Maâti Monjib speaks slowly, like a man who knows he is being listened to.
It’s his 58th birthday when we talk, but there’s little celebration in his voice. “Surveillance is hell,” Monjib tells me. “It’s hard. It controls everything I do in my life.”
This story is part of our September 2020 issue.
A professor of history at Mohammed V University in Rabat, Morocco, Monjib remembers very well the day in 2017 when his life changed. Accused of endangering state security by the government, which he had fiercely and publicly criticized, he was sitting outside a courtroom when his iPhone suddenly lit up with a series of text messages from numbers he did not recognize. They contained links to salacious news, requests and even Black Friday shopping offers.
A month later, an article accusing him of treason appeared on a popular national news site with close ties to Morocco’s royal rulers. Monjib was used to attacks, but now it seemed that his stalkers knew everything about him: another article contained details of a pro-democracy event he intended to attend and which he had told almost no one about. One story even proclaimed that the professor “had no secrets for us.”
He had been hacked. The messages all led to websites that, according to researchers, were created as decoys to infect visitors’ devices with Pegasus, the most infamous spyware in the world.
Pegasus is a successful product of NSO Group, a secretive $1 billion Israeli surveillance company. It is sold to law enforcement and intelligence agencies around the world, which use the company’s tools to choose a human target, infect the person’s phone with the spyware and then take over the device. Once Pegasus is on your phone, it’s no longer your phone.
NSO sells Pegasus the same way arms dealers sell conventional weapons, positioning it as a major aid in the hunt for terrorists and criminals. In an era of ubiquitous technology and strong encryption, this “legal hacking” has become a powerful tool for public safety when the police want access to data. NSO insists that the vast majority of its customers are European democracies, although, since it does not publish customer lists and the countries themselves remain silent, this has never been verified.
Monjib’s case, however, is part of a long list of incidents in which Pegasus was used as a tool of oppression. It has been linked to cases such as the murder of Saudi journalist Jamal Khashoggi, attacks on scientists and activists pushing for political reform in Mexico, and surveillance by the Spanish government of Catalan separatist politicians. Mexico and Spain have denied using Pegasus to spy on their opponents, but the accusations that they did are backed by extensive technical evidence.
NSO’s fundamental argument is that it is the creator of a technology used by governments, but that, since it does not attack anyone itself, it cannot be held responsible.
Some of the evidence is contained in a lawsuit filed last October in California by WhatsApp and its parent company, Facebook, alleging that Pegasus manipulated WhatsApp’s infrastructure to infect more than 1,400 cell phones. Facebook researchers have detected more than a hundred human rights defenders, journalists and public figures among the targets, according to court documents. Each call, they allege, sent malicious code through the WhatsApp infrastructure and forced the recipient’s phone to download spyware from NSO-owned servers. This, according to WhatsApp, is a violation of American law.
NSO has long met such accusations with silence. Claiming that much of its business is an Israeli state secret, it has offered few public details about its operations, customers or safeguards.
Now, however, the company suggests that things are changing. In 2019, NSO, which was owned by a private equity firm, was sold back to its founders and another private equity firm, Novalpina, for $1 billion. The new owners have opted for a new strategy: to come out of the shadows. The company has hired elite public relations firms, developed new human rights policies and developed new self-governance documents. It has even begun to show off some of its other products, such as a covid-19 tracking system called Fleming, and Eclipse, which can hack drones considered a security threat.
For several months, I spoke to NSO’s leaders to see how the company works and what it says it is doing to prevent human rights violations committed using its tools. I have spoken to its critics, who see it as a danger to democratic values; to those who call for greater regulation of hacking; and to the Israeli regulators responsible for governing it today. Company executives discussed NSO’s future and its policies and procedures for dealing with problems, and shared documents detailing its relationships with the agencies to which Pegasus and other tools are sold. What I discovered was a successful arms dealer (inside the company, workers acknowledge that Pegasus is a genuine weapon) struggling with new levels of scrutiny that threaten the foundations of its entire industry.
From the first day Shmuel Sunray joined NSO as general counsel, he faced one international incident after another. Hired a few days after the WhatsApp lawsuit was filed, he found other legal problems waiting on his desk as soon as he arrived. They were all focused on the same fundamental accusation: NSO Group’s hacking tools are sold to rich and repressive regimes, and can be abused by them, with little or no accountability.
Sunray had plenty of experience with secrecy and controversy: his previous position was vice president of a major weapons manufacturer. Over several conversations, he was friendly as he told me that the owners had asked him to change the culture and operations of NSO, making it more transparent and seeking to prevent human rights violations. But he was clearly also frustrated by the secrecy that he said prevented him from responding to criticism.
“It’s a complicated task,” Sunray told me over the phone from the company’s headquarters in Herzliya, north of Tel Aviv. “We perceive the strength of the tool; we perceive the effect of misuse of the tool. We’re looking to do the right thing. We have genuine situations of demand with the government, intelligence agencies, confidentiality, operational requirements, operational limitations. This is not an old case of human rights violations by a company, because we do not operate the systems, we are not involved in the genuine functioning of the systems, but we perceive that there is a genuine threat of misuse on the customer’s part. We seek to find the right balance.”
