media, as well as a spokesperson for the government, rang unanswered.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On Tuesday, press freedom group Reporters Without Borders published findings that phones belonging to Lawson and Sossou had been infected with Pegasus. Those findings were independently confirmed by Amnesty International, the report said.

Pegasus spyware, produced by the Israeli company NSO Group, can take over a phone without a user’s knowledge or interaction. CPJ has documented how this zero-click spyware poses an existential crisis for journalism and press freedom around the world.

Lawson is the publisher of the newspaper Flambeau des Démocrates, and Sossou is a freelancer who has reported for various outlets, including as a correspondent for the Belgian investigative website L-Post and a commentator for the Togolese satellite broadcaster New World TV. He also publishes commentary on Facebook. Both journalists currently face criminal prosecution for their work and told CPJ they were surprised to learn they had been targeted.

“The targeting of journalists Loïc Lawson and Anani Sossou with Pegasus spyware makes even more real the fear of surveillance felt by many journalists in Togo, the existential threat that spyware poses to press freedom, and the imperative for an immediate moratorium on the use and sale of this technology,” said Angela Quintal, CPJ’s Africa program coordinator. “Lawson and Sossou currently face criminal prosecution for their reporting and now have to grapple with the fact that they were targeted with some of the world’s most aggressive spyware. They should have never had to deal with either of these threats.”

In mid-November 2023, Togolese authorities arrested and charged Lawson and Sossou with disseminating false news and attacking the honor of a minister, before granting them provisional release on December 1. Sossou was also charged with inciting a revolt. Their arrest and prosecution relate to a complaint by Togo’s Minister of Urban Planning and Land Reform, Kodjo Sévon-Tépé Adédzé, over posts by the journalists on social media—which have since been deleted—about the alleged theft of a large sum of money from Adédzé’s home.

Lawson and Sossou appeared in court on January 3 and January 17, when their case was transferred to the court of appeal in Lomé, the capital, according to media reports. The next hearing date has not been set.

In 2021, the phone numbers of at least three other Togolese journalists—Ferdinand Ayité, Luc Abaki, and Komlanvi Ketohou, who goes by Carlos—appeared on the Pegasus Project list of phone numbers allegedly selected for surveillance with Pegasus spyware, but the use of the spyware on those journalists’ phones was not confirmed. Ketohou told CPJ that the thought of his private activities in the hands of strangers was “torture,” and Ayité described the looming threat of surveillance as a “permanent fear.”

Citizen Lab, a University of Toronto-based research group, previously found other Togolese civil society members, including clergy, had been targeted with Pegasus in 2019. An unnamed Togolese activist was also targeted with a different spyware in late 2019 and early 2020, according to Amnesty International.

NSO Group, which produces and sells Pegasus spyware, previously told CPJ that it licenses Pegasus to investigate serious crime and terrorism. The company has said it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access.

CPJ’s calls to Yawa Kouigan, Togo’s minister of communication and media, as well as a spokesperson for the government, rang unanswered.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Negotiations on the European Media Freedom Act (EMFA), a draft EU law seeking to strengthen media freedom and pluralism in EU member states, are likely to conclude during a meeting scheduled for December 15.

CPJ is concerned that Article 4 of the EMFA on the protection of journalists and their sources could be problematic, despite its well-intended purpose, because EU member states have requested that a “national security” exemption be included to justify spyware against journalists.

A 2022 CPJ report found that zero-click spyware, which secretly takes over electronic devices without being detected, has had a chilling effect on press freedom worldwide by putting journalists at risk of increased harassment and violence and hampering their ability to find sources.

Around the world, spyware, which secretly takes over electronic devices without being detected, puts journalists at risk of increased harassment and violence, and sometimes precedes imprisonment.

Media law experts have consistently called for the EMFA to include precise judicial safeguards, like court orders or proportionality requirements, as detailed by CPJ in its report, “Fragile Progress: The struggle for press freedom in the European Union.”

Article 4, they argue, must also be in line with the European Convention on Human Rights (ECHR) and its case law, which guarantee journalists’ right to protect their sources.

“The growing use of surveillance to spy on journalists has sent shivers around the media community in Europe, and governments have been using national security as a justification to avoid coming clean about their reasons for surveilling journalists,” said Tom Gibson, CPJ’s EU representative. “If the EU genuinely wants to protect journalists from spyware, it needs to insert clear legal checks and balances into the European Media Freedom Act.”

In light of the Pegasus Project revelations in 2021 that spyware was used to hack the phones of dozens of journalists, government officials and human rights activists globally, the European Parliament set up the PEGA Committee to investigate abuses of spyware. In May, it published its comprehensive recommendations, including to the European Commission, and called for EU action on the use of spyware.

In September, some 500 journalists complained to the European Parliament that intrusive surveillance threatened their ability to work, their right to privacy, and their sources’ confidentiality, and called for a complete ban on spyware.

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

A district court in the capital of Baku on Tuesday ordered that Hasanli and Vagifgizi remain in custody for four months on charges of conspiring to bring money into the country unlawfully, Abzas Media reported. If found guilty, they face up to eight years in prison under Article 206.3.2 of Azerbaijan’s criminal code.

Individuals in plainclothes who did not identify themselves took Kekalov from his home in Baku on Monday along with his laptop and cell phone, according to news reports and a source familiar with the case who spoke to CPJ on condition of anonymity, citing fear of reprisal. As of Tuesday evening, Kekalov’s whereabouts remained unknown.

“The remand terms handed to Ulvi Hasanli and Sevinj Vagifgizi only serve to underline authorities’ real goal, which is to silence Abzas Media’s bold anti-corruption reporting,” said CPJ Advocacy and Communications Director Gypsy Guillén Kaiser, in New York. “Azerbaijani authorities should release Vagifgizi and Hasanli immediately, provide information on Mahammad Kekalov’s whereabouts, and allow Abzas Media to continue its vital public interest reporting.”

Police arrested Hasanli on Monday, November 20, raided his apartment, and searched the Baku office of independent investigative website Abzas Media, where they said they found 40,000 Euros (US$43,770). Officers took a computer, cell phone, iWatch, and hard disk from the apartment and confiscated a microphone and hard disk from the office, Zibeyda Sadygova, the journalist’s lawyer, told CPJ.

Police arrested Vagifgizi at Baku airport at 1:30 a.m. on Tuesday as she returned from a work trip abroad and searched her home.

Hasanli and Vagifgizi have denied the charges, calling them retaliation for Abzas Media’s investigations into alleged corruption by relatives of Azerbaijan President Ilham Aliyev and state officials. Hasanli said he believes police planted the money in order to fabricate a case, according to a video posted by Abzas Media.

Abzas Media is one of a handful of independent outlets that remain in the country following a series of raids, arrests, and criminal investigations against independent media and press freedom groups since 2014.

In 2021, Vagifgizi was one of several Azerbaijani journalists whose phones were found to be compromised by Pegasus, spyware produced by the Israeli company NSO Group. Hasanli’s name was also on a leaked list of individuals targeted with Pegasus, according to the global investigative network Organized Crime and Corruption Reporting Project.

CPJ’s emails to the Baku Police Department and the Ministry of Internal Affairs did not receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

“CPJ is deeply disturbed by the disclosures that attackers used Pegasus spyware to infect the phone of exiled journalist Galina Timchenko, one of the world’s most prominent Russian media figures,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Journalists and their sources are not free and safe if they are spied on, and this attack on Timchenko underscores that governments must implement an immediate moratorium on the development, sale, and use of spyware technologies. The threat is simply too large to ignore.”

Timchenko’s phone was infected by Pegasus, a spyware produced by the Israeli company NSO Group, while she was in Berlin on or around February 10, 2023, according to a Meduza report and a joint-investigation by rights groups Access Now and research organization Citizen Lab. The investigation found that the infection took place shortly after Russia’s Prosecutor General designated Meduza as an “undesirable” organization –  a measure that banned the outlet from operating on Russian territory – and likely lasted several days or weeks.

According to the investigation, Apple had warned Timchenko and “other targets” in June that their devices may have been targeted with state-sponsored spyware. Meduza editor-in-chief Ivan Kolpakov told CPJ via messaging app that Apple’s warning prompted them to request that Access Now check Timchenko’s device.

According to Access Now, this is the first documented case of Pegasus surveillance of a Russian journalist; the investigation reported that the attack could have come from Russia, one of its allies, or an EU state may have been responsible for the attack.

The fact that some European government may have used Pegasus against Timchenko is “beyond our comprehension,’” Kolpakov said in a statement shared with CPJ. “As the developers claim, this software is used to fight terrorism — yet it is systematically used against the opposition and journalists.”

Meduza operates in exile, with most of its staff based in Berlin and the Latvian capital of Riga and covers various topics, including politics, social issues, culture, and the war in Ukraine. CPJ awarded Timchenko its 2022 Gwen Ifill Press Freedom Award.

“We often repeat to ourselves and our employees that Europe gives a feeling of complete security. But it is only a feeling – an illusion of security,” Kolpakov said in the statement.

Meduza journalist Elena Kostyuchenko recently reported that she may have been poisoned in Germany in October 2022.

Kolpakov said he hoped to be able to identify those responsible for the attack and obtain explanations from them as well as from the NSO Group.

NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.

A 2022 CPJ special report noted that the development of high-tech “zero-click” spyware like Pegasus– the kind that takes over a phone without a user’s knowledge or interaction – poses an existential crisis for journalism and the future of press freedom around the world. The report included CPJ’s recommendations to protect journalists and their sources from the abuse of the technology and called for an immediate moratorium on exporting this technology to countries with poor human rights records. CPJ has also joined other rights groups in calling for immediate action to stop spyware threatening press freedom.

CPJ emailed NSO Group and the German Federal Ministry of the Interior for comment on the Timchenko findings but did not immediately receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

By Antony Loewenstein

The Israeli defence industry inspires nations across the globe, many of which view themselves as under threat from external enemies.

The Taiwanese foreign minister, Joseph Wu, recently told the Israeli newspaper Haaretz that: “Every aspect of the Israeli fighting capability is amazing to the Taiwanese people and the Taiwanese government.”

Wu explained that he appreciated how Israel protected its own country because, “basically, we [Taiwan] have barely started. The fighting experiences of Israel are something we’re not quite sure about ourselves. We haven’t had any war in the last four or five decades, but Israel has that kind of experience”.

• READ MORE: Antony Loewenstein: Palestine a testing ground for war tech
• Antony Loewenstein’s website

Wu also expressed interest in Israeli weapons, suggesting his country had considered their usefulness in any potential war with China.

“Israel has the Iron Dome,” he said, referring to Israel’s defence system against short-range missiles. “We should look at some of the technology that has been used by the Israelis in its defence. I’m not sure whether we can copy it, but I think we can look at it and learn from it.”

It isn’t just Taiwan imagining itself as akin to Israel. Ukrainian President Volodymyr Zelensky said in April 2022 that his vision for his nation was to mimic “the Jewish state“.

Two months after Russia’s illegal invasion of its territory, Zelensky, who is a long-time supporter of Israel, argued that “our people will be our great army. We cannot talk about ‘Switzerland of the future’ — probably, our state will be able to be like this a long time after. But we will definitely become a ‘big Israel’ with its own face.”

Zelensky went on to explain that what he meant was the need in the future to have “representatives of the armed forces or the national guard in all institutions, supermarkets, cinemas; there will be people with weapons.”

The Palestine laboratory
This admiration for Israel is both unsurprising and disturbing. The praise for Israel almost always completely ignores its occupation of Palestinian territory — one of the longest in modern times — and the ways in which this colonial project is implemented.

When Taiwan, Ukraine or any other country looks to Israel for innovation, it’s a highly selective gaze which completely disappears the more than five million Palestinians under Israeli military occupation in the West Bank, East Jerusalem and Gaza.

The appeal of the Palestine laboratory is endless. I’ve spent the last years researching this concept and its execution in Palestine and across the globe.

My new book, The Palestine Laboratory: How Israel Exports the Technology of Occupation Around the World, uncovers how Israel has used the occupied Palestinians as the ultimate guineapigs when developing tools of repression, from drones to spyware and facial recognition to biometric data, while maintaining an “enemy” population, the Palestinians, under control for more than half a century.

Israel has sold defence equipment to at least 130 countries and is now the 10th biggest arms exporter in the world. The US is still the dominant player in this space, accounting for 40 percent of the global weapons industry.

Washington used its failed wars in Iraq and Afghanistan as a testing ground for new weapons. During the current Russian invasion of Ukraine, the war has been a vital “beta test” for new weapons and sophisticated forms of surveillance and killing.

But Israel has a ready-made population of occupied Palestinians over which it has complete control. For more than five decades, Israeli intelligence authorities have built an NSA-level system of surveillance across the entire occupied Palestinian territories.

Nowhere is completely immune from listening, watching or following.

In the last decade, the most infamous example of Israeli repression tech is Pegasus, the phone hacking tool developed by the company NSO Group. Used and abused by dozens of nations around the world, Mexico is its most prolific adherent.

I spoke to dissidents, lawyers and human rights activists in Togo, Mexico, India and beyond whose lives were upended by this invasive, mostly silent tool.

Israeli state and spyware
However, missing from so much of the western media coverage, including outrage against NSO Group and its founders who were Israeli army veterans, is acknowledgement of the close ties between the firm and the Israeli state.

NSO is a private corporation in name only and is in fact an arm of Israel’s diplomacy, used by Prime Minister Benjamin Netanyahu and the Mossad to attract new friends in the international arena. Despite being blacklisted by the Biden administration in November 2021, the company still hopes to continue trading.

My research, along with that of other reporters, has shown a clear connection between the sale of Israeli cyberweapons and Israel’s attempts to neuter any potential backlash to its illegal occupation.

From Rwanda to Saudi Arabia and the United Arab Emirates to India, Israeli spyware and surveillance tech are used by countless democracies and dictatorships alike.

Beyond Pegasus, many other similar tools have been deployed by newer and lesser-known Israeli companies, though they’re just as destructive. The problem isn’t just Pegasus — it could close down tomorrow and the privacy-busting technology would transfer to any number of competitors — but the unquenchable desire by governments, police forces and intelligence services for the relatively inexpensive Israeli tech that powers it.

India is even looking for alternatives to NSO Group with a less controversial history.

The Palestine laboratory is so successful because nobody wants to seriously regulate the fruits of its labours.

Ideological alignment
The extent of Israeli collusion with 20th and 21st century repression is overwhelming.

Perhaps the most revealing was the deep relationship between apartheid South Africa and Israel. It wasn’t just about arms trading, but an ideological alignment between two states that truly believed that they were fighting for their very existence.

In 1976, Israeli Prime Minister Yitzhak Rabin invited South African Prime Minister John Vorster, a Nazi sympathiser during the Second World War, to visit Israel. His tour included a stop at Yad Vashem, the country’s Holocaust memorial in Jerusalem.

When Vorster arrived in Israel, he was feted by Rabin at a state dinner. Rabin toasted “the ideals shared by Israel and South Africa: the hopes for justice and peaceful coexistence”. Both nations faced “foreign-inspired instability and recklessness”.

Israel and South Africa viewed themselves as under attack by foreign bodies committed to their destruction. A short time after Vorster’s visit, the South African government yearbook explained that both states were facing the same issue: “Israel and South Africa have one thing above all else in common: they are both situated in a predominantly hostile world inhabited by dark peoples.”

A love of ethnonationalism still fuels Israel today, along with a desire to export it. Some arms deals with nations, such as Bangladesh or the Philippines, are purely on military grounds and to make money.

Israel places barely any restrictions on what it sells, which pleases leaders who don’t want meddling in their actions. Pro-Israel lobbyists are increasingly working for repressive states, such as Bangladesh, to promote their supposed usefulness to the West.

Israel and the global far right
But Israel’s affinity with Hungary, India and the global far right, a group that traditionally hates Jews, speaks volumes about the inspirational nature of the modern Israeli state. As Haaretz journalist Noa Landau recently wrote, while explaining why Netanyahu’s government defended the latest arguably antisemitic comments by Elon Musk about George Soros:

“The government’s mobilisation in the service of stoking antisemitism is not surprising. It is the fruit of a long and consistent process in which the Netanyahu government has been growing closer to extreme right-wing elements around the world, at the expense of Jewish communities it purports to represent.”

It’s worth pausing for a moment to reflect on this undeniable reality. Israel, which claims to represent global Jewry, is encouraging an alignment between itself and a hyper-nationalist, bigoted and racist populism, regardless of the long-term consequences for the safety and security of Jews around the world.

