The magnitude of the job we had before us was dizzying. Fifty thousand possible leads, spread across the world. At least I felt dizzied by it. The only thing to do, I knew, was to maintain composure and proceed methodically. One step at a time. The first step was not difficult to identify: we had to begin the process of assessing the list. We trusted the source, but mere trust was a shaky foundation on which to build a major investigation. We would never publish a story that relied only on the data on the list. We had to authenticate the data independent of the source, and we had to understand and interpret the meaning of that enormous list of mobile phone numbers that had been handed over to us. Did an appearance on the list represent an actual spyware infection, or a targeting, or simply a selection for targeting? And was that spyware in question NSO's Pegasus system? We would have to find out, which would take time. We had to put names to as many of the tens of thousands of phone numbers on the list as possible, and we had to convince a handful of those people to allow us to check their mobile devices for any evidence of infection with Pegasus malware.
We had one small advantage at the start, which was our work on the Cartel Project. Mexican entities-government and perhaps otherwise-were reported to have been the most active
end users of NSO spyware, and the list bore out this allegation. More than fifteen thousand of the data points represented targets selected by somebody in Mexico. One of the first things we had done on the Cartel Project was to gather a roster of every journalist who had been killed in Mexico in recent years. So we made a new subset-every Mexican journalist murdered after 2016, the earliest time stamps in the leaked list-put those names up on a board, and tasked Paloma and an intern with the job of finding the cell phone numbers each of those victims was using at the time of his or her death. Maybe some would match the new list. Maybe a few had even left behind phones we could run through a forensics analysis.
The rest of the team helped out by gathering Mexican phone books that would be useful in trying to match as many of the numbers on the list as we could. But that was only the first of many, many steps, and my job was to conceive the first step, the last step, and every one in between required to get us to final publication. It was like reckoning how to lay down, one by one, a series of flat stones that allowed us to cross a wide body of water of unknown depths and dangers, with rapids we couldn't yet see, and likely some very angry crocodiles guarding the final shore, too. Along the way we would have to maintain the absolute anonymity of our source, who could be in real danger, at risk of physical injury or even death, if unmasked.
The added tension of designing a plan for this investigation was the plain fact that the project would be the safest and most secure if we simply kept it within our family circle at Forbidden Stories and Amnesty International's Security Lab. Every outside partner we brought into the project would increase the possibility that the investigation into Pegasus would be found out.