This underlies NSO’s fundamental argument, which is not unusual among weapons manufacturers: the company is the creator of a technology used by governments, but it does not attack anyone itself, so it cannot be held responsible.
However, according to Sunray, several layers of protection are in place to try to ensure that the wrong people do not get access.
Like many other countries, Israel has export controls that require weapons makers to be licensed and subject to government oversight. In addition, NSO does its own due diligence, Sunray says: it reviews a country, looks at its human rights record and examines its relations with Israel. It assesses the specific agency’s record on corruption, security, finance and abuse, and takes into account how much the agency needs the tool.
Sometimes the negatives are weighed against the positives. Morocco, for example, has a worsening human rights record, but a long history of security cooperation with Israel and the West, as well as a real terrorism problem, so a sale would have been approved. By contrast, NSO said that China, Russia, Iran, Cuba, North Korea, Qatar and Turkey are among the 21 countries that will never be customers.
Finally, before a sale is made, NSO’s governance, risk and compliance committee must approve it. The company states that the committee, made up of executives and shareholders, can reject sales or add conditions, such as technological restrictions, which are decided on a case-by-case basis.
Once a sale is completed, the company says, technological guardrails prevent certain types of abuse. For example, Pegasus does not allow U.S. phone numbers to be infected, NSO says, and infected phones cannot even be physically located in the United States: if one is within U.S. borders, the Pegasus software is meant to self-destruct.
NSO says Israeli phone numbers, among others, are also protected, but who else gets protection and why remains unclear.
When an abuse report arrives, an ad hoc team of up to 10 workers is formed to investigate. They inform the customer of the allegations and request Pegasus data logs. These logs do not include the content extracted by the spyware, such as chats or emails (NSO insists that it never sees specific information), but they do include metadata, such as a list of all the phones that the spyware tried to infect and their locations at the time.
According to a recent contract I obtained, customers must “use the system only for the detection, prevention and investigation of crimes and terrorism and ensure that the system will not be used for human rights violations.” They must notify the company of any possible misuse. NSO says it has terminated three contracts in the past for violations, including abuse of Pegasus, but refuses to say which countries or agencies were involved or who the victims were.
Lack of transparency is not the only problem: the safeguards have limitations. While the Israeli government can revoke NSO’s license for violations of export law, regulators do not take responsibility for abuse by potential customers and are not involved in the company’s abuse investigations.
Many of the other procedures are also simply reactive. NSO does not have a permanent internal abuse team, unlike almost every other billion-dollar technology company, and most of its investigations are launched only when an outside source such as Amnesty International or Citizen Lab claims that there has been misuse. NSO staff interview the agencies and customers under scrutiny, but do not speak to the alleged victims. While the company disputes the technical reports submitted as evidence, it also states that state secrecy and confidentiality prevent it from sharing more information.
The Pegasus logs, which are essential to any abuse investigation, also raise many questions. NSO Group’s customers are hackers who work for spy agencies; how hard would it be for them to falsify the logs? In a statement, the company insisted that this is not possible, but refused to provide details.
If the logs are not disputed, NSO and its customers will together determine whether the targets are legitimate, whether genuine crimes have been committed, and whether surveillance was carried out under due process or autocratic regimes have spied on opponents.
Sunray, visibly exasperated, says he feels that the secrecy is forcing him to work with his hands tied behind his back.
“It’s frustrating,” he told me. “We are not naive. There’s been abuse. There will be abuse. We sell to a lot of governments. Even the United States government, no government is perfect. Misuse can occur and desires must be addressed.”
But Sunray also falls back on the company’s standard response, the argument behind its defense in the WhatsApp lawsuit: NSO is a manufacturer, but it is not the operator of the spyware. We built it, but they did the hacking, and they’re sovereign nations.
This is not enough for many critics. “No company that thinks it can be the independent watchdog of its own products convinces me,” says Marietje Schaake, a Dutch politician and former MEP. “The concept that they have their own mechanisms when they have no challenge in promoting advertising spyware for those who need to buy it, knowing that they are being used against human rights defenders and journalists, I think shows the lack of duty of this company more than anything.”
So why the internal push for greater transparency now? Because the flood of technical reports from human rights groups, the WhatsApp lawsuit and growing government scrutiny threaten NSO’s status quo. And if there’s going to be a new debate about how the industry is regulated, it’s advantageous to have a strong voice.
Legal hacking and cyberespionage have grown significantly as a business over the past decade, with no signs of slowing. NSO Group’s previous owners bought the company in 2014 for $130 million, less than one-seventh of the valuation for which it sold last year. The rest of the industry is also expanding, profiting from the spread of communication technologies and growing global instability. “There is no doubt that each and every state has the right to buy this technology to fight crime and terrorism,” said Amnesty International Deputy Director Danna Ingleton. “States have the legal and legitimate capacity to use these tools. But this needs to be accompanied by a regulatory system that prevents abuses and provides a mechanism for liability for abuses.” Shining a light on the hacking industry, she argues, will lead to greater regulation and greater accountability.