Israel has thrived as an ethnonationalist state for so long because the vast bulk of the world grants it impunity. European nations have been key supporters of Israel, willing to overlook its occupation and abuse of Palestinians.

According to newly declassified documents from the files of Israel’s Ministry of Foreign Affairs, between 1967 and 1990 it’s clear that West Germany was becoming more critical of Israel’s settlement project in Palestine, but the main concern was protecting its own financial interests in the region if a regional war broke out.

In a document written on 16 February 1975 to the deputy director of Israel’s Ministry of Foreign Affairs for Western Europe, Nissim Yaish, before Israel’s Foreign Minister Yigal Allon’s visit to West Germany, Yaish explained the thinking in his country’s diplomatic bureaucracy:

“There is unanimity that this time such a war will have a far-reaching impact on all its affairs internally and externally and that it could wreak a Holocaust on the German economy. Based on this attitude, West Germany is interested in rapid progress toward a [peace] agreement.”

Western silence
But there has rarely been any serious interest in pursuing peace, or holding Israel to account for its blatantly illegal actions, because the economic imperative is too strong. Even today, when another Nakba against Palestinians is becoming more possible to imagine, there’s largely silence from Western elites.

Germany has banned public recognition of the 1948 Nakba and criminalised any solidarity with the Palestinian people. Germany is also keen to buy an Israeli missile defence system, confirming its priorities.

This is why Israeli apartheid and the Palestine laboratory are so hard to stop; countless nations want a piece of Israeli repression tech to surveil their own unwanted populations or election meddling support in Latin America or Africa.

Without a push for accountability, economic boycotts and regulation or banning Israeli spyware — the EU is flirting with the idea — Israel can feel comfortable that its position as a global leader in offensive weapons is secure.

This article was first published in the Middle East Eye.

This content originally appeared on Asia Pacific Report and was authored by APR editor.

“Today’s report is yet another deeply disturbing reminder of the immense danger posed by Pegasus and other spyware used to target journalists,” said Carlos Martinez de la Serna, CPJ’s program director, in New York. “Armenian and Azerbaijani authorities should allow transparent inquiries into the targeting of Armenian journalists with Pegasus, and NSO Group must offer a convincing response to the report’s findings and stop providing its technologies to states or other actors who target journalists.”

The report, “Hacking in a war zone: Pegasus spyware in the Azerbaijan-Armenia conflict,” identified at least 12 people whose devices were infected by Pegasus, spyware produced by the Israeli company NSO Group. Many of the infections clustered around the 2020 Nagorno-Karabakh war between Armenia and Azerbaijan and its subsequent escalations.

The report was published Thursday, May 25, by the rights groups Access Now, Amnesty International, and Citizen Lab, the Armenian digital emergencies group CyberHUB-AM, as well as independent mobile security researcher Ruben Muradyan.

The targets included Armenian human rights activists, academics, and state officials, two media representatives who requested to be kept anonymous, and three named journalists:

• Karlen Aslanyan, a reporter with the U.S. Congress-funded broadcaster RFE/RL’s Armenian service, Radio Azatutyun
• Astghik Bedevyan, a reporter with Radio Azatutyun
• Samvel Farmanyan, co-founder of the now-defunct independent broadcaster ArmNews TV

The report says its authors found “substantial evidence” suggesting that Azerbaijan authorities purchased access to Pegasus, and that the targets would have been of intense interest to Azerbaijan. The targets were also critical of Armenia’s government, which is believed to have previously used another spyware product.

NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.

CPJ has documented the grave threat posed to journalists by spyware, and joined with other rights groups to issue recommendations to policymakers and companies to combat the use of spyware against the media, including by imposing bans on technology and vendors implicated in human rights abuses.

Azerbaijani journalists Sevinj Vagifgizi and Khadija Ismayilova were previously confirmed to have had their devices infected with Pegasus, while dozens of other prominent Azerbaijani journalists featured on a leaked list of potential Pegasus targets analyzed by the collaborative investigation Pegasus Project in 2021.

CPJ emailed NSO Group, the National Security Service and Ministry of Internal Affairs of Armenia, and the State Security Service and Ministry of Internal Affairs of Azerbaijan for comment, but did not immediately receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

“Today’s report is yet another deeply disturbing reminder of the immense danger posed by Pegasus and other spyware used to target journalists,” said Carlos Martinez de la Serna, CPJ’s program director, in New York. “Armenian and Azerbaijani authorities should allow transparent inquiries into the targeting of Armenian journalists with Pegasus, and NSO Group must offer a convincing response to the report’s findings and stop providing its technologies to states or other actors who target journalists.”

The report, “Hacking in a war zone: Pegasus spyware in the Azerbaijan-Armenia conflict,” identified at least 12 people whose devices were infected by Pegasus, spyware produced by the Israeli company NSO Group. Many of the infections clustered around the 2020 Nagorno-Karabakh war between Armenia and Azerbaijan and its subsequent escalations.

The report was published Thursday, May 25, by the rights groups Access Now, Amnesty International, and Citizen Lab, the Armenian digital emergencies group CyberHUB-AM, as well as independent mobile security researcher Ruben Muradyan.

The targets included Armenian human rights activists, academics, and state officials, two media representatives who requested to be kept anonymous, and three named journalists:

• Karlen Aslanyan, a reporter with the U.S. Congress-funded broadcaster RFE/RL’s Armenian service, Radio Azatutyun
• Astghik Bedevyan, a reporter with Radio Azatutyun
• Samvel Farmanyan, co-founder of the now-defunct independent broadcaster ArmNews TV

The report says its authors found “substantial evidence” suggesting that Azerbaijan authorities purchased access to Pegasus, and that the targets would have been of intense interest to Azerbaijan. The targets were also critical of Armenia’s government, which is believed to have previously used another spyware product.

NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.

CPJ has documented the grave threat posed to journalists by spyware, and joined with other rights groups to issue recommendations to policymakers and companies to combat the use of spyware against the media, including by imposing bans on technology and vendors implicated in human rights abuses.

Azerbaijani journalists Sevinj Vagifgizi and Khadija Ismayilova were previously confirmed to have had their devices infected with Pegasus, while dozens of other prominent Azerbaijani journalists featured on a leaked list of potential Pegasus targets analyzed by the collaborative investigation Pegasus Project in 2021.

CPJ emailed NSO Group, the National Security Service and Ministry of Internal Affairs of Armenia, and the State Security Service and Ministry of Internal Affairs of Azerbaijan for comment, but did not immediately receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

Since March, López Obrador has sharply criticized Article 19, national investigative magazine Proceso, privately owned online news outlets Animal Político and Aristegui Noticias, and Animal Político investigative reporter Nayeli Roldán over their coverage of the Mexican federal government’s alleged use of illegal spyware.

The president’s statements have led to online abuse and threats of violence against Article 19, the three outlets, and their reporters, according to Roldán, Animal Político’s editorial director Daniel Moreno, and Article 19’s regional director Leopoldo Maldonado, who all spoke to CPJ by phone. 

“Mexican President López Obrador’s recent attempts to discredit journalist Nayeli Roldán, three critical news outlets, and Article 19 are more proof that his administration prefers harassing journalists over solving the country’s catastrophic press freedom crisis,” said CPJ Mexico Representative Jan-Albert Hootsen. “López Obrador’s constant verbal attacks on reporters, which serve only as a distraction from the issues they report on, must stop before they lead to further violence against the press.”

Since he assumed office in 2018, López Obrador repeatedly stated that his government does not engage in illegal surveillance with spyware and denied that his administration uses such applications for anything other than national security.

However, a series of reports published in March 2023 provided evidence that the Mexican military used Pegasus, a spyware developed by the Israeli NSO group, to monitor conversations between human rights activist Raymundo Ramos and two journalists at the Mexico City newspaper El Universal since 2019.

In a March 10 press briefing, Roldán asked López Obrador about those allegations, to which he responded by saying Roldán was “always against his government.” When Roldán insisted the military must explain the legal basis for the spying, he accused her of “not being objective,” and called her “unprofessional” and part of the “tendentious, bribed media.”

During an April 28 press conference, the president told reporters that Roldán was paid in 2022 by the National Institute for Access to Information, a federal autonomous body that handles freedom of information requests and regulates the protection of personal data. López Obrador has been highly critical of the institute, which he claims is “useless,” “onerous, opaque, and unnecessarily expensive,” and opposes his administration and him personally, according to news reports.

During a May 2 press briefing, López Obrador accused Article 19 of being funded by the U.S. government to work “against his government,” therefore “violating our sovereignty” and called the organization “interventionist,” adding that he would send a diplomatic cable to the U.S. government “in protest.”  

Moreno, Roldán, and Maldonado told CPJ that the president’s remarks have led to many hateful comments on social media against them personally, as well as on websites and social media pages of Article 19, Proceso, Animal Político, and Aristegui Noticias. Roldán said she received “vicious” misogynistic comments, while Maldonado said he and his organization received many threats and statements echoing the president’s comments.

“I’ve been receiving lots of insults, an increasing number. I’d even call it stalking,” Roldán told CPJ, adding that the pressure has forced her to keep a lower profile on social media. “I can’t send out a single tweet without it receiving insults.” 

Moreno said the president’s comments have made him and his reporters feel less safe, leading some of his reporters to ask not to be named in bylines. 

“We try to respond to the president, who constantly lies about us and never rectifies false information. His daily press briefing is a far bigger platform than anything we could ever hope to have,” Moreno said. “We have seen an increase in the number of attacks and insults against us, including social media users openly asking who our family members are to accost them as well.”

CPJ contacted presidential spokesperson Jesús Ramírez Cuevas for comment via messaging app but did not receive any response.  

Mexico was the deadliest country in the Western Hemisphere for journalists in 2022. At least three reporters were murdered in direct connection to their work, and CPJ is investigating another 10 killings to determine the motive.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On the morning of April 30, Togolese soldiers arrested Samboe, the founder and owner of the privately owned Laabali news website, as he was reporting on the aftermath of a jihadist attack in Togo’s northern Waldjouaque village, according to the journalist and Robert Douti, Laabali’s editorial director, who both spoke to CPJ by phone.

Samboe told CPJ that the soldiers took him to their nearby base, where they questioned him about why he was in the area, seized his two phones and computer, and deleted audio and video recordings he had taken that day. They then transferred him to the custody of the local gendarmerie office in the northern city of Dapaong. The gendarmerie held him until May 2 and released him only after he signed a document agreeing not to return to the area without first “informing” the authorities.

“Journalists should be free to work without fear of arrest, harassment, or undue requirements that they inform authorities of their movements,” said Angela Quintal, CPJ’s Africa program coordinator. “Togolese journalist Edouard Kamboissoa Samboe should be allowed to work without restriction, and authorities should refrain from harassing members of the press and seizing their devices.”

Samboe said the soldiers were angry because he tweeted about his detention before being transferred to the gendarmerie.  “Get him out, we’ll settle the accounts…We’re going to put him down,” Samboe recalled the soldiers saying, adding that they said, “We spared you and you are ungrateful.”

Samboe said the gendarmerie released him without charge after he signed the agreement and gendarmerie officers returned his phones and computer the following day. He described his detention as an attempt to “isolate” and “traumatize” him.

While in custody of the gendarmerie, Samboe said he was questioned about his work, including if he had ever interviewed jihadists or worked for France-based media outlets like TV5 Monde or Le Monde. Authorities in Burkina Faso, which shares a border with northern Togo, have suspended French broadcasters France 24 and Radio France Internationale over their coverage of the conflict with jihadists in the country, and in April expelled French reporters Agnès Faivre and Sophie Douce.

Samboe said both the soldiers and gendarmerie made him give up the password to one of his phones, which was locked. The gendarmerie also made him give them the password to his Telegram account, he added.

“It is possible that they read my messages,” he told CPJ, adding that he believed authorities had accessed his Facebook account as well because he was logged in on his computer when they took it, but was logged out after it was returned.

Samboe said he was worried that his devices were no longer safe to use, citing concerns over the threat of Pegasus spyware, which has been deployed against Togolese civil society members and may have been used to target Togolese journalists. In July 2022, Togo communication minister Akodah Ayewouadan told CPJ that the government had no connection with the Pegasus vendor NSO Group and “has not used that spyware,” but did not respond to subsequent written questions.

Togolese Minister of Security and Civil Protection Yank Damehame and a gendarmerie officer at the Dapaong office, who identified himself only as Rachid, both agreed to respond to queries via messaging app. CPJ sent questions to both for comment but did not receive any responses by the time of publication.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

Six dozen civil society groups, journalists, and experts marked World Press Freedom Day on Wednesday with a joint call for "all governments to implement an immediate moratorium on the export, sale, transfer, servicing, and use of digital surveillance technologies, as well as a ban on abusive commercial spyware technology and its vendors."

The use of spyware against media workers is "an alarming trend impacting freedom of the press and creating a wider chilling effect on civil society and civic space," the statement argues. "Privacy, source protection, and digital security are essential components of press freedom, allowing journalists to protect the confidentiality and integrity of their work and sources."

"As governments and other entities seek to suppress the press and silence dissent, we are seeing an exponential increase in the market for digital surveillance technologies, including spyware, that overrides these journalistic principles."

"As governments and other entities seek to suppress the press and silence dissent, we are seeing an exponential increase in the market for digital surveillance technologies, including spyware, that overrides these journalistic principles," the statement continues. Such tools "can infiltrate a target's phone, giving the attacker full access to emails, messages, contacts, and even the device's microphone and camera," rendering secure and encrypted platforms useless.

"From El Salvador to Mexico, from India to Azerbaijan, from Hungary to Morocco, to Ethiopia—the list goes on of countries where investigative journalists working to expose corruption, power abuses, or human rights violations, have been targeted by invasive spyware such as Pegasus," the statement adds, referencing spyware from the Israeli firm NSO Group that has been used to target reporters, dissidents, and world leaders.

The advocates of banning this type of surveilleance technology noted that there are at least 180 known cases of potentially targeted journalists across 21 countries. They pointed to multiple examples, including Hungary-based Andras Szabo and Szabolcs Panyi being targeted with Pegasus in 2019, and Raymond Mujuni and Canary Mugume facing the same spyware two years later in Uganda.

According to the statement:

Moroccan investigative journalist Omar al-Radi was targeted with Pegasus spyware between 2019 and 2021, and later sentenced to six years in prison on bogus rape and espionage charges. Meanwhile journalist Hicham Mansouri, who fled from Morocco to France in 2016 following state harassment and detention, was hacked by Pegasus at least 20 times between February and April 2021.

Perhaps the most infamous example of how spyware can facilitate and enable transnational repression and serious human rights violations, including enforced disappearance and extrajudicial killing, is the murder of Saudi journalist and dissident Jamal Khashoggi at the Consulate of the Kingdom of Saudi Arabia in Istanbul on October 2, 2018. Both prior to and after his death, Mr. Kashoggi's family members and acquaintances were targeted by Pegasus spyware.

"It is clear that the use of spyware and unlawful targeted surveillance violates the fundamental rights of freedom of expression and access to information, peaceful assembly and association, freedom of movement, and privacy," the statement asserts, demanding not only a ban but also accountability for developers and distributors of the technology, and boosted efforts to protect journalists.

The statement was launched at Secret Surveillance: Countering Spyware's Threats to Freedom of the Press and Expression, an event co-hosted by advocacy organizations including Access Now.

"Invasive and abusive commercial spyware that has been used to facilitate human rights abuses globally has no place in our world," declared Access Now surveillance campaigner Rand Hammoud. "Years worth of evidence by civil society has demonstrated that the companies selling these technologies should not be rewarded with governmental contracts that would continue enabling their abuses."

Natalia Krapiva, tech legal counsel at Access Now, agreed that "this sinister technology that has been misused and abused by governments around the world is not safe in any hands, and its use can never be justified."

"Discussions do not suffice," Krapiva added. "We expect action: Protect freedom of the press, stamp out the spyware threat."

The spyware statement came as other members of the media acknowledged World Press Freedom Day in various ways, including sounding the alarm about the impacts of artificial intelligence on fact-based journalism, demanding global safeguards for digital privacy, and calling out the U.S. government for continuing to seek the extradition of WikiLeaks founder Julian Assange.

This content originally appeared on Common Dreams and was authored by Jessica Corbett.

