The call appeared urgent, in that it was coming at close to midnight Tel Aviv time, August 5, 2020, from somebody in senior management at the NSO Group. Cherie Blair, former First Lady of the United Kingdom, longtime barrister, noted advocate for women entrepreneurs in Africa, South Asia, and the Middle East, a prominent voice for human rights worldwide, was obliged to pick up the phone. Mrs. Blair had recently signed on as a paid consultant to the Israeli firm NSO to help “incorporate human rights considerations into NSO activities, including interactions with customers and deployment of NSO products.”
This was a delicate high-wire act, ethically speaking, because NSO’s signature product, cybersurveillance software called Pegasus, was a remarkable and remarkably unregulated tool—extraordinarily lucrative to the company (NSO grossed around $250 million that year) and dangerously seductive to its clients. Successfully deployed, Pegasus essentially owns a mobile phone; it can break down defenses built into a cell phone, including encryption, and gain something close to free rein on the device, without ever tipping off the owner to its presence.
That includes all text and voice communications to and from the phone, location data, photos and videos, notes, browsing history, even turning on the camera and the microphone of the device while the user has no idea it’s happening. Complete remote personal surveillance, at the push of a button.
NSO insists its software and support services are licensed to sovereign states only, to be used for law enforcement and intelligence purposes. They insist that’s true, because—my God—imagine if it weren’t. The cybersurveillance system the company created and continually updates and upgrades for its sixty-plus clients in more than forty different countries has made the world a much safer place, says NSO.
Either this is a scandal we understand and get ahold of and come up with solutions for, or this is the future, for all of us, with no holds barred.
Tens of thousands of lives have been saved, they say, because terrorists, criminals, and pedophiles (pedophiles is a big company talking point the last few years) can be spied on and stopped before they act. The numbers are impossible to verify, but the way NSO describes it, the upsides of Pegasus, used within legal and ethical boundaries, are pretty much inarguable. Who doesn’t want to stop pedophiles? Or terrorists? Who could be against it?
“Mission Control, we have a problem,” was the message Cherie Blair got from the call that warm summer evening in August 2020.
“It had come to the attention of NSO that their software may have been misused to monitor the mobile phone of Baroness Shackleton and her client, Her Royal Highness Princess Haya,” Blair explained in a London court proceeding some months later. “The NSO Senior Manager told me that NSO were very concerned about this.”
NSO’s concern appeared to be twofold, according to the evidence elicited in that London court. The first was a question of profile. Pegasus had been deployed against a woman who was a member of two powerful Middle Eastern royal families, as well as her very well-connected British attorney, Baroness Fiona Shackleton. Shackleton was not only a renowned divorce lawyer to the rich and famous—including Paul McCartney, Madonna, Prince Andrew, and Prince Charles—she was also herself a member of the House of Lords. Even more problematic for NSO, it was an outside cybersecurity researcher who had discovered the attacks on the baroness and the princess. If he’d figured out this one piece of how Pegasus was being used, what else had he figured out? And how much of this was about to become public knowledge?
The caller from NSO asked Cherie Blair “to contact Baroness Shackleton urgently so that she could notify Princess Haya,” she explained in testimony. “The NSO Senior Manager told me that they had taken steps to ensure that the phones could not be accessed again.”
The details of the late-night call to Blair and the spying on the princess and her lawyer didn’t really shake out into public view until more than a year later, and only then because it was part of the child custody proceedings between Princess Haya and her husband, Sheikh Mohammed bin Rashid Al Maktoum, prime minister of the United Arab Emirates and the emir of Dubai. The finding by the president of the High Court of Justice Family Division, released to the public in October 2021, held that the mobile phones of the princess, her lawyer, the baroness, and four other people in their intimate circle were attacked with cybersurveillance software, and that “the software used was NSO’s Pegasus.”
The judge determined it was more than probable that the surveillance “was carried out by servants or agents of [the princess’s husband, Sheikh Mohammed bin Rashid Al Maktoum], the Emirate of Dubai, or the UAE.” The surveillance, according to the judge, “occurred with [the Sheikh’s] express or implied authority.”
The story of the princess, the baroness, and Pegasus might have faded into gossip columns and then into oblivion after a few weeks. A rich and powerful man used a pricey bit of software to spy on his wife and her divorce lawyer? Well, if you marry a sheikh and then cross him, you damn well might expect things to get weird. NSO also did a fairly nice job of cleanup on Aisle Spyware. The court finding pretty much accepted the word of NSO that it had terminated the UAE’s ability to use its Pegasus system altogether, at a cost to the company, the judge noted, “measured in tens of millions of dollars.” And maybe they did, but who can say.
