Access Now’s report does not name the other 12 journalists and media workers, and CPJ was unable to immediately identify them. Previously, in 2022, CPJ called for an investigation into the use of Pegasus spyware on two Jordanian journalists, including Suhair Jaradat.

“The new revelations that journalists and media workers in Jordan have been targeted with Pegasus spyware underscores the need for an immediate moratorium on the use and sale of this technology, and a ban on vendors facilitating abuses,” said Sherif Mansour, CPJ’s Middle East and North Africa program coordinator, in Washington, D.C. “Journalists are not legitimate surveillance targets, and those responsible for these attacks should be held accountable.”

According to the report, phones belonging to Sabbagh and Dihmis, who cover the Middle East and North Africa as a senior editor and an investigative reporter, respectively, at the Organized Crime and Corruption Reporting Project (OCCRP), were targeted with Pegasus spyware.

“What bothered me most was the impact of the surveillance on my sources, and friends, and relatives,” said Sabbagh, who is also the co-founder of Arab Reporters for Investigative Journalism. “Because of the nature of OCCRP’s work, it is a principal target for surveillance agencies. They wish to keep crime and criminality hidden. We work to expose it. And with this type of work comes a very high price.”

Dihimis called the revelation “quite the violation,” adding that “as a journalist, it was a reminder of the importance of being cautious in terms of secure communication — to protect yourself but also your sources and colleagues. As a person, it spurred a lot of paranoia,” she added.

Kuttab, a Palestinian-American journalist based in Jordan and a 1996 recipient of CPJ’s International Press Freedom Award, was targeted by Pegasus spyware multiple times, according to the report.

On March 8, 2022, two weeks after the first incident, Kuttab was arrested when he arrived at Queen Alia International Airport outside of Jordan’s capital, Amman. He was detained under the Cybercrime Law for an article written in 2019 and was released a few hours later on bail, the report said.

The report detailed seven other attempts to infect Kuttabʼs mobile device with Pegasus, including a 2023 attempt in which the attacker impersonated a journalist from media outlet The Cradle asking questions about Jordanʼs cybercrime law while sending malicious links.

“I will not be intimidated, and I will not censor myself,” Kuttab told CPJ. “It is highly irritating to be spied on, but that also comes with the job nowadays. Whatever I know, I publish, but my only concern is my sources and their protection.”

Gharaibeh, director of Jordan’s Radio Husna, and the host of its morning talking show, was targeted successfully multiple times and there were also several failed attempts to infiltrate his phone, the report said.

When asked by CPJ about the apparent reason behind the recurrent attacks, Gharaibeh said that “it could be anything from monitoring the journalists and their sources to exploiting the journalists and silencing them.”

According to Access Now, the victims in the report were targeted using Pegasus with both zero-click attacks, in which spyware takes over a phone without the user’s knowledge, and attacks in which a user has to click a link. 

CPJ has documented the use of Pegasus to target journalists around the world in order to monitor their phones’ cameras, microphones, emails, texts, and calls. Journalists have been targeted with the software in Jordan, Morocco, the United Arab Emirates, and Saudi Arabia, among other countries.

CPJ emailed NSO Group for comment, but received no response. NSO Group says it only licenses its Pegasus spyware to government agencies investigating crime and terrorism.

CPJ offers guidance for journalists and newsrooms on spyware targeting and general digital safety.

This content originally appeared on Committee to Protect Journalists and was authored by Committee to Protect Journalists.

Negotiations on the European Media Freedom Act (EMFA), a draft EU law seeking to strengthen media freedom and pluralism in EU member states, are likely to conclude during a meeting scheduled for December 15.

CPJ is concerned that Article 4 of the EMFA on the protection of journalists and their sources could be problematic, despite its well-intended purpose, because EU member states have requested that a “national security” exemption be included to justify spyware against journalists.

A 2022 CPJ report found that zero-click spyware, which secretly takes over electronic devices without being detected, has had a chilling effect on press freedom worldwide by putting journalists at risk of increased harassment and violence and hampering their ability to find sources.

Around the world, spyware, which secretly takes over electronic devices without being detected, puts journalists at risk of increased harassment and violence, and sometimes precedes imprisonment.

Media law experts have consistently called for the EMFA to include precise judicial safeguards, like court orders or proportionality requirements, as detailed by CPJ in its report, “Fragile Progress: The struggle for press freedom in the European Union.”

Article 4, they argue, must also be in line with the European Convention on Human Rights (ECHR) and its case law, which guarantee journalists’ right to protect their sources.

“The growing use of surveillance to spy on journalists has sent shivers around the media community in Europe, and governments have been using national security as a justification to avoid coming clean about their reasons for surveilling journalists,” said Tom Gibson, CPJ’s EU representative. “If the EU genuinely wants to protect journalists from spyware, it needs to insert clear legal checks and balances into the European Media Freedom Act.”

In light of the Pegasus Project revelations in 2021 that spyware was used to hack the phones of dozens of journalists, government officials and human rights activists globally, the European Parliament set up the PEGA Committee to investigate abuses of spyware. In May, it published its comprehensive recommendations, including to the European Commission, and called for EU action on the use of spyware.

In September, some 500 journalists complained to the European Parliament that intrusive surveillance threatened their ability to work, their right to privacy, and their sources’ confidentiality, and called for a complete ban on spyware.