“President Biden’s executive order limiting the United States’ use of commercial spyware is an important step in recognizing and mitigating the harm that these technologies can have on journalists and democratic institutions more broadly,” said CPJ U.S. and Canada Program Coordinator Katherine Jacobsen. “This order serves as an important reminder as this week’s Summit for Democracy begins that unfettered use of technology to surveil journalists is a threat to core democratic values in the U.S. and abroad.”

The global use of spyware has prompted what CPJ views as an existential crisis for journalism and the organization has been among those calling for moratoriums on its use.

In 2021, the European Union adopted similar regulations on the export of surveillance technologies. Also that year, the U.S. Department of Commerce imposed export controls on the Israel-based technology company NSO Group over its development of Pegasus spyware.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

“The revelations that Mexican authorities have continued to spy on activists, including their communications with reporters, is a shocking confirmation that President Andrés Manuel López Obrador’s promises to do away with illegal surveillance have not been realized,” said Jan-Albert Hootsen, CPJ’s Mexico representative. “The previous failure to hold officials engaged in spying to account all but guaranteed that little would change. Only a credible, swift, and transparent investigation into these abuses will show that the government is taking such actions seriously.”

Joint reporting published Tuesday, March 7, by The New York Times and the independent Mexican outlet Aristegui Noticias showed that military authorities used Pegasus surveillance software designed by the Israeli firm NSO Group to spy on Ramos.

According to that reporting, an intelligence unit with Mexico’s Defense Secretariat attacked Ramos’ phone on numerous occasions between 2019 and 2020, and listened in on conversations he had with journalists at the newspaper El Universal about alleged extrajudicial executions of civilians in the northern state of Tamaulipas. The documents also revealed that the secretariat accused Ramos of working for a criminal gang in the state.

López Obrador, who assumed office in 2018, pledged that his government would end surveillance and denied the continued use of Pegasus. Past investigations into the use of Pegasus have not led to the arrest of public officials allegedly responsible for the surveillance.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

A human rights attorney raised alarm Monday over the expansion plans of Toka, an Israeli cyber firm that sells hacking technologies capable of finding, accessing, and manipulating security and smart camera footage.

Co-founded by former Israeli Prime Minister Ehud Barak and former Israel Defense Forces (IDF) cyber chief Yaron Rosen, Toka "sells technologies that allow clients to locate security cameras or even webcams within a given perimeter, hack into them, watch their live feed, and even alter it—and past recordings," Haaretzreported, citing internal documents it obtained and reviewed with a technical expert.

"One can imagine video being manipulated to incriminate innocent citizens or shield guilty parties."

The company, whose activities are overseen by the Israeli Defense Ministry, "was set up in 2018 and has offices in Tel Aviv and Washington," Haaretz reported. "It works solely with state clients in government, intelligence bodies, and law enforcement agencies, almost exclusively—but not just—in the West. According to the internal documents, as of 2021, the company had contracts with Israel valued at $6 million, and had also planned an 'expansion of existing deployment' in Israel."

Toka can tap into web-connected cameras found virtually everywhere—intersections, parking lots, malls, hotels, airports, and even homes. Haaretz compared the firm's "cyberoffense" capabilities to the 2001 heist movie Ocean's Eleven.

In that film, an "elite crew led by George Clooney and Brad Pitt hack the closed-circuit TV system of the Las Vegas casino vault they are trying to break into, diverting its feed to a mock safe they built in a nearby warehouse," the outlet noted.

Haaretz continued:

Twenty years on, this is no longer the stuff of movies: Toka's tech allows clients to do just that and more—not just diverting a live feed but also altering old feeds and erasing any evidence of a covert op.

Technical documents reviewed by an ethical hacker prove that Toka's tech can alter both live and recorded video feeds—all without leaving any forensics or telltale signs of a hack (in contrast to NSO's Pegasus spyware, or Intellexa's Predator, which leave a digital fingerprint on targeted devices).

"These are capabilities that were previously unimaginable," human rights lawyer Alon Sapir told the outlet. "This is a dystopian technology from a human rights perspective. Just its mere existence raises serious questions."

"One can imagine video being manipulated to incriminate innocent citizens or shield guilty parties that are close to the system, or even just manipulative editing for ideological or even political purposes should it fall into the wrong hands," said Sapir.

From a legal perspective, "intelligence collection is a sensitive issue," Sapir explained. "Despite a lack of legislation, the police deploy mass surveillance means they may not be fully authorized to use: technology like the HawkEye system, which no one knew about until the media revealed its existence."

While manipulated videos are inadmissible as evidence in Israeli courts, Sapir noted that "a scenario in which someone is accused of something and doesn't know if the evidence presented against them is real or not is truly dystopian. The current law does not begin to address situations like these."

People living in the Occupied Palestinian Territories are especially vulnerable to abuse.

"Take for example the Blue Wolf facial recognition technology, used by the IDF to keep track of Palestinians," said Sapir. "The West Bank is Israel's defense establishment testing ground—and a scenario in which Toka's tech is deployed unbeknownst to anyone is simply terrifying."

"There have been cases in which video evidence helped refute false claims made by settlers and soldiers, and helped save innocent Palestinians from jail," he added. "We've also seen cases in which video evidence has been tampered with in the past."

This content originally appeared on Common Dreams and was authored by Kenny Stancil.

Sophisticated surveillance technology, such as NSO Group’s Pegasus software, goes undetected as it infiltrates the devices of journalists, allowing the perpetrators to access phone calls, photos, emails, and messages — even ones sent via encrypted services like Signal. CPJ’s report, which includes interviews with reporters, tech experts, and press freedom advocates in multiple countries, includes first-hand accounts from journalists on how the disclosures have affected their work since they were named as possible surveillance targets in the revelatory 2021 Pegasus Project report. In reports from Hungary to India, Mexico to Morocco, journalists told CPJ that the simple prospect of spyware made it harder to conduct meetings, interact with sources, report on sensitive topics, and communicate with loved ones.

“Spyware technology poses an existential challenge for journalism. This insidious technology compromises editorial planning and can dissuade journalists from reporting on critical stories or discourage would-be sources from coming forward, carving a hole into the very fabric of journalism — the ability to report freely and safely,” said Gypsy Guillén Kaiser, CPJ’s advocacy and communications director. “Spyware brings another layer of risk to reporting that extends to the personal sphere when journalists’ families and associates are also targeted. Legislators everywhere must swiftly act to curtail the threats posed by this technology and hold perpetrators of illicit spyware use to account.” 

The spyware industry’s lack of regulation makes it nearly impossible to prevent or even discourage the abuse of the technology and provides limited options for accountability or justice. In its report, CPJ puts forward a list of comprehensive policy recommendations to combat the arbitrary or unlawful deployment of spyware, including an immediate moratorium on the development, sale, and use of spyware technologies until governments have enacted robust regulations in line with international human rights standards. 

CPJ calls for export control listings and targeted sanctions to be enacted against those who have spied on journalists and the barring of all government agencies known to attack press freedom or lacking regulatory resources to purchase spyware. Critically, all governments should join the Export Controls and Human Rights Initiative to build consensus for global regulatory action.

The report also includes an opinion column by David Kaye, a former U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, on what he recommends global leaders should do to stop the abuse of spyware. 

For more information or to arrange interviews with CPJ experts, contact press@cpj.org. The overview of the report is also available in Spanish and the country case studies in their respective languages.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

The indignation and humiliation were from seeing himself and other prominent journalists included on a list of convicted criminals and known mob figures considered to be threats to Hungary’s national security. The pride was because the Hungarian government, which routinely ignored his reporting questions, thought it was worth spending tens, if not hundreds, of thousands of dollars on his surveillance; the relief was the validation that his earlier suspicions about being spied on were not a sign of paranoia.

Other Hungarian journalists targeted for surveillance expressed similarly ambiguous emotions in interviews with CPJ. And all were skeptical that any future recommendations by the European Parliament’s committee of inquiry into Pegasus and other spyware, expected next year, would bring much relief in a country where independent media face an increasingly hostile press freedom climate under the government of right-wing Prime Minister Viktor Orbán.

Panyi, who continues to relentlessly investigate the surveillance scandal, is one of the few journalists still giving regular interviews to Hungarian and international media about his surveillance. Three other CPJ interviewees said that while they were making an exception in talking to the organization, they’d otherwise stopped making public statements on their experience because they did not want their Pegasus targeting to define their lives.

Read CPJ’s complete special report: When spyware turns phones into weapons

The three – crime reporter Brigitta Csikász, Zoltán Varga, owner of one of the country’s biggest independent news sites, 24.hu, and a reporter who asked not to be identified for fear that further publicity would negatively impact his career – were named as targets in July 2021, when Panyi broke the story for Direkt36 as part of its reporting for the Pegasus Project, an international investigation that found the phone numbers of more than 180 journalists on a global list of potential spyware targets. (The NSO Group, which makes Pegasus, denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.)

Along with Panyi, all the journalists recounted signs that they were under physical and digital surveillance before they were aware of Pegasus being used against them, and all said that their private and professional lives had changed since the scandal broke last year.

Csikász, who covers corruption, told CPJ in a phone interview that she had seen numerous signs that people might be watching her and was warned by friends for years that her phone might be monitored. “I did not get a heart attack, I was not at all traumatized,” she told CPJ in a phone interview about her reaction to the news that Pegasus was used to monitor the contents of her phone between early April and mid-November 2019.   

Csikász has even managed to find some humor in her situation. “My friends took it real easy, most of them just crack jokes and my family took it as a sign of prestige and importance. For them, it is as if I was awarded with a special journalism prize,” she said. She added that the publicity surrounding the disclosures had even prompted some sources to contact her because they heard about her in the news. “I was not, and I have not, become paranoid,” she told CPJ.

Still, Csikász, who currently works for daily tabloid newspaper Blikk and was reporting for the investigative outlet Átlátszó, remains concerned about the intrusion. “As a journalist, I respect my country’s laws and my profession’s ethical standards and I consider the possibility of being spied on as part of my job,” she said. However, she would like to know which of her numerous investigations were considered threats to national security.

Varga told CPJ in a video interview that he’d attracted government attention when he started investing in media in 2014. This scrutiny increased, especially when he made it clear around 2017 that he would not be willing to sell his assets in spite of quiet threats and warnings from businesspeople linked to the government. In recent years, he said, he had spotted people sitting in cars parked outside his house and apparent eavesdroppers sitting next to his table at restaurants. He recalled that his phone calls were often interrupted, he once heard a recording of a call played back from the start, and at one point German tech experts provided proof that his android phone had been hacked.

Panyi’s investigation found Varga’s Pegasus surveillance started around the time he invited six people to a dinner in his house in Budapest in June 2018, two months after Orbán won a third consecutive term as prime minister. All seven participants of the dinner were selected as potential candidates for surveillance and at least one of their phones showed evidence of infection under Amnesty’s forensic analysis.  

“I was only surprised that the regime used this type of high-level technology to spy on an otherwise innocent gathering of intellectuals,” Varga told CPJ in a video call. “It was far from being a coup, it was just a friendly gathering. We discussed the very high level of corruption in Hungary’s ruling elite and how to find ways to expose it. Using this kind of technology in such a situation for me just shows how much the government is afraid of its opponents,” he said.

The reporter who spoke on condition of anonymity was also surprised that the government would deploy such high-tech spyware against journalists. Although he’d seen indications of occasional physical surveillance, the Pegasus infiltration “came out of the blue and was a real shock to me,” he said in a phone interview. His “dark period” only eased when the fact of his surveillance was publicly reported. “Since then, I prefer not to speak about it and share my experiences with anyone but my friends,” he told CPJ.

Panyi said that the way he communicates with sources has now become much slower and more complicated. “Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life,” he told CPJ in a phone interview. He uses various secure digital tools and applications, is mindful about what networks he connects to on his computer or mobile phone, regularly goes to meetings without his phone, and continues to take physical notes.

Varga says the spyware disclosures have harmed some of his business ventures. “The Pegasus scandal made it obvious for both my business and private contacts that it might be risky to talk to me and they might also get exposed, which people obviously try to avoid,” Varga told CPJ, adding that acquaintances now crack Pegasus “jokes” in most of his meetings. “As a result of this whole affair, I have much less phone calls, more walking meetings outside, without phones in the pocket,” he said.

Many companies, including advertising agencies and advertisers for his news site, seem to prefer to avoid doing business with him, and their loss is not offset by the small number of ad-buyers who now see the site as an important media voice, said Varga. “I have become kind of toxic for my environment,” he told CPJ. 

The reporter who preferred not to be named said that his phone now “stays outside” whenever he sees friends and family and he uses a special anti-tracking case when he attends professional meetings.

Hungary’s government acknowledged in November 2021 that it had bought Pegasus spyware, but says that its surveillance of journalists and political critics was carried out in accordance with Hungarian law.

A government spokesman said that journalists might have been monitored because some of their sources were under surveillance on suspicion of crimes or terrorist links, not because the journalists were the direct targets of the investigations.

In January, the Hungarian National Authority for Data Protection and Freedom of Information issued a 55-page report, which concluded that in all the cases they investigated, including those involving journalists, all legal criteria for the application of the spyware were met and the spyware was used to protect Hungary’s national interests.  

These responses have left the journalists who spoke to CPJ with little hope that anyone will be held accountable for the intrusion on their lives. Nor do they expect help from the institutions of the European Union, where officials themselves have been targeted by spyware as they grapple with mounting political pressure over how to hold member states accountable for any breaches of the rule of law.

As the European Parliament’s committee of inquiry looks at the mountain of evidence that surveillance spyware has been used in EU countries and against EU citizens, the EU Commission lacks the powers to hold member states to account, and has been forced to refer those seeking justice to their national courts.    

Surveilled journalists might eventually get EU relief if a new draft European Media Freedom Act, released on September 16, becomes law. The Act could give journalists a path to file a complaint to the EU’s Court of Justice if they or those close to them are subject to the unjustified use of spyware. However, the Act still has to be reviewed by EU institutions and member states and may not survive in its current form.  

Meanwhile, Panyi does not believe Hungary’s courts can provide any relief. “The laws regulating national security, including surveillance, are so broadly formulated that it is legal to wiretap and surveil anyone,” he told CPJ. Noting that there was no independent oversight of the surveillance process, he added that “legal” in these cases meant only that “everything has been properly documented, and the necessary stamps are where they should be.”

In June, Panyi saw his concerns confirmed when the Central Investigation Prosecutor’s Office announced it had terminated its own investigation into the allegations of illegal surveillance of journalists and opposition politicians, citing absence of a crime. “A broad investigation which included classified documents found no unauthorized and secretive collection of information or the unauthorized use of a concealed device,” said the investigators. 

Additional reporting by Tom Gibson in Brussels

This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong/CPJ EU Correspondent.

“Earlier it was just one conversation they [authorities] would tap into,” Venu told CPJ in a phone interview. “They wouldn’t see what you would be doing in your bedroom or bathroom. The scale was stunning.”

The Indian journalists were among scores around the world who learned from the Pegasus Project in July 2021 that they, along with human rights activists, lawyers, and politicians, had been targeted for possible surveillance by Pegasus, the spyware made by Israel’s NSO Group. (The company denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.) 

The Pegasus Project found that the phones of two founding editors of The Wire – Venu and Siddharth Vardarajan – were confirmed by forensic analysis to have been infected with Pegasus. Four other journalists associated with the outlet – diplomatic editor Devirupa Mitra, and contributors Rohini Singh, Prem Shankar Jha, and Swati Chaturvedi – were listed as potential targets.

The Indian government denies that it has engaged in unauthorized surveillance, but has not commented directly on a January New York Times report that Prime Minister Narendra Modi agreed to buy Pegasus during a 2017 visit to Israel. The Indian government has not cooperated with an ongoing inquiry by an expert committee appointed by the country’s Supreme Court to investigate illegal use of spyware. In late August, the court revealed that the committee had found malware in five out of the 29 devices it examined, but could not confirm that it was Pegasus.

However, Indian journalists interviewed by CPJ had no doubt that it was the government behind any efforts to spy on them. “This government is obsessed with journalists who are not adhering to their cheerleading,” investigative reporter Chaturvedi told CPJ via messaging app. “My journalism has never been personal against anyone. I don’t understand why it is so personal to this government.” For Chaturvedi, the spying was an invasion of privacy “so heinous that how do you put it in words.” 

