INTRODUCTION
Rachel Maddow
The call appeared urgent, in that it was coming at close to midnight Tel Aviv time, August 5, 2020, from somebody in senior management at the NSO Group. Cherie Blair, former First Lady of the United Kingdom, longtime barrister, noted advocate for women entrepreneurs in Africa, South Asia, and the Middle East, a prominent voice for human rights worldwide, was obliged to pick up the phone. Mrs. Blair had recently signed on as a paid consultant to the Israeli firm NSO to help “incorporate human rights considerations into NSO activities, including interactions with customers and deployment of NSO products.”
This was a delicate high-wire act, ethically speaking, because NSO’s signature product, cybersurveillance software called Pegasus, was a remarkable and remarkably unregulated tool—extraordinarily lucrative to the company (NSO grossed around $250 million that year) and dangerously seductive to its clients. Successfully deployed, Pegasus essentially owns a mobile phone; it can break down defenses built into a cell phone, including encryption, and gain something close to free rein on the device, without ever tipping off the owner to its presence. That includes all text and voice communications to and from the phone, location data, photos and videos, notes, browsing history, even turning on the camera and the microphone of the device while the user has no idea it’s happening. Complete remote personal surveillance, at the push of a button.
NSO insists its software and support services are licensed to sovereign states only, to be used for law enforcement and intelligence purposes. They insist that’s true, because—my God—imagine if it weren’t.
The cybersurveillance system the company created and continually updates and upgrades for its sixty-plus clients in more than forty different countries has made the world a much safer place, says NSO. Tens of thousands of lives have been saved, they say, because terrorists, criminals, and pedophiles (pedophiles is a big company talking point the last few years) can be spied on and stopped before they act. The numbers are impossible to verify, but the way NSO describes it, the upsides of Pegasus, used within legal and ethical boundaries, are pretty much inarguable. Who doesn’t want to stop pedophiles? Or terrorists? Who could be against it?
“Mission Control, we have a problem,” was the message Cherie Blair got from the call that warm summer evening in August 2020.
“It had come to the attention of NSO that their software may have been misused to monitor the mobile phone of Baroness Shackleton and her client, Her Royal Highness Princess Haya,” Blair explained in a London court proceeding some months later. “The NSO Senior Manager told me that NSO were very concerned about this.”
NSO’s concern appeared to be twofold, according to the evidence elicited in that London court. The first was a question of profile. Pegasus had been deployed against a woman who was a member of two powerful Middle Eastern royal families, as well as her very well-connected British attorney, Baroness Fiona Shackleton. Shackleton was not only a renowned divorce lawyer to the rich and famous—including Paul McCartney, Madonna, Prince Andrew, and Prince Charles—she was also herself a member of the House of Lords. Even more problematic for NSO, it was an outside cybersecurity researcher who had discovered the attacks on the baroness and the princess. If he’d figured out this one piece of how Pegasus was being used, what else had he figured out? And how much of this was about to become public knowledge?
The caller from NSO asked Cherie Blair “to contact Baroness Shackleton urgently so that she could notify Princess Haya,” she explained in testimony. “The NSO Senior Manager told me that they had taken steps to ensure that the phones could not be accessed again.”
The details of the late-night call to Blair and the spying on the princess and her lawyer didn’t really shake out into public view until more than a year later, and only then because it was part of the child custody proceedings between Princess Haya and her husband, Sheikh Mohammed bin Rashid Al Maktoum, prime minister of the United Arab Emirates and the emir of Dubai. The finding by the president of the High Court of Justice Family Division, released to the public in October 2021, held that the mobile phones of the princess, her lawyer, the baroness, and four other people in their intimate circle were attacked with cybersurveillance software, and that “the software used was NSO’s Pegasus.” The judge determined it was more than probable that the surveillance “was carried out by servants or agents of [the princess’s husband, Sheikh Mohammed bin Rashid Al Maktoum], the Emirate of Dubai, or the UAE.” The surveillance, according to the judge, “occurred with [the Sheikh’s] express or implied authority.”
