A COLLABORATIVE investigation into a data leak of software sold by the Israeli surveillance company NSO Group has led to some hair-raising revelations. The company has sold Pegasus, malware that is used to conduct cyber surveillance, to authoritarian governments who want to spy on journalists, activists, politicians and government officials.
The software can infiltrate iPhones and Androids, enabling the operator to record calls, retrieve photos, messages, and emails without the knowledge of the phone user. Though the company claims it only sells its software to those who want to use it against terrorists and criminals, a massive data leak from its records shows its clients may have used it against targets who fall into neither of those categories. The leak contains the phone numbers of 50,000 individuals, and a forensic analysis of some devices has shown traces of the Pegasus malware.
At least 10 governments are believed to be NSO clients, including Saudi Arabia, India and the UAE. The phone numbers in the leak span 45 countries — including Pakistan, where a number once used by Prime Minister Imran Khan was targeted for potential surveillance. The government is now investigating whether Mr Khan’s device was in fact infiltrated.
Spyware like Pegasus facilitates human rights violations, especially when in the hands of authoritarian regimes. A government or intelligence agency can use the software to spy on dissidents and critics — a dangerous and worrying reality in countries where privacy and human rights are routinely flouted. It can also be used by hostile countries to spy on rivals in a new era of cyberespionage. The fact that the list of phone numbers in the data leak is linked to individuals who evidently do not have criminal or terror links speaks volumes for how this spyware is being abused. It is also a test for phone manufacturers and app developers to come up with improved protection. Although it is virtually impossible for any device to be totally bug-free or hacker-proof, both iOS and Android developers should invest in research to improve security.
It is important that the international community come together to regulate the use of such tools and curb the violation of human rights. Governments must pressure global rights bodies to monitor countries that develop and sell this software. The export of such surveillance technology should either be stopped or heavily regulated to prevent abuse. One step towards this is the consortium itself. Much like the Panama Papers investigation, a group of journalists shed light on Pegasus’ clients and their requests. This story gives hope that countries can work together on the basis of a similar template to stop the abuse of fundamental rights when it comes to digital surveillance and cyberespionage. Until such companies can demonstrate that they can respect human rights and limit abuse of their software, their widespread sale should be restricted.
Published in Dawn, July 24th, 2021