An Orwellian Fortress: The Pegasus Spyware

The gentle clatter of hooves made by Pegasus sounds magical in the Greek mythical world where nature bloomed under his majestic wings. However, in our contemporary society, the name of this divine winged horse carries a darker significance, unveiling a concealed dystopian society hiding in plain sight. Dubbed one of the most sophisticated cyber weapons, the Pegasus spyware is used to suppress dissent and opposing views, targeting individuals who advocate for human rights and justice or simply expose state crimes.

By Denisa Damian

Introduction

The gentle clatter of hooves made by Pegasus sounds magical in the Greek mythical world where nature bloomed under his majestic wings. However, in our contemporary society, the name of this divine winged horse carries a darker significance, entwined with an arcane tale that unveils a concealed dystopian society hiding in plain sight. Akin to Orwell’s Big Brother society, where intrusive surveillance over citizens is maintained to ensure that any form of dissent is suppressed, the Pegasus spyware is used to carry out similar actions, sometimes even deployed to take the lives of those who stand up for justice. Already present in 45 different countries across the globe [1], this spyware is dubbed one of the most sophisticated cyber weapons.

 

What is it and how does it work?

The Pegasus spyware was developed by an Israeli private high-tech company known as the NSO Group, one of the most well-known cyber enterprises in the world when it comes to the provision of surveillance technology and cyber espionage. As frequently argued by its founders, this spyware was created to help governments and their associated security apparatus in their quest to prevent and control the occurrence of serious crimes (mainly those associated with the drug trade or human trafficking) and terrorism among the civilian population [2]. However, multiple non-governmental organisations such as Citizen Lab, Amnesty International and Forbidden Stories discovered that this software has become “the new terrain of warfare against activists and civil society groups around the world” [3], targeting journalists, human rights activists, lawyers, religious figures, and political opposition leaders [4]. It is by no means the only surveillance programme that creates controversies; see, for example, Snowden’s allegations related to the National Security Agency in 2013, or FinSpy. Nonetheless, what sets this spyware apart is the fact that under the aegis of crime prevention, counterterrorism measures and the protection of civilians, Pegasus functions akin to a military-style surveillance operation that is aimed at eliminating some of the gatekeepers of justice from our society. These gatekeepers perform what is known as “sousveillance”, which refers to the ability to monitor the actions of the powerful authorities from below, effectively reversing the traditional top-down surveillance hierarchy [5]. Without these critical voices, the fabric of our society will significantly erode.

For instance, a particular concern is that the NSO Group sells the malware to countries that have a poor human rights record, such as Saudi Arabia, Mexico, India, Türkiye, El Salvador, and Qatar. Once deployed in these states, the spyware exacerbates the infringement of civilians' human rights as it is used to exert, maintain, and buttress the power of state figureheads by suppressing opposition and dissent, thus implicitly constraining civilians' ability to expose state crimes or exercise their freedom of speech.

Interestingly, Pegasus’ modus operandi came to light following the notorious press leak related to the extrajudicial killing of Jamal Khashoggi (a Saudi journalist who criticised the Saudi Prince and his government). US news outlets claimed that the man was purposefully targeted by the Saudi government, which used the spyware to track him via his phone [6]. This sparked the interest of investigative journalists, who brought to light the clandestine methods used by Pegasus to infect devices, notably by targeting phones, thus enabling the attack to target multiple people simultaneously and ensuring the success of the spyware. The aforementioned NGOs discovered that Pegasus started off as “spear-phishing” [7], where a person would receive a message with a link which, once clicked, would activate the spyware. However, it has subsequently evolved into a ‘zero-click attack’ built on ‘zero-day’ exploits [8], meaning that the victim does not have to click on anything for Pegasus to be installed on their phone. Rather, the software has progressed to such an extent that vulnerabilities present within different applications on mobile devices can be exploited to make the malware infection successful [9].

This is extremely intrusive malware: once the device is infected, the individual’s activity is constantly monitored, from prior phone interactions and any associated digital footprints to the individual’s current online activities [10]. This encompasses access to emails, messages, contacts, live keystrokes as the person types on their device, and passwords, along with access to data from all the downloaded or built-in apps on the phone [11]. For example, a missed call on WhatsApp is enough for a successful hack [12]. Additionally, it allows for the activation of the device’s microphone, camera, and GPS location at any time without any telltale signs [13]. As such, unbeknownst to the targeted individual, their device becomes an espionage device that is actively monitoring them in an unethical manner [14]. In fact, even the journalists who were targeted could not tell that their phones were infected; rather, evidence of the malware contamination was available thanks to the NGOs’ subsequent digital forensic analysis [15].

 

Crafting the narrative is key

Moreover, it is worth noting the NSO Group’s attempt to control the narrative with the aim of ensuring its spyware remained profitable. Even though the Biden administration officially banned the NSO Group, its founders keep claiming that the governments that they sell this technology to are thoroughly vetted; they believe that the ongoing resentment towards them is simply an attack from hostile countries aimed at their Israeli national identity, not at the intrusive malware itself [16]. This is further exacerbated by the rhetoric claiming they are one of the most transparent companies in the dirty world of cyber security, with a particular emphasis on their visibility and transparency as they openly talk about the spyware. What is more, there is a securitisation strategy behind their claim that, during the early stages of zero-click technology development, they were contacted by a European intelligence agency pleading for access to the spyware, as the encryption on citizens’ devices makes it difficult for intelligence officers to gather valuable data [17]. Securitisation here implies that surveillance is something inescapable, thus being an existential threat, but they are the ‘good guys’ by openly providing this spyware for people’s safety (extraordinary measures reframed as being justified, fulfilling the criteria for a successful securitisation).

