Illustration shows the word Pegasus and binary code on a smartphone
Infected by a text message, phones can become portals for government controllers. Photograph: Dado Ruvić/Reuters

Pegasus by Laurent Richard and Sandrine Rigaud review – spyware hiding in plain sight


The story of how investigative journalists exposed the frightening abuse of software that can infect your phone

When asked what superpower they would wish for, quite a lot of people choose invisibility. The desire to be able to spy unnoticed on others appeals to something in our nature: a wish for knowledge without retribution.

The arrival of the mobile phone, and then the smartphone, has brought that power of invisible oversight to governments willing to pay the comparatively small cost – some millions of pounds – of licensing invasive software that will silently monitor a phone. The most popular one (that we know about) is called Pegasus, created by an Israeli company called NSO.

Pegasus originally arrived in the form of a text message from an unfamiliar number. If the recipient clicked on it, the phone would be infected. Later versions didn’t even need that interaction: the text message alone could be the agent of infection. The phone then became a portal for the government controllers: they could download any content, surreptitiously turn on the camera or microphone, listen to any call. The infection persisted until the phone was restarted – at which point the controllers would notice, and send another infecting message.

The fundamental problem with Pegasus is that of any superpower: it’s too easy, and tempting, to misuse. NSO, and especially its chief executive, have publicly insisted that sales are conditional on the software being used only to target criminals. (And never American phone numbers; NSO knows not to anger the biggest beast.) But plenty of authoritarian states, and those wobbling on the edge, see telling the truth as a criminal act – and thus target journalists and lawyers too.

NSO implies that it can’t know which individuals have been targeted. The opening of Pegasus appears to contradict that: two journalists, Laurent Richard and Sandrine Rigaud of the French investigative journalism outlet Forbidden Stories, receive a list of 50,000 phone numbers from all over the world with a mysterious series of dates and times attached. As they discover, the numbers, dates and times accord with mobile phones in multiple countries, and the time of attempted or successful infection. (The leak’s timing overlaps intriguingly with a case heard in London in 2021, during which it emerged that Pegasus was used to spy on a British lawyer, Baroness Shackleton, and her client, Princess Haya, who was seeking a divorce from Sheikh Mohammed bin Rashid al-Maktoum, the ruler of Dubai.)

The book focuses on how the duo first builds up a team that can establish who has been targeted and then coordinates media partners, including the Guardian, to reveal how widespread this abuse is. It makes for absorbing reading, in which key roles are played by an app called Truecaller, which once installed on a phone will upload your contacts’ names and numbers to create a global “identity list”, and a former hacker from the LulzSec group, which for a few wild months in 2011 made headlines around the world for, among other things, leaking the names of 73,000 X Factor US contestants. He spots the tiny residues left behind by Pegasus on infected phones.

Overall, it’s a celebration of journalism and hacking being used to unmask the bad guys. As part of their work, the team also released an app that would let people find out if they’d been infected by Pegasus. It’s a neat piece of table-turning on the surveillance society.

The one frustration is that NSO refuses to be held accountable for how its product is abused. This spites our sense of justice. Since the book was written, the US Department of Commerce has blacklisted NSO, and its CEO is leaving while NSO says it will focus on sales to Nato members. But the latter still includes countries that targeted journalists. We are not yet safe from the invisible man.


Charles Arthur is the author of Social Warming: How Social Media Polarises Us All. Pegasus: The Story of the World’s Most Dangerous Spyware by Laurent Richard and Sandrine Rigaud is published by Macmillan (£20). To support the Guardian and Observer order your copy at guardianbookshop.com. Delivery charges may apply.
