Governments Should Urgently Halt Trade in Surveillance Technology
Human Rights Watch – (New York) – The targeting of a Human Rights Watch staff member with Pegasus spyware underscores the urgent need to regulate the global trade in surveillance technology, Human Rights Watch said today. Governments should ban the sale, export, transfer, and use of surveillance technology until human rights safeguards are in place.
Lama Fakih, Crisis and Conflict director and head of the Beirut office at Human Rights Watch, was targeted with Pegasus spyware five times between April and August 2021. Pegasus is developed and sold by the Israel-based company NSO Group. The software is surreptitiously introduced on people’s mobile phones. Once Pegasus is on the device, the client is able to turn it into a powerful surveillance tool by gaining complete access to its camera, calls, media, microphone, email, text messages, and other functions, enabling surveillance of the person targeted and their contacts.
Lama Fakih, Who Lives in Lebanon and Oversees Work on Conflict, Targeted by Government Attack
“Governments are using NSO Group’s spyware to monitor and silence human rights defenders, journalists, and others who expose abuse,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “That it has been allowed to operate with impunity in the face of overwhelming evidence of abuse, not only undermines efforts by journalists and human rights groups to hold powerful actors to account, but also puts the people they are trying to protect in grave danger.”
Fakih, a dual US-Lebanese citizen, oversees crisis response from countries as far ranging as Syria, Myanmar, Israel/Palestine, Greece, Kazakhstan, Ethiopia, Lebanon, Afghanistan, and the United States. This includes documenting and exposing human rights abuses and serious international crimes during armed conflicts, humanitarian disasters, and severe social or political unrest. This work may have attracted the attention of various governments, including some that are suspected NSO clients, Human Rights Watch said.
“It is no accident that governments are using spyware to target activists and journalists, the very people who uncover their abusive practices,” Fakih said. “They seem to believe that by doing so, they can consolidate power, muzzle dissent, and protect their manipulation of facts.”
On November 24, 2021, Apple notified Fakih via email, iMessage, and an alert on the AppleID login screen that state-sponsored attackers may be targeting her personal iPhone. The Human Rights Watch information security team established that Fakih’s current and former iPhones had been infected with Pegasus after they performed forensic analysis on the devices. Amnesty International’s Security Lab peer reviewed the analysis and confirmed the findings.
Fakih’s phones were infected with a “zero-click” exploit, meaning that her devices were compromised without the need for any action by Fakih such as clicking on a link. This is an advanced and sophisticated attack technique that is effective at compromising devices, while also being very difficult for the target to detect or prevent.
The targeting of Human Rights Watch with Pegasus adds to the ever-growing list of human rights activists, journalists, politicians, diplomats, and others whose devices have been compromised by the spyware in violation of their rights. In July 2021, a consortium coordinated by Forbidden Stories, a Paris-based media nonprofit, with the technical support of Amnesty International, exposed that Pegasus software had been used to infect the devices of dozens of activists, journalists, and opposition figures in multiple countries. The consortium identified potential NSO clients in Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).
Over the past three months alone, investigations have revealed that Pegasus spyware was used to infect the devices of six Palestinian human rights activists, four Kazakh civil society activists, eleven US Embassy officials in Uganda, two Polish opposition figures, a member of an independent UN human rights investigation team for Yemen, a human rights activist in Bahrain, a human rights activist in Jordan, and thirty-five journalists and members of civil society in El Salvador, among others.
In response to evidence that Pegasus has been used to target human rights defenders, journalists, and dissidents, NSO Group has said repeatedly that its technology is licensed for the sole use of providing governments and law enforcement agencies the ability to lawfully fight terrorism and crime, and that it does not operate the spyware it sells to government clients.
NSO Group responded to Human Rights Watch’s request for comment saying that it is “not aware of any active customer using [its] technology against a Human Rights Watch staff member” and that it would open an initial assessment into our allegation to determine if an investigation is warranted. The company said it takes “any allegation of the misuse of [its] system against a human rights defender most seriously,” and that such misuse would violate its policies and the terms of its contracts with customers. It referred us to its Whistleblower Policy and Transparency Report, which outline how it responds to such allegations.
Recent actions by governments and others against surveillance firms are positive steps, but coordinated and more ambitious government regulation is needed to rein in the burgeoning surveillance technology industry that includes NSO Group and others, Human Rights Watch said. Governments should implement a moratorium on the sale, export, transfer, and use of surveillance technology until human rights safeguards are in place.
“Governments need to act on the damning evidence of rights abuses that the unbridled sale of surveillance technology unleashes around the world,” Brown said. “Human rights defenders are calling for regulation, major companies are suing, while governments’ failure to take decisive action against the spyware industry constitutes a dangerous threat to fundamental human rights.”
For technical analysis of the targeting of Fakih, details of the development of surveillance technology, and recent actions by companies and governments against spyware companies, please see below.
Recent Actions Against Spyware Companies
In recent months, companies and governments have begun to take steps against spyware companies. On July 19, 2021, on the heels of the Pegasus Project reporting, Amazon Web Services announced it had disabled cloud accounts linked to NSO Group. On November 3, the US Commerce Department announced its decision to add NSO Group and Candiru, another Israel-based company that produces spyware, to its trade restriction list (Entity List), for “acting contrary to the foreign policy and national security interests of the United States.”
The decision prohibits the export from the US to NSO Group and Candiru of any type of hardware or software without a special license from the US Commerce Department. While the decision does not legally prohibit any material support (financial or technical), it effectively blacklists the two companies in the US.
On September 9, 2021, the European Union’s updated rules for the export of surveillance technology went into effect. The regulation does not go as far as human rights groups had wanted, for instance by banning the sale of surveillance technology to abusive governments. But it requires the EU Commission to publicly report the number of export license applications for each type of surveillance technology, for each member state, and the destination of the export. It also adds human rights risks as a criterion to be considered when granting an export license. The impact of the new regulation should be maximized through expansive interpretation and rigorous application, Human Rights Watch said.
In November, Apple began notifying users whom it suspects may have been targeted by a state-sponsored spyware attack, leading to the notification that Fakih received.
On November 23, 2021, Apple filed a lawsuit against NSO Group and its parent company for the surveillance and targeting of Apple users. This follows a lawsuit by WhatsApp over allegations that NSO Group spyware was used to hack 1,400 users of the app in 2019.