Read CPJ’s complete special report: When spyware turns phones into weapons

Overall, the Pegasus Project found that at least 40 journalists were among the 174 Indians named as potential targets of surveillance. With six associated with The Wire, the outlet was the country’s most targeted newsroom. The Wire has long been a thorn in the side of the ruling Bharatiya Janata Party (BJP) for its reporting on allegations of corruption by party officials, the party’s alleged promotion of sectarian violence, and its alleged use of technology to target government critics online. As a result, various BJP-led state governments, BJP officials, and their affiliates have targeted the website’s journalists with police investigations, defamation suits, online doxxing, and threats.

Indian home ministry and BJP spokespeople have not responded to CPJ’s email and text messages requesting comment. However after the last Supreme Court hearing, party spokesperson Gaurav Bhatia criticized the opposition for “trying to create an atmosphere of fear” in India. “They [Congress party] were trying to spread propaganda that citizens’ privacy has been invaded. The Supreme Court has made it clear that no conclusive evidence has been found to show the presence of Pegasus spyware in the 29 phones scanned,” he said.

As in so many other newsrooms around the world, the Pegasus Project revelations have prompted The Wire to introduce stricter security protocols, including the use of encrypted software, to protect its journalists as well as its sources.

Ajoy Ashirwad Mahaprashasta, political editor at The Wire, told CPJ in a phone interview that as part of the new procedures, “we would not talk [about sensitive stories] on the phone.” While working on the Pegasus project, the Wire newsroom was extra careful. “When we were meeting, we kept our phones in a separate room. We were also not using our general [office] computers,” he said.

Venu told CPJ that while regular editorial meetings at The Wire are held via video call, sensitive stories are discussed in person. “We take usual precautions like occasional reboot, keep phones away when we meet anyone. What else can we do?” he asks.

Chaturvedi told CPJ via messaging app that she quickly started using a new phone when she learned from local intelligence sources that she might have been under surveillance. As an investigative journalist, her immediate concern following the Pegasus Project disclosures was to avoid compromising her sources. “In Delhi, everyone I know who is in a position of power no longer talks on normal calls,” she said. “The paranoia is not just us who have been targeted with Pegasus.”

“Since the last five years, any important source I’m trying to talk to as a journalist will not speak to me on a normal regular call,” said Arfa Khanum Sherwani, who anchors a popular political show for The Wire and is known as a critic of Hindu right-wing politics. Sherwani told CPJ that her politician sources were the first ones who moved to communicate with her on encrypted messaging platforms even before the revelations as they “understood that something like this was at play.”

Rohini Singh similarly told CPJ that she doesn’t have any conversations related to her stories over the phone and leaves it behind when she meets people out reporting. “It is not about protecting myself. Ultimately it is going to be my story and my byline would be on it. I’m essentially protecting people who might be giving me information,” she said. 

Journalists also say they are concerned about the safety of their family members.

“After Pegasus, even though my name per se was not part of the whole thing, my friends and family members did not feel safe enough to call me or casually say something about the government. Because they feel that they are also being audiographed and videographed [filmed or recorded],” said Sherwani.

Chaturvedi told CPJ that her family has been “terrified” since the revelations. “Both my parents were in the government service. They can’t believe that this is the same country,” she said.

Venu and Sherwani both expressed concerns about how the atmosphere of fear could affect coverage by less-experienced journalists starting out in their careers. “The simple pleasure of doing journalism got affected. This may lead to self-censorship. When someone gets attacked badly, that journalist can start playing safe,” said Venu.

Said Sherwani: “For someone like me with a more established identity and career, I would be able to get people [to talk to me], but for younger journalists it will be much more difficult to contact politicians and speak to them. Whatever they say has to be on record, so you will see less and less source-based stories.”

Ashirwad agreed. “I’m very critical of this government, which is known. My stand now is I shall not say anything in private which I’m not comfortable saying in public,” he said.  

This content originally appeared on Committee to Protect Journalists and was authored by Kunal Majumder/CPJ India Representative.

Over five years have passed since Villarreal and Ismael Bojórquez, RíoDoce’s co-founder and editor-in-chief, received the suspicious text messages that experts said bore telltale signs of Pegasus, the now notorious surveillance software developed by Israeli firm NSO Group. Just this month, a joint investigation by three Mexican rights groups and the University of Toronto’s Citizen Lab found evidence of Pegasus infections on the devices of two Mexican journalists and a human rights defender between 2019 and 2021 – infiltration that occurred in spite of Mexican President Andrés Manuel López Obrador’s 2018 promise to end illegal surveillance. (López Obrador denied on October 4 that his administration had used Pegasus against journalists or political opponents, saying, “if they have evidence, let them present it.”)

The previous Mexican administration also denied using the technology on high-profile journalists, even after the Pegasus Project, a global consortium of investigative journalists and affiliated news outlets that investigated the use of the spyware, reported in 2021 that more than two dozen journalists in Mexico have been targeted with the spyware. Those named included award-winning investigative journalist Carmen Aristegui and Jorge Carrasco, the editor-in-chief of the country’s foremost hard-hitting investigative magazine Proceso. Yet although the surveillance caused considerable outrage, almost nothing has changed since 2017, according to Villarreal, who spoke to CPJ from Sinaloa’s capital, Culiacán.

Read CPJ’s complete special report: When spyware turns phones into weapons

In what CPJ has found to be by far the deadliest country for journalists in the Western Hemisphere, there remains no legal protection from intrusive surveillance, no recourse for its victims, and no repercussions for those in public office who facilitated the spying.  

López Obrador’s pledge to stop illegal surveillance was one of his first major undertakings after he took office in December 2018. Eleven months later, he assured Mexicans that the use of the Israeli spyware would be investigated. “From this moment I tell you that we’re not involved in this. It was decided here that no one will be persecuted,” he said.

But with just over two years left in office – Mexico’s constitution allows presidents to serve only a single six-year term – journalists, digital rights groups, and human rights defenders say little has come of the president’s promises. Not only has the investigation into the documented cases of illegal use of Pegasus shown no meaningful progress, the critics say, but also virtually nothing has been done to prevent authorities from continuing to spy. 

“Unfortunately, the regulatory situation and the authorities’ capacity to intercept communication have remained intact,” said Luis Fernando García of Red en Defensa de los Derechos Digitales (R3D), a Mexico City-based digital rights group that supports reporters targeted with Pegasus. “There’s very little transparency, very little publicly available information about the use of such technologies, which makes repetition a very real possibility.”

CPJ contacted the office of President López Obrador’s spokesperson for comment before publication of the October report about the most recent infections but did not receive a reply.

NSO says it only sells Pegasus to government and law enforcement agencies to combat terrorism or organized crime. But investigative journalists report that in countries like Mexico non-state actors, including criminal groups, can also get their hands on these tools even if they are not direct clients. This poses a major threat to journalists and their sources across the region, where CPJ research has found that organized crime groups are responsible for a significant percentage of threats and deadly violence targeting the press. At least one Mexican journalist who was killed for his work, Cecilio Pineda Birto, may have been singled out for surveillance the month before his death.

Villarreal and Bojorquez received the first Pegasus-infected text messages just two days after Javier Valdez Cárdenas, Riodoce co-founder and a 2011 recipient of CPJ’s International Press Freedom Award, was fatally shot on May 15, 2017, near the magazine’s offices in northern Sinaloa state. 

“Although it had all the hallmarks of Pegasus, it took us quite a while before we realized what was happening,” Villarreal recalled. “We were in a very vulnerable state after Javier’s death. It wasn’t until approximately a month later, after contact with press freedom groups, that we realized that it was Pegasus.”

A 2018 report by R3D, citing findings by Citizen Lab, stated that the likely source of Villarreal’s surveillance was the Agency of Criminal Investigation, a now-defunct arm of the federal attorney general’s office. Two autonomous federal regulators subsequently established that the attorney general’s office used Pegasus illegally and violated privacy laws.

However, an ongoing federal investigation initiated under the previous government of President Enrique Peña Nieto has not led to any arrests of public officials. In December 2021, Mexican authorities requested the extradition from Israel of the former head of the criminal investigation agency, Tomás Zerón, in connection with various investigations – reportedly including the Pegasus abuses – but that request has not yet been granted. (CPJ contacted the federal attorney general’s office for comment on the extradition, but did not receive a reply.)

Concerningly, according to Proceso, investigators of the federal state comptroller revealed in the audit of the federal budget in October 2021 that the López Obrador administration had paid more than 312 million pesos (US $16 million) to a Mexican businessman who had facilitated the acquisition of Pegasus in the past.

The López Obrador administration has not publicly responded to Proceso’s findings or the state comptroller’s report, but the president did say during his daily press briefing on August 3, 2021, that there ‘no longer existed a relationship’ with the developer of Pegasus. The president’s office had not responded to CPJ’s request for comment on the payment by the time of publication.

Experts at R3D and Citizen Lab said Pegasus traces on a journalist’s phone indicated they were hacked as recently as June 2021, just after they reported on alleged human rights abuses by the Mexican army for digital news outlet Animal Politico. The journalist was not named in reports of the incident.

“I don’t think anything has changed,” Villarreal said. “The risk continues to exist, but the government denied everything.”

R3D, together with a number of other civil society groups, has also pushed hard for new legislation to curb the use of surveillance technologies by lobbying directly to legislators and via platforms like the Open Government Alliance. So far, the result has been disappointing. Even though López Obrador and his party, the Movement of National Regeneration (Morena), hold absolute majorities in both chambers of federal congress and have repeatedly acknowledged the need to end illegal surveillance, there has been no meaningful push for new legislation on either the state or the federal level.

“There is indignation about surveillance, but my colleagues aren’t picking the issue up,” said Emilio Álvarez Icaza, an independent senator who has been outspoken about surveillance. “It’s an issue that at least the Senate does not seem to really care about.”

R3D’s García warns that Pegasus is just a part of the problem. R3D and other civil society groups say they have detected numerous other technologies that were acquired by state and federal authorities even after the scope of Pegasus’ use became clear.

“We’ve been able to detect the proliferation of systems that permit the intervention of telephones and there are publicly available documents that provide serious evidence that those systems have been used illegally,” García said. “The [attorney general’s office], for example, has acquired the capacity to conduct more than 100,000 searches of mobile phone data, but only gave clarity about 200 of them.”

“Even with regulation, the Mexican justice state has a tremendous problem of lack of transparency and accountability. The entire system seems to have been constructed to protect public officials,” said Ana Lorena Delgadillo, a lawyer and director of the Fundación para la Justicia, which provides legal support to Mexicans and Central Americans searching for ‘disappeared’ family members. “This is why I believe it’s important that cases of this nature are ultimately brought to the Supreme Court, but it’s hard to find people willing to litigate.”

Villarreal said he will not be one of those afraid to speak out. “Ultimately we’ve left our cases in the hands of civil society organizations,” he said. “Thing is, the spyware is just a new aspect of a problem that has always existed. The authorities have spied here, they will continue to do so. We have to adapt to the reality that we’ll never know the extent of what’s going on.”

This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen, CPJ Mexico Correspondent.

Last July, when the Pegasus Project investigation revealed that imprisoned Moroccan journalist Soulaiman Raissouni was selected for surveillance by Israeli-made Pegasus spyware, the journalist could only laugh. 

“I was so sure,” his wife Kholoud Mokhtari said Raissouni told her from prison. 

Raissouni is one of seven local journalists named by the Pegasus Project – an investigative consortium of media organizations – as a potential or confirmed target of Pegasus spyware. The news only validated what Moroccan’s journalist community had long suspected: that the state’s vast intelligence apparatus has been monitoring some journalists’ every move. 

Moroccan journalists were among the first worldwide to complain of the use of spyware against reporters, pointing to digital surveillance as early as 2015. In 2019 and 2020, Amnesty International announced the findings of forensic analyses confirming that Pegasus had been used on the phone of at least two Moroccan journalists, Omar Radi and Maati Monjib. Subsequent state action against some of the surveilled journalists underscored the ongoing threat to Morocco’s independent media – and reinforced CPJ’s conclusion that spyware attacks often are precursors to other press freedom violations. 

Both Raissouni and Radi are imprisoned in Morocco for what family and colleagues describe as trumped up sex crimes charges. Taoufik Bouachrine, another journalist whom the Pegasus Project said was targeted with the spyware, is imprisoned on similar charges. 

Read CPJ’s complete special report: When spyware turns phones into weapons

The Pegasus Project was unable to analyze the phones of all of those named as surveillance targets to confirm the infection and the Moroccan government has repeatedly denied ever using Pegasus. However, many of the three journalists’ private pictures, videos, texts, and phone calls, as well as those belonging to family members, were published in pro-government newspapers and sites like Chouf TV, Barlamane.com, Telexpresse, and then later used as evidence against the journalists in court.   

Bouachrine, former editor-in-chief of local independent newspaper Akhbar al-Youm, was arrested in February 2018, and is serving a 15-year prison sentence on numerous sexual assault and human trafficking charges. His wife, Asmae Moussaoui, told CPJ in a phone call in May 2022 that she believes she was surveilled, too. 

In April 2019, Moussaoui said she called a private Washington, D.C.-based communications firm to help her run ads in U.S. newspapers about Bouachrine’s case, hoping that the publicity might aid efforts to free her husband. The next day, Barlamane published a story alleging that Moussaoui paid tens of thousands of euros to the firm, using money the journalist allegedly earned through human trafficking activities. Human Rights Watch describes Barlamane as being “closely tied with security services.” 

Suspecting she was being monitored, Moussaoui turned to one of her husband’s lawyers, who suggested the pair “pull a prank” that would help them detect whether authorities were indeed spying on her. The lawyer “called me and proposed that we speak with Taoufik’s alleged victims to reconcile, which we did not really intend to do. The next day, tabloids published an article saying that our family is planning to bribe each victim with two million dirhams [about $182,000] so they drop the case. I became very sure [of the surveillance] then,” Moussaoui told CPJ.

Moroccan journalist and press freedom advocate Maati Monjib, co-founder of the Moroccan Association for Investigative Journalism (AMJI), had a similar experience. Monjib was arrested in December 2020 and sentenced to a year in prison the following month after he was convicted of endangering state security and money laundering fraud. The latter charge stems from AMJI’s work helping investigative journalists apply for grants, Monjib told CPJ in a phone call. 

“During one of our meetings at AMJI in 2015, I mentioned that we need to look for grants to support more journalists. The next day, one of the tabloids published a story claiming that Maati Monjib is giving 5,000 euros [$4,850] to every journalist who criticizes the general director of the national security. This is a proof that they were listening to our meeting,” said Monjib. 

The revelations have forced journalists and their family members to take precautions against surveillance – no easy task given the difficulty of detecting spyware infection without forensic help. “[Raissouni] told me to try to be safe, so I am trying my best,” Mokhtari, Raissouni’s wife, told CPJ. 

“Other than the usual precautions I take to protect my phone, I regularly update it and I never keep any personal pictures or important messages or emails on it,” she said. “I also buy a new phone every three months and destroy the old one, which has taken a financial toll on my family. But honestly you can’t escape it. The most tech-savvy person I know is our friend Omar Radi. He took all the necessary precautions against hacking, and they still managed to infect his devices.” 

Monjib brings his devices to tech experts almost daily to check for bugs and to clean them, he told CPJ, adding that he also never answers phone calls, only uses the encrypted Signal messaging app, and always speaks in code.

Aboubakr Jamai, a prominent Moroccan journalist and a 2003 CPJ International Press Freedom Award winner, was selected for surveillance with Pegasus in 2018 and 2019 — and confirmed as a target in 2019 — even though he has been living in France since 2007, according to the Pegasus Project. He believes that the Moroccan government is to blame for the spyware attacks, and that the surveillance has effectively ensured the end of independent journalism in the country, he told CPJ in a phone call. 

“For years now, there haven’t been any independent media or journalism associations,” said Jamai. What’s left now is a handful of individuals who have strong voices and choose to echo it using some news websites, but mainly social media platforms.” 

CPJ emailed the Moroccan Ministry of Interior in September for comment but did not receive any response. 

Still, Jamai – who gave no credence to the government’s earlier denials of Pegasus use – did see one positive result from the spyware disclosures. “It publicly exposed Morocco’s desperation and the extent to which it is willing to go to silence journalists,” he said. “Now the whole world knows that the Moroccan state is using Pegasus to spy on journalists.”

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp.