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

“CPJ is deeply disturbed by the disclosures that attackers used Pegasus spyware to infect the phone of exiled journalist Galina Timchenko, one of the world’s most prominent Russian media figures,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Journalists and their sources are not free and safe if they are spied on, and this attack on Timchenko underscores that governments must implement an immediate moratorium on the development, sale, and use of spyware technologies. The threat is simply too large to ignore.”

Timchenko’s phone was infected by Pegasus, a spyware produced by the Israeli company NSO Group, while she was in Berlin on or around February 10, 2023, according to a Meduza report and a joint-investigation by rights groups Access Now and research organization Citizen Lab. The investigation found that the infection took place shortly after Russia’s Prosecutor General designated Meduza as an “undesirable” organization –  a measure that banned the outlet from operating on Russian territory – and likely lasted several days or weeks.

According to the investigation, Apple had warned Timchenko and “other targets” in June that their devices may have been targeted with state-sponsored spyware. Meduza editor-in-chief Ivan Kolpakov told CPJ via messaging app that Apple’s warning prompted them to request that Access Now check Timchenko’s device.

According to Access Now, this is the first documented case of Pegasus surveillance of a Russian journalist; the investigation reported that the attack could have come from Russia, one of its allies, or an EU state may have been responsible for the attack.

The fact that some European government may have used Pegasus against Timchenko is “beyond our comprehension,’” Kolpakov said in a statement shared with CPJ. “As the developers claim, this software is used to fight terrorism — yet it is systematically used against the opposition and journalists.”

Meduza operates in exile, with most of its staff based in Berlin and the Latvian capital of Riga and covers various topics, including politics, social issues, culture, and the war in Ukraine. CPJ awarded Timchenko its 2022 Gwen Ifill Press Freedom Award.

“We often repeat to ourselves and our employees that Europe gives a feeling of complete security. But it is only a feeling – an illusion of security,” Kolpakov said in the statement.

Meduza journalist Elena Kostyuchenko recently reported that she may have been poisoned in Germany in October 2022.

Kolpakov said he hoped to be able to identify those responsible for the attack and obtain explanations from them as well as from the NSO Group.

NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.

A 2022 CPJ special report noted that the development of high-tech “zero-click” spyware like Pegasus– the kind that takes over a phone without a user’s knowledge or interaction – poses an existential crisis for journalism and the future of press freedom around the world. The report included CPJ’s recommendations to protect journalists and their sources from the abuse of the technology and called for an immediate moratorium on exporting this technology to countries with poor human rights records. CPJ has also joined other rights groups in calling for immediate action to stop spyware threatening press freedom.

CPJ emailed NSO Group and the German Federal Ministry of the Interior for comment on the Timchenko findings but did not immediately receive any replies.

This content originally appeared on Committee to Protect Journalists and was authored by Arlene Getz/CPJ Editorial Director.

For all governments

• Implement an immediate moratorium on the development, export, sale, transfer, servicing, and use of spyware technologies until governments have enacted robust regulations that guarantee its use in line with international human rights standards.
• Bar government agencies from purchasing or licensing the export of spyware technology from companies that sell to governments with a track record of attacking press freedom and/or journalists, or that lack mechanisms to prevent their clients from unlawfully targeting the press. 
• Commit to not using spyware technology against journalists and pursue efforts to make it explicitly illegal in national legislation. 
• Establish accountability and remedy mechanisms in documented cases of abuse against the media 
• Where governments continue to engage in the use or sale of this technology, require public reporting and consultation about spyware purchases and exports 
• Use targeted actions – including visa and economic sanctions and export control listings – to hold accountable those who have spied or facilitated spying on journalists through the sale or use of spyware, and to deter future spying. 
• If not a member, join the Export Controls and Human Rights Initiative, an international effort to codify rights-respecting policy approaches to surveillance technology exports, and use it to build consensus for global action through concrete action.

For the U.S. government 

• Comply with the Congressional requirement to create a list of companies known to sell such spyware to countries with a record of using it unlawfully or with poor human rights records. [Note: the State Department was required to do this by National Defense Authorization Act 2021 but hasn’t complied yet. State said they are working on it.] 
• Continue to use the Department of Commerce’s (DoC) Entity List for Malicious Cyber Activities to impose export controls on spyware-producing companies, such as was done with NSO Group. 
• Stringently enforce a new DoC rule establishing controls on the export, reexport, or transfer of items that can be used to spy on journalists.
• Ensure U.S. businesses are complying with the State Department’s September 2020 Guidance on “Implementing the UN Guiding Principles for Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities.”
• Congress should adopt the Surveillance Technologies Disclosure Rule, which would require companies to conduct human rights due diligence and provide transparency in the surveillance technologies’ supply chain.
• Congress should adopt the Foreign Advanced Technology Surveillance Accountability Act, which would require the U.S. State Department to report on the wrongful use of surveillance technologies in the annual Country Reports on Human Rights Practices. 

For European Union institutions 

• EU member states should fully implement the European Parliament regulation on the export of dual-use surveillance technology by EU-based companies and prevent the export of this technology from harming human rights in countries where journalists are targeted and under surveillance because of their work. 
• The European Parliament’s Committee of Inquiry into Pegasus and equivalent spyware should conduct full and independent investigations into all allegations of abuse of Pegasus in EU member states and in third countries. The committee should issue ambitious and robust recommendations to EU member states, and the institutions, with a structured plan for continued scrutiny and timely monitoring to ensure all recommendations are implemented in full.
• EU member states should fully and independently investigate all national reports that Pegasus has been used to spy on journalists, providing full access to remedy for journalists targeted, including guarantees of non-repetition and restitution.
• The European Commission should assess the extent to which the Pegasus revelations have breached EU law, seek all sanctions against violating member states, including infringement procedures, and consider its own competencies to defend EU citizens against such abuse in the future.

