The existence of a surveillance operation that allegedly spied on Zogo since at least 2015 was disclosed in a 20-page referral to trial document reviewed by CPJ. The document was part of a judicial investigation into the January 2023 kidnapping, torture, and murder of the popular radio host, which was finalized on February 29, 2024.

Seventeen suspects are expected to stand trial, on a date yet to be set, in a military court in the capital, Yaoundé, on charges including murder, complicity and conspiracy to murder, complicity and conspiracy to torture, complicity to kidnap, and violation of instructions, according to the document and news reports.

The suspects include:

• Léopold Maxime Eko Eko, former head of the counterintelligence agency General Directorate for External Research (DGRE)
• Justin Danwe, former DGRE director of operations
• Jean-Pierre Amougou Belinga, an influential businessman and head of the privately owned media group L’Anecdote
• Bruno François Bidjang, L’Anecdote managing director and news presenter for privately owned television station Vision 4

“The revelation that a surveillance operation targeted popular radio host Martinez Zogo since at least 2015 raises concerns about which other journalists have been surveilled by Cameroon’s counterintelligence agency,” said Angela Quintal, head of CPJ’s Africa program in New York. “Cameroonian authorities must make a full disclosure and ensure the end to all surveillance, physical or electronically, of journalists. The unfettered practice is not only a violation of journalists’ right to privacy but has serious consequences for source protection.”

Zogo was found dead on January 22, 2023, after going missing five days earlier.  A week before his abduction, Zogo publicly accused Belinga of widespread corruption involving funds from the Cameroonian treasury during his radio show Embouteillage (Gridlock).

The court document reviewed by CPJ was prepared by lead investigating judge, Lieutenant-Colonel Pierrot Narcisse Nzié, the third investigating judge in the case who was appointed in December after the previous judge ordered the controversial release of Belinga and Eko Eko. The pair remained in detention after authorities claimed that the release order was fake.

The document describes how DGRE agents led by Danwe, under the influence of Belinga, allegedly carried out the kidnapping and torture of Zogo in Ebogo, a district of the capital Yaoundé, on January 17, 2023. Part of this team returned to the scene an hour later for a second operation that “resulted in Zogo’s death” by “strangulation and torture.”

The court document said Eko Eko denied involvement, saying Zogo was never a threat to him and the operation against the journalist was Danwe’s personal initiative; however, Nzié said Eko Eko could not claim this, as he had ordered the DGRE to surveil the journalist since 2015 as part of the “Presse” dossier.  The court documents did not elaborate further but said the surveillance operation ordered by Eko Eko was confirmed by another witness,  Emmanuella Moudie, the chief of the DRGE’s electronic surveillance division. 

Zogo’s surveillance was also corroborated by Yves Saïwang, another suspect facing trial and an officer in the DGRE’s electronic surveillance division, who “bluntly” declared during questioning that Zogo was the target of the DGRE’s surveillance, according to the court document. Saïwang also said that since 2017, he was responsible for monitoring Zoga. Eko Eko had never taken any measures to prevent this and could not escape responsibility, Nzié said in the court document.

Saïwang also said he sent Danwe geolocation information about Zogo via WhatsApp and then received 20,000 francs (US $33), according to the document. Heudji Guy Serge, another DGRE officer who is also a suspect in the trial, said he, too, provided technical information to Danwe about Zogo and received 15,000 francs (US $25).

Denis Omgba Bomba, director of the media observatory at Cameroon’s Ministry of Communication, told CPJ that there was no surveillance “program” dedicated to journalists but that as Zogo was a public figure, the surveillance was a normal intelligence operation. Bomba added that the protection of journalists’ sources is not absolute and that the state can ignore this for security reasons. 

Authorities charged Bidjang with conspiracy to torture, conspiracy to arrest, and kidnapping in relation to Zogo’s murder, according to the court document. He is detained in Yaoundé’s Principal Prison on separate charges of revolt, incitement to insurrection, rebellion, and spreading false news, his lawyer, Charles Tchoungang, told CPJ.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On Monday, Bihus.Info published an investigation which said that 30 members of a branch of the SBU, the Department for the Protection of National Statehood, spied on its journalists and filmed them using illegal recreational drugs at a private party in a hotel on December 27. The outlet said that the cameras used to surveil its staff had been placed in the hotel before the party and that the hotel’s security cameras had shown several SBU agents entering the hotel ahead of the event. 

“CPJ is deeply concerned that Bihus.Info journalists were spied on by the Ukrainian security service, which is responsible for combating national security threats. Investigative journalists are not a threat, but the foundation of a healthy democracy,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Ukrainian authorities must ensure their investigation into this illegal surveillance of the media is quick and transparent and hold those responsible to account.” 

The story broke last month, when YouTube channel Narodna Pravda published a video showing Bihus.Info employees apparently using drugs and recordings of phone conversations about obtaining cannabis and MDMA (also known as Ecstasy) – both of which are illegal in Ukraine. The video, which Bihus.Info director Denys Bihus acknowledged as genuine, has since been taken offline.

Anastasiya Borema, head of communications at Bihus.Info, told CPJ at the time that their analysis of the video showed that the journalists’ phones had been tapped for about a year.

On January 22, Ukraine’s national police said they had registered four cases of privacy violation at the request of four Bihus.Info representatives.

President Volodymyr Zelensky condemned the surveillance, said the matter was under investigation, and signed a decree on January 31 dismissing Roman Semenchenko, head of the Department for the Protection of National Statehood.

SBU responded to Monday’s investigation by Bihus.Info with a statement on Tuesday that said it had launched a criminal investigation into illegal surveillance and that it had originally acted on information claiming that employees of Bihus.Info were clients of drug dealers.

“We believe that independent media are an integral part of a modern democratic society and no actions of individuals can cast a shadow on any of the newsrooms and mass media in general, and all employees of the SBU must act exclusively to ensure the protection of the national interests of the state and society,” it said.

Also on Tuesday, Ukraine’s parliament voted to summon the head of the SBU, Vasyl Malyuk, over the affair. On the same day, Malyuk posted a statement saying that the “actions of individual employees” of the Department for the Protection of National Statehood were “truly outrageous” and “unacceptable” and the Office of the Prosecutor General said in a statement that it had instructed the State Bureau of Investigation (DBR), which investigates crimes committed by public officials, to carry out a pre-trial investigation into criminal proceedings over illegal surveillance. “Violations of the rights of journalists are unacceptable and are subject to careful consideration and appropriate response,” Attorney General Anriy Kostin said in the statement.

Bihus.Info’s Borema told CPJ that the criminal cases into the surveillance of their journalists had been transferred from the SBU and the police to the DBR.

“We are waiting for the continuation of the story and punishment for its participants and organizers,” she said. “The head of the department was fired, while about 30 people were involved in the surveillance operation. These people could not have come up with this operation on their own, so it was approved by the top management,” adding: “The editorial staff of Bihus.Info believes that the order to surveil the journalists was given either by the SBU leadership or by other government bodies.”

Several investigative Ukrainian journalists have faced threats, violence, and harassment over their work since Russia’s full-scale invasion of the country. Journalists seeking press accreditation previously told CPJ that they had been questioned by the SBU and pressured to take certain approaches in their reporting. 

On February 3, the military relaxed the accreditation rules that were in place since March 2023 and that had been criticized for limiting the journalists’ access to the frontline.

SBU’s spokesperson Artem Dekhtiarenko declined to respond to CPJ’s query as to whether the surveillance operation had been sanctioned by a prosecutor and referred CPJ to the agency’s previous statements.

Editor’s note: The 12th paragraph in this report has been updated to clarify a quote attribution.  

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

Access Now’s report does not name the other 12 journalists and media workers, and CPJ was unable to immediately identify them. Previously, in 2022, CPJ called for an investigation into the use of Pegasus spyware on two Jordanian journalists, including Suhair Jaradat.

“The new revelations that journalists and media workers in Jordan have been targeted with Pegasus spyware underscores the need for an immediate moratorium on the use and sale of this technology, and a ban on vendors facilitating abuses,” said Sherif Mansour, CPJ’s Middle East and North Africa program coordinator, in Washington, D.C. “Journalists are not legitimate surveillance targets, and those responsible for these attacks should be held accountable.”

According to the report, phones belonging to Sabbagh and Dihmis, who cover the Middle East and North Africa as a senior editor and an investigative reporter, respectively, at the Organized Crime and Corruption Reporting Project (OCCRP), were targeted with Pegasus spyware.

“What bothered me most was the impact of the surveillance on my sources, and friends, and relatives,” said Sabbagh, who is also the co-founder of Arab Reporters for Investigative Journalism. “Because of the nature of OCCRP’s work, it is a principal target for surveillance agencies. They wish to keep crime and criminality hidden. We work to expose it. And with this type of work comes a very high price.”

Dihimis called the revelation “quite the violation,” adding that “as a journalist, it was a reminder of the importance of being cautious in terms of secure communication — to protect yourself but also your sources and colleagues. As a person, it spurred a lot of paranoia,” she added.

Kuttab, a Palestinian-American journalist based in Jordan and a 1996 recipient of CPJ’s International Press Freedom Award, was targeted by Pegasus spyware multiple times, according to the report.

On March 8, 2022, two weeks after the first incident, Kuttab was arrested when he arrived at Queen Alia International Airport outside of Jordan’s capital, Amman. He was detained under the Cybercrime Law for an article written in 2019 and was released a few hours later on bail, the report said.

The report detailed seven other attempts to infect Kuttabʼs mobile device with Pegasus, including a 2023 attempt in which the attacker impersonated a journalist from media outlet The Cradle asking questions about Jordanʼs cybercrime law while sending malicious links.

“I will not be intimidated, and I will not censor myself,” Kuttab told CPJ. “It is highly irritating to be spied on, but that also comes with the job nowadays. Whatever I know, I publish, but my only concern is my sources and their protection.”

Gharaibeh, director of Jordan’s Radio Husna, and the host of its morning talking show, was targeted successfully multiple times and there were also several failed attempts to infiltrate his phone, the report said.

When asked by CPJ about the apparent reason behind the recurrent attacks, Gharaibeh said that “it could be anything from monitoring the journalists and their sources to exploiting the journalists and silencing them.”

According to Access Now, the victims in the report were targeted using Pegasus with both zero-click attacks, in which spyware takes over a phone without the user’s knowledge, and attacks in which a user has to click a link. 

CPJ has documented the use of Pegasus to target journalists around the world in order to monitor their phones’ cameras, microphones, emails, texts, and calls. Journalists have been targeted with the software in Jordan, Morocco, the United Arab Emirates, and Saudi Arabia, among other countries.

CPJ emailed NSO Group for comment, but received no response. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

“British authorities should ensure a thorough and transparent investigation into the alleged surveillance of journalists Trevor Birney and Barry McCaffrey, and make sure that any who violated journalists’ rights are held accountable,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Journalists must be able to speak with sources and do their jobs without fear that authorities will spy on their communications.”

The investigation stems from complaints filed by Birney and McCaffrey to the Investigatory Powers Tribunal, an independent judicial body charged with looking into surveillance allegations. The IPT is expected to hold a hearing later this year on the lawfulness of that alleged surveillance.

Birney and McCaffrey were arrested and their homes raided in 2018 on suspicion of stealing confidential documents while working on the documentary “No Stone Unturned,” about a Northern Ireland police investigation into the 1994 murders of six men. In 2020, the journalists won a case in the High Court of Belfast, which ruled that the search warrants were inappropriate and ordered the police to pay damages to both journalists.

Birney told The Guardian that he and McCaffrey had no insight into the IPT’s investigation. He said they were “completely blinkered in this process. We only get to see a glimpse behind the curtain of what the court is doing.”

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

In an October 24 article and interviews, Telloglou, a reporter for Greek privately owned online investigative outlet Inside Story, said that unknown individuals stalked him between May and August 2022, and used cell phone data to monitor him as well as Chondrogiannos, an investigative reporter at privately owned online investigative outletReporters United, Koukakis, a financial reporter who works for various local and international outlets, and Triantafillou, an investigative reporter at Inside Story. Telloglou’s report was published on the website of the Greek office of the Heinrich Böll Foundation, an independent organization affiliated with Germany’s Green Party.

The four reporters told CPJ by email and phone that they suspect Greek authorities are behind their surveillance, which they believe is linked to their reporting and investigations into a recent wiretapping and spyware scandal in which intelligence officials wiretapped Koukakis’ and another journalist’s cell phone and Koukakis’ phone was infected with Predator spyware, which the government denied procuring.

Their allegations come against a backdrop of a deteriorating climate for press freedom in Greece.

“Greek authorities must conduct a quick, transparent and independent investigation into the stalking and surveillance allegations by Tasos Telloglou and put an immediate stop to any use of cell phone data to track him and fellow investigative reporters Thodoris Chondrogiannos, Thanasis Koukakis, and Eliza Triantafillou,” said Attila Mong, CPJ’s Europe representative. “It is totally unacceptable to follow journalists or use cell phone data to track their and their sources’ movements. Greek authorities must protect the confidentiality of journalists’ sources rather than compromise it.”

In his article, Telloglou said that on May 27, he noticed that a man followed him in Athens as he walked to meet a source. Telloglou confronted the man, who ran away. Telloglou later contacted intelligence officials who denied following him. A few days later, a retired police officer warned him about the parking lot he used. A parking attendant told Telloglou that a policeman had wanted access to his car, but the attendant did not allow it.

Telloglou claimed that in June, a source gave him a photograph taken of him in an Athens café following his meeting with Koukakis on May 2. Telloglou did not publish the photo to protect his source. Also in June, an intelligence source told him that authorities were using cell phone signals to track his movements, those of the other three journalists, and potential sources to determine whether they had met, Telloglou wrote. 

Koukakis said Telloglou’s article “confirms that even after the scandal of surveillances was made public, the Greek government continued to monitor journalists working on this issue.”   

Chondrogiannos said the article confirms credible sources’ warnings that they and whistleblowers “have been targeted with geolocation surveillance for our investigation” on the scandal and that authorities wanted to identify their sources. The article exposes “the systematic surveillance of journalists” by intelligence officials in Greece, Chondrogiannos said. 

Triantafillou said that around May, she also noticed suspicious movements of unknown people outside her home, and believes that she was tailed as she walked to meetings with sources.

The reporters said they have not filed a police report on the incidents. Telloglou told CPJ that he does not think Greek authorities can offer protection from threats coming from the state. Chondrogiannos said that his outlet, Reporters United, will submit an official request to the Greek independent authority responsible for the protection of privacy (ADAE), to determine whether he had been under surveillance by intelligence officials.

Telloglou told CPJ that Greek authorities did not respond to his article.

CPJ emailed questions to the press department of Greece’s National Intelligence Service but received no reply.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Unsolved journalist killings weigh on the Greek press corps 

Investigative journalist Sokratis Giolias, who was killed 2010, and crime reporter Giorgos Karaivaz, who was killed 2021, were gunned down in similar circumstances by professional hitmen in the streets and there have been no arrests in either case. It has been years since authorities provided updates on Giolias, and while authorities say they are looking into what happened to Karaivaz, his family and colleagues are dissatisfied by the pace of the investigation. 

CPJ met with Karaivaz’s widow, Statha Alexandropoulou-Karaivaz, on the balcony of her Athens home overlooking the spot on the street where her husband was killed. She pointed CPJ to her emotional message on social media criticizing authorities for their sluggish work and for failing to update the family. “By no means will I accept silence,” she wrote, adding that she had heard rumors of the case being shelved. Soon after her post, Takis Theodorikakos, the minister for citizen protection in charge of overseeing the police met with Alexandropoulou-Karaivaz, and issued a statement that the investigation will continue “until the culprits are brought to justice.” 

But the assurance has proved cold comfort to the many journalists closely following the case. “In Greece, where everything gets leaked, the fact that there are no leaks about this probe is very telling,” one journalist told CPJ on the condition of anonymity given the sensitivities involved. Other journalists told CPJ they were skeptical that the investigation would yield any answers, especially because Karaivaz covered organized crime groups and their alleged links to policemen, officials, and politicians. The Greek elite, they said, have little interest in seeing a thorough investigation to fruition. 

The threat of violence has chilled reporting  

For many journalists covering issues like organized crime, protests, refugee movements, the threat of violence is part of their everyday working lives. Extremists groups have also launched arson attacks against media outlets. Authorities in most cases have failed to identify the perpetrators, compounding journalists’ feelings that they put themselves in harm’s way simply by doing their jobs. “When Karaivaz was murdered, we were frozen. This feeling is still with us,” Eliza Triantafillou, a journalist with investigative outlet Inside Story told CPJ. Thodoris Chondrogiannos, a journalist with investigative outlet Reporters United said that as long as Karaivaz’s killing is not properly investigated, “we can assume that it can happen to any journalist, and sources can also assume the same.” 

