trust in media
Murdered journalist Jamal Khashoggi (Image: Flickr)

This week, the world has been getting rolling snapshots showing just how much governments and their agencies track and monitor citizens. It came with a look under the hood at the shadowy network of largely unregulated private companies that build the tools governments use.

It’s been the biggest exposé of government spying since the 2013 Snowden revelations and came courtesy of a global investigative journalism collaboration working off leaked data, exposing the largest government-backed hacking of phones belonging to journalists, human rights activists, political opposition — even people complaining of sexual harassment.

It demonstrated that the Pegasus hack has become the tool of choice for authoritarian governments wanting to keep an eye on inconvenient citizens. Reports are still rolling out but it’s already shaking politics from Mexico to India. Here’s what we know so far:

How does the hack work?

Named as a pun on Trojan Horse malware, Pegasus is smuggled on to phones by tricking users to click on a link in message apps like WhatsApp, SMS or Apple’s iMessage (in tech jargon known as “social engineering”) or by exploiting vulnerabilities in common apps (so-called “zero-click” attacks). Once activated, it harvests data on the phone, including end-to-end encrypted chats (WhatsApp), email, contacts, calendars and GPS location data.

Its developer, the Israeli firm NSO Group, says the product is sold only to carefully vetted governments, police and military (and only with Israeli government approval) for use against major criminals or terrorists. It is reported to have clients in 46 countries.

Sounds legit, so what’s the problem?

Pegasus has been used for more mundane personal and political purposes:

  • In Mexico, about 50 phones of people in the inner circle of now-President Andrés Manuel López Obrador were hacked by government entities before his 2018 election
  • In India, as well as the Dalai Lama and opposition leaders, the phone of a Supreme Court ex-staffer (and family) who had accused the former chief justice of sexual harassment were monitored.

At least 180 reporters, editors and executives from the Financial Times, CNN, The New York Times, The Economist, Associated Press and Reuters were hacked. In India, the list of 40 hacked journalists is like a who’s who of the country’s media stars.

In Mexico — one of the most dangerous countries for journalists — at least 25 were targeted, including Cecilio Pineda Berto, who was tracked to a car wash and murdered in 2017 after reporting on police corruption. (No evidence it was Pegasus data, says NSO. His phone is still missing.)

Why is this in the news now?

Last year the French not-for-profit organisation Forbidden Stories (which publishes stories reporters can’t publish in their home country) and Amnesty International were leaked access to a data-base of 50,000 phone numbers, said to be the numbers of persons of interest to Pegasus clients. (Not our list, says NSO. We don’t say it is, says Amnesty.)

They linked up with 17 media companies and a consortium of investigative reporters — including The Guardian, The Washington Post and India’s The Wire — who identified more than 1500 people in 10 countries connected to the numbers. (Some numbers were defunct. Others had changed phones.) They forensically examined a small cross-section of phones, finding about half had traces of Pegasus.

In 2018 The Washington Post journalist (and Saudi dissident) Jamal Khashoggi was murdered and dismembered in Turkey. This data drop confirms that Pegasus was used to track him, and at least five people associated with Khashoggi or the subsequent investigation were on the list.

In a Bond-villain twist, Saudi Crown Prince Mohammed bin Salman planted malware thought to be Pegasus on the phone of billionaire Jeff Bezos.

Australia wouldn’t be part of this, would it?

There have been no reports of Australian names on the leaked list. We don’t know (and may not be allowed to officially know) whether any Australian agencies have bought Pegasus.

In December last year the University of Toronto’s Citizen Labs named Australia as a client for a separate NSO product, Circles, which hacks the mobile phone network to monitor calls, texts, and location.

Nothing to hide, nothing to fear, right? Absolutely right, Peter Dutton, absolutely right.

Do you think, like Dutton, that we have nothing to fear? Write to letters@crikey.com.au and include your full name to be considered for publication in Crikey’s Your Say section.