The hearing started unsurprisingly enough. Chaim Gelfand, the NSO Group lawyer, laid out the company line that Pegasus is designed for use against terrorists and other criminals. He promised that the company controlled its sales, developed human rights and whistleblowing policies, and took action against those governments that abused it. He wanted to “dispel certain rumors and misconceptions” about the technology that have circulated in “the press and public debate.” He made his case.

Then, surely from NSO Group’s perspective, it went downhill. MEP after MEP asked specific questions of NSO Group. For instance: if Pegasus is sold only to counter terrorism or serious crime, how did it come to be used in EU member states? How did it come to be used to eavesdrop on staffers at the European Commission, another public allegation? Can NSO provide examples of when it terminated contracts because a client misused Pegasus? Can NSO clarify what data it has on its clients’ uses of Pegasus? How does NSO Group know when the technology is “abused”? More personally: How come you spied on me?

MEPs were angry. Increasingly their questions became more intense, more personal, more laced with moral and legal outrage. And this tenor only deepened over the course of the hearing, as the NSO lawyer stumbled through his points and regularly resorted to the line that he could not speak to specific examples, cases or governments. Few, if any, seemed persuaded by the NSO Group claim that it has no insight into the day-to-day use of the spyware by the “end-user”. To the contrary, the PEGA hearing ended with one thing clear: NSO Group faces not only anger but the reality of an energized set of legislators.

More than a year after release of the Pegasus Project, the global reporting investigation that disclosed massive pools of potential targets for Pegasus surveillance, the momentum for action against spyware like Pegasus is gathering steam. 

Read CPJ’s complete special report: When spyware turns phones into weapons

In 2019, in my capacity as a U.N. Special Rapporteur, I issued a report to the United Nations Human Rights Council that surveyed the landscape of the private surveillance industry and the vast human rights abuses it facilitates, calling for a moratorium on the sale, transfer and use of such spyware. At the time, few picked up the call. But today, with extensive reporting of the use of spyware tools against journalists, opposition politicians, human rights defenders, the families of such persons, and others, the tide seems to be turning against Pegasus and spyware of its ilk.

The U.N. High Commissioner for Human Rights, several U.N. special rapporteurs, the leaders of major human rights organizations, and at least one state, Costa Rica, have joined the call for a moratorium. The Supreme Court of India is pursuing serious questions about the government’s use of Pegasus. The United States Department of Commerce placed NSO Group and another Israeli spyware firm on its list of restricted entities, forbidding the U.S. government from doing any business with them. Apple and Facebook’s parent company Meta have sued NSO Group for using their infrastructure to hack into individual phones.

All of these steps suggest not only momentum but the elements of a global process to constrain the industry. They need to be transformed into a long-term strategy to deal with the threats posed to human rights by intrusive, mercenary spyware. State-by-state responses, or high-profile corporate litigation, will generate pain for specific companies and begin to set out the normative standards that should apply to surveillance technologies. But in order to curb the industry as a whole, a global approach will be necessary. 

In principle, spyware with the characteristics of Pegasus – the capability to access one’s entire device and data connected to it, without discrimination, and without constraint – already violates basic standards of necessity and proportionality under international human rights law. On that ground alone, it’s time to begin speaking of not merely a moratorium but a ban of such intrusive technology, whether provided by private or public actors. No government should have such a tool, and no private company should be able to sell such a tool to governments or others.

In the land of reality, however, a ban will not take place immediately. Even if a coalition of human rights-friendly governments could get such negotiations toward a ban off the ground, it will take time.

Here is where bodies like the European Parliament and its PEGA Committee – and governments and parliamentarians around the world – can make an immediate difference. They should start to discuss a permanent ban while also entertaining other interim approaches: stricter global export controls to limit the spread of spyware technology; commitments by governments to ensure that their domestic law enables victims of spyware to bring suits against perpetrators, whether domestic or foreign; and broad agreement by third-party companies, such as device manufacturers, social media companies, security entities and others, to develop a process for notification of spyware breaches especially to users and to one another. 

Some of this would be hard to accomplish. It’s not as if the present moment, dominated as it is by tensions like Russian aggression against Ukraine, is conducive to international negotiations. Some steps could be achieved by governments that should be concerned about the spread of such technologies, already demonstrated by U.S. and European outrage. Either way, governments and activists can begin to lay the groundwork, defining the key terms, highlighting the fundamental illegality of spyware like Pegasus, taking steps in domestic law to ensure strict controls on export and use. 

There is precedent for such action in the global movement to ban landmines in the 1990s, which started with little hope of achieving a ban, focused instead on near-term controls. Ultimately human rights activists and like-minded governments were able to hammer out the Ottawa Convention to ban and destroy anti-personnel landmines in 1997. It is, at least, a process that activists and governments today could emulate and modify.

Human rights organizations and journalists have done the work to disclose the existence of a major threat to freedom of expression, privacy, and space for public participation. It is now the duty of governments to do something about it.

This content originally appeared on Committee to Protect Journalists and was authored by David Kaye.

For all governments

• Implement an immediate moratorium on the development, export, sale, transfer, servicing, and use of spyware technologies until governments have enacted robust regulations that guarantee its use in line with international human rights standards.
• Bar government agencies from purchasing or licensing the export of spyware technology from companies that sell to governments with a track record of attacking press freedom and/or journalists, or that lack mechanisms to prevent their clients from unlawfully targeting the press. 
• Commit to not using spyware technology against journalists and pursue efforts to make it explicitly illegal in national legislation. 
• Establish accountability and remedy mechanisms in documented cases of abuse against the media 
• Where governments continue to engage in the use or sale of this technology, require public reporting and consultation about spyware purchases and exports 
• Use targeted actions – including visa and economic sanctions and export control listings – to hold accountable those who have spied or facilitated spying on journalists through the sale or use of spyware, and to deter future spying. 
• If not a member, join the Export Controls and Human Rights Initiative, an international effort to codify rights-respecting policy approaches to surveillance technology exports, and use it to build consensus for global action through concrete action.

For the U.S. government 

• Comply with the Congressional requirement to create a list of companies known to sell such spyware to countries with a record of using it unlawfully or with poor human rights records. [Note: the State Department was required to do this by National Defense Authorization Act 2021 but hasn’t complied yet. State said they are working on it.] 
• Continue to use the Department of Commerce’s (DoC) Entity List for Malicious Cyber Activities to impose export controls on spyware-producing companies, such as was done with NSO Group. 
• Stringently enforce a new DoC rule establishing controls on the export, reexport, or transfer of items that can be used to spy on journalists.
• Ensure U.S. businesses are complying with the State Department’s September 2020 Guidance on “Implementing the UN Guiding Principles for Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities.”
• Congress should adopt the Surveillance Technologies Disclosure Rule, which would require companies to conduct human rights due diligence and provide transparency in the surveillance technologies’ supply chain.
• Congress should adopt the Foreign Advanced Technology Surveillance Accountability Act, which would require the U.S. State Department to report on the wrongful use of surveillance technologies in the annual Country Reports on Human Rights Practices. 

For European Union institutions 

• EU member states should fully implement the European Parliament regulation on the export of dual-use surveillance technology by EU-based companies and prevent the export of this technology from harming human rights in countries where journalists are targeted and under surveillance because of their work. 
• The European Parliament’s Committee of Inquiry into Pegasus and equivalent spyware should conduct full and independent investigations into all allegations of abuse of Pegasus in EU member states and in third countries. The committee should issue ambitious and robust recommendations to EU member states, and the institutions, with a structured plan for continued scrutiny and timely monitoring to ensure all recommendations are implemented in full.
• EU member states should fully and independently investigate all national reports that Pegasus has been used to spy on journalists, providing full access to remedy for journalists targeted, including guarantees of non-repetition and restitution.
• The European Commission should assess the extent to which the Pegasus revelations have breached EU law, seek all sanctions against violating member states, including infringement procedures, and consider its own competencies to defend EU citizens against such abuse in the future.

For companies

• Embrace corporate accountability by making  a public commitment to press freedom and protecting journalists and media outlets from covert surveillance. 
• Prohibit clients from deploying technology to spy on journalists by inserting explicit terms in contracts and licenses. 
• Revoke access to spyware when abuse is detected, and report abuse to affected individuals, relevant authorities, and oversight bodies. 
• Establish procedures to review complaints and support human rights monitors investigating allegations of abuse involving specific products. 

For international organizations 

• Consult with civil society, report on the use of spyware against journalists around the world, and raise cases with governments. 
• Use human rights review mechanisms, including the Universal Periodic Review, and related processes to ensure that commitments to limit the abusive use of surveillance technologies, including spyware, translate to appropriate action, laws and policies that align with international human rights standards on targeted surveillance. 
• Promote public debate about the abusive use of spyware and encourage member states to adopt policies and laws to stem the problem by requiring corporate actors to respect human rights and implement measures as prescribed by the United Nations Guiding Principles on Business and Human Rights.

See CPJ’s 2021 policy brief for summarized recommendations.  

Read CPJ’s complete special report on how spyware threatens journalists, their sources, and global press freedom.

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp.

The report includes a global overview of spyware and how it’s used against journalists, as well as four case studies from India, Mexico, Hungary, and Morocco. Each provides first-hand accounts from journalists, digital privacy advocates, and others who were themselves targeted by spyware. The report also includes an opinion column by David Kaye, a former U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, on what he recommends global leaders should do to stop the abuse of spyware. 

The final piece offers concrete policy recommendations from CPJ experts to governments, corporate entities, and international human rights organizations to combat the arbitrary or unlawful deployment of spyware.

The full report will be available on Thursday, October 13 at 5:00am ET at: https://cpj.org/spyware-press-freedom

If you would like to speak with a CPJ expert about the report or about spyware’s impact on journalism more broadly, please contact Adam Peck at cpj@westendstrategy.com or at +1 202-531-6408.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

“This new report definitively shows that Mexico’s President Andrés Manuel López Obrador can no longer hide behind blaming his predecessor for widespread use of Pegasus in Mexico,” said Jan-Albert Hootsen, CPJ’s Mexico representative. “Mexican authorities must immediately and transparently investigate the use of Pegasus and other spyware to target journalists during his administration, as well as push for more regulations to end the use of this technology against the press once and for all.”

The report was published by the Mexican digital rights organization R3D (Red en los Defensa de los Derechos Digitales) and rights and research groups Article 19 and SocialTIC. The University of Toronto’s Citizen Lab conducted a forensic analysis of the devices.

The device of an unnamed journalist from the online outlet Animal Político was infected in 2021, according to the report. Journalist Ricardo Raphael, a columnist for news magazine Proceso and newspaper Milenio Diario who was previously targeted in 2016 and 2017, was hacked with Pegasus at least three times in October and December 2019 and again in December 2020.

According to Citizen Lab, the more recent cases differ from previous use of Pegasus against Mexican journalists in several ways, including the use of zero-click attacks rather than malicious text messages designed to trick targets into clicking on links triggering an infection.

CPJ has documented how spyware is used to target journalists and those close to them worldwide, including repeated cases of Pegasus infections targeting journalists in Mexico, and has called for a moratorium on its trade pending better safeguards.

Israeli firm NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism. Mexican president López Obrador said in his daily press conferences earlier today that his government may address the revelations later this week.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

In a joint letter to Acting Solicitor General Brian Fletcher on August 3, the groups argued that Israeli-owned NSO Group should not enjoy sovereign immunity. The letter concerns a lawsuit WhatsApp and its parent Facebook, now called Meta Platforms Inc., filed in October 2019 alleging NSO Group used WhatsApp’s servers to deliver Pegasus spyware to the devices of more than 1,400 users. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism and claims that it should avoid accountability in U.S. courts because it acted as an agent of foreign governments under the doctrine of sovereign immunity.

In December 2020, CPJ joined an amicus brief to the U.S. Federal 9th Circuit Court urging the court to reject this argument. Following an appeal by NSO Group, in June 2022 the U.S. Supreme Court asked the solicitor general to file a brief regarding whether it should grant NSO Group’s petition for sovereign immunity.

As our letter argues, “The impact of such a finding would be that U.S. persons, including U.S.-based technology companies, on whose technologies civil society and regular users depend on across the world, and who are entitled to the protection of American laws, would be left without an effective remedy and unfettered violations of citizens’ right to privacy would be rampant.” You can read the full letter here.

In a second letter, sent Wednesday, August 23, to Secretary of Commerce Gina M. Raimondo, CPJ joined other groups in urging the Biden administration to keep NSO Group on the Entity List for Malicious Cyber Activities. The Entity List is a tool used by the Department of Commerce’s Bureau of Industry and Security to limit a designee’s access to U.S. exports. NSO was added to this list in November 2021, but reporting suggests both NSO and the Israeli government are lobbying to have the company removed. The joint letter details reporting about the use of Pegasus against journalists and activists since the original listing.

“The evidence of the use of Pegasus spyware against human rights defenders, journalists, opposition parties, and state officials by repressive regimes continues to mount, contrary to NSO Group’s claim that their spyware is used as a tool for investigating criminal activity and terrorism,” the letter states. You can read the full letter here.

This content originally appeared on Committee to Protect Journalists and was authored by Michael De Dora.

From July to September 2021, Koukakis, a financial editor for CNN Greece and a regular contributor to local and international outlets including The Financial Times and CNBC, had his cellphone surveilled by Predator spyware. The letter notes that the journalist’s communications were previously targeted by the Greek National Intelligence Service, a body overseen by the prime minister’s office.

The groups call on the Greek government to explain authorities’ previous surveillance of Koukakis, to disclose all available information about the source of the 2021 spyware attack, and to transparently show whether the Greek government was connected to the 2021 attack.

The full text of the letter can be read here.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

From July 12 to September 24, 2021, Koukakis, a financial editor for CNN Greece and a regular contributor for local and international outlets including The Financial Times and CNBC, had his cellphone surveilled by Predator, according to news reports and Koukakis, who disclosed the hacking on Monday, April 11, and spoke to CPJ in a phone interview.

Koukakis, who covers financial news, said he was notified about the surveillance by the digital rights group Citizen Lab in late March. Around the time of the surveillance, he covered topics including alleged money laundering and corruption, he said.

“Greek authorities must conduct a swift, thorough, and transparent investigation into the surveillance of journalist Thanasis Koukakis, find whoever orchestrated it, and hold them to account,” said Attila Mong, CPJ’s Europe representative. “Journalists must be able to protect their sources, and authorities must ensure that the are able to work without fear that hackers will gain access to their sources or details of their private lives.”

Predator spyware was originally developed by the North Macedonian company Cytrox, and can monitor a phone’s conversations, text messages, passwords, files, photos, internet history, and contacts, according to the Greek news outlet Inside Story, which said that the software is now owned by the Cyprus-based company WiSpear.

Koukakis told CPJ that Citizen Lab researchers believed his phone was infected through a text message containing a link that he clicked on July 12.

Koukakis said he previously noticed his phone acting strangely in 2020 and suspected it may have been infected with spyware. That August, he filed a complaint with the Hellenic Authority for Communication Security and Privacy, which later said it did not find any evidence of a breach of privacy on his phone. When Koukakis was targeted by spyware in 2021, he was using a new phone he had purchased since that incident, he said.

Koukakis told CPJ that on April 6, 2022, he filed a new complaint to the Hellenic Authority for Communication Security and Privacy and sent them Citizen Lab’s report on his case. He said he also planned to file a criminal complaint over the surveillance.

Greek government spokesperson Yannis Economou denied that the government had any involvement in surveilling Koukakis, according to news reports. CPJ emailed the Hellenic Authority for Communications Security and Privacy for comment, but did not immediately receive any reply.

CPJ was unable to find contact information for WiSpear, as its website did not load. In February, the company was fined in Cyprus for illegally surveilling private communications through the use of a “spy van,” according to news reports.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

From July 12 to September 24, 2021, Koukakis, a financial editor for CNN Greece and a regular contributor for local and international outlets including The Financial Times and CNBC, had his cellphone surveilled by Predator, according to news reports and Koukakis, who disclosed the hacking on Monday, April 11, and spoke to CPJ in a phone interview.

Koukakis, who covers financial news, said he was notified about the surveillance by the digital rights group Citizen Lab in late March. Around the time of the surveillance, he covered topics including alleged money laundering and corruption, he said.

“Greek authorities must conduct a swift, thorough, and transparent investigation into the surveillance of journalist Thanasis Koukakis, find whoever orchestrated it, and hold them to account,” said Attila Mong, CPJ’s Europe representative. “Journalists must be able to protect their sources, and authorities must ensure that the are able to work without fear that hackers will gain access to their sources or details of their private lives.”