Journalists are concerned about surveillance

In November 2021, newspaper EfSyn reported that intelligence services’ wiretapped the cellphone of Stavros Malichudis, a journalist covering refugee issues. Then, in April 2022, Reporters United revealed government documents indicating authorities had similarly wiretapped a phone belonging to financial journalist Thanasis Koukakis in 2020. Koukakis also said that in 2021 his phone had been infected with Predator spyware, which can monitor a phone’s conversations, text messages, passwords, files, photos, internet history, and contacts. The company that sells Predator, Intellexa, says on its website that it markets its products to law enforcement agencies. 

The government initially denied that it surveilled the journalists. But over the summer, when an opposition politician revealed his phone was targeted with Predator — igniting a political scandal that ended in the resignation of Greece’s intelligence service chief and the prime minister’s aide, who was also his nephew — parliament vowed to investigate the use of spyware and other surveillance tools. The investigation, however, ended in October with no conclusions as the parliamentary inquiry failed to interview key players.  

Journalists predict more reporters will be surveilled  

Reporters who spoke with CPJ believe more members of the media have been targeted with wiretaps than is publicly known. “The process to get waivers for wiretapping is just so easy,” Malichudis told CPJ in an interview; in 2021, annual figures show that an official with oversight authority over the Greek secret service approved more than 15,000 wiretap requests on the basis of vague national security interests. Koukakis has taken his case to the European Court of Human Rights. 

While the government denied that it procured Predator, journalists are not so sure. Triantafillou told CPJ that the Predator spyware costs millions of Euros, a sum governments can afford. She pointed out that the firm Intellexa, which acquired Predator from its original developers in 2018, “continues its operations in Athens, undisturbed by the authorities” despite the scandal. 

In September dozens of Greek and foreign correspondents in the country petitioned PEGA, an EU committee investigating spyware abuse, to probe the Greek surveillance scandal, concerned that their phones could also be infected. “The fear of being under surveillance is just as effective as being under surveillance: it makes it difficult for journalists to find and communicate with their sources,” said Triantafillou. 

After CPJ’s fact-finding mission, another Greek reporter, Anastasios Telloglou alleged that security services had tracked him, as well as Chondrogiannos, Triantafillou, and Koukakis, using mobile data to identify their sources.  

The new government is especially sensitive to critical reporting

When Prime Minister Kyriakos Mitsotakis came to power in 2019, he vowed to improve Greece’s public image, tarnished by years of corruption and financial mismanagement. But journalists told CPJ that the new government has made life harder for politics reporters who now face retaliation for reporting on issues deemed harmful to Greece’s reputation. 

The government is especially jittery about unfavorable coverage in international media, reporters told CPJ. In September, German weekly Der Spiegel defended its correspondent, Giorgos Christides, after Greek government officials accused him of a breach of ethics over his reporting on the authorities’ treatment of refugees and migrants on the Greek-Turkish border. The reporter was vilified in pro-government media outlets as “anti-Greek” and his newspaper as “pro-Turkish.” In another case, after Politico Europe reporter Nektaria Stamouli, who heads the Greek Foreign Press Association, published an article in August on the country’s eroding press freedom, government spokesperson Giannis Oikonomou accused Stamouli in a statement of opposition bias.  

Lawsuits are another method to clamp down on critical reporting. In the wake of the government surveillance scandal, the prime minister’s nephew and former aide Giorgis Dimitriadis sued two media outlets, EfSyn and Reporters United, for a collective total of US$400,000 in damages over their investigations about Dimitriadis’ alleged business links with Intellexa. He has also sued Koukakis, demanding the withdrawal of a tweet about Reporters United’s and EfSyn’s reporting on the surveillance. The first hearings in the cases are scheduled for November.

A prominent critic of the government, Kostas Vaxevanis, publisher of weekly Documento told CPJ his newspaper has faced more than 80 vexatious lawsuits for damages in the millions of Euros launched by state-owned companies, institutions, government officials, and ruling party politicians. Most of these lawsuits end up in the courts which Vaxevanis said often rule in favor of the journalists. But the lawsuits themselves serve as a kind of warning, Nikolas Leontopoulos, investigative journalist at Reporters United, told CPJ. “The lawsuits strangle us, squeezing us of two things we lack the most: time and money,” he said. 

CPJ emailed questions to the office of the Greek government’s spokesperson, the press department of the Ministry of Citizens Protection and Intellexa but did not receive any reply. 

This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong.

“Earlier it was just one conversation they [authorities] would tap into,” Venu told CPJ in a phone interview. “They wouldn’t see what you would be doing in your bedroom or bathroom. The scale was stunning.”

The Indian journalists were among scores around the world who learned from the Pegasus Project in July 2021 that they, along with human rights activists, lawyers, and politicians, had been targeted for possible surveillance by Pegasus, the spyware made by Israel’s NSO Group. (The company denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.) 

The Pegasus Project found that the phones of two founding editors of The Wire – Venu and Siddharth Vardarajan – were confirmed by forensic analysis to have been infected with Pegasus. Four other journalists associated with the outlet – diplomatic editor Devirupa Mitra, and contributors Rohini Singh, Prem Shankar Jha, and Swati Chaturvedi – were listed as potential targets.

The Indian government denies that it has engaged in unauthorized surveillance, but has not commented directly on a January New York Times report that Prime Minister Narendra Modi agreed to buy Pegasus during a 2017 visit to Israel. The Indian government has not cooperated with an ongoing inquiry by an expert committee appointed by the country’s Supreme Court to investigate illegal use of spyware. In late August, the court revealed that the committee had found malware in five out of the 29 devices it examined, but could not confirm that it was Pegasus.

However, Indian journalists interviewed by CPJ had no doubt that it was the government behind any efforts to spy on them. “This government is obsessed with journalists who are not adhering to their cheerleading,” investigative reporter Chaturvedi told CPJ via messaging app. “My journalism has never been personal against anyone. I don’t understand why it is so personal to this government.” For Chaturvedi, the spying was an invasion of privacy “so heinous that how do you put it in words.” 

Read CPJ’s complete special report: When spyware turns phones into weapons

Overall, the Pegasus Project found that at least 40 journalists were among the 174 Indians named as potential targets of surveillance. With six associated with The Wire, the outlet was the country’s most targeted newsroom. The Wire has long been a thorn in the side of the ruling Bharatiya Janata Party (BJP) for its reporting on allegations of corruption by party officials, the party’s alleged promotion of sectarian violence, and its alleged use of technology to target government critics online. As a result, various BJP-led state governments, BJP officials, and their affiliates have targeted the website’s journalists with police investigations, defamation suits, online doxxing, and threats.

Indian home ministry and BJP spokespeople have not responded to CPJ’s email and text messages requesting comment. However after the last Supreme Court hearing, party spokesperson Gaurav Bhatia criticized the opposition for “trying to create an atmosphere of fear” in India. “They [Congress party] were trying to spread propaganda that citizens’ privacy has been invaded. The Supreme Court has made it clear that no conclusive evidence has been found to show the presence of Pegasus spyware in the 29 phones scanned,” he said.

As in so many other newsrooms around the world, the Pegasus Project revelations have prompted The Wire to introduce stricter security protocols, including the use of encrypted software, to protect its journalists as well as its sources.

Ajoy Ashirwad Mahaprashasta, political editor at The Wire, told CPJ in a phone interview that as part of the new procedures, “we would not talk [about sensitive stories] on the phone.” While working on the Pegasus project, the Wire newsroom was extra careful. “When we were meeting, we kept our phones in a separate room. We were also not using our general [office] computers,” he said.

Venu told CPJ that while regular editorial meetings at The Wire are held via video call, sensitive stories are discussed in person. “We take usual precautions like occasional reboot, keep phones away when we meet anyone. What else can we do?” he asks.

Chaturvedi told CPJ via messaging app that she quickly started using a new phone when she learned from local intelligence sources that she might have been under surveillance. As an investigative journalist, her immediate concern following the Pegasus Project disclosures was to avoid compromising her sources. “In Delhi, everyone I know who is in a position of power no longer talks on normal calls,” she said. “The paranoia is not just us who have been targeted with Pegasus.”

“Since the last five years, any important source I’m trying to talk to as a journalist will not speak to me on a normal regular call,” said Arfa Khanum Sherwani, who anchors a popular political show for The Wire and is known as a critic of Hindu right-wing politics. Sherwani told CPJ that her politician sources were the first ones who moved to communicate with her on encrypted messaging platforms even before the revelations as they “understood that something like this was at play.”

Rohini Singh similarly told CPJ that she doesn’t have any conversations related to her stories over the phone and leaves it behind when she meets people out reporting. “It is not about protecting myself. Ultimately it is going to be my story and my byline would be on it. I’m essentially protecting people who might be giving me information,” she said. 

Journalists also say they are concerned about the safety of their family members.

“After Pegasus, even though my name per se was not part of the whole thing, my friends and family members did not feel safe enough to call me or casually say something about the government. Because they feel that they are also being audiographed and videographed [filmed or recorded],” said Sherwani.

Chaturvedi told CPJ that her family has been “terrified” since the revelations. “Both my parents were in the government service. They can’t believe that this is the same country,” she said.

Venu and Sherwani both expressed concerns about how the atmosphere of fear could affect coverage by less-experienced journalists starting out in their careers. “The simple pleasure of doing journalism got affected. This may lead to self-censorship. When someone gets attacked badly, that journalist can start playing safe,” said Venu.

Said Sherwani: “For someone like me with a more established identity and career, I would be able to get people [to talk to me], but for younger journalists it will be much more difficult to contact politicians and speak to them. Whatever they say has to be on record, so you will see less and less source-based stories.”

Ashirwad agreed. “I’m very critical of this government, which is known. My stand now is I shall not say anything in private which I’m not comfortable saying in public,” he said.  

This content originally appeared on Committee to Protect Journalists and was authored by Kunal Majumder/CPJ India Representative.

Over five years have passed since Villarreal and Ismael Bojórquez, RíoDoce’s co-founder and editor-in-chief, received the suspicious text messages that experts said bore telltale signs of Pegasus, the now notorious surveillance software developed by Israeli firm NSO Group. Just this month, a joint investigation by three Mexican rights groups and the University of Toronto’s Citizen Lab found evidence of Pegasus infections on the devices of two Mexican journalists and a human rights defender between 2019 and 2021 – infiltration that occurred in spite of Mexican President Andrés Manuel López Obrador’s 2018 promise to end illegal surveillance. (López Obrador denied on October 4 that his administration had used Pegasus against journalists or political opponents, saying, “if they have evidence, let them present it.”)

The previous Mexican administration also denied using the technology on high-profile journalists, even after the Pegasus Project, a global consortium of investigative journalists and affiliated news outlets that investigated the use of the spyware, reported in 2021 that more than two dozen journalists in Mexico have been targeted with the spyware. Those named included award-winning investigative journalist Carmen Aristegui and Jorge Carrasco, the editor-in-chief of the country’s foremost hard-hitting investigative magazine Proceso. Yet although the surveillance caused considerable outrage, almost nothing has changed since 2017, according to Villarreal, who spoke to CPJ from Sinaloa’s capital, Culiacán.

Read CPJ’s complete special report: When spyware turns phones into weapons

In what CPJ has found to be by far the deadliest country for journalists in the Western Hemisphere, there remains no legal protection from intrusive surveillance, no recourse for its victims, and no repercussions for those in public office who facilitated the spying.  

López Obrador’s pledge to stop illegal surveillance was one of his first major undertakings after he took office in December 2018. Eleven months later, he assured Mexicans that the use of the Israeli spyware would be investigated. “From this moment I tell you that we’re not involved in this. It was decided here that no one will be persecuted,” he said.

But with just over two years left in office – Mexico’s constitution allows presidents to serve only a single six-year term – journalists, digital rights groups, and human rights defenders say little has come of the president’s promises. Not only has the investigation into the documented cases of illegal use of Pegasus shown no meaningful progress, the critics say, but also virtually nothing has been done to prevent authorities from continuing to spy. 

“Unfortunately, the regulatory situation and the authorities’ capacity to intercept communication have remained intact,” said Luis Fernando García of Red en Defensa de los Derechos Digitales (R3D), a Mexico City-based digital rights group that supports reporters targeted with Pegasus. “There’s very little transparency, very little publicly available information about the use of such technologies, which makes repetition a very real possibility.”

CPJ contacted the office of President López Obrador’s spokesperson for comment before publication of the October report about the most recent infections but did not receive a reply.

NSO says it only sells Pegasus to government and law enforcement agencies to combat terrorism or organized crime. But investigative journalists report that in countries like Mexico non-state actors, including criminal groups, can also get their hands on these tools even if they are not direct clients. This poses a major threat to journalists and their sources across the region, where CPJ research has found that organized crime groups are responsible for a significant percentage of threats and deadly violence targeting the press. At least one Mexican journalist who was killed for his work, Cecilio Pineda Birto, may have been singled out for surveillance the month before his death.

Villarreal and Bojorquez received the first Pegasus-infected text messages just two days after Javier Valdez Cárdenas, Riodoce co-founder and a 2011 recipient of CPJ’s International Press Freedom Award, was fatally shot on May 15, 2017, near the magazine’s offices in northern Sinaloa state. 

“Although it had all the hallmarks of Pegasus, it took us quite a while before we realized what was happening,” Villarreal recalled. “We were in a very vulnerable state after Javier’s death. It wasn’t until approximately a month later, after contact with press freedom groups, that we realized that it was Pegasus.”

A 2018 report by R3D, citing findings by Citizen Lab, stated that the likely source of Villarreal’s surveillance was the Agency of Criminal Investigation, a now-defunct arm of the federal attorney general’s office. Two autonomous federal regulators subsequently established that the attorney general’s office used Pegasus illegally and violated privacy laws.

However, an ongoing federal investigation initiated under the previous government of President Enrique Peña Nieto has not led to any arrests of public officials. In December 2021, Mexican authorities requested the extradition from Israel of the former head of the criminal investigation agency, Tomás Zerón, in connection with various investigations – reportedly including the Pegasus abuses – but that request has not yet been granted. (CPJ contacted the federal attorney general’s office for comment on the extradition, but did not receive a reply.)

Concerningly, according to Proceso, investigators of the federal state comptroller revealed in the audit of the federal budget in October 2021 that the López Obrador administration had paid more than 312 million pesos (US $16 million) to a Mexican businessman who had facilitated the acquisition of Pegasus in the past.

The López Obrador administration has not publicly responded to Proceso’s findings or the state comptroller’s report, but the president did say during his daily press briefing on August 3, 2021, that there ‘no longer existed a relationship’ with the developer of Pegasus. The president’s office had not responded to CPJ’s request for comment on the payment by the time of publication.

Experts at R3D and Citizen Lab said Pegasus traces on a journalist’s phone indicated they were hacked as recently as June 2021, just after they reported on alleged human rights abuses by the Mexican army for digital news outlet Animal Politico. The journalist was not named in reports of the incident.

“I don’t think anything has changed,” Villarreal said. “The risk continues to exist, but the government denied everything.”

R3D, together with a number of other civil society groups, has also pushed hard for new legislation to curb the use of surveillance technologies by lobbying directly to legislators and via platforms like the Open Government Alliance. So far, the result has been disappointing. Even though López Obrador and his party, the Movement of National Regeneration (Morena), hold absolute majorities in both chambers of federal congress and have repeatedly acknowledged the need to end illegal surveillance, there has been no meaningful push for new legislation on either the state or the federal level.

“There is indignation about surveillance, but my colleagues aren’t picking the issue up,” said Emilio Álvarez Icaza, an independent senator who has been outspoken about surveillance. “It’s an issue that at least the Senate does not seem to really care about.”

R3D’s García warns that Pegasus is just a part of the problem. R3D and other civil society groups say they have detected numerous other technologies that were acquired by state and federal authorities even after the scope of Pegasus’ use became clear.

“We’ve been able to detect the proliferation of systems that permit the intervention of telephones and there are publicly available documents that provide serious evidence that those systems have been used illegally,” García said. “The [attorney general’s office], for example, has acquired the capacity to conduct more than 100,000 searches of mobile phone data, but only gave clarity about 200 of them.”

“Even with regulation, the Mexican justice state has a tremendous problem of lack of transparency and accountability. The entire system seems to have been constructed to protect public officials,” said Ana Lorena Delgadillo, a lawyer and director of the Fundación para la Justicia, which provides legal support to Mexicans and Central Americans searching for ‘disappeared’ family members. “This is why I believe it’s important that cases of this nature are ultimately brought to the Supreme Court, but it’s hard to find people willing to litigate.”