A funny thing happened on the way to that divorce court gossip column item, though. Because right around the time Cherie Blair got that call from Israel, a very brave source offered two journalists from Paris and two cybersecurity researchers from Berlin access to a remarkable piece of leaked data. The list included the phone numbers of not one or two or ten Emirati soon-to-be divorcees, or even twenty or fifty suspected pedophiles or drug traffickers. It was fifty thousand mobile phone numbers, all selected for possible Pegasus targeting by clients of that firm in Israel, NSO. Fifty thousand?
What exactly to make of that initial leaked list—that crucial first peek into the abyss—is a question that took nearly a year to answer, with a lot of risk and a lot of serious legwork to get there. The answer to the question matters. Because either this is a scandal we understand and get ahold of and come up with solutions for, or this is the future, for all of us, with no holds barred.
This book is the behind-the-scenes story of the Pegasus Project, the investigation into the meaning of the leaked data, as told by Laurent Richard and Sandrine Rigaud of Forbidden Stories, the two journalists who got access to the list of fifty thousand phones. With the list in hand, they gathered and coordinated an international collaboration of more than eighty investigative journalists from seventeen media organizations across four continents, eleven time zones, and about eight separate languages.
“They held this thing together miraculously,” says an editor from the Guardian, one of the partners in the Pegasus Project. “We’ve got, like, maybe six hundred journalists. The Washington Post is maybe twice the size. And to think that a small nonprofit in Paris, with just a handful of people working for it, managed to convene a global alliance of media organizations and take on not just one of the most powerful cybersurveillance companies in the world but some of the most repressive and authoritarian governments in the world, that is impressive.”
To best that Goliath, these two Davids had to fashion their own slingshot, had to invent the methods and tools of their forensics on the fly.
In the daily back-and-forth of American news and politics—my wheelhouse—it is rare indeed to come across a news story that is both a thriller and of real catastrophic importance. Regular civilians being targeted with military-grade surveillance weapons—against their will, against their knowledge, and with no recourse—is a dystopian future we really are careening toward if we don’t understand this threat and move to stop it. The Pegasus Project saga not only shows us how to stop it; it’s an edge-of-your-seat procedural about the heroes who found this dragon and then set out to slay it. I have never covered a story quite like this, but Laurent and Sandrine sure have, and it is freaking compelling stuff.
The engine of the narrative you’re about to read is the risky investigation itself, from the minute these guys first got access to that leaked list in the last half of 2020 to publication in July 2021. But herein also is the story of the company NSO, its Israeli government benefactors, and its client states, which takes the reader from Tel Aviv to Mexico City to Milan, Istanbul, Baku, Riyadh, Rabat, and beyond. The company’s ten-year rise—from its unlikely inception, to its early fights with competitors, to its golden era of reach and profitability—reveals the full history of the development, the weaponization, and the mindless spread of a dangerous and insidious technology.
“If you’re selling weapons, you better make sure you’re selling those to someone who is accountable for their actions,” one young Israeli cybersecurity expert says. “If you’re giving a police officer a gun and if that police officer starts shooting innocent people, you are not to be blamed. But if you’re giving a chimpanzee a gun and the chimpanzee shoots someone, you can’t blame the chimpanzee. Right? You will be to blame.” Turns out this story has armed chimpanzees up the wazoo. And a lot of innocent people shot at by the proverbial police, too.
Here also is the story of the other individuals besides Laurent and Sandrine who were entrusted with full access to the leaked data, Claudio Guarnieri and Donncha Ó Cearbhaill (pronounced O’Carroll), two young, incorrigible, irrepressible cybersecurity specialists at Amnesty International’s Security Lab. These men—one barely in his thirties, the other still in his twenties—shouldered incredible weight throughout the Pegasus Project. Against the most aggressive and accomplished cyberintrusion specialists in the world, Claudio and Donncha were charged with designing and enforcing the security protocols that kept the investigation under wraps for almost a full year and kept the source that provided the list out of harm’s way for good.