Predator spyware was originally developed by the North Macedonian company Cytrox, and can monitor a phone’s conversations, text messages, passwords, files, photos, internet history, and contacts, according to the Greek news outlet Inside Story, which said that the software is now owned by the Cyprus-based company WiSpear.

Koukakis told CPJ that Citizen Lab researchers believed his phone was infected through a text message containing a link that he clicked on July 12.

Koukakis said he previously noticed his phone acting strangely in 2020 and suspected it may have been infected with spyware. That August, he filed a complaint with the Hellenic Authority for Communication Security and Privacy, which later said it did not find any evidence of a breach of privacy on his phone. When Koukakis was targeted by spyware in 2021, he was using a new phone he had purchased since that incident, he said.

Koukakis told CPJ that on April 6, 2022, he filed a new complaint to the Hellenic Authority for Communication Security and Privacy and sent them Citizen Lab’s report on his case. He said he also planned to file a criminal complaint over the surveillance.

Greek government spokesperson Yannis Economou denied that the government had any involvement in surveilling Koukakis, according to news reports. CPJ emailed the Hellenic Authority for Communications Security and Privacy for comment, but did not immediately receive any reply.

CPJ was unable to find contact information for WiSpear, as its website did not load. In February, the company was fined in Cyprus for illegally surveilling private communications through the use of a “spy van,” according to news reports.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

Throughout 2021, Suhair Jaradat, a freelance columnist for media outlets including the London-based Arabic news website Today’s Opinion, was repeatedly targeted by the spyware, according to a joint report published on Tuesday, April 5, by the human rights group Front Line Defenders and digital rights group Citizen Lab, as well as Jaradat, who spoke to CPJ in a phone interview.

From February to December of that year, Jaradat’s phone was infected with Pegasus spyware on at least six separate occasions, according to the journalist and that report.

The report states that a second journalist, who also works as a human rights activist, had her phone infected by the spyware at least twice in 2021; the report does not name that journalist, and CPJ was unable to immediately identify them.

“Jordanian authorities must swiftly and transparently investigate the alleged surveillance of journalist Suhair Jaradat and a second unidentified journalist, and ensure those responsible are held to account,” said Sherif Mansour, CPJ’s Middle East and North Africa program coordinator. “Journalists must be able to work without fear that hackers will gain access to their sources or their private lives.”

Jaradat told CPJ that she discovered her phone had been infected in May 2021, and officers with the local Criminal Investigation Department’s cybercrime unit were able to remove the spyware from her device. At a cybersecurity conference in February 2022, she again found that her phone had been compromised, she said. The Front Line Defenders and Citizen Lab report said that a forensic examination of her phone showed that it had been infected with Pegasus six times from February to December of 2021.

The joint report said that researchers suspected two groups of hackers were behind the campaigns targeting Jaradat, that anonymous journalist, and human rights advocates in Jordan. One of those groups was focused entirely on Jordan, and the other also had activities in Iraq, Lebanon, and Saudi Arabia. Front Line Defenders and Citizen Lab wrote that both groups were “likely agencies of the Jordanian government.” CPJ was unable to immediately determine the origin of the spyware infections.

When CPJ contacted Jordanian Ministry of Information manager Dina Doud via messaging app for comment, she referred CPJ to a statement published by the country’s National Cyber Security Center, which denied any government involvement in the use of spyware against journalists, and said it would have been illegal for authorities to have been involved in such activities.

Jaradat noted, “In Jordan, authorities stated before that they don’t use this spyware, and that people inside the Royal Court were also attacked by it. Then who is behind this attack?”

Jaradat writes commentary about Jordanian politics, and is often critical of authorities. She has covered topics including sedition, the silencing of the country’s political opposition, and the recent arrests of political and union figures.

“I can’t think of a reason but my articles” for prompting the hack, Jaradat told CPJ. “I don’t know for sure, but I can analyze that the goal behind affecting my phone with a spyware is to reach my sources or the people I work with.”

She added that the hack could be “a way of pressuring me to stop writing.”

CPJ has documented the use of Pegasus, spyware software made by the Israeli company NSO Group, to target journalists around the world and monitor their phones’ cameras, microphones, emails, texts, and calls. Journalists have been targeted with the software in Morocco, the United Arab Emirates, and Saudi Arabia, among other countries.

CPJ emailed NSO Group for comment, but received no response. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

On Wednesday, members of the European Parliament are set to vote on establishing a committee to investigate how EU member states have used Pegasus spyware to monitor people, including journalists in Europe, as well as the international reach of intrusive spyware. That committee’s final report could include recommendations that would shape the EU’s approach on tackling surveillance for years to come.

“The Committee of Inquiry should leave no stone unturned in its investigation into the use of spyware, and it must do everything possible to hold EU member states and institutions, as well as international companies, to account for the surveillance of journalists,” said Tom Gibson, CPJ’s EU representative. “This is the EU’s opportunity to take an international lead on curbing the malicious use of spyware to surveil journalists.”

CPJ has reported extensively on the use of spyware to target journalists because of their work. Israel-based NSO Group, which produces Pegasus, has said it sells only to vetted governments and law enforcement agencies.

The committee’s investigation would take place as the EU also works to more closely monitor press freedom trends in member states through its rule of law mechanism, and to better oversee recent EU legislation on the export of dual-use surveillance technology that could be used to spy on journalists. 

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

CPJ joined civil society and media groups yesterday in a statement calling on Salvadoran authorities to respond to the findings by experts at Citizen Lab and Access Now, among others. It’s not clear who was operating the spyware, but Pegasus creator NSO Group, an Israeli company, has repeatedly said it sells Pegasus only to vetted government clients and investigates allegations of abuse. More than 180 journalists around the world were identified as possible Pegasus targets last July in investigative reports that the company said were false.

The incidents in El Salvador were first publicized in November, when several journalists with iPhones reported Apple had notified them about possible spyware; Apple subsequently filed a lawsuit against NSO in a U.S. court for facilitating surveillance.

Gavarrete covers politics, health, environment, and gender for El Faro and previously worked at Gato Encerrado. Investigators found that staff at both independent digital outlets faced repeated Pegasus attacks in 2020 and 2021, especially El Faro, which reported 22 phones owned by its journalists were infected 226 times in total. The incidents coincided with some of their most hard-hitting investigations, Gavarrete told CPJ. 

President Nayib Bukele and other Salvadoran officials have also singled out the sites and other independent outlets, disparaging staff, barring entry to press conferences, and denying work permits since Bukele’s election in 2019. 

CPJ emailed Bukele’s office for comment but did not receive a response.

In a recent phone interview, Gavarrete told CPJ’s Dánae Vílchez about how knowledge of the spyware has affected her reporting. The interview has been edited for length and clarity.

Let’s talk about context: What is happening in El Salvador right now regarding press freedom?

In 2021 we saw setbacks – [fewer options] for citizens requesting information from institutions to understand what the government is doing with public funds, and the government also took a more concrete position against media it considered “inconvenient,” those that are doing watchdog work and monitoring finances. I don’t believe the situation will improve.

Were you afraid you were being spied on?

Several of us already suspected that [our communications] were being intercepted. Information that we shared was later made public on social media through trolls and Twitter accounts, [or] on pages that share fake news. But it was just a hunch.

Last year I was working on an investigative project, and it seemed like someone had read my conversations with a source. People stopped us at the entrance to a building like they knew we were going to be there. That confirmed to me that we were being monitored, but I never knew where the intervention came from.

I don’t know, for example, if the theft of my computer was state surveillance. [Editor’s note: In 2020, Gavarrete’s laptop was stolen from her home though other valuables were untouched; she was working for Gato Encerrado at the time.] I could never confirm it because the investigation never went anywhere.

How did you find out what was really going on?

I was able to confirm that I was being monitored with Pegasus working directly with organizations that were looking into this matter here in El Salvador.

My first impression was shock; suspecting you’ve been targeted isn’t the same as knowing. It hit me not only on a professional level, but also emotionally. To think about the amount of information that passes through a device, and the personal information they can access and what they can do with [it]…Processing that took me a bit of time, but in the end you have to turn the page and try to continue. That was my way of coping.

From what you know, can you tell us a little about what was found on the phones?

We found continuous interventions in which [someone] had access to and extracted information from our phones. Analysis allowed us to identify specific dates when the infections occurred.

Many of my initial thoughts were about work: What kind of information was reaching my phone [on] those days? What sources was I seeing?

Then I thought about difficult moments in my life, [like] my father’s illness. Not only are these people interested in knowing who you are as a journalist, but they want to know what happens in your personal life. Imagine the type of unscrupulous people behind this.

There were dates when a number of [us] were subject to heavy surveillance. Some journalists endured [it for] at least a year. Even for the researchers [performing the analysis], the obsessive use of Pegasus in El Salvador was very strange. It is not just that devices were being infected, but that the infections were constant.

Why do you think the government would be interested in monitoring your work?

Those who are behind these interventions are undoubtedly interested in knowing what is being produced in our newsroom. The government will always be interested in knowing what journalists who are investigating them are doing, although we do not have evidence of specific contracts.

What has become very clear to us is that during the periods when we have been surveilled, El Faro was working on hard-hitting reports into corruption or irregular purchases. There isn’t a single day that the reports showed we had been infected that wasn’t related to something that El Faro published or an ongoing investigation.

At a global level, state surveillance shows that governments are interested in controlling what is said about them, and not fighting organized crime.

Has the government acknowledged what happened or taken any responsibility?

The government distanced itself from the messages from Apple. Some officials said that what Apple was saying was not about El Salvador. It was just a matter of denying and trying to shift attention elsewhere.

We hope the government can provide answers, clarify whether it is using this type of software, [and] investigate who is behind all this – and that the international community gets more involved in demanding that we get these answers. We are talking about an excessive amount of money that someone is spending on this.

How has this situation affected your work as a journalist? How does it make you feel?

It is a stressful burden. Now it’s confirmed, it is not only about protecting our integrity and that of our sources, but also our families, trying to explain what is going on and why they can’t communicate with us “normally.” [Our devices] may still be infected. Anything sensitive that they want to say to me, they can only say in person. This is one of the most significant pressures that I have had to deal with.

I was cautious before, but [now] I am even more extreme to avoid putting sources in danger. But it wears you out day-to-day, and you have to make an even greater effort to be able to produce journalism.

See CPJ’s safety advisory, “Journalist targets of Pegasus spyware”

This content originally appeared on Committee to Protect Journalists and was authored by Dánae Vílchez/CPJ Central America Correspondent.

The statement identified “one of the most persistent and intensive known uses of Pegasus to surveil journalists in the world” based on forensic analysis of dozens of phones by rights and research groupsAccess Now, Front Line Defenders, The Citizen Lab, Amnesty International, Fundación Acceso, and SocialTIC.

Devices belonging to 35 people, mostly journalists along with a few members of civil society, were infected with Pegasus between July 2020 and November 2021, according to the findings; more than half worked for independent digital media outlet El Faro. Pegasus can control phones and extract content without the owners’ knowledge, and some of the devices were infiltrated more than 40 times, the statement said.  

Since his election in 2019, Salvadoran President Nayib Bukele and other government officials have consistently used anti-press rhetoric and harassed independent media outlets, individual journalists, and others critical of his administration.

According to the statement, it is not clear who was responsible for the surveillance, but the Israel-based NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism. CPJ emailed the company to ask about clients in El Salvador but did not receive a response before publication.

CPJ has documented how spyware is used to target journalists and those close to them around the world and called for a moratorium on its trade pending better safeguards.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

The move represented a relatively new use for the Entity List for Malicious Cyber Activities, a tool used by the department’s Bureau of Industry and Security to limit a designee’s access to U.S. exports,lawyer Douglas Jacobson, who specializes in export control and sanctions, told CPJ in a recent phone call. Economic sanctions, a stricter control, are more common in response to human rights concerns, but export restrictions could have limited impact on the company, he said.

Commerce listed three other companies in its November 3 press release. NSO, however, is the best known of the group for its development of advanced Pegasus spyware which can infiltrate individual cellphones for surveillance purposes. The company says it sells to vetted government clients for law enforcement purposes and investigates reports of abuse – but forensic experts say dozens of journalists are among the targets. In July, reporting by 17 global media outlets found that at least 180 journalists were possible targets of surveillance by government clients of NSO. CPJ has found that some of those, such as the jailed Moroccan journalist Omar Radi, face severe reprisals for their work.

NSO told CPJ it was dismayed by the U.S. listing, and that its “rigorous compliance and human rights programs” have led to “multiple terminations of contacts with government agencies that misused our products.” The company has previously told CPJ that it investigated allegations that Pegasus was used to surveil Omar Radi, without elaborating on its findings.  

The Commerce Department linked one of the other three newly-listed companies, Israel-based Candiru, to spyware used to target journalists. The University of Toronto-based Citizen Lab reported in July that Candiru appeared to be responsible for malware attacks Microsoft described as targeting “more than 100 victims around the world,” including unnamed journalists and human rights activists. CPJ attempted to reach Candiru for comment, but the company does not have a website and Eitan Achlow, who was identified as the CEO in news reports, does not allow messaging on his LinkedIn profile. 

CPJ spoke to Jacobson about what the export restriction could mean for NSO Group. The interview has been edited for length and clarity.

What are the practical implications of being on the entity list?

[It] imposes a license requirement, but the U.S. is not penalizing NSO or Candiru or any of these other companies. They are just restricting their access to certain goods that are known to be subject to the Export Administration Regulations [everything that’s in the US or manufactured in the US, including software]. U.S. companies can [still] import goods from these companies if they want to.

The license requirement [could apply] to something as mundane as [the] desk chair you’re sitting on. A furniture company would need a license to export office furniture to the NSO Group. The license review policy is one of presumption of denial – if I wanted to submit a license on behalf of the client to NSO Group for office furniture, then I would have to convince the [Bureau of Industry and Security] to overcome this presumption of denial. It is intended to prevent them from getting certain technologies.  

I would imagine this would have a negative impact on NSO, because this will limit their ability to acquire even a new Windows laptop computer, for example.

Will it be crippling? Doubtful. There are certainly many workarounds that companies could use in order to acquire what they need. The U.S. is no longer the only producer of high-tech knowledge, and many U.S. [goods] may not even be subject to [these export regulations] because they’re manufactured [abroad]. But I think that this is a high-profile action.

Somebody asked me yesterday, is this really something that would make a [supplier] think twice? If I was advising a German company [on whether to] sell to NSO, I [would] say that’s a business decision. Your goods are not subject to [U.S. export regulation], so you wouldn’t be violating US law by doing that.

But for certain suppliers, it’s a PR risk?

Correct. [In case] the Wall Street Journal or whomever did an exposé and said, “This company in Germany or this company in Japan continues to sell to NSO.”

Is there a penalty from Commerce if they catch a U.S. company supplying someone on the entity list without a license?

Absolutely. The maximum civil penalty for violations of the [export regulations] is the greater of $308,901 per violation or twice the value of the transaction that is the basis of the violation.

Does this export restriction include services such as web hosting, training, service maintenance?

This does not apply to services at all. [The export regulations] only govern the export of tangible goods, software, or technology information. If you’re just going to repair something that is broken, for example, and a repairman goes to Israel [to repair] a server and they’re not having to provide the company with any information or replacement parts, then that would not be prohibited. And “technology” is broad – there’s a definition of technology in the Export Administration Regulations, but it doesn’t cover everything.

Senator Ron Wyden told The New York Times that sanctions should be applied to NSO Group under the Global Magnitsky Act. Is that possible?

The Global Magnitsky sanctionsare administered by the U.S. Department of Treasury’s Office of Foreign Assets Control, or OFAC, and can be applied to companies. That’s human rights related, and that would have a much bigger impact on NSO.

[Economic sanctions like these] prohibit financial transactions by U.S. persons, company, or citizen. They are broad; they prohibit the export of U.S. goods, they prohibit payments to those individuals, and they also prohibit services [provided to them].

The Commerce Department announcement lists a number of subsidiaries for Candiru, but none of the known subsidiaries for NSO Group are listed. Does that mean those subsidiary companies would not be considered during implementation?

[It] doesn’t apply to any of their affiliates unless they are named. However, a company [supplying exported goods] has to be very careful because that affiliate may be a conduit by which the main prohibited company is acquiring goods that they shouldn’t be acquiring.