Villarreal said he will not be one of those afraid to speak out. “Ultimately we’ve left our cases in the hands of civil society organizations,” he said. “Thing is, the spyware is just a new aspect of a problem that has always existed. The authorities have spied here, they will continue to do so. We have to adapt to the reality that we’ll never know the extent of what’s going on.”

This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen, CPJ Mexico Correspondent.

Last July, when the Pegasus Project investigation revealed that imprisoned Moroccan journalist Soulaiman Raissouni was selected for surveillance by Israeli-made Pegasus spyware, the journalist could only laugh. 

“I was so sure,” his wife Kholoud Mokhtari said Raissouni told her from prison. 

Raissouni is one of seven local journalists named by the Pegasus Project – an investigative consortium of media organizations – as a potential or confirmed target of Pegasus spyware. The news only validated what Moroccan’s journalist community had long suspected: that the state’s vast intelligence apparatus has been monitoring some journalists’ every move. 

Moroccan journalists were among the first worldwide to complain of the use of spyware against reporters, pointing to digital surveillance as early as 2015. In 2019 and 2020, Amnesty International announced the findings of forensic analyses confirming that Pegasus had been used on the phone of at least two Moroccan journalists, Omar Radi and Maati Monjib. Subsequent state action against some of the surveilled journalists underscored the ongoing threat to Morocco’s independent media – and reinforced CPJ’s conclusion that spyware attacks often are precursors to other press freedom violations. 

Both Raissouni and Radi are imprisoned in Morocco for what family and colleagues describe as trumped up sex crimes charges. Taoufik Bouachrine, another journalist whom the Pegasus Project said was targeted with the spyware, is imprisoned on similar charges. 

Read CPJ’s complete special report: When spyware turns phones into weapons

The Pegasus Project was unable to analyze the phones of all of those named as surveillance targets to confirm the infection and the Moroccan government has repeatedly denied ever using Pegasus. However, many of the three journalists’ private pictures, videos, texts, and phone calls, as well as those belonging to family members, were published in pro-government newspapers and sites like Chouf TV, Barlamane.com, Telexpresse, and then later used as evidence against the journalists in court.   

Bouachrine, former editor-in-chief of local independent newspaper Akhbar al-Youm, was arrested in February 2018, and is serving a 15-year prison sentence on numerous sexual assault and human trafficking charges. His wife, Asmae Moussaoui, told CPJ in a phone call in May 2022 that she believes she was surveilled, too. 

In April 2019, Moussaoui said she called a private Washington, D.C.-based communications firm to help her run ads in U.S. newspapers about Bouachrine’s case, hoping that the publicity might aid efforts to free her husband. The next day, Barlamane published a story alleging that Moussaoui paid tens of thousands of euros to the firm, using money the journalist allegedly earned through human trafficking activities. Human Rights Watch describes Barlamane as being “closely tied with security services.” 

Suspecting she was being monitored, Moussaoui turned to one of her husband’s lawyers, who suggested the pair “pull a prank” that would help them detect whether authorities were indeed spying on her. The lawyer “called me and proposed that we speak with Taoufik’s alleged victims to reconcile, which we did not really intend to do. The next day, tabloids published an article saying that our family is planning to bribe each victim with two million dirhams [about $182,000] so they drop the case. I became very sure [of the surveillance] then,” Moussaoui told CPJ.

Moroccan journalist and press freedom advocate Maati Monjib, co-founder of the Moroccan Association for Investigative Journalism (AMJI), had a similar experience. Monjib was arrested in December 2020 and sentenced to a year in prison the following month after he was convicted of endangering state security and money laundering fraud. The latter charge stems from AMJI’s work helping investigative journalists apply for grants, Monjib told CPJ in a phone call. 

“During one of our meetings at AMJI in 2015, I mentioned that we need to look for grants to support more journalists. The next day, one of the tabloids published a story claiming that Maati Monjib is giving 5,000 euros [$4,850] to every journalist who criticizes the general director of the national security. This is a proof that they were listening to our meeting,” said Monjib. 

The revelations have forced journalists and their family members to take precautions against surveillance – no easy task given the difficulty of detecting spyware infection without forensic help. “[Raissouni] told me to try to be safe, so I am trying my best,” Mokhtari, Raissouni’s wife, told CPJ. 

“Other than the usual precautions I take to protect my phone, I regularly update it and I never keep any personal pictures or important messages or emails on it,” she said. “I also buy a new phone every three months and destroy the old one, which has taken a financial toll on my family. But honestly you can’t escape it. The most tech-savvy person I know is our friend Omar Radi. He took all the necessary precautions against hacking, and they still managed to infect his devices.” 

Monjib brings his devices to tech experts almost daily to check for bugs and to clean them, he told CPJ, adding that he also never answers phone calls, only uses the encrypted Signal messaging app, and always speaks in code.

Aboubakr Jamai, a prominent Moroccan journalist and a 2003 CPJ International Press Freedom Award winner, was selected for surveillance with Pegasus in 2018 and 2019 — and confirmed as a target in 2019 — even though he has been living in France since 2007, according to the Pegasus Project. He believes that the Moroccan government is to blame for the spyware attacks, and that the surveillance has effectively ensured the end of independent journalism in the country, he told CPJ in a phone call. 

“For years now, there haven’t been any independent media or journalism associations,” said Jamai. What’s left now is a handful of individuals who have strong voices and choose to echo it using some news websites, but mainly social media platforms.” 

CPJ emailed the Moroccan Ministry of Interior in September for comment but did not receive any response. 

Still, Jamai – who gave no credence to the government’s earlier denials of Pegasus use – did see one positive result from the spyware disclosures. “It publicly exposed Morocco’s desperation and the extent to which it is willing to go to silence journalists,” he said. “Now the whole world knows that the Moroccan state is using Pegasus to spy on journalists.”

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp.

The indignation and humiliation were from seeing himself and other prominent journalists included on a list of convicted criminals and known mob figures considered to be threats to Hungary’s national security. The pride was because the Hungarian government, which routinely ignored his reporting questions, thought it was worth spending tens, if not hundreds, of thousands of dollars on his surveillance; the relief was the validation that his earlier suspicions about being spied on were not a sign of paranoia.

Other Hungarian journalists targeted for surveillance expressed similarly ambiguous emotions in interviews with CPJ. And all were skeptical that any future recommendations by the European Parliament’s committee of inquiry into Pegasus and other spyware, expected next year, would bring much relief in a country where independent media face an increasingly hostile press freedom climate under the government of right-wing Prime Minister Viktor Orbán.

Panyi, who continues to relentlessly investigate the surveillance scandal, is one of the few journalists still giving regular interviews to Hungarian and international media about his surveillance. Three other CPJ interviewees said that while they were making an exception in talking to the organization, they’d otherwise stopped making public statements on their experience because they did not want their Pegasus targeting to define their lives.

Read CPJ’s complete special report: When spyware turns phones into weapons

The three – crime reporter Brigitta Csikász, Zoltán Varga, owner of one of the country’s biggest independent news sites, 24.hu, and a reporter who asked not to be identified for fear that further publicity would negatively impact his career – were named as targets in July 2021, when Panyi broke the story for Direkt36 as part of its reporting for the Pegasus Project, an international investigation that found the phone numbers of more than 180 journalists on a global list of potential spyware targets. (The NSO Group, which makes Pegasus, denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.)

Along with Panyi, all the journalists recounted signs that they were under physical and digital surveillance before they were aware of Pegasus being used against them, and all said that their private and professional lives had changed since the scandal broke last year.

Csikász, who covers corruption, told CPJ in a phone interview that she had seen numerous signs that people might be watching her and was warned by friends for years that her phone might be monitored. “I did not get a heart attack, I was not at all traumatized,” she told CPJ in a phone interview about her reaction to the news that Pegasus was used to monitor the contents of her phone between early April and mid-November 2019.   

Csikász has even managed to find some humor in her situation. “My friends took it real easy, most of them just crack jokes and my family took it as a sign of prestige and importance. For them, it is as if I was awarded with a special journalism prize,” she said. She added that the publicity surrounding the disclosures had even prompted some sources to contact her because they heard about her in the news. “I was not, and I have not, become paranoid,” she told CPJ.

Still, Csikász, who currently works for daily tabloid newspaper Blikk and was reporting for the investigative outlet Átlátszó, remains concerned about the intrusion. “As a journalist, I respect my country’s laws and my profession’s ethical standards and I consider the possibility of being spied on as part of my job,” she said. However, she would like to know which of her numerous investigations were considered threats to national security.

Varga told CPJ in a video interview that he’d attracted government attention when he started investing in media in 2014. This scrutiny increased, especially when he made it clear around 2017 that he would not be willing to sell his assets in spite of quiet threats and warnings from businesspeople linked to the government. In recent years, he said, he had spotted people sitting in cars parked outside his house and apparent eavesdroppers sitting next to his table at restaurants. He recalled that his phone calls were often interrupted, he once heard a recording of a call played back from the start, and at one point German tech experts provided proof that his android phone had been hacked.

Panyi’s investigation found Varga’s Pegasus surveillance started around the time he invited six people to a dinner in his house in Budapest in June 2018, two months after Orbán won a third consecutive term as prime minister. All seven participants of the dinner were selected as potential candidates for surveillance and at least one of their phones showed evidence of infection under Amnesty’s forensic analysis.  

“I was only surprised that the regime used this type of high-level technology to spy on an otherwise innocent gathering of intellectuals,” Varga told CPJ in a video call. “It was far from being a coup, it was just a friendly gathering. We discussed the very high level of corruption in Hungary’s ruling elite and how to find ways to expose it. Using this kind of technology in such a situation for me just shows how much the government is afraid of its opponents,” he said.

The reporter who spoke on condition of anonymity was also surprised that the government would deploy such high-tech spyware against journalists. Although he’d seen indications of occasional physical surveillance, the Pegasus infiltration “came out of the blue and was a real shock to me,” he said in a phone interview. His “dark period” only eased when the fact of his surveillance was publicly reported. “Since then, I prefer not to speak about it and share my experiences with anyone but my friends,” he told CPJ.

Panyi said that the way he communicates with sources has now become much slower and more complicated. “Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life,” he told CPJ in a phone interview. He uses various secure digital tools and applications, is mindful about what networks he connects to on his computer or mobile phone, regularly goes to meetings without his phone, and continues to take physical notes.

Varga says the spyware disclosures have harmed some of his business ventures. “The Pegasus scandal made it obvious for both my business and private contacts that it might be risky to talk to me and they might also get exposed, which people obviously try to avoid,” Varga told CPJ, adding that acquaintances now crack Pegasus “jokes” in most of his meetings. “As a result of this whole affair, I have much less phone calls, more walking meetings outside, without phones in the pocket,” he said.

Many companies, including advertising agencies and advertisers for his news site, seem to prefer to avoid doing business with him, and their loss is not offset by the small number of ad-buyers who now see the site as an important media voice, said Varga. “I have become kind of toxic for my environment,” he told CPJ. 

The reporter who preferred not to be named said that his phone now “stays outside” whenever he sees friends and family and he uses a special anti-tracking case when he attends professional meetings.

Hungary’s government acknowledged in November 2021 that it had bought Pegasus spyware, but says that its surveillance of journalists and political critics was carried out in accordance with Hungarian law.

A government spokesman said that journalists might have been monitored because some of their sources were under surveillance on suspicion of crimes or terrorist links, not because the journalists were the direct targets of the investigations.

In January, the Hungarian National Authority for Data Protection and Freedom of Information issued a 55-page report, which concluded that in all the cases they investigated, including those involving journalists, all legal criteria for the application of the spyware were met and the spyware was used to protect Hungary’s national interests.  

These responses have left the journalists who spoke to CPJ with little hope that anyone will be held accountable for the intrusion on their lives. Nor do they expect help from the institutions of the European Union, where officials themselves have been targeted by spyware as they grapple with mounting political pressure over how to hold member states accountable for any breaches of the rule of law.

As the European Parliament’s committee of inquiry looks at the mountain of evidence that surveillance spyware has been used in EU countries and against EU citizens, the EU Commission lacks the powers to hold member states to account, and has been forced to refer those seeking justice to their national courts.    

Surveilled journalists might eventually get EU relief if a new draft European Media Freedom Act, released on September 16, becomes law. The Act could give journalists a path to file a complaint to the EU’s Court of Justice if they or those close to them are subject to the unjustified use of spyware. However, the Act still has to be reviewed by EU institutions and member states and may not survive in its current form.  

Meanwhile, Panyi does not believe Hungary’s courts can provide any relief. “The laws regulating national security, including surveillance, are so broadly formulated that it is legal to wiretap and surveil anyone,” he told CPJ. Noting that there was no independent oversight of the surveillance process, he added that “legal” in these cases meant only that “everything has been properly documented, and the necessary stamps are where they should be.”

In June, Panyi saw his concerns confirmed when the Central Investigation Prosecutor’s Office announced it had terminated its own investigation into the allegations of illegal surveillance of journalists and opposition politicians, citing absence of a crime. “A broad investigation which included classified documents found no unauthorized and secretive collection of information or the unauthorized use of a concealed device,” said the investigators. 

Additional reporting by Tom Gibson in Brussels

This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong/CPJ EU Correspondent.

The hearing started unsurprisingly enough. Chaim Gelfand, the NSO Group lawyer, laid out the company line that Pegasus is designed for use against terrorists and other criminals. He promised that the company controlled its sales, developed human rights and whistleblowing policies, and took action against those governments that abused it. He wanted to “dispel certain rumors and misconceptions” about the technology that have circulated in “the press and public debate.” He made his case.

Then, surely from NSO Group’s perspective, it went downhill. MEP after MEP asked specific questions of NSO Group. For instance: if Pegasus is sold only to counter terrorism or serious crime, how did it come to be used in EU member states? How did it come to be used to eavesdrop on staffers at the European Commission, another public allegation? Can NSO provide examples of when it terminated contracts because a client misused Pegasus? Can NSO clarify what data it has on its clients’ uses of Pegasus? How does NSO Group know when the technology is “abused”? More personally: How come you spied on me?

MEPs were angry. Increasingly their questions became more intense, more personal, more laced with moral and legal outrage. And this tenor only deepened over the course of the hearing, as the NSO lawyer stumbled through his points and regularly resorted to the line that he could not speak to specific examples, cases or governments. Few, if any, seemed persuaded by the NSO Group claim that it has no insight into the day-to-day use of the spyware by the “end-user”. To the contrary, the PEGA hearing ended with one thing clear: NSO Group faces not only anger but the reality of an energized set of legislators.

More than a year after release of the Pegasus Project, the global reporting investigation that disclosed massive pools of potential targets for Pegasus surveillance, the momentum for action against spyware like Pegasus is gathering steam. 

Read CPJ’s complete special report: When spyware turns phones into weapons

In 2019, in my capacity as a U.N. Special Rapporteur, I issued a report to the United Nations Human Rights Council that surveyed the landscape of the private surveillance industry and the vast human rights abuses it facilitates, calling for a moratorium on the sale, transfer and use of such spyware. At the time, few picked up the call. But today, with extensive reporting of the use of spyware tools against journalists, opposition politicians, human rights defenders, the families of such persons, and others, the tide seems to be turning against Pegasus and spyware of its ilk.

The U.N. High Commissioner for Human Rights, several U.N. special rapporteurs, the leaders of major human rights organizations, and at least one state, Costa Rica, have joined the call for a moratorium. The Supreme Court of India is pursuing serious questions about the government’s use of Pegasus. The United States Department of Commerce placed NSO Group and another Israeli spyware firm on its list of restricted entities, forbidding the U.S. government from doing any business with them. Apple and Facebook’s parent company Meta have sued NSO Group for using their infrastructure to hack into individual phones.

All of these steps suggest not only momentum but the elements of a global process to constrain the industry. They need to be transformed into a long-term strategy to deal with the threats posed to human rights by intrusive, mercenary spyware. State-by-state responses, or high-profile corporate litigation, will generate pain for specific companies and begin to set out the normative standards that should apply to surveillance technologies. But in order to curb the industry as a whole, a global approach will be necessary. 

In principle, spyware with the characteristics of Pegasus – the capability to access one’s entire device and data connected to it, without discrimination, and without constraint – already violates basic standards of necessity and proportionality under international human rights law. On that ground alone, it’s time to begin speaking of not merely a moratorium but a ban of such intrusive technology, whether provided by private or public actors. No government should have such a tool, and no private company should be able to sell such a tool to governments or others.

In the land of reality, however, a ban will not take place immediately. Even if a coalition of human rights-friendly governments could get such negotiations toward a ban off the ground, it will take time.

Here is where bodies like the European Parliament and its PEGA Committee – and governments and parliamentarians around the world – can make an immediate difference. They should start to discuss a permanent ban while also entertaining other interim approaches: stricter global export controls to limit the spread of spyware technology; commitments by governments to ensure that their domestic law enables victims of spyware to bring suits against perpetrators, whether domestic or foreign; and broad agreement by third-party companies, such as device manufacturers, social media companies, security entities and others, to develop a process for notification of spyware breaches especially to users and to one another. 