For companies

• Embrace corporate accountability by making  a public commitment to press freedom and protecting journalists and media outlets from covert surveillance. 
• Prohibit clients from deploying technology to spy on journalists by inserting explicit terms in contracts and licenses. 
• Revoke access to spyware when abuse is detected, and report abuse to affected individuals, relevant authorities, and oversight bodies. 
• Establish procedures to review complaints and support human rights monitors investigating allegations of abuse involving specific products. 

For international organizations 

• Consult with civil society, report on the use of spyware against journalists around the world, and raise cases with governments. 
• Use human rights review mechanisms, including the Universal Periodic Review, and related processes to ensure that commitments to limit the abusive use of surveillance technologies, including spyware, translate to appropriate action, laws and policies that align with international human rights standards on targeted surveillance. 
• Promote public debate about the abusive use of spyware and encourage member states to adopt policies and laws to stem the problem by requiring corporate actors to respect human rights and implement measures as prescribed by the United Nations Guiding Principles on Business and Human Rights.

See CPJ’s 2021 policy brief for summarized recommendations.  

Read CPJ’s complete special report on how spyware threatens journalists, their sources, and global press freedom.

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp.

The hearing started unsurprisingly enough. Chaim Gelfand, the NSO Group lawyer, laid out the company line that Pegasus is designed for use against terrorists and other criminals. He promised that the company controlled its sales, developed human rights and whistleblowing policies, and took action against those governments that abused it. He wanted to “dispel certain rumors and misconceptions” about the technology that have circulated in “the press and public debate.” He made his case.

Then, surely from NSO Group’s perspective, it went downhill. MEP after MEP asked specific questions of NSO Group. For instance: if Pegasus is sold only to counter terrorism or serious crime, how did it come to be used in EU member states? How did it come to be used to eavesdrop on staffers at the European Commission, another public allegation? Can NSO provide examples of when it terminated contracts because a client misused Pegasus? Can NSO clarify what data it has on its clients’ uses of Pegasus? How does NSO Group know when the technology is “abused”? More personally: How come you spied on me?

MEPs were angry. Increasingly their questions became more intense, more personal, more laced with moral and legal outrage. And this tenor only deepened over the course of the hearing, as the NSO lawyer stumbled through his points and regularly resorted to the line that he could not speak to specific examples, cases or governments. Few, if any, seemed persuaded by the NSO Group claim that it has no insight into the day-to-day use of the spyware by the “end-user”. To the contrary, the PEGA hearing ended with one thing clear: NSO Group faces not only anger but the reality of an energized set of legislators.

More than a year after release of the Pegasus Project, the global reporting investigation that disclosed massive pools of potential targets for Pegasus surveillance, the momentum for action against spyware like Pegasus is gathering steam. 

Read CPJ’s complete special report: When spyware turns phones into weapons

In 2019, in my capacity as a U.N. Special Rapporteur, I issued a report to the United Nations Human Rights Council that surveyed the landscape of the private surveillance industry and the vast human rights abuses it facilitates, calling for a moratorium on the sale, transfer and use of such spyware. At the time, few picked up the call. But today, with extensive reporting of the use of spyware tools against journalists, opposition politicians, human rights defenders, the families of such persons, and others, the tide seems to be turning against Pegasus and spyware of its ilk.

The U.N. High Commissioner for Human Rights, several U.N. special rapporteurs, the leaders of major human rights organizations, and at least one state, Costa Rica, have joined the call for a moratorium. The Supreme Court of India is pursuing serious questions about the government’s use of Pegasus. The United States Department of Commerce placed NSO Group and another Israeli spyware firm on its list of restricted entities, forbidding the U.S. government from doing any business with them. Apple and Facebook’s parent company Meta have sued NSO Group for using their infrastructure to hack into individual phones.

All of these steps suggest not only momentum but the elements of a global process to constrain the industry. They need to be transformed into a long-term strategy to deal with the threats posed to human rights by intrusive, mercenary spyware. State-by-state responses, or high-profile corporate litigation, will generate pain for specific companies and begin to set out the normative standards that should apply to surveillance technologies. But in order to curb the industry as a whole, a global approach will be necessary. 

In principle, spyware with the characteristics of Pegasus – the capability to access one’s entire device and data connected to it, without discrimination, and without constraint – already violates basic standards of necessity and proportionality under international human rights law. On that ground alone, it’s time to begin speaking of not merely a moratorium but a ban of such intrusive technology, whether provided by private or public actors. No government should have such a tool, and no private company should be able to sell such a tool to governments or others.

In the land of reality, however, a ban will not take place immediately. Even if a coalition of human rights-friendly governments could get such negotiations toward a ban off the ground, it will take time.

Here is where bodies like the European Parliament and its PEGA Committee – and governments and parliamentarians around the world – can make an immediate difference. They should start to discuss a permanent ban while also entertaining other interim approaches: stricter global export controls to limit the spread of spyware technology; commitments by governments to ensure that their domestic law enables victims of spyware to bring suits against perpetrators, whether domestic or foreign; and broad agreement by third-party companies, such as device manufacturers, social media companies, security entities and others, to develop a process for notification of spyware breaches especially to users and to one another. 