More than that, it was up to Claudio and Donncha to find the evidence of NSO’s spyware on phones that were on the list leaked to them by that brave source. The insidious power of a Pegasus infection was that it was completely invisible to the victim—you’d have no way to know the baddies were reading your texts and emails and listening in on your calls and even your in-person meetings until they used their ability to track your exact location to send the men with guns to meet you. For the Pegasus Project to succeed in exposing the scale of the scandal, the journalists knew they would need to be able to diagnose an infection or an attempted infection on an individual phone.
Claudio and Donncha figured out how to do it. Working quite literally alone, these two took on a multibillion-dollar corporation that employed 550 well-paid cyberspecialists, many with the highest levels of military cyberwarfare training. To best that Goliath, these two Davids had to fashion their own slingshot, had to invent the methods and tools of their forensics on the fly. That they succeeded is as improbable as it is important, for all our sakes.
Here also is the story of the victims of Pegasus. Among them are those who hold enough power that you might expect they’d be protected from this kind of totalist intrusion—heads of state, high-ranking royals, senior politicians, law enforcement figures. And then there’s the people whom governments the world over have always liked to put in the crosshairs: opposition figures, dissidents, human rights activists, academics. Laurent and Sandrine rack focus tight on the group most represented in the leaked data, of course: journalists.
For me, the most unforgettable characters in this story are Khadija Ismayilova, from Azerbaijan, and Omar Radi, of Morocco. Their uncommon courage proves both admirable and costly. Their stories lay bare the awful personal consequences of challenging governments in an age of unregulated cybersurveillance, and the need for more people like them.
If this antidemocratic, authoritarian nightmare can’t be safely reported upon, it won’t be understood.
As antidemocratic and authoritarian winds gather force all over the world, it’s increasingly clear that the rule of law is only so powerful against forces hell-bent on eliminating the rule of law. If we’ve learned anything over the last five years, it’s this: there will be no prosecutor on a white horse, no flawless court proceedings where a St. Peter in black robes opens or closes the pearly gates based on true and perfect knowledge of the sins of those in the dock.
Sometimes, sure, the law is able to help. But more often, the threat evades, outmaneuvers, or just runs ahead of the law in a way that leaves us needing a different kind of protection. Again and again, it falls to journalists to lay out the facts of corruption, venality, nepotism, lawlessness, and brutality practiced by the powerful.
The dangers of doing this kind of work are real, and growing. For all the prime ministers and royal soon-to-be-ex-wives and other high-profile targets that NSO clients hit, it is no surprise that Pegasus has been turned full blast on reporters and editors in order to harass, intimidate, and silence. If this antidemocratic, authoritarian nightmare can’t be safely reported upon, it won’t be understood. And if it isn’t understood, there’s no chance that it will be stopped.
Where’s your phone right now? That little device in your pocket likely operates as your personal calendar, your map and atlas, your post office, your telephone, your scratchpad, your camera—basically as your trusted confidant. Matthew Noah Smith, a professor of moral and political philosophy, wrote in 2016 that a mobile phone “is an extension of the mind There is simply no principled distinction between the processes occurring in the meaty glob in your cranium and the processes occurring in the little silicon, metal, and glass block that is your iPhone. The solid-state drive storing photos in the phone are your memories in the same way that certain groups of neurons storing images in your brain are memories. Our minds extend beyond our heads and into our phones.”
Professor Smith was making the case back then for a zone of privacy that extended to our mobile phone. If the state has no right to access the thoughts in our head, why should it have the right to access the pieces of our thoughts that we keep in our mobile phone? We tell our cell phones almost anything these days, even things we aren’t cognizant of telling it, and use it as the conduit to offer the most intimate glimpses of ourselves. (See sexting.) If you believe your privacy is being secured by encryption, please read this book, and consider the fifty thousand people on that horror show list, who unbeknownst to them were targeted to unwillingly share every single thing that passed through their phones with people who only had to pay for the privilege.
That list of fifty thousand was just our first keyhole view of the crime scene. If they could do it for fifty thousand, doesn’t that mean they could do it for five hundred thousand? Five million? Fifty million? Where is the limit, and who is going to draw that line? Who is going to deliver us from this worldwide Orwellian nightmare? Because it turns out you don’t have to be married to the emir of anything to find your every thought, every footstep, every word recorded and tracked from afar. Turns out you just need to have a phone, and a powerful enemy somewhere. Who among us is exempt from those conditions?
Where did you say your phone is right now?
Excerpted from Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy by Laurent Richard and Sandrine Rigaud. Copyright © 2023. Available from Henry Holt and Company, an imprint of Macmillan, Inc.