It’s well known the the leading spyware package bought by repressive regimes, intelligence agencies, and corporate malefactors is Pegasus, which was created by the Israeli hacking company, NSO Group. Its development has allowed NSO to thrive financially and become an attractive target for major corporate interests. Apparently, companies like Blackstone Group and Verint are drawn to the revenue potential of the product, but willing to ignore the major moral conflicts that it engenders; at least until NGOs like Access Now intervene to warm them of the moral hazard.
Now, we must factor in a new and alarming element to this moral calculus. Until now, Pegasus has been used to monitor the communications of targeted individuals who are identified by its users as troublesome or threatening to various regimes. Its use has been confirmed by Citizen Lab in numerous countries, most notably in Mexico according to a multi-part investigative series published by the New York Times. But as far as we know (and the secrecy with which Pegasus is employed don’t permit us to know fully how it’s used), the product has never been instrumental in potentially harming or killing its targets. Until now.
The Washington Post reports today that Canadian-Saudi dissident, Omar Abdelaziz, provided ten hours of recorded negotiations he conducted with two Saudi agents who confirmed implicitly that government agents had hacked him cell phone and knew about projects he had devised with murdered Saudi journalist, Jamal Khashoggi. Citizen Lab further confirmed that they used Pegasus to do so. The agents pursued the same strategy with Abdelaziz as against Khashoggi. They offered him money. They offered him advancement and reunion with family. They even offered him a new passport, suggesting he travel to the Saudi embassy in Washington to pick it up (where have we heard that before?).
With Pegasus, the Saudis were able to know virtually everything Abdelaziz did: where he traveled, what he wrote, who he spoke to and e-mailed. They monitored every keystroke, saw much of what he saw, and heard everything he said. They knew where he was at every moment of the day and night. If he had agreed to go to the embassy they would have known where he was, when he would arrive: everything necessary to kidnap him or worse.
Though it’s not known whether Saudi intelligence used Pegasus to target the murdered dissident journalist, Jamal Khashoggi, Access Now’s Peter Micek wrote this to me:
I am not aware of any attempts regarding Khashoggi himself. However, I think there is evidence it was used to track his circles, and likely scooped info on him. It’s chilling and reason for the companies to be questioned.
Nor is Abdelaziz a lone target. Citizen Lab’s research has pinpointed numerous countries which the Saudis have targeted. There may be dissidents and governments it is tracking not just for intelligence or information, but to do potential physical harm.
All this points not just to the danger of Pegasus as a tool in the hands of dictators and thugs, but to its potential to be a lethal tool of state-sponsored murder. Someone may object: yes, but it’s never been used that way yet. Indeed, that’s true. But that’s only because no target or victim whose communications are so compromised has yet been tricked into the trap Khashoggi fell into. Had Abdelaziz agreed to come to Washington, I have no doubt that Pegasus would have been an invaluable tool in implementing whatever plan MBS had for him. Further, given what we know about Khashoggi’s gruesome murder, Abdelaziz’s fate might not have been much different.
International regulatory agencies and governments must agree to protocols governing the use of such powerful and dangerous tools. If not, people will die. People whose lives make the world a better place. People who the wealthy and powerful would just as soon see silenced or worse.
Of course Israel, where NSO is based, could regulate Pegasus’ use. Theoretically it does. There is a defense ministry agency which regulates export of Israeli weapons and technology. It could place limits or otherwise monitor NSO’s commercial relationships. But Israel is not in the business of monitoring or restricting its export market. It is in the business of promoting and expanding it. Nor are moral or ethical considerations part of Israel’s policy calculus. Companies exporting such goods are barely monitored for bribery and other corrupt practices in foreign countries, practices which are rife.
So Israel is not the address to which anyone should look for regulating a dangerous product like Pegasus. Nor will NSO monitor uses of its own product. It lamely claims that once it sells Pegasus to a client, responsibility for how it is used rests solely on the user. That, of course, is a terrific moral dodge. Further, NSO claims it does have a corporate code in place regarding use of the spyware. They direct that it is to be used solely in legal activities for fighting crime and terrorism. Of course, one person’s human rights activist is another person’s ‘terrorist.’ Not to mention that in a country like Saudi Arabia, there is no proper concept of rule of law. So how do you say use of your product is governed by the client country’s laws, when there are virtually none?