Some of this would be hard to accomplish. It’s not as if the present moment, dominated as it is by tensions like Russian aggression against Ukraine, is conducive to international negotiations. Some steps could be achieved by governments that should be concerned about the spread of such technologies, already demonstrated by U.S. and European outrage. Either way, governments and activists can begin to lay the groundwork, defining the key terms, highlighting the fundamental illegality of spyware like Pegasus, taking steps in domestic law to ensure strict controls on export and use. 

There is precedent for such action in the global movement to ban landmines in the 1990s, which started with little hope of achieving a ban, focused instead on near-term controls. Ultimately human rights activists and like-minded governments were able to hammer out the Ottawa Convention to ban and destroy anti-personnel landmines in 1997. It is, at least, a process that activists and governments today could emulate and modify.

Human rights organizations and journalists have done the work to disclose the existence of a major threat to freedom of expression, privacy, and space for public participation. It is now the duty of governments to do something about it.

This content originally appeared on Committee to Protect Journalists and was authored by David Kaye.

The indignation and humiliation were from seeing himself and other prominent journalists included on a list of convicted criminals and known mob figures considered to be threats to Hungary’s national security. The pride was because the Hungarian government, which routinely ignored his reporting questions, thought it was worth spending tens, if not hundreds, of thousands of dollars on his surveillance; the relief was the validation that his earlier suspicions about being spied on were not a sign of paranoia.

Other Hungarian journalists targeted for surveillance expressed similarly ambiguous emotions in interviews with CPJ. And all were skeptical that any future recommendations by the European Parliament’s committee of inquiry into Pegasus and other spyware, expected next year, would bring much relief in a country where independent media face an increasingly hostile press freedom climate under the government of right-wing Prime Minister Viktor Orbán.

Panyi, who continues to relentlessly investigate the surveillance scandal, is one of the few journalists still giving regular interviews to Hungarian and international media about his surveillance. Three other CPJ interviewees said that while they were making an exception in talking to the organization, they’d otherwise stopped making public statements on their experience because they did not want their Pegasus targeting to define their lives.

Read CPJ’s complete special report: When spyware turns phones into weapons

The three – crime reporter Brigitta Csikász, Zoltán Varga, owner of one of the country’s biggest independent news sites, 24.hu, and a reporter who asked not to be identified for fear that further publicity would negatively impact his career – were named as targets in July 2021, when Panyi broke the story for Direkt36 as part of its reporting for the Pegasus Project, an international investigation that found the phone numbers of more than 180 journalists on a global list of potential spyware targets. (The NSO Group, which makes Pegasus, denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.)

Along with Panyi, all the journalists recounted signs that they were under physical and digital surveillance before they were aware of Pegasus being used against them, and all said that their private and professional lives had changed since the scandal broke last year.

Csikász, who covers corruption, told CPJ in a phone interview that she had seen numerous signs that people might be watching her and was warned by friends for years that her phone might be monitored. “I did not get a heart attack, I was not at all traumatized,” she told CPJ in a phone interview about her reaction to the news that Pegasus was used to monitor the contents of her phone between early April and mid-November 2019.   

Csikász has even managed to find some humor in her situation. “My friends took it real easy, most of them just crack jokes and my family took it as a sign of prestige and importance. For them, it is as if I was awarded with a special journalism prize,” she said. She added that the publicity surrounding the disclosures had even prompted some sources to contact her because they heard about her in the news. “I was not, and I have not, become paranoid,” she told CPJ.

Still, Csikász, who currently works for daily tabloid newspaper Blikk and was reporting for the investigative outlet Átlátszó, remains concerned about the intrusion. “As a journalist, I respect my country’s laws and my profession’s ethical standards and I consider the possibility of being spied on as part of my job,” she said. However, she would like to know which of her numerous investigations were considered threats to national security.

Varga told CPJ in a video interview that he’d attracted government attention when he started investing in media in 2014. This scrutiny increased, especially when he made it clear around 2017 that he would not be willing to sell his assets in spite of quiet threats and warnings from businesspeople linked to the government. In recent years, he said, he had spotted people sitting in cars parked outside his house and apparent eavesdroppers sitting next to his table at restaurants. He recalled that his phone calls were often interrupted, he once heard a recording of a call played back from the start, and at one point German tech experts provided proof that his android phone had been hacked.

Panyi’s investigation found Varga’s Pegasus surveillance started around the time he invited six people to a dinner in his house in Budapest in June 2018, two months after Orbán won a third consecutive term as prime minister. All seven participants of the dinner were selected as potential candidates for surveillance and at least one of their phones showed evidence of infection under Amnesty’s forensic analysis.  

“I was only surprised that the regime used this type of high-level technology to spy on an otherwise innocent gathering of intellectuals,” Varga told CPJ in a video call. “It was far from being a coup, it was just a friendly gathering. We discussed the very high level of corruption in Hungary’s ruling elite and how to find ways to expose it. Using this kind of technology in such a situation for me just shows how much the government is afraid of its opponents,” he said.

The reporter who spoke on condition of anonymity was also surprised that the government would deploy such high-tech spyware against journalists. Although he’d seen indications of occasional physical surveillance, the Pegasus infiltration “came out of the blue and was a real shock to me,” he said in a phone interview. His “dark period” only eased when the fact of his surveillance was publicly reported. “Since then, I prefer not to speak about it and share my experiences with anyone but my friends,” he told CPJ.