Some of this would be hard to accomplish. It’s not as if the present moment, dominated as it is by tensions like Russian aggression against Ukraine, is conducive to international negotiations. Some steps could be achieved by governments that should be concerned about the spread of such technologies, already demonstrated by U.S. and European outrage. Either way, governments and activists can begin to lay the groundwork, defining the key terms, highlighting the fundamental illegality of spyware like Pegasus, taking steps in domestic law to ensure strict controls on export and use. 

There is precedent for such action in the global movement to ban landmines in the 1990s, which started with little hope of achieving a ban, focused instead on near-term controls. Ultimately human rights activists and like-minded governments were able to hammer out the Ottawa Convention to ban and destroy anti-personnel landmines in 1997. It is, at least, a process that activists and governments today could emulate and modify.

Human rights organizations and journalists have done the work to disclose the existence of a major threat to freedom of expression, privacy, and space for public participation. It is now the duty of governments to do something about it.

This content originally appeared on Committee to Protect Journalists and was authored by David Kaye.

From July 12 to September 24, 2021, Koukakis, a financial editor for CNN Greece and a regular contributor for local and international outlets including The Financial Times and CNBC, had his cellphone surveilled by Predator, according to news reports and Koukakis, who disclosed the hacking on Monday, April 11, and spoke to CPJ in a phone interview.

Koukakis, who covers financial news, said he was notified about the surveillance by the digital rights group Citizen Lab in late March. Around the time of the surveillance, he covered topics including alleged money laundering and corruption, he said.

“Greek authorities must conduct a swift, thorough, and transparent investigation into the surveillance of journalist Thanasis Koukakis, find whoever orchestrated it, and hold them to account,” said Attila Mong, CPJ’s Europe representative. “Journalists must be able to protect their sources, and authorities must ensure that the are able to work without fear that hackers will gain access to their sources or details of their private lives.”

Predator spyware was originally developed by the North Macedonian company Cytrox, and can monitor a phone’s conversations, text messages, passwords, files, photos, internet history, and contacts, according to the Greek news outlet Inside Story, which said that the software is now owned by the Cyprus-based company WiSpear.

Koukakis told CPJ that Citizen Lab researchers believed his phone was infected through a text message containing a link that he clicked on July 12.

Koukakis said he previously noticed his phone acting strangely in 2020 and suspected it may have been infected with spyware. That August, he filed a complaint with the Hellenic Authority for Communication Security and Privacy, which later said it did not find any evidence of a breach of privacy on his phone. When Koukakis was targeted by spyware in 2021, he was using a new phone he had purchased since that incident, he said.

Koukakis told CPJ that on April 6, 2022, he filed a new complaint to the Hellenic Authority for Communication Security and Privacy and sent them Citizen Lab’s report on his case. He said he also planned to file a criminal complaint over the surveillance.

Greek government spokesperson Yannis Economou denied that the government had any involvement in surveilling Koukakis, according to news reports. CPJ emailed the Hellenic Authority for Communications Security and Privacy for comment, but did not immediately receive any reply.

CPJ was unable to find contact information for WiSpear, as its website did not load. In February, the company was fined in Cyprus for illegally surveilling private communications through the use of a “spy van,” according to news reports.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

From July 12 to September 24, 2021, Koukakis, a financial editor for CNN Greece and a regular contributor for local and international outlets including The Financial Times and CNBC, had his cellphone surveilled by Predator, according to news reports and Koukakis, who disclosed the hacking on Monday, April 11, and spoke to CPJ in a phone interview.

Koukakis, who covers financial news, said he was notified about the surveillance by the digital rights group Citizen Lab in late March. Around the time of the surveillance, he covered topics including alleged money laundering and corruption, he said.

“Greek authorities must conduct a swift, thorough, and transparent investigation into the surveillance of journalist Thanasis Koukakis, find whoever orchestrated it, and hold them to account,” said Attila Mong, CPJ’s Europe representative. “Journalists must be able to protect their sources, and authorities must ensure that the are able to work without fear that hackers will gain access to their sources or details of their private lives.”

Predator spyware was originally developed by the North Macedonian company Cytrox, and can monitor a phone’s conversations, text messages, passwords, files, photos, internet history, and contacts, according to the Greek news outlet Inside Story, which said that the software is now owned by the Cyprus-based company WiSpear.

Koukakis told CPJ that Citizen Lab researchers believed his phone was infected through a text message containing a link that he clicked on July 12.

Koukakis said he previously noticed his phone acting strangely in 2020 and suspected it may have been infected with spyware. That August, he filed a complaint with the Hellenic Authority for Communication Security and Privacy, which later said it did not find any evidence of a breach of privacy on his phone. When Koukakis was targeted by spyware in 2021, he was using a new phone he had purchased since that incident, he said.

Koukakis told CPJ that on April 6, 2022, he filed a new complaint to the Hellenic Authority for Communication Security and Privacy and sent them Citizen Lab’s report on his case. He said he also planned to file a criminal complaint over the surveillance.

Greek government spokesperson Yannis Economou denied that the government had any involvement in surveilling Koukakis, according to news reports. CPJ emailed the Hellenic Authority for Communications Security and Privacy for comment, but did not immediately receive any reply.

CPJ was unable to find contact information for WiSpear, as its website did not load. In February, the company was fined in Cyprus for illegally surveilling private communications through the use of a “spy van,” according to news reports.

This content originally appeared on Committee to Protect Journalists and was authored by Erik Crouch.

Kitatta, a photojournalist and reporter, has been in hiding and unable to work since March 11, he told CPJ via messaging app, after a group of 12 men thought to be plain-clothed government security officers were seen allegedly surveilling the offices of the Vision Group, a Kampala-based state-owned media company that publishes Kitatta’s work in its New Vision  and Bukedde newspapers, according to a report by New Vision and a statement by the local press rights group, the Human Rights Network for Journalists-Uganda.

Since February 24, Kitatta has reported two other incidents of being followed and attacked by people he believed to be security officers, he told CPJ. Kitatta believes the security personnel planned to detain him following a February 22 incident in which a police officer attached to the elite Presidential Protection Guard, which provides security to high-ranking government officials and delegates, kicked him while he was covering an opposition protest in Kampala outside the home of Anita Among, who has since been elected speaker of parliament, according to media reports.

The attack was widely publicized, and Kitatta told CPJ that a picture of the incident was published on the front page in the Daily Monitor, a large privately owned newspaper. Kitatta also wrote a first-person account that was published by New Vision.

“It is a shame that a Ugandan journalist has been forced to go into hiding out of fear simply because he spoke out about being attacked while on assignment,” said CPJ sub-Saharan Africa Representative Muthoki Mumo. “Authorities should hold the police officer who kicked Lawrence Kitattta on February 22 accountable and provide guarantees that the journalist will be allowed to continue his work safely.”

In the February 22 incident, Kitatta heard the police officer making disparaging comments about the media and saying he did not like journalists before covering his face with a mask, chasing protesters, and assaulting Kitatta, the journalist told CPJ.

In a tweet, Asan Kasingye, an assistant inspector general and chief political commissar of the Uganda police force, accused Kitatta of attempting to grab the police officer’s weapon and suggested the officer was only trying to protect his gun. Kitatta told CPJ that when the officer went to kick him, he put out his arm in front of his body in a self-defensive reflex, not to grab the police officer’s gun. 

Kitatta first suspected he was being surveilled on February 24, when a man in civilian clothes approached the journalist while he was walking back to the Vision Group following a lunch break, Kitatta told CPJ. The man called him by name but walked away when Kitatta responded.

“I think he was trying to confirm it was me, to confirm my identity,” Kitatta said.

On the evening of February 28, when he was riding his motorcycle home from the Vision Group offices, he noticed a man riding another motorcycle without a license plate following him, Kitatta told CPJ. The man followed him for about two miles (three kilometers), then tried to run him off the road. Kitatta told CPJ that he stopped and waited for the other man to drive off before taking an alternative route home.

On March 1, accompanied by a Vision Group lawyer, Kitatta reported both incidents to police at the Jinja Road station, in Kampala, according to a report published by the newspaper, which CPJ reviewed.

Kitatta told CPJ that he believed that the group of men outside the Vision Group building on March 11 incident was connected to these two earlier incidents. In its reporting, New Vision said that some of the men, riding motorcycles without license plates, watched the building’s exit while another group waited in an idling car. 

When one of the men was asked by Vision staff what they were doing outside the Vision Group offices, the man claimed to be looking to hire space for a conference — a service the media company does not provide. Kitatta told CPJ that at least one of the men approached a Vision Group security officer, asking for Kitatta’s whereabouts.

Kitatta told CPJ that he was warned by his colleagues that there were men looking for him, so he hid in the Vision Groupoffices throughout the afternoon until they left.

In a telephone call on March 31, Kasingye said he had no comment on the case and referred CPJ to police spokesperson Fred Enanga and the Criminal Investigations Department spokesperson Charles Twiine for comment.

Twiine asked CPJ to visit his office for a response to queries sent via messaging application and did not respond to a further request to communicate his comments either via email or WhatsApp. Enanga did not answer multiple calls and messages from CPJ requesting comment.  CPJ’s March 26 email to the police was also unanswered.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Israel’s justice ministry last month denied a report by Israeli tech site Calcalist about the allegedly unlawful use of Pegasus spyware by Israeli police. An internal investigation determined that the claims, which newspapers including The New York Times could not replicate, were largely unfounded.

However, the furor over the Calcalist report, and the ministry’s acknowledgement that police had used spyware on a phone belonging to a key witness in the corruption trial of former Prime Minister Benjamin Netanyahu, has prompted fears among journalists that any overhaul of Israel’s surveillance laws could hamper their reporting.

“We want to protect our sources,” said Anat Saragusti, press freedom director at the Union of Journalists in Israel, which sent a letter to the attorney general with the group’s demand. “We want to protect freedom of information, and we want to protect our assets.” 

A February statement from the justice ministry noted that in 2018 police infiltrated a phone belonging to Shlomo Filber, a now former director general of the Communications Ministry who was under investigation at the time. He is now state’s witness in the Netanyahu trial. 

In order to monitor Filber’s phone, police obtained a wiretapping warrant – a particular detail that raised the eyebrows of legal experts in the country.

“It’s unclear what exactly is the legal basis for what [police] have done,” said Michael Birnhack, a privacy law professor at Tel Aviv University. 

Israel has no law authorizing “cyber-tools” like spyware for law enforcement purposes, according to the Israel Democracy Institute – and the wiretapping law cited to monitor Filber’s phone dates back to 1979.

The decades-old wiretap law, said Birnhack, is an ill-fit to authorize spyware given that the technology can do so much more than listen in on calls – it can suck up old data in the form of texts, photos, voice memos, and more, without the owner’s knowledge. 

“The technological options exceed regular search and they exceed wiretapping,” he said.  

With spyware there’s also a risk of “exposing excessive data” beyond the scope of a warrant, said Birnhack — something that happened in Filber’s case.

According to the justice ministry, police acquired extra information like Filber’s contact list, which they said was not passed on to investigators. (The ministry also said that the spyware infiltration did not yield anything relevant to the investigation.)

Even if journalists are exempted from legislation regulating spyware, police use of the technology has implications for the profession. Anat Ben-David, a professor of society and technology at Israel’s Open University, worries about a chilling effect on the press. 

“This is uncharted territory at the moment, but I will say this: just knowing that this is a possibility could lead to self-censorship and to changing journalistic norms and instilling fear.”

Ben-David questions whether the technology belongs in the hands of police at all, given its extreme prying capabilities. 

Pegasus, made by the NSO Group – an Israeli company now under U.S. trade embargo – allows the purchaser to access virtually everything stored on a cell phone and activate its microphone and camera without the owner’s knowledge.

CPJ has documented the use of Pegasus to spy on journalists around the world. Amnesty International and the University of Toronto’s CitizenLab said it was found on Palestinian activists’ phones, though Israel has denied it was behind the alleged hacks.

The justice ministry did not identify Pegasus as the spyware used on Filber’s phone, but a later statement made it clear that Israeli police do have the controversial technology. The police department, said the statement, did not use the “Pegasus software in its hands” to spy without a warrant on the people named in the Calcalist report.

NSO Group spokesperson Liron Bruck replied “no comment” when CPJ asked in an email if it provided Pegasus or other spyware to Israeli police or other authorities. An Israeli police spokesperson said in an email the department could not “confirm or deny” use of Pegasus.

Ben-David also worries that the impetus to legislate spyware is following a pattern in which Israel introduces new monitoring technology and later legalizes its use against citizens.

“Surveillance technologies are introduced through the back door, and after petitions to the Supreme Court they enter through the front door through legislation,” said Ben-David.  

She pointed to the security services’ tracking of cell phones to curb transmission of COVID-19. After repeated legal challenges from civil rights groups, the Israeli Knesset passed a law approving the tracking. In March 2021, Israel’s Supreme Court outlawed the practice for Israelis who cooperated with contact tracing efforts, though it was briefly reinstated by emergency order to counter the Omicron variant.

Journalists, however, had been exempted from the tracking since April 2020 after a petition from the Union of Journalists, the group that wants to make sure the press is excluded from spyware laws.

Israeli journalists do have some protections. A 1987 Supreme Court ruling said that journalists don’t have to reveal their sources unless a court deems it critical to prevent a crime or save a life.

But journalists can find their sources exposed through other means. Police obtained information about Filber’s calls with two Israeli broadcast journalists, Amit Segal of Channel 12 and Raviv Drucker of Channel 13, when it spied on Filber’s phone, according to Haaretz.

Segal told CPJ that he learned that his interviews were snooped on from the newspaper, while Drucker learned about his exposure in the course of his own reporting. A justice ministry spokesperson would not confirm or deny the Haaretz report in a phone call with CPJ.

It’s not clear if police used spyware or another type of monitoring technology to listen in on the calls with the journalists.

Regardless of the method used, Segal told CPJ it was “not very pleasant” to learn that police had accessed his interviews with Filber, especially since he reports critically on the police.

“They shouldn’t wiretap conversations with journalists,” said Segal, who added that police are not supposed to transcribe conversations between journalists and their sources. “It is not OK, but it is not the most severe attack on journalists the world has ever seen.” 

Drucker, for his part, called it a “breach of the journalistic relationship between a source and a journalist.” A private conversation with a source “is not something that should be exposed.”

Drucker added that he hopes lawmakers considering surveillance legislation “will take into account the interest of the free press and the free media and journalists’ ability to do their work.”

Now, Segal, Drucker, and the Israeli press corps at large, are watching to see if the government will heed their concerns.   

This content originally appeared on Committee to Protect Journalists and was authored by Naomi Zeveloff/CPJ Features Editor.

“Israel’s government should fully and transparently investigate whether police used NSO Group’s Pegasus spyware against Israeli journalists, and should take concrete steps to curtail the technology’s use against members of the media in Israel and around the globe,” said Justin Shilad, CPJ’s senior Middle East and North Africa researcher. “By allowing Pegasus spyware to proliferate worldwide, the Israeli government has unleashed a monster that now appears to be going after Israeli journalists.”

According to a report Monday in the Israeli daily newspaper The Calcalist, Israeli police used the spyware against Aviram Elad, former editor-in-chief of the online Israeli news outlet Walla, and other unnamed Walla journalists. The report said that police deployed spyware without warrants during their investigation in one of the alleged corruption cases into former Prime Minister Benjamin Netanyahu. The report also alleged the use of the spyware against Israeli chief executives, activists, political advisers, and Netanyahu’s son Avner Netanyahu.

In an email to CPJ, an Israeli police spokesperson said that the Israeli police commissioner, Yaakov Shabtai, asked the minister of internal security to establish an “external and independent” review committee to look into the allegations, instate rules about technology, and “restore public trust” in the police.

Reached by CPJ via messaging app, Elad said he couldn’t immediately comment as he was still looking into the allegations in the report.

Last year, the Pegasus Project, an investigation conducted by an international journalist consortium, revealed at least 180 journalists were named as potential Pegasus targets. CPJ has documented the use of Pegasus spyware against journalists across the globe. NSO Group has repeatedly told CPJ in the past that it licenses the spyware to fight crime and terrorism.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Will reporters follow well-honed instincts, report the news, and face possible punishment from Chinese officials, even expulsion from China? Or will they stick to feel-good coverage, curb their tongues, compromise professional integrity, and potentially lose credibility among viewers and readers?