Something else that struck me about this listing was the reasoning that it was a consequence for human rights violations, particularly about journalists being maliciously targeted. Is that a normal reasoning to get a company on this list?

The criteria [include] reasonable cause to believe that the entity has been involved in activities that are contrary to the national security or foreign policy interest of the U.S.

Foreign policy is a broader, more amorphous term, of course. That is what is being used as the basis for these human rights designations, which is, relatively, a broader interpretation of foreign policy [in the context of the entity list].  

How often is this list reviewed? What is the process?

The process is not an easy one, particularly when it comes to human rights issues. [China’s] Huawei has been on it for [almost] three years. There doesn’t appear to be much of an off-ramp for Huawei because of the national security issues – but there is an off-ramp. It does take time, [but] parties are removed from the entity list periodically. A company does have a chance to appeal their listing.

The problem is, [the group that would remove them is] the same group that added them. This is called the End-User Review Committee, which is an interagency group chaired by the Department of Commerce. There has to be some change in behavior or [proof] that they didn’t do what they were alleged to have done.

This content originally appeared on Committee to Protect Journalists and was authored by Alicia Ceccanese.

Journalists in India have been aware of the threat since 2019, when WhatsApp notified several that a Pegasus operator had tried to exploit the messaging app to access their phones; a former home secretary told CPJ at the time that Pegasus was “available and used” in India. In July 2021, when allegations of Pegasus surveillance surfaced across the globe, Indian news website The Wire partnered with Amnesty International and the investigative journalism group Forbidden Stories to reveal the names of 161 possible Pegasus targets in India, including 29 journalists. 

NSO has disputed the allegations by WhatsApp (the company is fighting a lawsuit WhatsApp filed against it in a U.S. federal court) and said the Pegasus Project allegations are false. CPJ emailed the company’s press email to request comment about sales to India, but received an error message.

Indian government officials also said the Project’s reporting had no substance, and five of those affected – freelance journalists Paranjoy Guha Thakurta, S.N.M. Abdi, Prem Shankar Jha, Rupesh Kumar Singh, and activist Ipsa Shatakshi – petitioned the Supreme Court to intervene.Three were suspected targets, while Amnesty confirmed traces of Pegasus infection on phones belonging to Guha Thakurta, a former editor of the Economic and Political Weekly journal, and former Outlook journalist Abdi,according to The Wire.

Ajay Prakash Sawhney, secretary of India’s ministry of electronics and information technology, did not immediately respond to CPJ’s email requesting comment.

Lawyer Apar Gupta, who has argued before the Supreme Court and is the executive director of the local digital rights group Internet Freedom Foundation, spoke to CPJ by phone about the Supreme Court’s move, and what will happen next. The interview has been edited for length and clarity.

Why should journalists, in India and elsewhere, be paying attention to the Supreme Court’s initial judgment?

The petitioners who have approached the court include senior journalists as well as journalists who work in rural districts. This issue concerns much more than surveillance – democratic processes will be subverted once controls are exerted over [journalists] or information gathered on them in a clandestine manner.

[The Supreme Court] stated that working journalists’ ability to gather information and talk to their sources will be impacted by surveillance. It has also stated that such surveillance brings into focus the larger public injury of self-censorship – which is essentially any person fearing that they can be infected [with spyware], thereby causing a chilling effect in which people don’t express criticism or displeasure against government policies.

Is this good news for the petitioners?

It is premature to have any celebrations. It is only the commencement of the process of investigation and we are quite distant from any kind of accountability.

The court has directed an independent committee to probe into two clear aspects. First, the committee should inquire about certain questions, and second, make recommendations towards accountability and changes in law.

What are your expectations from the committee?

While some commentators are a bit more cynical about the committee, I do hold some hope [for] a positive outcome, because it is headed by a retired supreme court judge [Justice R.V Raveendran]who has a fairly good reputation. Further, it comprises of a technical expert [Sundeep Oberoi] in the domain of cybersecurity, alongside a former senior civil servant [from the] intelligence services, Alok Joshi, [formerly] the head of the Research and Analysis Wing, which is a powerful policing and surveillance body in India.

The court has also crafted well-structured terms of reference which are direct as well as expansive, so they give [the committee] ample powers and flexibility.

[However,] the committee could have included voices from civil society who have been at the forefront [of anti-surveillance campaigns] or digital rights experts who understand Pegasus spyware.

The Indian government has been largely unresponsive on this important issue. What is your reading of the court’s judgment on this matter?

The judgment notes the non-cooperation of the [central] government in providing even the most basic information beyond what it calls a “limited affidavit” – which was essentially two pages, and annexed a pre-existing statement made by [Ashwini Vaishnaw], the minister of electronics and information technology, before parliament on July 18.

The court states that facts [in the petitions] are not just reliant on newspaper reports, but on actual forensic reports. The nature of such allegations requires a specific response. The court expresses dissatisfaction [with the government’s affidavit] and provides further time to the government to look at the petitions factually and specifically. The government fails to do this.

The court notes that these are serious violations because of the impacted parties, including Rupesh Kumar Singh, a journalist from Jharkhand. [Spyware surveillance] would not only cause him mental duress and anxiety, but would also have a direct impact on [his] freedom of speech and expression, given that he is a working journalist and it will compromise his sources.

The government’s [claim is] that talking about this issue will impact national security, and terrorists will get to know how we procure technologies and how we use them. The court goes on to say: “National security cannot be the bugbear that the judiciary shies away from by the virtue of its mere mentioning.”

These are significant observations, which, if followed as legal precedent, will help check the rampant use of national security as a [cover] for state impunity, in which legal examination is prevented in courts and tribunals in India.

At an advanced stage of the hearing, [the government] offered to set up [its own] expert committee. The court notes that there is reasonable apprehension expressed by the petitioners: given that Pegasus can only be purchased by governments, there is a real possibility of its use by an Indian state agency. Secondly, it notes that there is a lower degree of confidence in the government, given that there is lack of progress in any official investigation regarding the first Pegasus disclosures in November 2019. That’s why it sets up a committee independent of the government.

Another independent investigation, under a parliamentary standing committee headed by opposition lawmaker Shashi Tharoor, stalled. Why do you think this committee will be any different?

As per media reports, the standing committee had a high degree of division along political lines. One of the sittings could not be conducted, as lawmakers from the ruling Bharatiya Janata Party refused to sign the attendance register. This is symptomatic of the polarization which has impeded the functioning of this committee. The committee which has been set up by the Supreme Court does not have such limitations.

[Editor’s note: BJP lawmaker Nishikant Dubey, a member of the parliamentary standing committee on information technology, did not immediately respond to CPJ’s email requesting comment.]

Has the court set any time frame for the committee’s inquiry?

No time frame has been set for the committee. On the contrary, [it] has been given full liberty to devise its own process and procedure. However, the [Supreme Court] has kept [its own] judgment pending on the Pegasus petitions, which will come up for hearing after eight weeks. At that point of time, we will get to know much more.

This content originally appeared on Committee to Protect Journalists and was authored by Kunal Majumder/CPJ India Correspondent.

“CPJ welcomes the Department of Commerce’s decision to impose export controls on NSO Group for developing and supplying Pegasus spyware to foreign governments that maliciously used the technology to target journalists,” said CPJ Program Director Carlos Martinez de la Serna. “We hope this first step in export control is a move toward greater global oversight and transparency around the export and use of spyware by governments.”

CPJ has reported extensively on the use of spyware to target journalists.

Inclusion on the list limits U.S. entities from supplying the company, which makes it harder for U.S. researchers to deliver security vulnerabilities like those allegedly used to install Pegasus in the past, according to Reuters. NSO has said it sells only to vetted government and law enforcement agencies. In an email to CPJ received after publication and attributed to an NSO spokesperson, the company said: “NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed. We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.” 

Editor’s note: The final paragraph has been updated with a comment from the NSO Group.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Sullivan is traveling to the region today to meet with Saudi Crown Prince Mohammed bin Salman, Saudi Deputy Defense Minister Khalid bin Salman, and unspecified U.A.E. officials to discuss the ongoing conflict in Yemen, according to news reports.

“Given the ongoing Saudi and Emirati role in the conflict in Yemen, U.S. National Security Adviser Jake Sullivan must push both countries’ leaders to end press freedom violations committed by parties they support, and call for all sides to end attacks on journalists in Yemen as a first step to any peace settlement,” said CPJ Middle East and North Africa Program Coordinator Sherif Mansour. “Additionally, the U.S. should address Saudi and Emirati leaders’ press freedom records throughout the region, including the use of spyware, and make it clear that security concerns are not a free pass for targeting journalists.”

Forces loyal to the Saudi-backed internationally recognized Yemeni government have detained journalists, and those loyal to the U.A.E.-backed secessionist Southern Transitional Council have held journalists for months and raided news outlets, as CPJ has documented. Amid violations from all sides, including the Houthis sentencing four journalists to death, journalists have told CPJ that they fear for the future of independent journalism in the country.

Both Saudi Arabia and the United Arab Emirates have also deployed spyware and surveillance technology extensively in the region and around the world, as CPJ has documented, making both countries’ press freedom records an international concern, particularly ahead of the October 2 anniversary of Saudi journalist Jamal Khashoggi’s 2018 murder in the Saudi consulate in Istanbul, Turkey.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

The revelation came via the Pegasus Project, a collaborative global media investigation detailing how thousands of leaked phone numbers, including many that belonged to journalists, were allegedly selected for potential surveillance by clients of the Israeli firm NSO Group. In addition to Ketohou, Togolese journalist Ferdinand Ayité, director of L’Alternative newspaper, was also on the Pegasus Project list, according to Forbidden Stories, one of the project’s partners. A third Togolese journalist, freelancer Luc Abaki, was similarly selected as a potential spyware target, according to a representative from Amnesty International, another of the project’s partners, who confirmed his number’s listing to Abaki and then to CPJ.

Ferdinand Ayité (left), director of Togolese newspaper L’Alternative, and freelance reporter Luc Abaki (right) learned that their phone numbers were allegedly selected for potential surveillance. (Photos: Ferdinand Ayité and Luc Abaki)

The use of NSO Group’s Pegasus spyware on these journalists’ phones has not been confirmed and NSO Group denied any connection to the list. But the three journalists told CPJ in multiple interviews conducted via email, phone, and messaging app that learning of their status as potential surveillance targets heightened their sense of insecurity, even as they continue to work in the profession.

“I spent nightmarish nights thinking about all my phone activities. My private life, my personal problems in the hands of strangers,” Ketohou said. “It’s scary. And it’s torture for me.”

The potential use of Pegasus spyware to surveil journalists in Togo adds to an already lengthy list of the country’s press freedom concerns. In recent years, journalists in Togo have been arrested and attacked, had their newspapers suspended over critical coverage, and struggled to work amid disrupted access to internet and messaging apps, CPJ has documented.

NSO Group has said it only sells its spyware, which allows the user to secretly monitor a target’s phone, to governments for use investigating crime and terrorism. Yet Pegasus has been repeatedly used to target members of civil society around the world, including Togolese clergy in 2019, according to Citizen Lab, a University of Toronto-based research group which investigates spyware. Over 300 Togolese numbers appeared on the Pegasus Project list of potential targets, Le Monde, another partner in the project, reported.

“I was very afraid,” Ketohou told CPJ after he said he was informed by Forbidden Stories that his number was listed in 2017 and 2018. He said it confirmed his decision to go into exile, where he started a new news site, L’Express International, after Togo’s media regulator barred L’Independant Express from publishing in early 2021 as CPJ documented. He asked CPJ not to disclose his location for security reasons.

Ketohou told CPJ that he couldn’t point to a specific article that may have triggered potential surveillance, but said that at the time his phone was selected his newspaper was reporting on nationwide protests—which began in 2017—opposing President Faure Gnassingbé’s rule. His position at the time as president of the Togolese Press Patronage, a local media owners association, and membership in the Togolese League for Human Rights (LTDH) advocacy group may have contributed to interests in having his phone monitored, Ketohou added.

L’Alternative director Ayité told CPJ that he was not certain what caused his phone number to be selected in 2018, as Forbidden Stories informed him, but that year his newspaper published what he described as “sensitive” reports on the political crisis surrounding the protests and the mediation efforts by surrounding countries.

He said the selection of his number for potential surveillance fit a pattern of Togolese authorities’ efforts to intimidate him and L’Alternative.

In February, CPJ documented how Togo’s media regulator for the second time in less than a year suspended L’Alternative; Ayité told CPJ in late July that the suspension ended in June. In a separate incident, in November 2020 a local court ordered Ayité and L’Alternative each to pay 2 million Western African francs (US$3,703) in damages to a Togo official who complained that their reporting on his alleged embezzlement violated the country’s press code; Ayité told CPJ that he has appealed the court order and that the next hearing is scheduled to be held on October 10.   

Unlike the other two journalists, Abaki said he was taking a break from journalism in 2018, the year he was listed for potential targeting, according to the Amnesty International representative.

But Abaki, who has been freelancing since last year, has also had his journalism impeded by authorities. In 2017, Togo’s media regulator closed La Chaîne du Futur and City FM, the television and radio stations he directed at the time, over alleged administrative issues, according to the government of Togo’s website. Abaki told CPJ that the closure was a political reprisal against a local politician who owned the station.

CPJ’s questions to Togo’s Broadcast and Communications High Authority, sent via the contact page on its website, as well as by text message to its president, Willybrond Télou Pitalounani, went unanswered.

Abaki said that being listed for surveillance was “extremely traumatic,” adding “there is no private life.”

“I told myself that I could have died, since the other journalists targeted from the other countries were murdered,” Ketohou told CPJ.

The Guardian reported that around the time Saudi Washington Post columnist Jamal Khashoggi was killed in 2018, phones belonging to his associates and family, including his wife and fiancée, were targeted with Pegasus spyware. Separately, The Guardian also reported that freelance Mexican journalist Cecilio Pineda Birto was selected for surveillance with the spyware a month before his assassination in 2017. Spyware attacks often occur alongside other press freedom violations, CPJ has found.

“There is a huge psychological impact of knowing that someone in this country is taking control of your phone, violating your privacy,” Ayité told CPJ, adding that his broader safety and privacy concerns had already caused him to limit his dating and other personal relationships. “I will be even more careful and vigilant you never know where the fatal blow will come from. I am a journalist on borrowed time.”

CPJ’s calls to Akodah Ayewouadan, Togo’s minister of communication and spokesperson for the government, rang unanswered. In July, President Gnassingbé said he “can’t confirm” the use of Pegasus spyware to target his political opponents, according to Le Monde. “Each sovereign state is organizing itself to face what threatens it with the means at its disposal,” he said.

In an email to CPJ, NSO Group said that “NSO will thoroughly investigate any credible proof of misuse of its technologies” and “will shut down the system where necessary.” NSO did not directly respond to CPJ’s questions about the mental health implications of its technology’s sale and use.

Meanwhile, Ketohou has vowed to plow ahead with his journalistic work. “I have increased security around me, my internet activities, my work,” he said. But the experience, he added, “did not deter or intimidate me in my work as a journalist or human rights defender.”

This content originally appeared on Committee to Protect Journalists and was authored by Jonathan Rozen/CPJ Senior Africa Researcher.

Cathcart has been outspoken about threats to security, including so-called backdoors, which governments argue would give law enforcement much-needed access to encrypted communications, but which would also be vulnerable to malicious hacking. Cathcart has also been highly critical of the NSO Group, the Israeli firm that has marketed Pegasus spyware to governments around the world. Pegasus can be surreptitiously implanted on smartphones, giving governments unfettered access to all communications on the phone—and bypassing the encryption that WhatsApp and other secure apps like Signal apply to messages in transit.

NSO group says Pegasus is a critical tool that governments use to combat crime and terror. But a recent report dubbed the Pegasus Project—published jointly by 17 media organizations and based on a leaked list of 50,000 phone numbers allegedly selected by NSO clients—revealed that possible targets included hundreds of journalists and human rights defenders, not to mention senior political leaders such as French President Emmanuel Macron.

NSO has told CPJ it has no connection to the list of phone numbers, that it vets all clients and investigates credible allegations of abuse, and that it cannot access customer data except in the course of an investigation. In a statement to the Guardian, the company denied that Macron had been targeted by any of its customers.

CPJ spoke with Cathcart via Zoom on July 23. The interview has been edited for clarity and length. NSO’s responses relating to some of his comments appear at the end.

