The reports from the Guardian, in the Washington Post, and 15 other media organizations are based on a leak of tens of thousands of phone numbers that appear to have been targeted by Pegasus. While the devices associated with the numbers on the list weren’t necessarily infected with spyware, outlets were able to use the data to establish that journalists and activists in several countries were targeted –and in some cases hacked well.
The leaks indicate the scope of what journalists and cybersecurity experts have been saying for years: that while the NSO Group claims that its spyware is intended to target criminals and terrorists, its actual applications are much broader. (The company issued a statement in response to the investigation, denying that their data was leaked, and that any of the resulting reports were true.)
My colleague Patrick Howell O’Neill has for some time been reporting claims against the NSO Group, which “has been linked to cases including the assassination of Saudi journalist Jamal Khashoggi, the target of scientists and activists pushing for political reform in Mexico, and Spanish government surveillance of Catalan separatist politicians, “he wrote in August 2020. In the past, the ONS has denied these allegations, but has also argued more broadly that it cannot be held responsible. if governments abuse the technology that sells them.
The company’s central argument, we wrote at the time, is one “that is common among weapon manufacturers”. To say, “The company is the creator of a technology that governments use, but it doesn’t attack anyone itself, so it can’t be held responsible.”