Traditionally, sports journalists are some of the best reporters and storytellers in the business. They delve into the personal stories behind the amazing performances of elite athletes. They make them into real people we can relate to — at a distance, of course. But those real people have feelings and views. Out of the nearly 3,000 athletes expected to compete in the games, it’s fanciful to imagine that all of them will stay silent about the human rights tragedy taking place all around China. Or that journalists will fail to report it. Or that journalists will all, unanimously, ignore the widely reported human rights abuses in China as an essential backdrop to the games. What if athletes complain about the venues, management of the games, or even the food or accommodations?

The Beijing Organizing Committee cast a shadow over the games on January 18, when Yang Shu, deputy director general of international relations for the Committee, said in a news conference that “Any behavior or speech that is against the Olympic spirit, especially against the Chinese laws and regulations, are also subject to certain punishment.”

The remark was aimed at the athletes, but it has implications for journalists too, who were previously warned by a foreign ministry spokesperson that they must comply with Chinese “laws and regulations,” which are vague and flexible, according to Reuters.

In theory, total press freedom is guaranteed for the international press in the “bubble” of the Olympic village. According to the IOC contract with Beijing: “There shall be no restrictions or limitations on (a) the freedom of the media to provide independent news coverage of the Games and Paralympic Games as well as related events, and (b) the editorial independence of the material broadcasted or published by the media.” Yet, how difficult would it be for Chinese authorities to declare that a journalist’s report violated Chinese law? And what would the International Olympic Committee, not known for a strong backbone, do about it?

China has not been shy, or especially secretive, about its treatment of critical journalists. CPJ counted at least 50 journalists in jail last year in its annual census of imprisoned journalists, making China the biggest jailer of journalists in the world for the third year running. It has forced the closure of independent news outlets in Hong Kong, in blatant violation of earlier commitments. It has continued to harass and restrict international journalists who are stationed in the country, arrested local staff or forced others to be fired, and chased many reporters out of the country. As the Foreign Correspondents Club of China put it in its annual report on working conditions, released on January 31: “The Chinese state continues to find new ways to intimidate foreign correspondents, their Chinese colleagues, and those whom the foreign press seeks to interview, via online trolling, physical assaults, cyber hacking, and visa denials.”

In an earlier era, China might have been shy about beating up on athletes or the press—literally and figuratively—while under a global spotlight, such as the Olympics. But by some accounts, China is not aiming to show compliance with international standards of human rights and press freedom. Rather it wants to show the world who is in charge. And it has a host of measures it could take against journalists ranging from blocking access to competition venues or press conferences, to blocking communication, to expulsion from the country. Nothing could be easier, or less transparent, than conveniently finding that a troublesome journalist has tested positive in the required daily COVID test, or forcing quarantine for alleged exposure to the virus, as journalists stationed in China suspect is already happening, according to the FCCC report.  

The Chinese Ministry of Foreign affairs did not immediately reply to a request for comment.

With the country’s sweeping digital and human surveillance apparatus, authorities are positioned to monitor journalists. University of Toronto-based Citizen Lab rang alarm bells about the required app aimed at tracking COVID-19, MY2022, pointing out a “devastating flaw” in which voice audio and encrypted files shared via the app can be compromised; according to tech news site Protocol, the flaw has been fixed but Citizen Lab also lost access to its MY2022 account for further research.

Yet China’s abysmal human rights record is part of the story, whether athletes talk about it or not. A recent feature in Bloomberg Businessweek, for example, found it noteworthy that Chinese-American superstar freestyle skier Eileen Gu, who grew up in the U.S. and is competing for China, has maintained studious silence about China’s human rights abuses, including its alleged genocide inflicted on millions of Uyghur Muslims.

We can expect more such coverage, no matter what the athletes do. And the Chinese hosts of the games won’t like it. Who will first test the limits? How much risk is it worth taking to get the story? Personally I hope journalists won’t be intimidated and will fully report the story. But that’s a tough choice that they must make for themselves. And it’s a key part of the Olympics drama that will play out away from the ski slopes or skating rinks.

This content originally appeared on Committee to Protect Journalists and was authored by Steven Butler/CPJ Asia Program Coordinator.

CPJ joined civil society and media groups yesterday in a statement calling on Salvadoran authorities to respond to the findings by experts at Citizen Lab and Access Now, among others. It’s not clear who was operating the spyware, but Pegasus creator NSO Group, an Israeli company, has repeatedly said it sells Pegasus only to vetted government clients and investigates allegations of abuse. More than 180 journalists around the world were identified as possible Pegasus targets last July in investigative reports that the company said were false.

The incidents in El Salvador were first publicized in November, when several journalists with iPhones reported Apple had notified them about possible spyware; Apple subsequently filed a lawsuit against NSO in a U.S. court for facilitating surveillance.

Gavarrete covers politics, health, environment, and gender for El Faro and previously worked at Gato Encerrado. Investigators found that staff at both independent digital outlets faced repeated Pegasus attacks in 2020 and 2021, especially El Faro, which reported 22 phones owned by its journalists were infected 226 times in total. The incidents coincided with some of their most hard-hitting investigations, Gavarrete told CPJ. 

President Nayib Bukele and other Salvadoran officials have also singled out the sites and other independent outlets, disparaging staff, barring entry to press conferences, and denying work permits since Bukele’s election in 2019. 

CPJ emailed Bukele’s office for comment but did not receive a response.

In a recent phone interview, Gavarrete told CPJ’s Dánae Vílchez about how knowledge of the spyware has affected her reporting. The interview has been edited for length and clarity.

Let’s talk about context: What is happening in El Salvador right now regarding press freedom?

In 2021 we saw setbacks – [fewer options] for citizens requesting information from institutions to understand what the government is doing with public funds, and the government also took a more concrete position against media it considered “inconvenient,” those that are doing watchdog work and monitoring finances. I don’t believe the situation will improve.

Were you afraid you were being spied on?

Several of us already suspected that [our communications] were being intercepted. Information that we shared was later made public on social media through trolls and Twitter accounts, [or] on pages that share fake news. But it was just a hunch.

Last year I was working on an investigative project, and it seemed like someone had read my conversations with a source. People stopped us at the entrance to a building like they knew we were going to be there. That confirmed to me that we were being monitored, but I never knew where the intervention came from.

I don’t know, for example, if the theft of my computer was state surveillance. [Editor’s note: In 2020, Gavarrete’s laptop was stolen from her home though other valuables were untouched; she was working for Gato Encerrado at the time.] I could never confirm it because the investigation never went anywhere.

How did you find out what was really going on?

I was able to confirm that I was being monitored with Pegasus working directly with organizations that were looking into this matter here in El Salvador.

My first impression was shock; suspecting you’ve been targeted isn’t the same as knowing. It hit me not only on a professional level, but also emotionally. To think about the amount of information that passes through a device, and the personal information they can access and what they can do with [it]…Processing that took me a bit of time, but in the end you have to turn the page and try to continue. That was my way of coping.

From what you know, can you tell us a little about what was found on the phones?

We found continuous interventions in which [someone] had access to and extracted information from our phones. Analysis allowed us to identify specific dates when the infections occurred.

Many of my initial thoughts were about work: What kind of information was reaching my phone [on] those days? What sources was I seeing?

Then I thought about difficult moments in my life, [like] my father’s illness. Not only are these people interested in knowing who you are as a journalist, but they want to know what happens in your personal life. Imagine the type of unscrupulous people behind this.

There were dates when a number of [us] were subject to heavy surveillance. Some journalists endured [it for] at least a year. Even for the researchers [performing the analysis], the obsessive use of Pegasus in El Salvador was very strange. It is not just that devices were being infected, but that the infections were constant.

Why do you think the government would be interested in monitoring your work?

Those who are behind these interventions are undoubtedly interested in knowing what is being produced in our newsroom. The government will always be interested in knowing what journalists who are investigating them are doing, although we do not have evidence of specific contracts.

What has become very clear to us is that during the periods when we have been surveilled, El Faro was working on hard-hitting reports into corruption or irregular purchases. There isn’t a single day that the reports showed we had been infected that wasn’t related to something that El Faro published or an ongoing investigation.

At a global level, state surveillance shows that governments are interested in controlling what is said about them, and not fighting organized crime.

Has the government acknowledged what happened or taken any responsibility?

The government distanced itself from the messages from Apple. Some officials said that what Apple was saying was not about El Salvador. It was just a matter of denying and trying to shift attention elsewhere.

We hope the government can provide answers, clarify whether it is using this type of software, [and] investigate who is behind all this – and that the international community gets more involved in demanding that we get these answers. We are talking about an excessive amount of money that someone is spending on this.

How has this situation affected your work as a journalist? How does it make you feel?

It is a stressful burden. Now it’s confirmed, it is not only about protecting our integrity and that of our sources, but also our families, trying to explain what is going on and why they can’t communicate with us “normally.” [Our devices] may still be infected. Anything sensitive that they want to say to me, they can only say in person. This is one of the most significant pressures that I have had to deal with.

I was cautious before, but [now] I am even more extreme to avoid putting sources in danger. But it wears you out day-to-day, and you have to make an even greater effort to be able to produce journalism.

See CPJ’s safety advisory, “Journalist targets of Pegasus spyware”

This content originally appeared on Committee to Protect Journalists and was authored by Dánae Vílchez/CPJ Central America Correspondent.

The statement identified “one of the most persistent and intensive known uses of Pegasus to surveil journalists in the world” based on forensic analysis of dozens of phones by rights and research groupsAccess Now, Front Line Defenders, The Citizen Lab, Amnesty International, Fundación Acceso, and SocialTIC.

Devices belonging to 35 people, mostly journalists along with a few members of civil society, were infected with Pegasus between July 2020 and November 2021, according to the findings; more than half worked for independent digital media outlet El Faro. Pegasus can control phones and extract content without the owners’ knowledge, and some of the devices were infiltrated more than 40 times, the statement said.  

Since his election in 2019, Salvadoran President Nayib Bukele and other government officials have consistently used anti-press rhetoric and harassed independent media outlets, individual journalists, and others critical of his administration.

According to the statement, it is not clear who was responsible for the surveillance, but the Israel-based NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism. CPJ emailed the company to ask about clients in El Salvador but did not receive a response before publication.

CPJ has documented how spyware is used to target journalists and those close to them around the world and called for a moratorium on its trade pending better safeguards.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

On November 23, the Fundación para la Justicia y el Estado Democrático de Derecho, a Mexico City-based legal nonprofit, revealed in the Washington Post that the Mexican federal attorney general’s office (FGR) had in 2016 opened an “organized crime” and “kidnapping” investigation into Turati, the nonprofit’s director Ana Lorena Delgadillo, and Argentine forensic anthropologist Mercedes Doretti.

The investigation into the three women was part of a broader probe into the 2011 mass disappearance of almost 200 people in San Fernando, in the northern Mexican state of Tamaulipas, which Turati reported on for Mexico City weekly Proceso. Mexican federal authorities alleged that Los Zetas, one of the country’s most notorious and violent criminal gangs, was behind the disappearances.

If being investigated wasn’t shocking enough, Turati also learned that authorities had surveilled her as part of the probe. According to the foundation, the federal attorney general’s office obtained phone and geolocation data on the women without a court order. It was able to do that because Mexican law compels mobile phone operators – in Turati’s case, Movistar – to cooperate with federal authorities in organized crime probes.

The revelation came shortly after Turati learned that she was one of at least 25 journalists in Mexico who had been selected for potential surveillance with Pegasus phone hacking technology, according to a report by investigative journalism nonprofit Forbidden Stories. NSO Group, the Israeli company that makes Pegasus and sells it to government clients, disputes the report.

FGR has not commented publicly on the case. CPJ sent a request for comment to the assistant of Raúl Tovar, the chief spokesperson for the FGR and attorney general Alejandro Gertz Manero via messaging app, but did not receive a reply.

CPJ spoke with Turati about how the discovery of the investigation has impacted her and what it means for investigative reporting in Mexico, which is, according to CPJ research, the deadliest country for journalists in the Western Hemisphere. The interview has been edited for length and clarity.

What was your initial response to learning you were investigated by federal authorities?

It came as a huge shock to me, because I saw my photo, my digital fingerprint, contact I had with my family, my address, everything. First I felt very angry, then I felt scared and, exposed, especially after I was told earlier this year that I was also targeted with the Pegasus spyware. If that was successful, then they have also had access to my messages, email, and photos.

I’m also angry for what this means for investigative journalism in Mexico. It’s as if they have exposed my professional secrets as a journalist. Ultimately what they did was send an analysis to the Federal Police to see how many times I met my sources. They also looked into calls I made to the lawyer of the families, that I had covered Ayotzinapa [the abduction of 43 students of a rural teachers’ college in the southern Mexican state of Guerrero in 2014, which authorities said was possibly a mass murder]. We haven’t seen a lot of the documents yet, but we’re talking about some 500 pages about my life. I’m really worried about what else may turn up.

FGR specifically labeled the investigation as one into “organized crime” and “kidnapping” in the case file —how does this ease its ability to surveil you?  

They did it to trick the system. When a person disappears in Mexico and they urgently request mobile phone data to track calls, it can take months to obtain the information. In our case they got the data in just 24 hours. They can skip the judge [by tagging an investigation as “organized crime”]. They didn’t create a separate case file about us, but they included us in a case as if we were suspects.

What does the inclusion of your name in this federal organized crime probe mean for Mexican journalists who cover human rights abuses?

This happened in 2015 and 2016, under a different government than that of President Andrés Manuel López Obrador, but the investigator who requested the data is the same who handed the case file to the foundation in May [in compliance with a Mexican Supreme Court ruling, according to the Washington Post]. He still works at the attorney general’s office, and there are the others who have a copy, who signed off. They’re all still there.

There are a lot of things that go through my mind. As happened with the Pegasus spyware case, the people who did this are still working there. We haven’t been shown that the FGR has been purged. This is very serious. It can still happen; we really only found out about this case by accident. How many others are there?

Another thing is that, if a journalist can’t keep her sources secret, it’s like taking us out of the water we swim in. You take away the right of people to report abuses. I felt that this is not just something they did to me. They abuse the state apparatus; the FGR was involved, federal police, forensic investigators, and the highest officials were informed, because they received copies of the case file.

Do you have any faith that the López Obrador administration will take steps to prevent this from happening again?

I’m not sure. Alejandro Encinas, the undersecretary for Human Rights, condemned it and promised that it would be investigated, but he’s not the one with the authority to do something about this. The FGR hasn’t said anything. They can change the story. They can end impunity in this case by sanctioning the officials who were responsible if they want to. But we don’t know what’s going on.

Will this change the way you work as a reporter?

I do everything by myself, but since Pegasus I ask myself how it’s possible to defend yourself against this. Would I have to stop using smartphones and do things like they did with Watergate, leaving a ribbon on my balcony so sources know that I want to talk with them? Even if you use different phones and take courses in cybersecurity, how much can one really do? How can you do journalism without speaking with a source of the telephone, if you can’t be sure that they’re not spying on you?

This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen/CPJ Mexico Representative.

The confirmation was the government’s first real engagement with allegations involving global surveillance of journalists and activists, including many Hungarians, described by an international consortium of journalists for the Pegasus Project in July, according to Szabolcs Panyi, the investigative reporter who broke the story for Hungarian news outlet Direkt 36.  

Kósa’s statement came the day after the United States Department of Commerce imposed trade limits on Israel’s NSO Group for supplying foreign governments that used Pegasus to target journalists and others. The powerful spyware can secretly manipulate a target’s phone to extract information or activate the camera or microphone, and CPJ is among many calling for a moratorium on the use of such technology pending stronger regulation. NSO told CPJ it was dismayed by the U.S. restriction, and says it investigates allegations of abuse by its vetted government and law enforcement clients. The company has said the allegations in the Pegasus Project are false. CPJ sent questions to NSO’s press email in December but received no response.

Panyi, who covers national security, high-level diplomacy, and corruption, was himself on the consortium’s list of Hungarian targets along with colleague András Szabó, and Amnesty International reported forensic traces linked to Pegasus on Panyi’s phone.

It’s not clear whether anyone will be held to account for the intrusion. The parliamentary committee deliberates behind closed doors, and while the Prosecutor’s Office started a preliminary investigation to find out whether a crime has been committed in relation to Pegasus, no results had been announced by mid-December.

CPJ emailed questions to the Hungarian government’s international spokesperson, Zoltán Kovács, but received no response.

CPJ’s Attila Mong spoke with Panyi by phone this month about the latest developments. The interview has been edited for length and clarity.

How did you feel when your first learned about your own surveillance?

I had very mixed feelings. Partly, of course, I felt indignation and humiliation to see myself and other prominent journalists on a list of targets together with convicted criminals and known mob figures. I also felt pride that [the government thought it was worth spending thousands of dollars] on my surveillance – more than my yearly income! Finally, it sounds paradoxical, but it was a relief to learn that when I had felt a bit paranoid – when I had thought [I saw] signs [of possible surveillance] from time to time – it was for a reason, and not because I was actually going crazy.