There is a key vulnerability here: even though people’s rights to data control, privacy, and freedom of speech have been transgressed, it is difficult to ensure private companies’ compliance with these obligations in the current framework of international law. This is due to the focus being predominantly on states' legal responsibilities, with minimal attention given to non-state actors, such as the NSO Group [18]. The Wassenaar Agreement, a commitment by 42 signatory countries (excluding Israel) to regulate the export of dual-use technologies (referring to the ones intended for civilian purposes but capable of military application), is widely argued not to cover the Pegasus spyware, and lacks enforcement of some regulations. This is because the agreement is rigid in places and more centred around conventional dual-use goods and technologies (nuclear technology, missiles, etc.) [19]. In turn, it allows the NSO Group to operate Pegasus with fewer restrictions in place, as these are tied to each state’s national laws.

 

Conclusion

To sum up, the Pegasus spyware seems to resemble the Orwellian Thought Police: both seek to control civil society and suppress opposition. Far away from the sanctified world of the mythical horse, the spyware is a reminder that silent weapons are also dangerous, as they challenge and limit people’s privacy and freedom in an increasingly interconnected world. Thus, it further supports the security dilemma, where things developed to provide more security end up creating even more insecurity instead.

References

[1] Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert. “Hide and seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries”, Citizen Lab Report No. 113, (September 2018): pp. 1-40.

[2] Leila Katibah. "The Politics of Pegasus Spyware: Examining the Impact of Surveillance on Journalism", Bachelor’s thesis, University of California, Santa Barbara, 2023.

[3] VICE News. “The World’s Most Terrifying Spyware | Investigators”, YouTube, October 2, 2021: 03:27. Available at: https://www.youtube.com/watch?v=QX7X4Ywuotc.

[4] J. D. Rudie, Zach Katz, Sam Kuhbander, and Suman Bhunia. "Technical Analysis of the NSO group’s Pegasus Spyware." 2021 International Conference on Computational Science and Computational Intelligence (CSCI), (2021): pp. 747-752. DOI: 10.1109/CSCI54926.2021.00188

[5] Maša Galič, Tjerk Timan, and Bert-Jaap Koops. "Bentham, Deleuze and beyond: An overview of surveillance theories from the panopticon to participation." Philosophy & Technology 30, (May 2017): pp. 9-37. DOI: 10.1007/s13347-016-0219-1.

[6] Bill Marczak, Siena Anstis, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert. “Stopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator”, Citizen Lab Research Report No. 124, (January 2020): pp. 1-13.

[7] Ibid 2.

[8] Sean D. Kaster, and Prescott C. Ensign. "Privatized espionage: NSO Group Technologies and its Pegasus spyware." Thunderbird International Business Review 65, no. 3 (2023): pp. 355-364. DOI: 10.1002/tie.2232

[9] Verma Lakshyadeep. "Pegasus Spyware Software: Is It a Threat to the Right to Privacy," Indian Journal of Integrated Research in Law 3, no. 4 (July-August 2023): pp. 1-9.

[10] Mayank Agrawal, Gagan Varshney, Kaushal Pratap Singh Saumya, and Manish Verma. "Pegasus: Zero-Click spyware attack–its countermeasures and challenges." (2022).

[11] Tamar Kaldani, and Zeev Prokopets. “Pegasus Spyware and Its Impact on Human Rights”. Information Society Department, Council of Europe, (2022): pp. 1-25. Available at: https://edoc.coe.int/en/data-protection/11112-pegasus-spyware-and-its-impact-on-human-rights.html.

[12] David Pegg and Sam Cutler. “What is Pegasus spyware and how does it hack phones?”. The Guardian, 18 July 2021. Available at: https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones

[13] Laura Cristina Dieterle. "Regulating The Invisible Spy: A Case Study of the Pegasus Spyware examining Surveillance Technology Regulation." Bachelor's thesis, University of Twente, 2023.

[14] Osama Hussien, Usman Butt, and Rejwan Bin Sulaiman. "Critical Analysis and Countermeasures Tactics, Techniques and Procedures (TTPs) targeting civilians: A case study On Pegasus", 2023. https://doi.org/10.48550/arXiv.2310.00769

[15] Ibid 2.

[16] Dan M. Kotliar, and Elinor Carmi. "Keeping Pegasus on the wing: legitimizing cyber espionage." Information, Communication & Society (2023): pp. 1-31. https://doi.org/10.1080/1369118X.2023.2245873

[17] Ibid 15.

[18] Atul Alexander and Tushar Krishna. "Pegasus Project: Re-Questioning the Legality of the Cyber-Surveillance Mechanism." Laws 11, 85 (November 2022): pp. 1-17. https://doi.org/10.3390/laws11060085.

[19] Ibid 17.