Back in April 2021 I wrote an article for this newsletter about the Sunburst cyberattack, referencing a blog from Microsoft President Brad Smith in which he warned that mercenary-style technology companies, known as private sector offensive actors (PSOAs), are increasingly selling hacking tools to nation states. He specifically urged the US administration to take action on the legal dispute between WhatsApp and an Israeli-based PSOA called the NSO Group (NSO). Three months later his warnings were given extra credence by a significant data leak which uncovered the true extent of the (mis)use of one of the spyware tools sold by NSO, called Pegasus.
What is Pegasus?
Pegasus is the name of a piece of spyware produced by NSO. It is designed to infect targeted smartphones and allows the operator of the spyware to monitor essentially all activity on the phone. This includes, but is not limited to:
- emails sent or received on the device
- WhatsApp messages
- GPS coordinates
- activation of microphone and camera
- access to phone contacts and calendar
- recording of phone calls
The software is injected into the targeted phones as a trojan horse (it is named Pegasus after the mythical winged horse) through “zero-click” exploits, which take advantage of app vulnerabilities and require no action by the phone’s owner, and also via more traditional phishing methods.
What was uncovered by the leak?
Amnesty International and a Paris-based nonprofit media organisation called Forbidden Stories initially acquired a leaked list of over 50,000 phone numbers which are believed to have been selected by government clients of NSO as belonging to people of interest. The list also includes the dates and times at which these phone numbers were entered into a system called HLR (Home Location Register) Lookup, operated via the Pegasus client interface, which maintains records on the networks of phone users and their general locations. According to telecoms experts, HLR data is sometimes used in the early stages of surveillance.
An investigation of the leaked data by over 80 journalists, including forensic analysis by Amnesty’s Security Lab, dubbed the “Pegasus project”, revealed that the list contained several numbers belonging to phones which had been infected with the Pegasus spyware. It also found a tight correlation between the time of initial Pegasus activity on a phone and the time and date of the HLR Lookup of the associated number. These findings indicate that the numbers on the list were potential targets of NSO clients, although it cannot be determined how many of the phones were actually infected. Indeed, some of the numbers were landlines and therefore could not have been infected with spyware.
Further analysis revealed that individuals across 45 countries were targeted by at least 10 governments which were clients of NSO, some with questionable human rights records. Amongst the alleged targets of Pegasus were:
- human rights lawyers, including Rodney Dixon and Joseph Breham
- 180 journalists, including Roula Khalaf, the editor of the Financial Times
- French President Emmanuel Macron
- associates of murdered journalist Jamal Khashoggi, including lawyers who are bringing a lawsuit against NSO
- advisors of the Dalai Lama
What are the implications of the leak?
NSO has always maintained that its software is only sold to “vetted government customers” and used for purposes of law enforcement. But the revelations indicate that Pegasus is widely used by authoritarian regimes to spy on their detractors, notably journalists investigating human rights abuses. Furthermore, it appears to be used by governments to monitor foreign powers and heads of state.
NSO has questioned the veracity of the leaked list, claiming that: “The list is not a list of Pegasus targets or potential targets.” It has also published a Transparency and Responsibility Report, in which it argues that it has “rejected over US $300 million in sales opportunities as a result of its human rights review processes” and even consults Cherie Blair QC to assist with its human rights policies. Nevertheless, the Israeli government, whose Ministry of Defence licences the export of Pegasus software, has inspected NSO’s offices in the wake of the revelations.
Legal action is being taken by alleged targets against NSO and, conversely, by NSO clients against Amnesty. Meanwhile, Amnesty is calling on the Israeli government to revoke existing export licences to NSO Group. Whatever the outcome of the Pegasus scandal, it provides a wake-up call for PSOAs. Software companies engaged in the production of tools with cyberattack capabilities will need to be increasingly careful in assessing the profile of their clients.
How should lawyers advise clients in the wake of Pegasus?
Bindmans, which is considering “litigation on behalf of a senior MP and a senior human rights lawyer” amongst others, has identified the following legal issues as potentially pertinent:
- data protection, including GDPR
- tort of misuse of private information
- human rights law
- criminal law
- Investigatory Powers Act 2016
In terms of UK criminal law, Section 37 of the Police and Justice Act 2006 prohibits “Making, supplying or obtaining articles for use in computer misuse offences”, and this includes “any program or data held in electronic form”. It would therefore seem likely that a UK company making software similar to Pegasus would be breaking the law – unless it could prove the spyware was only being used legitimately (e.g. for approved law enforcement purposes). Heed must also be paid to relevant provisions under the Serious Crime Act 2015 as well as export control rules.
Whether lawyers are advising targets of spyware, or the companies which produce or sell software with potential cyberattack capabilities, the same legal issues will be relevant.
Lawyers should also ensure that they routinely advise their clients on cybersecurity matters in general. And lawyers, particularly those involved in human rights, should make sure they have their own cybersecurity measures in place to protect themselves.