In a way, this is the best answer to all the smears [on my character] from pro-government media, which regularly accuse me of being a CIA agent. If I had done anything legally or ethically questionable as a journalist, it would be already in the public domain. I passed through the purgatory [of surveillance by someone linked to the government], [but] they couldn’t find anything wrong.

To what extent has the Hungarian government acknowledged what happened and taken responsibility? 

The government [has] finally acknowledged that they had acquired the spyware and used it to surveil Hungarian [phone numbers] – but they maintain that its use was legal.

Is this true? Can it be legal to wiretap journalists in an EU member state?

Since 2010, the government has had a two-thirds supermajority in parliament and used its powers to introduce sweeping [constitutional] changes. The laws regulating national security including surveillance are so broadly formulated that it is legal to wiretap and surveil anyone. So “legal” in this case means that these very broad rules have been formally respected, everything has been properly documented, and the necessary stamps are where they should be.

Were there legitimate national security threats to justify surveillance?

Since all the documents are classified, we cannot properly judge whether there were real reasons behind the requests to wiretap journalists, which were then approved by the justice minister in most cases. [Editor’s note: In a July media interview, Justice Minister Judit Varga said that her ministry is responsible for signing off these requests but refused to comment on specific cases.]

The government says that journalists might have been wiretapped not because they were direct targets of the investigations, but because some of their sources – criminals, people with terrorist links or links to foreign intelligence – were under surveillance. However, we cannot [confirm] the legitimacy of these requests, as there is no independent oversight.

Are there cases where journalists were involved that do not seem to involve national security?

Here are a couple of examples. [We reported that] a former journalist turned professional pilot was [on the target list] because – using publicly available data – he gave journalists tips [about] Prime Minister Viktor Orbán’s use of private jets. Similarly, a photojournalist who documented the lavish lifestyle and use of private yachts in Orbán circles was also targeted. These examples demonstrate how broadly the government defined “national security threat.”

What about accountability? Has the government acknowledged political responsibility in any way?

Political accountability is tricky, since several ministers were involved in the decision-making process around Pegasus, most prominently Orbán himself, whose 2017 meeting with then-Israeli Prime Minister Benjamin Netanyahu opened the way for the acquisition of the spyware and [its] later use on Hungarian targets. If any element of the use of Pegasus is illegitimate, it [will be] very difficult to control the damage and save Orbán from political responsibility. Moreover, several members of the government, including a top counter-terrorism official, were also targeted – evidently to check their loyalty to the government.

In what way do you work differently now as a journalist?

The way I communicate has become much slower and more complicated. I use various secure tools [and] applications; I have to be very mindful [as] to what Wi-Fi or other networks I connect [to on] my computer or mobile phone; I regularly go to meetings now without my phone. I continue to take physical notes.

Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life. Among Hungarian journalists, the biggest fear now is that this affair will have a chilling effect on sources, and paradoxically this enormous scoop will hinder our work in the long run.

This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong/CPJ Europe Correspondent.

The move represented a relatively new use for the Entity List for Malicious Cyber Activities, a tool used by the department’s Bureau of Industry and Security to limit a designee’s access to U.S. exports,lawyer Douglas Jacobson, who specializes in export control and sanctions, told CPJ in a recent phone call. Economic sanctions, a stricter control, are more common in response to human rights concerns, but export restrictions could have limited impact on the company, he said.

Commerce listed three other companies in its November 3 press release. NSO, however, is the best known of the group for its development of advanced Pegasus spyware which can infiltrate individual cellphones for surveillance purposes. The company says it sells to vetted government clients for law enforcement purposes and investigates reports of abuse – but forensic experts say dozens of journalists are among the targets. In July, reporting by 17 global media outlets found that at least 180 journalists were possible targets of surveillance by government clients of NSO. CPJ has found that some of those, such as the jailed Moroccan journalist Omar Radi, face severe reprisals for their work.

NSO told CPJ it was dismayed by the U.S. listing, and that its “rigorous compliance and human rights programs” have led to “multiple terminations of contacts with government agencies that misused our products.” The company has previously told CPJ that it investigated allegations that Pegasus was used to surveil Omar Radi, without elaborating on its findings.  

The Commerce Department linked one of the other three newly-listed companies, Israel-based Candiru, to spyware used to target journalists. The University of Toronto-based Citizen Lab reported in July that Candiru appeared to be responsible for malware attacks Microsoft described as targeting “more than 100 victims around the world,” including unnamed journalists and human rights activists. CPJ attempted to reach Candiru for comment, but the company does not have a website and Eitan Achlow, who was identified as the CEO in news reports, does not allow messaging on his LinkedIn profile. 

CPJ spoke to Jacobson about what the export restriction could mean for NSO Group. The interview has been edited for length and clarity.

What are the practical implications of being on the entity list?

[It] imposes a license requirement, but the U.S. is not penalizing NSO or Candiru or any of these other companies. They are just restricting their access to certain goods that are known to be subject to the Export Administration Regulations [everything that’s in the US or manufactured in the US, including software]. U.S. companies can [still] import goods from these companies if they want to.

The license requirement [could apply] to something as mundane as [the] desk chair you’re sitting on. A furniture company would need a license to export office furniture to the NSO Group. The license review policy is one of presumption of denial – if I wanted to submit a license on behalf of the client to NSO Group for office furniture, then I would have to convince the [Bureau of Industry and Security] to overcome this presumption of denial. It is intended to prevent them from getting certain technologies.  

I would imagine this would have a negative impact on NSO, because this will limit their ability to acquire even a new Windows laptop computer, for example.

Will it be crippling? Doubtful. There are certainly many workarounds that companies could use in order to acquire what they need. The U.S. is no longer the only producer of high-tech knowledge, and many U.S. [goods] may not even be subject to [these export regulations] because they’re manufactured [abroad]. But I think that this is a high-profile action.

Somebody asked me yesterday, is this really something that would make a [supplier] think twice? If I was advising a German company [on whether to] sell to NSO, I [would] say that’s a business decision. Your goods are not subject to [U.S. export regulation], so you wouldn’t be violating US law by doing that.

But for certain suppliers, it’s a PR risk?

Correct. [In case] the Wall Street Journal or whomever did an exposé and said, “This company in Germany or this company in Japan continues to sell to NSO.”

Is there a penalty from Commerce if they catch a U.S. company supplying someone on the entity list without a license?

Absolutely. The maximum civil penalty for violations of the [export regulations] is the greater of $308,901 per violation or twice the value of the transaction that is the basis of the violation.

Does this export restriction include services such as web hosting, training, service maintenance?

This does not apply to services at all. [The export regulations] only govern the export of tangible goods, software, or technology information. If you’re just going to repair something that is broken, for example, and a repairman goes to Israel [to repair] a server and they’re not having to provide the company with any information or replacement parts, then that would not be prohibited. And “technology” is broad – there’s a definition of technology in the Export Administration Regulations, but it doesn’t cover everything.

Senator Ron Wyden told The New York Times that sanctions should be applied to NSO Group under the Global Magnitsky Act. Is that possible?

The Global Magnitsky sanctionsare administered by the U.S. Department of Treasury’s Office of Foreign Assets Control, or OFAC, and can be applied to companies. That’s human rights related, and that would have a much bigger impact on NSO.

[Economic sanctions like these] prohibit financial transactions by U.S. persons, company, or citizen. They are broad; they prohibit the export of U.S. goods, they prohibit payments to those individuals, and they also prohibit services [provided to them].

The Commerce Department announcement lists a number of subsidiaries for Candiru, but none of the known subsidiaries for NSO Group are listed. Does that mean those subsidiary companies would not be considered during implementation?

[It] doesn’t apply to any of their affiliates unless they are named. However, a company [supplying exported goods] has to be very careful because that affiliate may be a conduit by which the main prohibited company is acquiring goods that they shouldn’t be acquiring.

Something else that struck me about this listing was the reasoning that it was a consequence for human rights violations, particularly about journalists being maliciously targeted. Is that a normal reasoning to get a company on this list?

The criteria [include] reasonable cause to believe that the entity has been involved in activities that are contrary to the national security or foreign policy interest of the U.S.

Foreign policy is a broader, more amorphous term, of course. That is what is being used as the basis for these human rights designations, which is, relatively, a broader interpretation of foreign policy [in the context of the entity list].  

How often is this list reviewed? What is the process?

The process is not an easy one, particularly when it comes to human rights issues. [China’s] Huawei has been on it for [almost] three years. There doesn’t appear to be much of an off-ramp for Huawei because of the national security issues – but there is an off-ramp. It does take time, [but] parties are removed from the entity list periodically. A company does have a chance to appeal their listing.

The problem is, [the group that would remove them is] the same group that added them. This is called the End-User Review Committee, which is an interagency group chaired by the Department of Commerce. There has to be some change in behavior or [proof] that they didn’t do what they were alleged to have done.

This content originally appeared on Committee to Protect Journalists and was authored by Alicia Ceccanese.

“CPJ welcomes the Department of Commerce’s decision to impose export controls on NSO Group for developing and supplying Pegasus spyware to foreign governments that maliciously used the technology to target journalists,” said CPJ Program Director Carlos Martinez de la Serna. “We hope this first step in export control is a move toward greater global oversight and transparency around the export and use of spyware by governments.”

CPJ has reported extensively on the use of spyware to target journalists.

Inclusion on the list limits U.S. entities from supplying the company, which makes it harder for U.S. researchers to deliver security vulnerabilities like those allegedly used to install Pegasus in the past, according to Reuters. NSO has said it sells only to vetted government and law enforcement agencies. In an email to CPJ received after publication and attributed to an NSO spokesperson, the company said: “NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed. We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.” 

Editor’s note: The final paragraph has been updated with a comment from the NSO Group.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Kaye never got those details. “The same basic questions of transparency and accountability remain,” he said in a July 2021 Zoom call with CPJ.

There’s still no evidence Khashoggi himself was targeted with Pegasus, which can silently access the contents of a phone and monitor its surroundings. Yet as many as 10 other people connected with him have now been linked to the technology as part of the Pegasus Project, a collaborative media investigation of leaked data allegedly linked to NSO clients. The Guardian reported that nine people – including Khashoggi’s fiancée, his son, and a Turkish prosecutor who charged 20 Saudi nationals with his murder  –  appear to have been selected for surveillance, in addition to Khashoggi’s friend Omar Abdulaziz, whose targeting CPJ documented in 2018.

“[Researchers] have uncovered how Pegasus is used in the wild, and they’ve done it through forensic tools,” said Kaye, citing the work of Amnesty International, which provided forensic research for the Pegasus Project, and internet research laboratory Citizen Lab. “Not only do NSO certainly have [the same] tools, but they know who their clients are,” he continued. “How is it that outsiders with no information about their clients can get so much information about the uses of the tool? It doesn’t make a lot of sense.”

In a statement attributed to “NSO Group,” the company said, “We can confirm that our technology was not used to listen, monitor, track, or collect information regarding [Jamal Khashoggi] or his family members.” Referencing a previous response in which the company characterized the Pegasus Project as slander pushed by special interest groups, the statement said that NSO Group doesn’t see evidence of the use of its technology in the Pegasus Project’s forensic reporting and could not base an investigation on it.

“NSO will continue to push for serious international discussions about regulation of the cyber intelligence industry,” the statement said, noting that Kaye has an open invitation to visit the company to discuss these issues.

CPJ spoke to Kaye, a law professor at the University of California Irvine, about NSO Group and the moratorium on the use, sale, or transfer of surveillance tools that he and 150 individuals and rights groups – including CPJ — have called for pending implementation of human rights-respecting regulation.  Kaye is also the independent board chair of the Global Network Initiative, a multistakeholder alliance to support free expression and privacy on the internet, of which CPJ is a member. The interview has been edited for length and clarity.   

Looking back to your time as special rapporteur, why was surveillance technology on your radar as a freedom of expression issue, and as something that should concern journalists?

When I started [in 2014, it was a] little over a year since the revelations that Edward Snowden launched on bulk collection of data by the United States National Security Agency, British GCHQ [Government Communications Headquarters] and others that partner with them in the intelligence space. That puts everybody, in a way, under potential surveillance.

It became clear that [this] wasn’t the only kind of surveillance in the digital age. I became interested in the way in which small companies were making spyware available to governments that couldn’t afford to have a mass surveillance operation. These targeted tools have a direct impact, not just on privacy but on people’s willingness to communicate.

It has a particular impact on activists, and on journalists. If a journalist is tracked, that means her sources are tracked. [Her] ability to collect information, to maintain sources, is broken.

Originally when I was first thinking about this area, I thought adherence to the U.N. Guiding Principles [on Business and Human Rights] would be a meaningful step for players in this industry – not just NSO Group but many other companies. But I’ve come to think that only government regulation will impose requirements that will be meaningful [enough] for the public to know what this industry does.

What stood out to you from all the Pegasus Project reporting that you’ve seen in the past week or two? Did you learn anything you didn’t know?

It’s not surprising, but it’s shocking. What was striking was the extent to which governments – clients of NSO, but undoubtedly of other companies as well – see the [technology] as a tool to use against basic pillars of democratic life. [The reporting] highlights the very real possibility that this tool can be used against journalists, activists, and others in a way that is [supporting] autocracy, dictatorships, those who are trying to undermine democracy.

Even if [phone] numbers on these lists [being investigated by the Pegasus Project] are never actually subject to an effort to infect their phones with Pegasus, the threat is there – and the publicity of the threat is actually part of the effort to silence journalists and activists.

The fact that this is enabled by a company that operates in a democratic country [Israel, where NSO Group is based] and without real controls or constraints, that’s frightening. The Pegasus Project underscores that for people. The spy scandal in Mexico [in which Pegasus was implicated in the spying on journalists and others] really rattled Mexican society and politics. I think what we’re seeing is an expansion of that to places beyond Mexico.

Could we see something like that in Israel? The New York Times reported that Israel encouraged NSO Group’s relationship with Saudi Arabia even after Khashoggi’s murder, and Israeli lawyer Eitay Mack describes Israeli companies as heavily controlled by the Israeli Ministry of Defense. How can regulation account for that kind of dynamic?

It’s important to separate out – although they are related – the global concern with an industry that has companies throughout Europe, the U.S., and involves tools that goes beyond Pegasus to all sorts of tools sold on the open market to governments around the world – from the particulars of NSO and Israeli governmental control of Pegasus.

On the one hand, we need a global effort to identify: What are the rules around export controls of surveillance technologies? To what extent should human rights be part of the assessment of any particular export application? Once you have those rules set up, it’s up to national governments to implement those rules. That should happen.

The situation in Israel is like an instance of the global disfunction. NSO had offices in Cyprus and Bulgaria also, so there may be other export issues – but particularly when NSO required [an Israeli export] license, it’s clear that the Israeli Ministry of Defense understood who the clients were and had the potential to limit the export. But also, given how badly governments wanted access to Pegasus, the Israeli government probably understood that this could be a tool in their bilateral relations around the world.

That requires a focus on the specifics between Israel and NSO and deserves bilateral attention from the U.S. government and others, because to the extent that the government of Israel actually encouraged the export of this technology, it was supporting technologies that are in opposition to, for example, the Biden administration’s concern about transnational repression. There’s a lot of room here for a focused approach to getting Israel to rein in its own companies. It’s just that it’s harder to do the reining in if you don’t have a great set of global norms.

[Editor’s note: CPJ emailed a spokesperson at the Israeli Ministry of Defense for comment on the Times report and Kaye’s statements about Israel, but received no response before publication. The spokesperson has previously told CPJ that “human rights, policy and security issues are all taken into consideration” when defense exports are licensed.]   

What about zero-day exploits, which have been used to install Pegasus using a previously unknown vulnerability in other software? New York Times journalist Nicole Perlroth and others report that these are not subject to export control because they are often supplied by hackers. How can global rules account for those?

In some ways, [this] is no different to the black market weapons trade, which exists even though there are global rules around the transfer of weapons, [or] the private mercenary environment, where you have an emerging set of norms and some international law, but you also have [black market] operators.

We’re at the stage of creating the normative framework, and then the legal framework, that limits this trade, and also creates a kind of pressure on those who would be operating on the black market, in the shadows. Right now, it’s almost as if there are no shadows, because there are no legal constraints.

We see a lot of governments legislating to introduce fines for social media companies or even jail terms for their executives. Why do you think it’s so easy for us to pursue accountability in that area when we’re so behind in how we regulate this highly problematic surveillance industry?

The rules that guide social media, or other companies that are mediating speech – and the impact they have on the information that we see – is pretty obvious. Because social media companies are advertising companies, we all feel implicated by their choices as to what information they surface in our feeds.