Panyi said that the way he communicates with sources has now become much slower and more complicated. “Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life,” he told CPJ in a phone interview. He uses various secure digital tools and applications, is mindful about what networks he connects to on his computer or mobile phone, regularly goes to meetings without his phone, and continues to take physical notes.

Varga says the spyware disclosures have harmed some of his business ventures. “The Pegasus scandal made it obvious for both my business and private contacts that it might be risky to talk to me and they might also get exposed, which people obviously try to avoid,” Varga told CPJ, adding that acquaintances now crack Pegasus “jokes” in most of his meetings. “As a result of this whole affair, I have much less phone calls, more walking meetings outside, without phones in the pocket,” he said.

Many companies, including advertising agencies and advertisers for his news site, seem to prefer to avoid doing business with him, and their loss is not offset by the small number of ad-buyers who now see the site as an important media voice, said Varga. “I have become kind of toxic for my environment,” he told CPJ. 

The reporter who preferred not to be named said that his phone now “stays outside” whenever he sees friends and family and he uses a special anti-tracking case when he attends professional meetings.

Hungary’s government acknowledged in November 2021 that it had bought Pegasus spyware, but says that its surveillance of journalists and political critics was carried out in accordance with Hungarian law.

A government spokesman said that journalists might have been monitored because some of their sources were under surveillance on suspicion of crimes or terrorist links, not because the journalists were the direct targets of the investigations.

In January, the Hungarian National Authority for Data Protection and Freedom of Information issued a 55-page report, which concluded that in all the cases they investigated, including those involving journalists, all legal criteria for the application of the spyware were met and the spyware was used to protect Hungary’s national interests.  

These responses have left the journalists who spoke to CPJ with little hope that anyone will be held accountable for the intrusion on their lives. Nor do they expect help from the institutions of the European Union, where officials themselves have been targeted by spyware as they grapple with mounting political pressure over how to hold member states accountable for any breaches of the rule of law.

As the European Parliament’s committee of inquiry looks at the mountain of evidence that surveillance spyware has been used in EU countries and against EU citizens, the EU Commission lacks the powers to hold member states to account, and has been forced to refer those seeking justice to their national courts.    

Surveilled journalists might eventually get EU relief if a new draft European Media Freedom Act, released on September 16, becomes law. The Act could give journalists a path to file a complaint to the EU’s Court of Justice if they or those close to them are subject to the unjustified use of spyware. However, the Act still has to be reviewed by EU institutions and member states and may not survive in its current form.  

Meanwhile, Panyi does not believe Hungary’s courts can provide any relief. “The laws regulating national security, including surveillance, are so broadly formulated that it is legal to wiretap and surveil anyone,” he told CPJ. Noting that there was no independent oversight of the surveillance process, he added that “legal” in these cases meant only that “everything has been properly documented, and the necessary stamps are where they should be.”

In June, Panyi saw his concerns confirmed when the Central Investigation Prosecutor’s Office announced it had terminated its own investigation into the allegations of illegal surveillance of journalists and opposition politicians, citing absence of a crime. “A broad investigation which included classified documents found no unauthorized and secretive collection of information or the unauthorized use of a concealed device,” said the investigators. 

Additional reporting by Tom Gibson in Brussels

This content originally appeared on Committee to Protect Journalists and was authored by Attila Mong/CPJ EU Correspondent.

Last July, when the Pegasus Project investigation revealed that imprisoned Moroccan journalist Soulaiman Raissouni was selected for surveillance by Israeli-made Pegasus spyware, the journalist could only laugh. 

“I was so sure,” his wife Kholoud Mokhtari said Raissouni told her from prison. 

Raissouni is one of seven local journalists named by the Pegasus Project – an investigative consortium of media organizations – as a potential or confirmed target of Pegasus spyware. The news only validated what Moroccan’s journalist community had long suspected: that the state’s vast intelligence apparatus has been monitoring some journalists’ every move. 

Moroccan journalists were among the first worldwide to complain of the use of spyware against reporters, pointing to digital surveillance as early as 2015. In 2019 and 2020, Amnesty International announced the findings of forensic analyses confirming that Pegasus had been used on the phone of at least two Moroccan journalists, Omar Radi and Maati Monjib. Subsequent state action against some of the surveilled journalists underscored the ongoing threat to Morocco’s independent media – and reinforced CPJ’s conclusion that spyware attacks often are precursors to other press freedom violations. 

Both Raissouni and Radi are imprisoned in Morocco for what family and colleagues describe as trumped up sex crimes charges. Taoufik Bouachrine, another journalist whom the Pegasus Project said was targeted with the spyware, is imprisoned on similar charges. 

Read CPJ’s complete special report: When spyware turns phones into weapons

The Pegasus Project was unable to analyze the phones of all of those named as surveillance targets to confirm the infection and the Moroccan government has repeatedly denied ever using Pegasus. However, many of the three journalists’ private pictures, videos, texts, and phone calls, as well as those belonging to family members, were published in pro-government newspapers and sites like Chouf TV, Barlamane.com, Telexpresse, and then later used as evidence against the journalists in court.   

Bouachrine, former editor-in-chief of local independent newspaper Akhbar al-Youm, was arrested in February 2018, and is serving a 15-year prison sentence on numerous sexual assault and human trafficking charges. His wife, Asmae Moussaoui, told CPJ in a phone call in May 2022 that she believes she was surveilled, too. 

