We interviewed Philip Di Salvo, researcher at the Università della Svizzera Italiana, currently Visiting Fellow at the London School of Economics and Political Science (LSE) and author of the book “Leaks. Whistleblowing e hacking nell’età senza segreti” (“Leaks: Whistleblowing and hacking in the age without secrets,” Luiss University Press, 2019).
What does this mega-investigation tell us?
The results of the Project Pegasus investigation paint a detailed picture of how widespread the use of the Pegasus spyware is, produced by the Israeli company NSO, already known to computer security experts as one of the most active and prominent in this market.
Thanks to a leak obtained by the Parisian editorial office of Forbidden Stories and Amnesty International, whose content was then shared with The Guardian and other newspapers, the investigation revealed the existence of a list of 50,000 phone numbers potentially targeted by NSO’s clients and the Pegasus spyware. So far, information on its use against journalists, activists, lawyers and other figures active in the defense of human rights in numerous countries has been identified in the leak.
According to Forbidden Stories, there are at least 180 journalists involved. Prominent names that have emerged so far include family members of Jamal Khashoggi, the Saudi journalist killed in Istanbul in 2018, and several Hungarian journalists who have been placed under observation by the Orban government.
It is still not entirely clear whether each user included in the list was actually monitored via Pegasus as a result, but the first forensic analyses released by Amnesty International confirmed a correlation between being on the list and the actual presence of Pegasus on the smartphones concerned. Further details will be published in the coming days, according to The Guardian.
Why is this so serious?
Spyware like Pegasus actually allows remote access to the infected devices. In essence, attackers have access to the same information available to the users under surveillance: contacts, messages, phone calls. Spyware can be installed via phishing attacks—fraudulent emails or messages that invite you to click on a link that causes the software to be downloaded—but increasingly via “zero-click” tactics that bypass this step as well. In such cases, infection can occur through certain vulnerabilities in operating systems and without the victim having any opportunity to notice.
For a journalist, for instance, this is a nightmare scenario: attackers could, for example, gain access to confidential sources or materials from an investigation, thus defeating any other security strategy aimed at protecting that information. Indeed, if the attackers are already “inside” the devices, encrypting incoming and outgoing messages is essentially futile.
How large is the market in which NSO operates and how many other companies like NSO are out there?
It’s an enormous market, in which NSO is certainly a major player, but not an isolated one: it’s a piece of a bigger puzzle. This investigation sheds light on, and will continue to shed light on, who NSO’s customers are and how its services are used in different countries around the world.
In any case, several similar companies produce spyware of this kind, tools that can be likened to digital weaponry. The field of spyware is, for example, one where “made in Italy” is (unfortunately) also a mark of excellence, since there are several Italian companies active in this market. For example, in 2015, the Milan-based Hacking Team was “exposed” with a hacker attack that revealed its operations and clientele.
This is a very poorly regulated sector, which, even though there are restrictions on exports to countries that are non-democratic (or worse), often operates under the radar and without due transparency. These investigations are fundamental because they allow us to have accountability on the use of such dangerous tools and to shed light on the ramifications of the existence of this world and those who frequent it—which are apparently much wider than feared. For the purpose of gauging the level of secrecy and lack of transparency in the sector, I think it is relevant that these investigations are only made possible, for the most part, thanks to leaks of various kinds.
You have written a book on “whistleblowing”: how is it possible that there is still no equivalent term in Italian for this increasingly important practice for our democracies?
There is a term: “whistleblowing.” I believe this is one of those English words that does not need to be translated, and which could be adopted as such. It is difficult to find an equivalent in Italian that reflects the complexity of the concept.
Nonetheless, it is a fundamental practice of transparency and democracy that has recently been at the center of crucial journalistic investigations and revelations, from Snowden to the Panama Papers. It is not yet clear whether a whistleblower is also behind the Pegasus Project, or whether the leak happened in some other way, but if it’s the former, this would be a major contribution to democracy and one that should be rewarded for its courage and the public service it performs.
How is it possible to protect oneself, especially for journalists working on ultra-confidential material, and how can national legislations limit these methods—and is anything being done?
As we were discussing before, spyware can frustrate a large part of information security techniques, and its presence is often only identifiable thanks to complex forensic analysis. Unfortunately, there is no such thing as 100% security. The risk can be mitigated by keeping operating systems up to date, paying extra attention to the links and attachments that are forwarded to us, and developing careful digital hygiene. However, I fear that the producers of such software are always one step ahead of their customers’ victims. What is needed, without a doubt, is stricter regulation and control of the industry, so that these tools—which are by default surveillance tools—are not used to violate anyone’s human rights.