By contrast, the surveillance industry is kind of a force multiplier for authoritarian regimes. They don’t need to sell to everybody, they’re perfectly happy being unknown to the public, and [their] clients only need to target a handful of people to achieve their goals. Any one of the clients that has been identified in recent reporting on NSO would need to target maybe a dozen journalists in order to intimidate them, dry up their sources of information, and make it harder for them to report information to the public.

The Pegasus Project reporting highlights for people that, “Oh — this thing that’s happening to a relatively small number of people actually affects the information I receive in a way that’s more profound than social media’s role.”

Can we talk about judicial remedy – are the courts the right way to pursue accountability in the wake of some of these revelations?

I’m not sure that any of the current revelations are actionable – and that’s a problem. We’ve been talking about export controls and company responsibility, but we’re also talking about torts – legal harms – that companies and governments together are imposing on individuals. In a normal, working legal environment, a person who is harmed should have a cause of action, a cognizable legal action they can take against the person who harmed them.

We don’t have a good domestic legal framework for that in most countries. If one government conducts surveillance of somebody in another government’s territory, the person can’t bring a claim against them because there’s sovereign immunity – that government may not be subject to legal process in their own country.

Sometimes it’s hard to identify where exactly the harm took place, which would create the jurisdiction for a court to entertain a client. Sometimes the surveillance is so opaque, it’s hard for an individual to prove the actual surveillance and then to prove there was a harm. So there needs to be a lot of legal development in order to provide individuals with the ability to actually bring cases against companies and governments.

Your recent op-ed describes an “avalanche of tools shared across borders” in this industry. Your 2019 report to the U.N. Human Rights Council called for a global moratorium on the sale and transfer of all of these, pending development of a rights-respecting framework, is that right?

There are a lot of tools out there that all need to be considered. [Digital forensic] tools are out there – there are also the kind that directly access internet traffic, that capture mobile transfer of communication. It’s not just specific tools like Pegasus – although Pegasus feels most invasive because you can visualize it. You’re holding your phone and [if] somebody has access to it – that’s your life, it’s everything. [But] some of the others are just as invasive.

As technology changes, and communication changes, bad actors – and governments that are good actors, generally – will seek to counteract that. For every improvement of encryption, there is a governmental response to limit it. We have to be [able to be] nimble in creating new rules. We don’t really have that right now. In the 2019 report, I talk about the Wassenaar Arrangement, which is this international non-binding regime to control dual-use – military and civilian – technologies. It doesn’t have a human rights component. And it should – they could have a working group for tools like Pegasus, but also regular consultations as the technologies evolve. Who knows what tools will be next?

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.

The risk was reaffirmed this month with the release of the Pegasus Project, collaborative reporting by 17 global media outlets on a list of thousands of leaked phone numbers allegedly selected for possible surveillance by government clients of Israeli firm NSO Group. According to the groups involved in the project, at least 180 journalists are implicated as targets.   

NSO Group denied any connection with the list in a statement to CPJ; it says that only vetted government clients can purchase its Pegasus spyware to fight crime and terrorism.

Among the outlets analyzing the data is the global journalism network Organized Crime and Corruption Reporting Project, which, as of July 29, had listed 122 of those journalists on its website.

Not all of those focus on corruption, Drew Sullivan, OCCRP co-founder and publisher, told CPJ in a recent video call. But several of OCCRP’s own partners in corruption reporting featured, he said, listing people who have worked for Azerbaijan’s independent outlet Meydan TV and Hungary’s investigative outlet Direkt 36 as examples.

“People who are looking at problems with these administrations — which tend to be somewhat autocratic — in a lot of countries they were perceived as enemies of the state because they were holding governments accountable,” he said.   

At least four corruption reporters whose cases CPJ has been tracking for years — in Mexico, Morocco, Azerbaijan, and India — appeared in the Pegasus Project reporting as possible spyware victims. Their inclusion in the project adds a new dimension to their stories of persecution, suggesting governments are increasingly willing to explore controversial technology as yet another tool to silence corruption journalism.

Here’s how the Pegasus Project revelations have shed new light on these four cases: 

Freelance journalist Cecilio Pineda Birto, killed in Mexico

(Forbidden Stories/Youtube)

What we knew: Pineda endured death threats and a shooting attempt to continue posting on crime and corruption to a news-focused Facebook page he ran, but was gunned down at his local car wash in 2017. He was one of six journalists killed in retaliation for their reporting in Mexico that year.    

New information: Pineda’s phone number was selected for possible surveillance a month before his death; he had recently told a federal protection mechanism for journalists that he believed he could evade threats because potential assailants would not know his location, according to The Guardian.  

The government’s response: Mexican officials said this month that the two previous administrations had spent $300 million in government money on surveillance technology between 2006 and 2018, including contracts with NSO Group, according to The Associated Press. CPJ emailed Raúl Tovar, director of social communication at the office of Mexico’s federal prosecutor, and Jesús Ramírez Cuevas, spokesperson for President Andrés Manuel López Obrador, for comment on the use of spyware against journalists, but received no response.

Le Desk reporter Omar Radi, imprisoned in Morocco

(Reuters/Youssef Boudlal)

What we knew: On July 19, 2021 – as many of the Pegasus Project stories were still breaking – a court sentenced Radi to six years in prison on charges widely considered to be retaliatory; he was jailed one year earlier, possibly to prevent completion of his investigation into abusive land seizures. Like fellow Moroccan journalists Taoufik Bouachrine and Soulaiman Raissouni, who are serving sentences of 15 years and 5 years, respectively, Radi was convicted of a sex crime, which journalists told CPJ was a tactic to dampen public support for the accused.  

New information: Amnesty International had already performed forensic analysis of Radi’s phone in 2019 and 2020 and connected it to Pegasus spyware, as outlined in the Pegasus Project reporting. Now we know that Bouachrine and Raissouni were also selected as potential targets, according to Forbidden Stories.

The government’s response: The Moroccan state has instructed a lawyer to file a defamation suit against groups involved in the Pegasus Project in a French court, according to Reuters.  CPJ requested comment from a Moroccan justice ministry email address in July but received no response; CPJ’s past attempts to reach someone to respond to questions about spyware at the ministries of communications and the interior were also unsuccessful.

Investigative reporter Khadija Ismayilova, formerly imprisoned in Azerbaijan

(AP Photo/Aziz Karimov)

What we knew: Ismayilova, a prominent investigative journalist, is known for her exposés of high-level government corruption and alleged ties between President Ilham Aliyev’s family and businesses. She was sentenced to seven and a half years in prison on a raft of trumped up charges in December 2014 and served 538 days before her release.  

New information: Amnesty International detected multiple traces of activity that it linked to Pegasus spyware, dating from 2019 to 2021, in a forensic analysis of Ismayilova’s phone after her number was identified on the list. Ismayilova subsequently reviewed other Azerbaijani phone numbers identified by the Pegasus Project and recognized some belonging to her niece, a friend, and her taxi driver, OCCRP reported.   

The government’s response: CPJ requested comment from Azerbaijan state security services via a portal on its website on July 28 but received no response; CPJ’s request regarding the alleged surveillance of Meydan TV journalist Sevinj Vagifgizi last week was also unacknowledged.

Economic and Political Weekly journalist Paranjoy Guha Thakurta, subject to legal harassment in India

(Photo: Paranjoy Guha Thakurta)

What we knew: Guha Thakurta, a journalist and author, has faced a protracted criminal and civil defamation suit dating from 2017, along with three colleagues at the academic journal Economic and Political Weekly – and was recently threatened with arrest when he refused to attend a hearing across the country during the pandemic. That suit — brought by the Adani Group conglomerate following an article that described how the company had influenced government policies — was one of several legal actions he has faced, actions he characterized to CPJ as an intimidation tactic and way to harass reporters.

New information: Amnesty International detected forensic indications connected to Pegasus spyware in an analysis of Guha Thakurta’s phone, dating from early 2018. In a personal account published by Mumbai daily The Free Press Journal, Guha Thakurta noted he had been writing about Prime Minister Narendra Modi and the governing Bharatiya Janata Party’s use of social media for political campaigning at the time, as well as investigating a wealthy Indian business family’s foreign assets – but he still didn’t know why his phone was apparently tapped.

The government’s response: Ashwini Vaishnaw, the minister for information technology, has called the latest revelations about Pegasus “an attempt to malign Indian democracy,” and said illegal surveillance was not possible in India, according to The Hindu national daily. CPJ emailed Vaishnaw’s office for comment, but received no response. A former Indian government official has told CPJ that Pegasus is “available and used” in India and a committee was formed to investigate alleged Indian spyware targets in 2020, but CPJ was unable to reach someone to confirm the status of that committee in January this year.

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.

The Pegasus Project, an investigation released July 18 by Forbidden Stories with the support of Amnesty International in collaboration with 16 media organizations around the world, identified at least 180 journalists in 20 countries as potential surveillance targets by clients of NSO Group. According to the letter, NSO says it sells only to government clients. NSO has repeatedly told CPJ in the past that it licenses Pegasus to fight crime and terrorism.

CPJ has documented how spyware is being sold to governments with poor press freedom records and is used to target journalists and those close to them. The Pegasus Project reporting expands the known number of countries that may target journalists with spyware.

As journalists rely on mobile devices to communicate with sources and publish news, spyware threatens their ability to do so privately and securely, and therefore threatens the public’s right to access information. CPJ has called on governments to bar the use of spyware against journalists and media outlets, and establish legal frameworks to regulate its sale, transfer, and use.

The joint statement can be found here.

This content originally appeared on Committee to Protect Journalists and was authored by Michael De Dora, CPJ Washington Advocacy Manager.

Sevinj Vagifgizi, a correspondent for the Berlin-based, Azerbaijan-focused independent media outlet Meydan TV, was targeted by Pegasus from 2019 to 2021, according to the international network Organized Crime and Corruption Reporting Project (OCCRP), which analyzed Vagifgizi’s phone. Meydan TV is a member of the OCCRP.

According to the OCCRP, the journalist was previously in Azerbaijani authorities’ crosshairs. She was banned from leaving the country from 2015 to 2019 after authorities told her Meydan TV was under investigation in a criminal case, and in 2019 she faced libel charges after she reported on people voting with government-issued prefilled ballots.

Vagifgizi spoke to CPJ via phone about her experience of being hacked from Berlin, where she is currently based as part of Time Out and Research Scholarship program of Reporters Without Borders Germany.

CPJ send an email request to NSO Group for comment for this piece but did not receive a reply. In a rebuttal published online, the company said the Pegasus Project’s allegations were false. The company has told CPJ that it will “investigate credible claims of misuse” and that it vets its clients. CPJ also requested comment from Azerbaijan’s state security service via its website, but it was not returned.

Her answers were edited for length and clarity.     

How did you find out you were surveilled?

In June, my colleagues from the Organized Crime and Corruption Reporting Project contacted me and said that we should meet. They came to Berlin. During the meeting, they said: “We have bad news for you, we should take your phone because we have information that the government bugged your phone.” After they checked my phone, they told me that my phone had been targeted with the Pegasus program since 2019. They said with this program, [the Azerbaijani authorities] could listen and record all audio and video, including private videos and photos, get all the information about my contacts, and have access to all my text and voice messages. I was also told that they knew my location at any point in time.

How did you feel at that moment? What were your main concerns?

I was astonished, I felt awful. I was always aware that the [Azerbaijani] security service listens to our phone calls, but I never imagined that they could access anything through the internet and can record voices and take videos, and listen to and read everything I write or say.

I was concerned about my sources who didn’t want the authorities to know that they were in touch with me. I was also concerned about my colleagues who didn’t want the authorities to know about them because if the authorities find out who they are, it may cause problems for them.

You are currently in Berlin but are set to return to Baku in late August. Are you concerned about going back to Azerbaijan? 

My main concern is that the authorities will bar me from traveling abroad again. I was under a travel ban for four years, from 2015 through 2019. I went through all appeal stages [in Azerbaijan] and then went to the European Court of Human Rights. The European Court ruled that the travel ban was unlawful, and the [Azerbaijani] government paid me a compensation and lifted the travel ban in 2019. I was able to come to Berlin this spring because I am not barred from leaving Azerbaijan anymore. I am concerned that the ban may return. I am also worried that now the authorities know who provided information to Meydan TV [because of the surveillance] and may bar them from leaving Azerbaijan too.

Do you know what triggered the surveillance? Was it a specific investigation or your work in general?

I’ve worked as a journalist since 2010. Before joining Meydan TV, I also worked with independent newspaper Azadliq. I have reported on social issues and human rights violations. I often covered political prisoners’ plights. I also did an investigation for OCCRP on [alleged] official corruption in Azerbaijan. But the time they bugged my phone coincided with the lifting of my travel ban.

Do you know which government agency may have procured the Pegasus spyware to hack your phone?

I don’t have any exact information on that but my colleagues and I assume it’s the state security service of Azerbaijan.

How would authorities have gotten ahold of your number?

It’s easy to find my number because as a journalist I contact a lot of people. Many people want to talk to me, tell me about their problems, so I can prepare reports on those issues as a journalist. Therefore they have or can easily find my number. Other journalists, including those who work for state media outlets, also have my contacts. So, it wasn’t hard.

What is next for you? What do you want to do about the surveillance?

We are going to take the case to an [Azerbaijani] court. We want to find out what explanation the Azerbaijani government can offer for targeting us. We are determined to go to the European Court [of Human Rights] too.

As a journalist, I am determined to continue my work because people need us, because people don’t have [many] sources to get truthful information about the real situation in the country. My colleagues and I will keep working. I know that the government will continue surveilling us, but they won’t stop us. 

This content originally appeared on Committee to Protect Journalists and was authored by Gulnoza Said/CPJ Europe and Central Asia Program Coordinator.

“I’ve had many experiences of these – sometimes clumsy – surveillance attempts,” Hope said.   

More recently, Hope may have been singled out for more sophisticated surveillance. A veteran newspaper reporter specializing in complex international stories, Hope was identified by investigative collaboration the Pegasus Project as one of nearly 200 journalists potentially targeted by clients of the Israel-based technology company NSO Group, which manufactures Pegasus spyware to help governments and law enforcement secretly infiltrate cellphones.

The Guardian, which contributed to the Pegasus Project, reported that a client believed to be the UAE began selecting Hope’s phone number for possible surveillance while he was working for The Wall Street Journal in London in early 2018.

Hope has since left the Journal to launch his own investigative project with his reporting collaborator Tom Wright. It’s dubbed Project Brazen, he said, after the codename the pair used while uncovering a corruption scandal implicating former Malaysian Prime Minister Najib Razak in the embezzlement of funds from the 1Malaysia Development Berhad (1MDB) company. That investigation became the focus of their September 2018 book, “Billion Dollar Whale,” a story that led them to conspirators in the UAE.  

Hope spoke to CPJ about the press freedom implications of the Pegasus Project’s list – which also includes some of slain Saudi journalist Jamal Khashoggi’s close associates. Khashoggi’s violent 2018 death features in Hope’s second book, “Blood and Oil,” on Saudi Crown Prince Mohammed bin Salman, whom the CIA has concluded ordered the journalist’s murder.

This interview has been edited for length and clarity. CPJ asked NSO Group to comment on Hope’s remarks; in an emailed statement, a spokesperson said “any claim that a name on the list was necessarily related to a Pegasus target or Pegasus potential target is erroneous and false. NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.” The company has told CPJ that it investigates credible claims of misuse made against its vetted clients.

CPJ emailed requests for comment to the Saudi Center for International Communications under the media ministry; the UAE’s ministry of foreign affairs and international cooperation; and the Chinese ministry of foreign affairs but received no responses before publication.

How did you learn you were on the list that is the focus of the Pegasus Project?  

The Guardian contacted me and let me know that I was a target. We did some forensic analysis of my current phone which was considered clean. I was changing my phone frequently when I was a reporter at The Wall Street Journal – I was not particularly worried about the UAE, but more concerned about other characters in the 1MDB case who have a lot of money and a lot of reasons to try and sabotage our reporting. I used best practices to avoid this kind of risk, so if it’s true that they infiltrated a phone of mine, it would have been for a short period.

I was disappointed on one level. I try and have a relationship with all parties that I’m covering, even people that hate my coverage. I always try and [let] them put their point of view. I don’t rush them at the last minute, I give them more time than you would think to respond to anything. I would hope that the UAE would continue to engage me at that level rather than resorting to black ops techniques.

In a way I was surprised that it was NSO software that was allegedly used. They had been briefing many journalists – some that I know – saying that this software couldn’t be used on U.S. or U.K. numbers. I’ve seen in the press recently that they referred only to U.S. numbers, but I’ve heard that they disable its use against U.K. numbers [like the one Hope was using at the time]. I’ve never been a fan of this kind of software but [that idea] was some tiny bit of reassurance.