In April 2019, Moussaoui said she called a private Washington, D.C.-based communications firm to help her run ads in U.S. newspapers about Bouachrine’s case, hoping that the publicity might aid efforts to free her husband. The next day, Barlamane published a story alleging that Moussaoui paid tens of thousands of euros to the firm, using money the journalist allegedly earned through human trafficking activities. Human Rights Watch describes Barlamane as being “closely tied with security services.” 

Suspecting she was being monitored, Moussaoui turned to one of her husband’s lawyers, who suggested the pair “pull a prank” that would help them detect whether authorities were indeed spying on her. The lawyer “called me and proposed that we speak with Taoufik’s alleged victims to reconcile, which we did not really intend to do. The next day, tabloids published an article saying that our family is planning to bribe each victim with two million dirhams [about $182,000] so they drop the case. I became very sure [of the surveillance] then,” Moussaoui told CPJ.

Moroccan journalist and press freedom advocate Maati Monjib, co-founder of the Moroccan Association for Investigative Journalism (AMJI), had a similar experience. Monjib was arrested in December 2020 and sentenced to a year in prison the following month after he was convicted of endangering state security and money laundering fraud. The latter charge stems from AMJI’s work helping investigative journalists apply for grants, Monjib told CPJ in a phone call. 

“During one of our meetings at AMJI in 2015, I mentioned that we need to look for grants to support more journalists. The next day, one of the tabloids published a story claiming that Maati Monjib is giving 5,000 euros [$4,850] to every journalist who criticizes the general director of the national security. This is a proof that they were listening to our meeting,” said Monjib. 

The revelations have forced journalists and their family members to take precautions against surveillance – no easy task given the difficulty of detecting spyware infection without forensic help. “[Raissouni] told me to try to be safe, so I am trying my best,” Mokhtari, Raissouni’s wife, told CPJ. 

“Other than the usual precautions I take to protect my phone, I regularly update it and I never keep any personal pictures or important messages or emails on it,” she said. “I also buy a new phone every three months and destroy the old one, which has taken a financial toll on my family. But honestly you can’t escape it. The most tech-savvy person I know is our friend Omar Radi. He took all the necessary precautions against hacking, and they still managed to infect his devices.” 

Monjib brings his devices to tech experts almost daily to check for bugs and to clean them, he told CPJ, adding that he also never answers phone calls, only uses the encrypted Signal messaging app, and always speaks in code.

Aboubakr Jamai, a prominent Moroccan journalist and a 2003 CPJ International Press Freedom Award winner, was selected for surveillance with Pegasus in 2018 and 2019 — and confirmed as a target in 2019 — even though he has been living in France since 2007, according to the Pegasus Project. He believes that the Moroccan government is to blame for the spyware attacks, and that the surveillance has effectively ensured the end of independent journalism in the country, he told CPJ in a phone call. 

“For years now, there haven’t been any independent media or journalism associations,” said Jamai. What’s left now is a handful of individuals who have strong voices and choose to echo it using some news websites, but mainly social media platforms.” 

CPJ emailed the Moroccan Ministry of Interior in September for comment but did not receive any response. 

Still, Jamai – who gave no credence to the government’s earlier denials of Pegasus use – did see one positive result from the spyware disclosures. “It publicly exposed Morocco’s desperation and the extent to which it is willing to go to silence journalists,” he said. “Now the whole world knows that the Moroccan state is using Pegasus to spy on journalists.”

This content originally appeared on Committee to Protect Journalists and was authored by Madeline Earp.

Over five years have passed since Villarreal and Ismael Bojórquez, RíoDoce’s co-founder and editor-in-chief, received the suspicious text messages that experts said bore telltale signs of Pegasus, the now notorious surveillance software developed by Israeli firm NSO Group. Just this month, a joint investigation by three Mexican rights groups and the University of Toronto’s Citizen Lab found evidence of Pegasus infections on the devices of two Mexican journalists and a human rights defender between 2019 and 2021 – infiltration that occurred in spite of Mexican President Andrés Manuel López Obrador’s 2018 promise to end illegal surveillance. (López Obrador denied on October 4 that his administration had used Pegasus against journalists or political opponents, saying, “if they have evidence, let them present it.”)

The previous Mexican administration also denied using the technology on high-profile journalists, even after the Pegasus Project, a global consortium of investigative journalists and affiliated news outlets that investigated the use of the spyware, reported in 2021 that more than two dozen journalists in Mexico have been targeted with the spyware. Those named included award-winning investigative journalist Carmen Aristegui and Jorge Carrasco, the editor-in-chief of the country’s foremost hard-hitting investigative magazine Proceso. Yet although the surveillance caused considerable outrage, almost nothing has changed since 2017, according to Villarreal, who spoke to CPJ from Sinaloa’s capital, Culiacán.

Read CPJ’s complete special report: When spyware turns phones into weapons

In what CPJ has found to be by far the deadliest country for journalists in the Western Hemisphere, there remains no legal protection from intrusive surveillance, no recourse for its victims, and no repercussions for those in public office who facilitated the spying.  

López Obrador’s pledge to stop illegal surveillance was one of his first major undertakings after he took office in December 2018. Eleven months later, he assured Mexicans that the use of the Israeli spyware would be investigated. “From this moment I tell you that we’re not involved in this. It was decided here that no one will be persecuted,” he said.

But with just over two years left in office – Mexico’s constitution allows presidents to serve only a single six-year term – journalists, digital rights groups, and human rights defenders say little has come of the president’s promises. Not only has the investigation into the documented cases of illegal use of Pegasus shown no meaningful progress, the critics say, but also virtually nothing has been done to prevent authorities from continuing to spy. 