Earlier this year, Amnesty International appeared in an Israeli court, arguing that the Ministry of Defense should revoke NSO’s license because of abuse of Pegasus. But when the case began, Amnesty officials and 29 other petitioners were asked to leave the courtroom: a gag order had been placed on the proceedings at the ministry’s request. Then, in July, a judge dismissed the case altogether.
“I do not understand by precept and law that NSO can claim a total lack of obligation for how its equipment is used,” says Agnès Callamard, UN special rapporteur. “That’s not how it works under international law.”
Callamard advises the UN on extrajudicial executions and has been speaking out about NSO Group and the spyware industry since it became known that Pegasus was being used to spy on Khashoggi’s friends and associates some time before his assassination. For her, the issue has life-or-death consequences.
If NSO loses the WhatsApp case, says a lawyer, it calls into question all companies that make a living by finding software flaws and exploiting them.
“We don’t ask for anything radically new,” Callamard says. “We are saying that what is in position right now is not enough and that governments or regulatory agencies will have to temporarily move to another level. The industry is expanding and growing on the basis of an appropriate framework to regulate abuse. This is vital for world peace.”
A moratorium on sales has been called for until stricter regulations are adopted, but it is not clear what this legal framework would look like. Unlike conventional weapons, which are subject to various international laws, cyber weapons are not currently regulated by any global arms control agreement. And while nonproliferation treaties have been suggested, there is little clarity on how they would measure existing capabilities, how monitoring or enforcement would work, or how the rules would keep up with the rapid evolution of technology. Instead, most controls today take place at the national legal level.
In the United States, the FBI and Congress are investigating the possible hacking of U.S. targets, while an investigation by Sen. Ron Wyden’s office seeks to determine whether Americans are involved in exporting surveillance technology to authoritarian governments. A recent U.S. intelligence bill would require a government report on surveillance technology and commercial spyware.
The WhatsApp lawsuit, meanwhile, goes to the heart of NSO’s business. The Silicon Valley giant argues that by targeting California residents, namely WhatsApp and Facebook, NSO has given the San Francisco court jurisdiction, and that the ruling in the case could bar the Israeli company from attempting to misuse WhatsApp’s and Facebook’s networks in the future. This opens the door to many possibilities: Apple, whose iPhone is NSO’s number one target, could well mount a similar legal attack. Google has also detected NSO targeting Android devices.
And monetary damages are not the only sword hanging over NSO’s head. Such lawsuits also bring the threat of courtroom discovery, which could make public the details of NSO’s business deals and customers.
“Much depends on exactly how the court rules and how it characterizes the violation NSO is alleged to have committed here,” says Alan Rozenshtein, a former Justice Department attorney now at the University of Minnesota School of Law. “At a minimum, if NSO loses this case, it calls into question all companies that make their products or make a living by locating loopholes in messaging software and offering services that exploit vulnerabilities. This will create enough legal uncertainty for me to believe that these potential clients would think twice before hiring them. You do not know if the business will continue to operate, whether it will be sued, if your secrets will be revealed.” NSO declined to comment on the alleged WhatsApp hacking, as it is still an active case.
In Morocco, Monjib was the subject of at least four more hacking attacks in 2019, each more complex than the previous one. At one point, his phone’s browser was invisibly redirected to a suspicious domain that researchers suspect was used to silently install malware. Instead of something like a text message that can raise the alarm and leave a visible trail, this was a much quieter network injection attack, a tactic prized because it is almost imperceptible except to expert investigators.
On 13 September 2019, Monjib had lunch at his home with his friend Omar Radi, a Moroccan journalist who is one of the regime’s fiercest critics. That same day, an investigation later revealed, Radi suffered the same kind of network injection attacks that had hit Monjib. The hacking campaign against Radi lasted at least until January 2020, Amnesty International researchers said. Since then, he has been harassed by the police.
At least seven other Moroccans have received warnings from WhatsApp about Pegasus being used to spy on their phones, including human rights activists, journalists and politicians. Are these the kinds of legitimate espionage targets (terrorists and criminals) set out in the contract signed by Morocco and all NSO customers?
In December, Monjib and the other victims sent a letter to the Moroccan data protection authority requesting an investigation and action. Nothing came of it officially, but one of the men, pro-democracy economist Fouad Abdelmoumni, said his high-level friends at the authority had told him the letter was useless and suggested that he drop the matter. Meanwhile, the Moroccan government responded by threatening to expel Amnesty International from the country.
What is happening in Morocco is emblematic of what is happening around the world. While it is clear that democracies are the main beneficiaries of legal hacking, a long and growing list of public, technical, detailed and credible research shows that Pegasus is being misused by authoritarian regimes with a long history of human rights violations.