I wasn’t worried about NSO, I was worried about [actors] that are not well known that have similar software or employ hackers. When it turned out to be the most well-known company – that was surprising.      

Jamal Khashoggi, whose associate Omar Abdulaziz was targeted with Pegasus spyware, features prominently in “Blood and Oil.” Were you surprised to learn that more of his connections, including his fiancée Hatice Cengiz, were also listed?

From the perspective of people like myself, in America or Europe, he was a Saudi commentator writing opinion pieces. From the perspective of Saudi Arabia, he was a traitor for a variety of reasons. So knowing that, I’m not surprised that they would be trying to find [proof] that he was working for other countries.

The classic technique to find out about someone is to go through family members. In this case they might have been targeted after he was killed. It would be partially because they’re trying to understand what countries are working with those family members to elevate that story or whether his family members were being paid or anything like that – evidence for what they believe to be true. 

What were you working on yourself?

I was doing some reporting that would have been viewed in Abu Dhabi by some parties as problematic. We wrote a series of stories [for the Journal] about the UAE’s main conspirator in the 1MDB scandal. That would likely be very annoying for different parties in the UAE.

The fact-checking part of [“Billion Dollar Whale”] was the culmination of all that, where we really laid out all the damaging things we had found. That would have been reason for somebody in the UAE potentially to put my phone number on a list because they’d be wanting to know, “Who are the sources for this journalist?” They’d be wondering what other country was supplying this information – even though it was never the case, many people in the government would think that way.  

After the prime minister of Malaysia was voted out of office, all these documents were released [including] talking points between China and the Malaysian government. Chinese officials offered to penetrate [“Billion Dollar Whale” co-author] Tom [Wright]’s devices and do physical surveillance of him in Hong Kong, where he lived at the time. Another time when Tom was reporting in Malaysia, a source close to the bad guy called us and said they were thinking about arresting him and he had to escape through Singapore very rapidly.

I never once really worried about physical threats in my career particularly because I was an American journalist at a major international newspaper. But cybersecurity [threats] I was always afraid of, and things like [the Pegasus Project], they kind of highlight it.   

[Editor’s note: In January 2019, Hope and Wright reported in the Journal that a Chinese domestic security official had established “full scale residence/office/device tapping, computer/phone/web data retrieval, and full operational surveillance,” in order to “establish all links that WSJ HK has with Malaysia-related individuals.” Neither that official nor the Chinese government information office responded to their requests for comment at the time.]

Where were you at the time you could have been targeted, and how does that factor into the risk of surveillance?

I would have been mostly located in the U.K. [with a U.K. number] at that time. I didn’t travel to the Middle East. If I was in the country, it would be a lot easier to insert something [on the device].

In many countries in the world – Gulf countries, countries in Asia like China – there is no safe way to travel there with any of your technology. If you’re doing reporting in those places you have to leave everything behind and not log into anything while you’re there. I would bring a new phone. [When you leave] you have to assume that everything you’ve taken with you is no longer usable. You have to have a temporary set of equipment. 

If you’re reporting on anything that relates to the leadership of those countries, I would argue it’s too dangerous to do any reporting on the ground [if] you’re not comfortable leaving a trail. It would be very hard to ask people in those countries [questions] about the leadership. It’s a funny situation. If you’re the Saudi bureau chief you’re actually restricted in what you could find out. The best place to report on the UAE, Saudi Arabia for example, would be London.  

[Those] Middle Eastern countries [that] are not developing tools themselves are having to go and buy them which increases the risk to them of being exposed. In China we hear all the time about Chinese hacking initiatives, mostly through U.S. federal lawsuits that name and shame them, explaining what they did and who they hacked within America. We don’t hear about them buying the software because they develop it all within China.

The Gulf states are essentially buying those things – everything from intelligence work to cyber intrusion, and that’s much easier to get exposed, whereas China is much better at keeping a tight lid on what’s going on in China.

What does this mean for journalists?

The arms race for intrusion is so profound, there’s no real stopping it. There’s always going to be someone out there with this kind of equipment. It’s a wake-up call for journalists. We love our phones, all this high-tech stuff, using Signal – but there’s no way to protect yourself enough.

The toolbox for journalists has to change. I hope that Apple and others take up the challenge to make phones more secure, but ultimately if you’re dealing with any story where someone’s life is at risk, you have to go lo-fi and take really annoying, time-consuming steps to protect people – meeting people and leaving your phone behind. Giving your source an old-fashioned pay-as-you-go phone that you only use to plan the meeting. Tools like Signal have been such a boon for journalists, but if your phone itself is vulnerable it doesn’t help.  

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.

Yesterday, U.S. prosecutors announced charges against five Iranian nationals for allegedly surveilling and planning to kidnap Alinejad, a New York-based journalist and human rights, according to a Justice Department statement.

The indictment did not specifically name Alinejad, but she posted on Twitter stating that she was the target of the plot. Alinejad is a contributor the U.S. government-funded broadcaster Voice of America’s Persian-language service, where she covers human rights in Iran. CPJ contacted Alinejad for comment but did not immediately receive any reply. 

“U.S. officials’ indictment of five Iranian nationals suspected of plotting to kidnap journalist Masih Alinejad shows that Iranian intelligence agents will stop at nothing to silence independent members of the press, even those abroad,” said CPJ Middle East and North Africa Program Coordinator Sherif Mansour. “U.S. authorities must ensure that the perpetrators of this scheme are held to account, and Iran must cease its efforts to harass and harm journalists globally.”

In a Voice of America broadcast she posted to Twitter, Alinejad said she had previously received threats over her coverage. She said the FBI first contacted her about the kidnapping plot eight months ago.

The indictment states that authorities arrested one of the Iranian nationals, Niloufar Bahadorifar, on July 1 in California. The other four, identified as Alireza Shavaroghi Farahani, Mahmoud Khazein, Kiya Sadeghi, and Omid Noori, are based in Iran and have not been arrested, the indictment says.

Authorities charged the five with conspiracy to violate sanctions, launder money, and commit bank and wire fraud, the indictment says. Farahani, Khazein, Sadeghi, and Noori were also charged with conspiracy to kidnap Alinejad.

The statement alleges that the group was “backed by the Iranian government,” and identifies Farahani as an intelligence official, and Khazein, Sadeghi, and Noori as intelligence assets. It alleges that Bahadorifar illegally facilitated their surveillance but was not charged with being part of the kidnapping conspiracy.

U.S. Attorney Audrey Strauss said in the indictment that the group “monitored and planned to kidnap a U.S. citizen of Iranian origin who has been critical of the regime’s autocracy, and to forcibly take their intended victim to Iran.”

Intelligence agents of Iran’s Islamic Republic Revolutionary Guards Corps have previously lured overseas journalists and activists to third countries where they kidnapped them and returned them to Iran; In 2019, authorities abducted journalist Roohollah Zam from Iraq and executed him in 2020.

Yesterday’s indictment alleged that the suspects had researched ways to bring Alinejad to Venezuela and then to Iran.

CPJ emailed Alireza Miryousefi, the head of the media office of Iran’s mission to the United Nations, for comment, but did not receive any reply.

State Department spokesperson Jennifer Viau responded to CPJ’s emailed request for comment by referring queries to the Justice Department.

Wyn Hornbuckle, a deputy director at Justice Department’s Office of Public Affairs, referred CPJ to the indictment published yesterday.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Israeli companies like NSO Group and Cellebrite market equipment to government and law enforcement agencies to fight crime, yet as CPJ has noted, journalists are vulnerable to the same sophisticated tools if they fall into the hands of repressive governments. NSO’s Pegasus spyware can remotely control a cell phone and its contents, while police say they use Cellebrite’s forensics products to extract the contents of devices seized during interrogation, potentially exposing journalists’ colleagues, family members, and sources to monitoring or reprisals.   

When Mack learns that such technology is being used to commit abuses — against journalists or others — he tries to stop its export by petitioning the Israeli Ministry of Defense. The ministry is essentially in control of the industry, he said, through its marketing and license export regime; Mack petitions the ministry to withdraw the relevant license. 

His work has had an impact, according to the Israeli daily Haaretz: following Mack’s petitions, Cellebrite said that it would stop sales to Russia and Belarus in March 2021, and in September 2020, said it would not supply the government of Venezuelan President Nicolás Maduro despite previous sales to defense and police clients in the country. An Israeli High Court ruling on Mack’s petition to halt the trade of arms to Myanmar in September 2017 was subject to a gag order and hasn’t been disclosed, according to Haaretz.

CPJ spoke with Mack about his efforts to stop exports of the equipment and bring transparency to an otherwise secretive industry. His answers below have been edited for length and clarity. 

CPJ sought response to Mack’s remarks from the Defense Ministry, NSO, Cellebrite, and other entities named in the interview. Their replies are detailed below. 

How often do you come across journalists affected by surveillance technologies? 

There’s a lot of public interest if it can be proved [that the equipment was used] against a journalist or an activist. But journalists [often] rely on people on the ground with a Twitter or Facebook account, and these kinds of technologies are enabling mass surveillance. If you’re talking about NSO, their system targets [a specific] person each time. According to the company, the list of targets is a few hundred. If you’re talking about Cellebrite, Alexander Bastrykin, the head of Russia’s Investigative Committee said in 2020 that in the previous year the system was used more than 26,000 times in Russia. You connect 26,000 phones, take the information – you control the population. 

When you figure out where the technology is going, how do you try and stop it? 

I file a petition to an Israeli court. My goal is to cancel the export license given by the Ministry of Defense. 

The international media say a lot about the companies themselves, which is very comfortable for the Ministry of Defense. But companies are like subcontractors. The agreements are made between governments and the Ministry of Defense decides which company [gets] the deal. 

Even if an Israeli surveillance company wants to cancel services because it got information that the system was being used against journalists or to violate human rights, it wouldn’t be able to, because it would cause a crisis [with a] foreign government. 

The Ministry of Defense has an information security unit called MALMAB that terrorizes the companies to warn them against leaking, and there are very few people [internally] with security clearance to access the client list. If NSO or another company says, “We are like a normal international company, we have an ethics board with the greatest minds in human rights that can check our work,” [that board doesn’t] have information about what the company is doing. 

How many companies in Israel export surveillance technology? 

There’s no way to know, because we only know about the companies you see in the headlines. There is digital forensics, like the company Cellebrite; UAVs [unmanned aerial vehicles]; then the classic surveillance stories like the NSO Group’s Pegasus or PicSix in Bangladesh or the unknown Israeli company in Vietnam. 

In 2013 I petitioned the Ministry of Defense to disclose the companies in the defense export register. They [only] gave a few numbers in 2014: there were about 80,000 export licenses and 320,000 marketing licenses. In Israel, there’s a unique marketing license [that companies need to negotiate with] potential clients, then a separate export license… [Through the] marketing license, you are exposing your potential client [to the ministry] which can choose to give this client to another company.

I can identify rifles in pictures on social media, and depending on the model, I can estimate when it was exported, but surveillance systems aren’t physical. With NSO, we don’t know names of their clients, it’s hard to prove. Even with Cellebrite, [which] physically connects to the mobile phone, I only got to know that it [was being used] in Russia and Venezuela and Belarus because [local] authorities announced it. 

How is the industry regulated in Israel? 

They keep changing the bureaucracy to make people like me waste time. In the case of Cellebrite, the Ministry of Economy should approve [civilian clients]. But they told me [its sales to Hong Kong] came under the Ministry of Defense, according to the [Defense Export Control Law] of 2007 governing defense equipment. That law is very problematic, because the only limit is in case of a U.N. Security Council arms embargo, which is very rare. It’s why we are seeing Israeli defense exports around the world.  

[In February 2021] the Ministry of Defense told me they had transferred approval from the unit for defense exports to the director of the Ministry of Defense, because digital forensics [systems like Cellebrite’s] fell under a 1974 order for encrypted items. That order is much worse than the 2007 law, because it allows the director to award licenses as he sees fit. 

If two laws apply, why choose the older one? In my opinion, they wanted to widen the discretion [to approve] a company like Cellebrite for political and economic [reasons]. 

This is what I’m trying to change, to introduce a consideration of human rights and democracy. I don’t think Israeli authorities will do it on their own, and they are used to foreign criticism in international forums. It will only happen with pressure from the Israeli public.

Why are cases you’re involved in often subject to a gag order? 

In all petitions on defense exports, the Ministry of Defense asks [the court] for a gag order so that only people who are part of the proceedings are able to know the ruling. [Their] representative is not even ashamed to argue that they want the gag order because they don’t have control of the media. 

It’s annoying, in 2021, that they need to keep asking. But [a gag order] has no meaning, it’s like a child putting a blanket over its head and saying it’s night. Under defamation law in Israel you can publish information that is part of the legal process, so journalists [can report on the petitions even if they can’t report on the verdict]. And I’m allowed to say whatever I want, just not what happened inside the court. 

What should be happening internationally to improve regulation of this industry?

The global framework is already there. We should think about surveillance [the same way we] think about rifles and classic defense exports. Every time we’re talking about sanctions or an arms embargo, we should be talking about surveillance systems.

There should be more demands about the technology and how it is being used, a lot of details are still unknown. Because of NSO Group’s contradictory responses to the media, we don’t know if they are technically able to dismantle [spyware] if they have knowledge of abuse. 

With Cellebrite, the problem in a legal scenario – as far as I can tell – is that the system sucks up everything, you can’t [request one] WhatsApp message. Then are [law enforcement] violating a search order, and what do [they] do with all the information? 

It seems that companies – and this is also problem with the Israeli government – they don’t see anything as a human rights crisis, but when they have a huge PR crisis, they are ready to be more transparent. 

[Editor’s note: NSO Group has told CPJ that it has used a “kill switch” to shut down its systems in cases of serious misuse, but as CPJ and other groups noted in a public letter to the company in April 2021, the company has been vague about how it terminates relationships with clients. Cellebrite told CPJ that its platform “enables selective extraction of major types of digital sources, preservation, analysis and reporting of evidence to accelerate criminal cases” and that its tools are “designed to limit the analysis to only data that might be relevant to the case.”]

Cellebrite has attracted scrutiny because it is preparing to go public on the New York stock exchange. Could that trigger a PR crisis?  

It’s an interesting development [when that happens] because it can bring more normalization to the companies. That could push companies to be more transparent, but I don’t think investors outside Israel understand the risk of being 100% dependent on the Israeli government. If the company can’t get an export license, it’s finished. And investors won’t know what the company is doing. They will read [about] it in the newspaper.     

Editor’s note: In response to CPJ’s questions about Mark’s remarks, Betty Ilovici, the foreign press advisor of the ministry of defense, said in a statement via email on behalf of the ministry that the Defense Export Controls Agency supervises exports of dual use cyber defense products in line with Israel’s Defense Export Control Law and international regulatory regimes, and with oversight from Israeli courts and the Knesset. “Human rights, policy and security issues are all taken into consideration,” she said, but declined to comment on specific licenses citing ministry policy. The statement did not explicitly address CPJ’s questions about MALMAB or Mack’s characterization of companies as ministry subcontractors.

The statement also said that Israel “is one of the few countries in the world that require a two-stage licensing process by law. In accordance with the two-stage process, the exporter is required to hold a defense marketing license ahead of any marketing or promotional activity and a defense export license, for the export of any product.”

NSO Group characterized Mack’s statements as “a complete misunderstanding of how NSO operates,” in a statement emailed to CPJ via the Mercury Public Affairs group, but refused to respond on specific points because CPJ declined to identify the interviewee in advance of publication, per CPJ’s editorial policy. The statement added that NSO investigates credible claims of misuse and shuts down a customer’s system if warranted; its Governance, Risk and Compliance Committee reviews human rights and compliance issues, and “takes every possible step to ensure NSO’s technology is sold only to those who use it as intended — to prevent and investigate terror and serious crime.”

Cellebrite said its products “can only be used lawfully — either pursuant to a court order or warrant” and “we do not enter into business with customers whose positions or actions we consider inconsistent with our mission to support law enforcement acting in a legal manner,” noting several layers of oversight, including a board. The company could terminate license agreements and block software updates in cases where the technology is used in a manner that does not comply with the company’s values, it said in an emailed statement via the Fusion PR firm.    

Al-Jazeera reported that in 2018 Bangladesh’s army secretly purchased equipment from the Israeli company PicSix to capture communications from mobile phones. Bangladesh’s foreign minister has denied purchasing interception equipment from Israel, according to that report. PicSix did not respond to CPJ’s request for comment submitted via its website. 

Haaretz reported in 2018 that Vietnam had purchased an Israeli communications interception system. CPJ called Vietnam’s Ministry of Public Security for comment but the line rang unanswered.

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp/CPJ Consultant Technology Editor.