“Unfortunately, the regulatory situation and the authorities’ capacity to intercept communication have remained intact,” said Luis Fernando García of Red en Defensa de los Derechos Digitales (R3D), a Mexico City-based digital rights group that supports reporters targeted with Pegasus. “There’s very little transparency, very little publicly available information about the use of such technologies, which makes repetition a very real possibility.”

CPJ contacted the office of President López Obrador’s spokesperson for comment before publication of the October report about the most recent infections but did not receive a reply.

NSO says it only sells Pegasus to government and law enforcement agencies to combat terrorism or organized crime. But investigative journalists report that in countries like Mexico non-state actors, including criminal groups, can also get their hands on these tools even if they are not direct clients. This poses a major threat to journalists and their sources across the region, where CPJ research has found that organized crime groups are responsible for a significant percentage of threats and deadly violence targeting the press. At least one Mexican journalist who was killed for his work, Cecilio Pineda Birto, may have been singled out for surveillance the month before his death.

Villarreal and Bojorquez received the first Pegasus-infected text messages just two days after Javier Valdez Cárdenas, Riodoce co-founder and a 2011 recipient of CPJ’s International Press Freedom Award, was fatally shot on May 15, 2017, near the magazine’s offices in northern Sinaloa state. 

“Although it had all the hallmarks of Pegasus, it took us quite a while before we realized what was happening,” Villarreal recalled. “We were in a very vulnerable state after Javier’s death. It wasn’t until approximately a month later, after contact with press freedom groups, that we realized that it was Pegasus.”

A 2018 report by R3D, citing findings by Citizen Lab, stated that the likely source of Villarreal’s surveillance was the Agency of Criminal Investigation, a now-defunct arm of the federal attorney general’s office. Two autonomous federal regulators subsequently established that the attorney general’s office used Pegasus illegally and violated privacy laws.

However, an ongoing federal investigation initiated under the previous government of President Enrique Peña Nieto has not led to any arrests of public officials. In December 2021, Mexican authorities requested the extradition from Israel of the former head of the criminal investigation agency, Tomás Zerón, in connection with various investigations – reportedly including the Pegasus abuses – but that request has not yet been granted. (CPJ contacted the federal attorney general’s office for comment on the extradition, but did not receive a reply.)

Concerningly, according to Proceso, investigators of the federal state comptroller revealed in the audit of the federal budget in October 2021 that the López Obrador administration had paid more than 312 million pesos (US $16 million) to a Mexican businessman who had facilitated the acquisition of Pegasus in the past.

The López Obrador administration has not publicly responded to Proceso’s findings or the state comptroller’s report, but the president did say during his daily press briefing on August 3, 2021, that there ‘no longer existed a relationship’ with the developer of Pegasus. The president’s office had not responded to CPJ’s request for comment on the payment by the time of publication.

Experts at R3D and Citizen Lab said Pegasus traces on a journalist’s phone indicated they were hacked as recently as June 2021, just after they reported on alleged human rights abuses by the Mexican army for digital news outlet Animal Politico. The journalist was not named in reports of the incident.

“I don’t think anything has changed,” Villarreal said. “The risk continues to exist, but the government denied everything.”

R3D, together with a number of other civil society groups, has also pushed hard for new legislation to curb the use of surveillance technologies by lobbying directly to legislators and via platforms like the Open Government Alliance. So far, the result has been disappointing. Even though López Obrador and his party, the Movement of National Regeneration (Morena), hold absolute majorities in both chambers of federal congress and have repeatedly acknowledged the need to end illegal surveillance, there has been no meaningful push for new legislation on either the state or the federal level.

“There is indignation about surveillance, but my colleagues aren’t picking the issue up,” said Emilio Álvarez Icaza, an independent senator who has been outspoken about surveillance. “It’s an issue that at least the Senate does not seem to really care about.”

R3D’s García warns that Pegasus is just a part of the problem. R3D and other civil society groups say they have detected numerous other technologies that were acquired by state and federal authorities even after the scope of Pegasus’ use became clear.

“We’ve been able to detect the proliferation of systems that permit the intervention of telephones and there are publicly available documents that provide serious evidence that those systems have been used illegally,” García said. “The [attorney general’s office], for example, has acquired the capacity to conduct more than 100,000 searches of mobile phone data, but only gave clarity about 200 of them.”

“Even with regulation, the Mexican justice state has a tremendous problem of lack of transparency and accountability. The entire system seems to have been constructed to protect public officials,” said Ana Lorena Delgadillo, a lawyer and director of the Fundación para la Justicia, which provides legal support to Mexicans and Central Americans searching for ‘disappeared’ family members. “This is why I believe it’s important that cases of this nature are ultimately brought to the Supreme Court, but it’s hard to find people willing to litigate.”

Villarreal said he will not be one of those afraid to speak out. “Ultimately we’ve left our cases in the hands of civil society organizations,” he said. “Thing is, the spyware is just a new aspect of a problem that has always existed. The authorities have spied here, they will continue to do so. We have to adapt to the reality that we’ll never know the extent of what’s going on.”

This content originally appeared on Committee to Protect Journalists and was authored by Jan-Albert Hootsen, CPJ Mexico Correspondent.

“Earlier it was just one conversation they [authorities] would tap into,” Venu told CPJ in a phone interview. “They wouldn’t see what you would be doing in your bedroom or bathroom. The scale was stunning.”