Right after the Pegasus Project was published, you put out a tweet storm. You posted a thread with your own reaction and you retweeted some interesting folks, everyone from David Kaye to Edward Snowden. Tell me why you responded the way you did.

The issue of spyware, especially unaccountable spyware, is a huge problem. And it’s being used to undermine freedom. We detected and defeated an attack from NSO Group in 2019. And we worked with Citizen Lab who helped us analyze the 1,400 or so victims we saw then, and discovered over 100 cases of clear abuse, including journalists and human rights defenders. The new reporting shows the much, much larger scale of the problem. This should be a wake-up call for security on the internet.

You mentioned the 2019 attack, which resulted in WhatsApp filing a lawsuit [in U.S. federal court] against the NSO Group. Your Washington Post op-ed in which you lay out the rationale is pinned to the top of your Twitter feed. What made you decide to take on the NSO Group?

When we saw the attack and defeated it in 2019, we decided we needed to get to the bottom of what had happened. These were not, as has been claimed, clear law enforcement operations. This was out-of-control abuse.

We felt we needed to be very loud about what we saw, because we knew that even if we had fixed the issue, there still exist vulnerabilities in people’s mobile phones. The operating systems have bugs that are still being exploited. So even though we’d stopped the attack from our perspective, it’s still a problem. If you’re a journalist, if you’re a human rights defender, if you’re a political dissident, you still have to be worried. So yeah, absolutely, we sued the NSO Group. They broke the law. We want to hold them accountable. We think their behavior needs to be stopped.

There’s clearly a business interest here. One of the selling points of end-to-end encryption is the security that it provides. If there’s spyware out there that’s seeking to subvert that security, it’s a threat to the business model. But do you see this as a matter of principle as well? How do those two things relate to each other?

This is a threat to end democracy. What we offer is a service for having private, secure communication. The reason everyone at WhatsApp gets up every day excited about working on that and fighting to defend it, is we believe it enables really important things. We believe journalists being able to talk to each other, and [to] sources, [to] bring out critical stories on governments or companies is a fundamental element of a democracy. We believe, in democracy, you need to have opposition. We believe human rights defenders all around the world do really, really important work. WhatsApp is popular in a lot of countries around the world that don’t have as robust traditions of freedom and liberal democracy. We’re popular in a lot of places where the ability to communicate securely is critical to someone’s safety.

You’ve been very outspoken about your concerns. What would you like to see from the tech community at large?

I would love to see all the other tech companies stand up, talk about this problem, talk about the victims, talk about the principles at stake, and do everything they can to put a stop to it. I was really excited to see Microsoft, when they discovered some spyware from a different company a few weeks ago, they were loud about it. They worked with Citizen Lab to understand the victims. I think that needs to be the model. I don’t think it is okay, when you find these vulnerabilities and you find these attacks to say, “Well, it’s disappointing, but it only affected a few people.” An attack on journalists, an attack on human rights defenders, an attack on political figures in democracies, that affects us all.

You’ve recognized the communications needs of journalists and human rights defenders, particularly those working in high-risk environments. But some security experts believe that phones just aren’t secure anymore. Do you still feel confident that WhatsApp is a secure form of communication for vulnerable individuals, given this emerging security threat of spyware?

Well, the mobile phone is the computer for most people. It’s the only computer most people have ever experienced. We need to make it secure. We need mobile operating systems to invest a lot more in security to fix these vulnerabilities. That’s why we defend end-to-end encryption [and] privacy. This is a moment where governments should stop asking us to weaken end-to-end encryption. That is a horrible idea. We have seen the damage that comes from this spyware with the security we have today. We should be having conversations about increasing security.

Within WhatsApp, your messages are extremely secure when they’re being delivered from you to the person you’re talking to. What other forms of security can we add? I’m not sure it’s good for everyone to keep a copy of every conversation on their phone forever. Because what if your phone gets stolen? What if someone forces you to open the phone for them? So we added, late last year, the ability for you to have messages disappear after a week. If someone gets your phone, all you have is the last week’s worth of messages.

We haven’t added this yet, but we’re working on the ability for you to send a photo that the recipient can only see once. We’re working on the ability for you to change a setting in your WhatsApp account to say, “I want every thread that I create, or that someone creates with me, to disappear by default.” I think there’s a lot more we can do to help protect people – but it takes the whole industry saying, “We need to make the phone secure.”

You’ve called for import controls and other kinds of regulations to rein in a spyware industry that’s out of control. But if you look at the way technology develops, things get cheaper and easier over time. What makes you think that even if the current generation of spyware purveyors are somehow put out of business, they won’t be replaced by others who are even more ruthless? Or by state level technology from Russia, China, the U.S. for that matter? Can the spyware threat be defeated through regulation or import controls?

Well, I think all of it helps. If you think about people breaking into our homes, obviously that’s still a problem. But we have locks on the doors. We have burglar alarms. We also have accountability. If someone breaks into my home, hopefully I can go to the police, I can go to the government, they’ll hold them accountable. If governments were actually holding people accountable when [spyware attacks] happen – that makes a huge difference. There will always be bad people out there. There will always be hostile governments out there. You’ve got to have as much security as possible in defense.

You’ve emphasized WhatsApp’s commitment to privacy, to operating within the human rights framework. But WhatsApp is owned by Facebook. You worked at Facebook for many years. Facebook is involved in a huge public controversy, and was recently accused by President Biden of “killing people [in relation to COVID-19 vaccine disinformation].” Their business model is based on monetizing data. And there’s a huge amount of concern about misinformation circulating on the platform. Of course, people raise those concerns about WhatsApp as well. Does the relationship with Facebook complicate your messaging about privacy and human rights?

We added end-to-end encryption to WhatsApp as part of Facebook. We’ve been very consistent on that and very supportive across the whole company – about the importance of that, why that’s the right thing, why that protects people’s fundamental rights, including journalists. Obviously, there are a lot of issues. But they’re different products. Take misinformation, for example. The question of what you do about misinformation on a large public social network is very different from how you should approach it on a private communication service. We think on a private communications service, you should have the right to talk to someone else privately, securely without a government listening in, and without a company looking at it. That’s different than if you’re broadcasting something out to every single person on a public social network.

We’ve talked today about spyware. But are backdoors an even greater threat to secure online communication?

Absolutely. Security experts who’ve looked at this agree. If you look at the threat from spyware, they’re having to go to each phone individually and compromise it. If you talk about holding a backdoor into any encryption, you are creating a centralized vulnerability in the whole communications network. And the scenario you need to be worried about is: what if a spyware company, what if a hostile government, what if a hacker, accessed all of the communications? It’s why, honestly, the proposals from some governments to weaken end-to-end corruption are just terrifying. They aren’t grappling with the nightmare scenario of everyone’s communications in a country being compromised.

If this was a big wake up call, what are you planning to do next? What should the industry do next? What can people who are concerned about this do to fight back?

We’re continuing to add security and privacy to WhatsApp, continuing our lawsuit in our push against NSO Group. We’re hoping more of the industry joins, and that more of the industry is loud about the problem. But what’s most important is governments. Governments need to step in and say this was not okay. Who was behind it? Who were the victims? What’s the accountability? Governments need to step in and have a complete moratorium on the spyware industry. It’s got to stop.

[Editor’s note: CPJ emailed NSO with a request for comment on the WhatsApp lawsuit and the attack Cathcart attributed to NSO, but did not hear back before publication. The company denied the WhatsApp allegations when the lawsuit was announced, as CPJ noted at the time, and is challenging the suit in court, arguing it should be immune on grounds that its clients are foreign governments, according to the Guardian.]

This content originally appeared on Committee to Protect Journalists and was authored by Joel Simon.

In the wake of this week’s revelations about the Pegasus spyware, Reporters Without Borders (RSF) and two journalists with French and Moroccan dual nationality, Omar Brouksy and Maati Monjib, have filed a joint complaint with prosecutors in Paris.

They are calling on them to “identify those responsible, and their accomplices” for targeted harassment of the journalists.

The complaint does not name NSO Group, the Israeli company that makes Pegasus, but it targets the company and was filed in response to the revelations that Pegasus has been used to spy on at least 180 journalists in 20 countries, including 30 in France.

• READ MORE: Pegasus: RSF calls for Israeli moratorium on spyware exports
• More reports on the ‘vile and loathsome’ Pegasus spyware tool

Drafted by RSF lawyers William Bourdon and Vincent Brengarth, the complaint cites invasion of privacy (article 216-1 of the French penal code), violation of the secrecy of correspondence (article 226-15), fraudulent collection of personal data (article 226- 18), fraudulent data introduction and extraction and access to automated data systems (articles 323-1 and 3, and 462-2), and undue interference with the freedom of expression and breach of the confidentiality of sources (article 431-1).

This complaint is the first in a series that RSF intends to file in several countries together with journalists who were directly targeted.

The complaint makes it clear that NSO Group’s spyware was used to target Brouksy and Monjib and other journalists the Moroccan authorities wanted to silence.

The author of two books on the Moroccan monarchy and a former AFP correspondent, Brouksy is an active RSF ally in Morocco.

20-day hunger strike
Monjib, who was recently defended by RSF, was released by the Moroccan authorities on March 23 after a 20-day hunger strike, and continues to await trial.

“We will do everything to ensure that NSO Group is convicted for the crimes it has committed and for the tragedies it has made possible,” RSF secretary-general Christophe Deloire said.

“We have filed a complaint in France first because this country appears to be a prime target for NSO Group customers, and because RSF’s international’s headquarters are located here. Other complaints will follow in other countries. The scale of the violations that have been revealed calls for a major legal response.”

After revelations by the Financial Times in 2019 about attacks on the smartphones of around 100 journalists, human rights activists and political dissidents, several lawsuits were filed against NSO Group, including one by the WhatsApp messaging service in California.

The amicus brief that RSF and other NGOs filed in this case said: “The intrusions into the private communications of activists and journalists cannot be justified on grounds of security or defence, but are carried out solely with the aim of enabling government opponents to be tracked down and gagged.

“NSO Group nonetheless continues to provide surveillance technology to its state clients, knowing that they are using it to violate international law and thereby failing in its responsibility to respect human rights.”

RSF included NSO Group in its list of “digital predators” in 2020.

• The 2021 ‘digital predators’ list

Pacific Media Watch collaborates with Reporters Without Borders.

This content originally appeared on Asia Pacific Report and was authored by Pacific Media Watch.

In the wake of this week’s revelations about the Pegasus spyware, Reporters Without Borders (RSF) and two journalists with French and Moroccan dual nationality, Omar Brouksy and Maati Monjib, have filed a joint complaint with prosecutors in Paris.

They are calling on them to “identify those responsible, and their accomplices” for targeted harassment of the journalists.

The complaint does not name NSO Group, the Israeli company that makes Pegasus, but it targets the company and was filed in response to the revelations that Pegasus has been used to spy on at least 180 journalists in 20 countries, including 30 in France.

• READ MORE: Pegasus: RSF calls for Israeli moratorium on spyware exports
• More reports on the ‘vile and loathsome’ Pegasus spyware tool

Drafted by RSF lawyers William Bourdon and Vincent Brengarth, the complaint cites invasion of privacy (article 216-1 of the French penal code), violation of the secrecy of correspondence (article 226-15), fraudulent collection of personal data (article 226- 18), fraudulent data introduction and extraction and access to automated data systems (articles 323-1 and 3, and 462-2), and undue interference with the freedom of expression and breach of the confidentiality of sources (article 431-1).

This complaint is the first in a series that RSF intends to file in several countries together with journalists who were directly targeted.

The complaint makes it clear that NSO Group’s spyware was used to target Brouksy and Monjib and other journalists the Moroccan authorities wanted to silence.

The author of two books on the Moroccan monarchy and a former AFP correspondent, Brouksy is an active RSF ally in Morocco.

20-day hunger strike
Monjib, who was recently defended by RSF, was released by the Moroccan authorities on March 23 after a 20-day hunger strike, and continues to await trial.

“We will do everything to ensure that NSO Group is convicted for the crimes it has committed and for the tragedies it has made possible,” RSF secretary-general Christophe Deloire said.

“We have filed a complaint in France first because this country appears to be a prime target for NSO Group customers, and because RSF’s international’s headquarters are located here. Other complaints will follow in other countries. The scale of the violations that have been revealed calls for a major legal response.”

After revelations by the Financial Times in 2019 about attacks on the smartphones of around 100 journalists, human rights activists and political dissidents, several lawsuits were filed against NSO Group, including one by the WhatsApp messaging service in California.

The amicus brief that RSF and other NGOs filed in this case said: “The intrusions into the private communications of activists and journalists cannot be justified on grounds of security or defence, but are carried out solely with the aim of enabling government opponents to be tracked down and gagged.

“NSO Group nonetheless continues to provide surveillance technology to its state clients, knowing that they are using it to violate international law and thereby failing in its responsibility to respect human rights.”

RSF included NSO Group in its list of “digital predators” in 2020.

• The 2021 ‘digital predators’ list

Pacific Media Watch collaborates with Reporters Without Borders.

This content originally appeared on Asia Pacific Report and was authored by Pacific Media Watch.

CPJ’s work on this issue includes:

• A policy brief calling on governments to bar the use of spyware on journalists, including banning the export or transfer of surveillance technology or expertise to governments with poor press freedom records
• A map of dozens of incidents in which journalists and those close to them were targeted with spyware since 2011
• Digital safety advice for journalists on how to keep their information safe, and specific guidance on NSO Group’s Pegasus spyware in six languages

Many countries suspected of spying are notorious for repressing the media, and CPJ reporting shows that some of the journalists targeted, or those connected with them, have faced arrest and physical violence in reprisal for their work.

CPJ experts are available to speak on spyware and press freedom as well as individual cases of journalists targeted, in multiple languages. To schedule an interview, email press@cpj.org. 

Media contact:

Bebe Santa-Wood

Communications Associate

press@cpj.org

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

“This report shows how governments and companies must act now to stop the abuse of this spyware which is evidently being used to undermine civil liberties, not just counter terrorism and crime,” said Robert Mahoney, CPJ’s deputy executive director. “No one should have unfettered power to spy on the press, least of all governments known to target journalists with physical abuse and legal reprisals.”

The reporting, known as the Pegasus Project, was conducted by a consortium including investigative journalism nonprofit Forbidden Stories and global media outlets such as The Washington Post. Amnesty International, which performed technical analysis, reported that more than 180 journalists had been identified by the consortium on a list of 50,000 phone numbers allegedly linked to clients of NSO Group technology. In a statement emailed to CPJ, an NSO spokesperson said there was nothing to link the 50,000 numbers to NSO Group or Pegasus. In a rebuttal published online, the company said the consortium’s allegations were false.

NSO has repeatedly told CPJ in the past that it licenses Pegasus to fight crime and terrorism. The July 19 statement said its products were “sold to vetted foreign governments.”

“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations,” it said. “This includes shutting down of a customers’ system, something NSO has proven its ability and willingness to do, due to confirmed misuse, has done multiple times in the past, and will not hesitate to do again if a situation warrants.”

CPJ has issued recommendations to policymakers and companies to combat spyware abuse against the media.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Amendments to Germany’s Federal Constitutional Protection Act–approved on June 10, 2021–give domestic and foreign intelligence services and the federal police powers to secretly monitor a target’s online activity, including encrypted communications, according to local news reports. Though the surveillance powers are subject to strict conditions during terrorism investigations, the amendments removed prohibitions on intelligence agencies hacking journalists’ computers and smartphones, according to German news site netzpolitik.org.  

“Germany must immediately restore protections for journalists in order to prevent government surveillance of their devices and communications,” said CPJ Europe and Central Asia program coordinator Gulnoza Said, in New York. “Journalists need to know that their communications are secure and private to protect the anonymity of their sources.”

According to netzpolitik, the law allows authorities to monitor a target’s communications from the point that they obtain access using spyware – a kind of malware designed for monitoring that can be installed on a device without the user’s knowledge. Internet service providers could be required to help install the malware, according to netzpolitik.

CPJ has previously warned that the law would undermine basic journalistic rights. Lawyers and experts told netzpolitik that they intend to file a constitutional complaint on press freedom grounds against the legislation to the country’s highest court.

In German law, the Federal Constitutional Court (Bundesverfassungsgericht) can decide whether  new legislation violates citizen’s rights laid down in the constitution, the Basic Law, according to CPJ’s review of the court’s duties published on its website.

CPJ requested comment from the press department of the German Federal Ministry of the Interior but received no immediate reply.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.