28 March 2023


The magnitude of the job we had before us was dizzying. Fifty thousand possible leads, spread across the world. At least I felt dizzied by it. The only thing to do, I knew, was to maintain composure and proceed methodically. One step at a time. The first step was not difficult to identify: we had to begin the process of assessing the list. We trusted the source, but mere trust was a shaky foundation on which to build a major investigation. We would never publish a story that relied only on the data on the list. We had to authenticate the data independent of the source, and we had to understand and interpret the meaning of that enormous list of mobile phone numbers that had been handed over to us. Did an appearance on the list represent an actual spyware infection, or a targeting, or simply a selection for targeting? And was that spyware in question NSO's Pegasus system? We would have to find out, which would take time. We had to put names to as many of the tens of thousands of phone numbers on the list as possible, and we had to convince a handful of those people to allow us to check their mobile devices for any evidence of infection with Pegasus malware.

We had one small advantage at the start, which was our work on the Cartel Project. Mexican entities, government and perhaps otherwise, were reported to have been the most active end users of NSO spyware, and the list bore out this allegation. More than fifteen thousand of the data points represented targets selected by somebody in Mexico. One of the first things we had done on the Cartel Project was to gather a roster of every journalist who had been killed in Mexico in recent years. So we made a new subset (every Mexican journalist murdered after 2016, the earliest time stamps in the leaked list), put those names up on a board, and tasked Paloma and an intern with the job of finding the cell phone numbers each of those victims was using at the time of his or her death. Maybe some would match the new list. Maybe a few had even left behind phones we could run through a forensics analysis.

The rest of the team helped out by gathering Mexican phone books that would be useful in trying to match as many of the numbers on the list as we could. But that was only the first of many, many steps, and my job was to conceive the first step, the last step, and every one in between required to get us to final publication. It was like reckoning how to lay down, one by one, a series of flat stones that allowed us to cross a wide body of water of unknown depths and dangers, with rapids we couldn't yet see, and likely some very angry crocodiles guarding the final shore, too. Along the way we would have to maintain the absolute anonymity of our source, who could be in real danger, at risk of physical injury or even death, if unmasked.

The added tension of designing a plan for this investigation was the plain fact that the project would be the safest and most secure if we simply kept it within our family circle at Forbidden Stories and Amnesty International's Security Lab. Every outside partner we brought into the project would increase the possibility that the investigation into Pegasus would be found out. 

Pegasus is widely regarded as the most effective and sought-after cyber-surveillance system on the market. The system’s creator, the NSO Group, a private corporation headquartered in Israel, is not shy about proclaiming its ability to thwart terrorists and criminals. “Thousands of people in Europe owe their lives to hundreds of our company employees,” NSO’s cofounder declared in 2019. This bold assertion may be true, at least in part, but it’s by no means the whole story. NSO’s Pegasus system has not been limited to catching bad guys. It’s also been used to spy on hundreds, and maybe thousands, of innocent people around the world: heads of state, diplomats, human rights defenders, political opponents, and journalists. This spyware is as insidious as it is invasive, capable of infecting a private cell phone without alerting the owner, and of doing its work in the background, in silence, virtually undetectable. Pegasus can track a person’s daily movement in real time, gain control of the device’s microphones and cameras at will, and capture all videos, photos, emails, texts, and passwords—encrypted or not. This data can be exfiltrated, stored on outside servers, and then leveraged to blackmail, intimidate, and silence the victims. Its full reach is not yet known. “If they’ve found a way to hack one iPhone,” says Edward Snowden, “they’ve found a way to hack all iPhones.” Meticulously reported and masterfully written, Pegasus shines a light on the lives that have been turned upside down by this unprecedented threat and exposes the chilling new ways authoritarian regimes are eroding key pillars of democracy: privacy, freedom of the press, and freedom of speech.