The Indian journalists were among scores around the world who learned from the Pegasus Project in July 2021 that they, along with human rights activists, lawyers, and politicians, had been targeted for possible surveillance by Pegasus, the spyware made by Israel’s NSO Group. (The company denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.) 

The Pegasus Project found that the phones of two founding editors of The Wire – Venu and Siddharth Vardarajan – were confirmed by forensic analysis to have been infected with Pegasus. Four other journalists associated with the outlet – diplomatic editor Devirupa Mitra, and contributors Rohini Singh, Prem Shankar Jha, and Swati Chaturvedi – were listed as potential targets.

The Indian government denies that it has engaged in unauthorized surveillance, but has not commented directly on a January New York Times report that Prime Minister Narendra Modi agreed to buy Pegasus during a 2017 visit to Israel. The Indian government has not cooperated with an ongoing inquiry by an expert committee appointed by the country’s Supreme Court to investigate illegal use of spyware. In late August, the court revealed that the committee had found malware in five out of the 29 devices it examined, but could not confirm that it was Pegasus.

However, Indian journalists interviewed by CPJ had no doubt that it was the government behind any efforts to spy on them. “This government is obsessed with journalists who are not adhering to their cheerleading,” investigative reporter Chaturvedi told CPJ via messaging app. “My journalism has never been personal against anyone. I don’t understand why it is so personal to this government.” For Chaturvedi, the spying was an invasion of privacy “so heinous that how do you put it in words.” 

Read CPJ’s complete special report: When spyware turns phones into weapons

Overall, the Pegasus Project found that at least 40 journalists were among the 174 Indians named as potential targets of surveillance. With six associated with The Wire, the outlet was the country’s most targeted newsroom. The Wire has long been a thorn in the side of the ruling Bharatiya Janata Party (BJP) for its reporting on allegations of corruption by party officials, the party’s alleged promotion of sectarian violence, and its alleged use of technology to target government critics online. As a result, various BJP-led state governments, BJP officials, and their affiliates have targeted the website’s journalists with police investigations, defamation suits, online doxxing, and threats.

Indian home ministry and BJP spokespeople have not responded to CPJ’s email and text messages requesting comment. However after the last Supreme Court hearing, party spokesperson Gaurav Bhatia criticized the opposition for “trying to create an atmosphere of fear” in India. “They [Congress party] were trying to spread propaganda that citizens’ privacy has been invaded. The Supreme Court has made it clear that no conclusive evidence has been found to show the presence of Pegasus spyware in the 29 phones scanned,” he said.

As in so many other newsrooms around the world, the Pegasus Project revelations have prompted The Wire to introduce stricter security protocols, including the use of encrypted software, to protect its journalists as well as its sources.

Ajoy Ashirwad Mahaprashasta, political editor at The Wire, told CPJ in a phone interview that as part of the new procedures, “we would not talk [about sensitive stories] on the phone.” While working on the Pegasus project, the Wire newsroom was extra careful. “When we were meeting, we kept our phones in a separate room. We were also not using our general [office] computers,” he said.

Venu told CPJ that while regular editorial meetings at The Wire are held via video call, sensitive stories are discussed in person. “We take usual precautions like occasional reboot, keep phones away when we meet anyone. What else can we do?” he asks.

Chaturvedi told CPJ via messaging app that she quickly started using a new phone when she learned from local intelligence sources that she might have been under surveillance. As an investigative journalist, her immediate concern following the Pegasus Project disclosures was to avoid compromising her sources. “In Delhi, everyone I know who is in a position of power no longer talks on normal calls,” she said. “The paranoia is not just us who have been targeted with Pegasus.”

“Since the last five years, any important source I’m trying to talk to as a journalist will not speak to me on a normal regular call,” said Arfa Khanum Sherwani, who anchors a popular political show for The Wire and is known as a critic of Hindu right-wing politics. Sherwani told CPJ that her politician sources were the first ones who moved to communicate with her on encrypted messaging platforms even before the revelations as they “understood that something like this was at play.”

Rohini Singh similarly told CPJ that she doesn’t have any conversations related to her stories over the phone and leaves it behind when she meets people out reporting. “It is not about protecting myself. Ultimately it is going to be my story and my byline would be on it. I’m essentially protecting people who might be giving me information,” she said. 

Journalists also say they are concerned about the safety of their family members.

“After Pegasus, even though my name per se was not part of the whole thing, my friends and family members did not feel safe enough to call me or casually say something about the government. Because they feel that they are also being audiographed and videographed [filmed or recorded],” said Sherwani.

Chaturvedi told CPJ that her family has been “terrified” since the revelations. “Both my parents were in the government service. They can’t believe that this is the same country,” she said.

Venu and Sherwani both expressed concerns about how the atmosphere of fear could affect coverage by less-experienced journalists starting out in their careers. “The simple pleasure of doing journalism got affected. This may lead to self-censorship. When someone gets attacked badly, that journalist can start playing safe,” said Venu.

Said Sherwani: “For someone like me with a more established identity and career, I would be able to get people [to talk to me], but for younger journalists it will be much more difficult to contact politicians and speak to them. Whatever they say has to be on record, so you will see less and less source-based stories.”

Ashirwad agreed. “I’m very critical of this government, which is known. My stand now is I shall not say anything in private which I’m not comfortable saying in public,” he said.  

This content originally appeared on Committee to Protect Journalists and was authored by Kunal Majumder/CPJ India Representative.