The story of the princess, the baroness, and Pegasus might have faded into gossip columns and then into oblivion after a few weeks. A rich and powerful man used a pricey bit of software to spy on his wife and her divorce lawyer? Well, if you marry a sheikh and then cross him, you damn well might expect things to get weird. NSO also did a fairly nice job of cleanup on Aisle Spyware. The court finding pretty much accepted the word of NSO that it had terminated the UAE’s ability to use its Pegasus system altogether, at a cost to the company, the judge noted, “measured in tens of millions of dollars.” And maybe they did, but who can say.
A FUNNY THING happened on the way to that divorce court gossip column item, though. Because right around the time Cherie Blair got that call from Israel, a very brave source offered two journalists from Paris and two cybersecurity researchers from Berlin access to a remarkable piece of leaked data. The list included the phone numbers of not one or two or ten Emirati soon-to-be divorcees, or even twenty or fifty suspected pedophiles or drug traffickers. It was fifty thousand mobile phone numbers, all selected for possible Pegasus targeting by clients of that firm in Israel, NSO. Fifty thousand?
What exactly to make of that initial leaked list—that crucial first peek into the abyss—is a question that took nearly a year to answer, with a lot of risk and a lot of serious legwork to get there. The answer to the question matters. Because either this is a scandal we understand and get ahold of and come up with solutions for, or this is the future, for all of us, with no holds barred.
THIS BOOK IS the behind-the-scenes story of the Pegasus Project, the investigation into the meaning of the leaked data, as told by Laurent Richard and Sandrine Rigaud of Forbidden Stories, the two journalists who got access to the list of fifty thousand phones. With the list in hand, they gathered and coordinated an international collaboration of more than eighty investigative journalists from seventeen media organizations across four continents, eleven time zones, and about eight separate languages. “They held this thing together miraculously,” says an editor from the Guardian, one of the partners in the Pegasus Project. “We’ve got, like, maybe six hundred journalists. The Washington Post is maybe twice the size. And to think that a small nonprofit in Paris, with just a handful of people working for it, managed to convene a global alliance of media organizations and take on not just one of the most powerful cybersurveillance companies in the world but some of the most repressive and authoritarian governments in the world, that is impressive.”
In the daily back-and-forth of American news and politics—my wheelhouse—it is rare indeed to come across a news story that is both a thriller and of real catastrophic importance. Regular civilians being targeted with military-grade surveillance weapons—against their will, against their knowledge, and with no recourse—is a dystopian future we really are careening toward if we don’t understand this threat and move to stop it. The Pegasus Project saga not only shows us how to stop it; it’s an edge-of-your-seat procedural about the heroes who found this dragon and then set out to slay it. I have never covered a story quite like this, but Laurent and Sandrine sure have, and it is freaking compelling stuff.
The engine of the narrative you’re about to read is the risky investigation itself, from the minute these guys first got access to that leaked list in the last half of 2020 to publication in July 2021. But herein also is the story of the company NSO, its Israeli government benefactors, and its client states, which takes the reader from Tel Aviv to Mexico City to Milan, Istanbul, Baku, Riyadh, Rabat, and beyond. The company’s ten-year rise—from its unlikely inception, to its early fights with competitors, to its golden era of reach and profitability—reveals the full history of the development, the weaponization, and the mindless spread of a dangerous and insidious technology. “If you’re selling weapons, you better make sure you’re selling those to someone who is accountable for their actions,” one young Israeli cybersecurity expert says. “If you’re giving a police officer a gun and if that police officer starts shooting innocent people, you are not to be blamed. But if you’re giving a chimpanzee a gun and the chimpanzee shoots someone, you can’t blame the chimpanzee. Right? You will be to blame.” Turns out this story has armed chimpanzees up the wazoo. And a lot of innocent people shot at by the proverbial police, too.
Here also is the story of the other individuals besides Laurent and Sandrine who were entrusted with full access to the leaked data, Claudio Guarnieri and Donncha Ó Cearbhaill (pronounced O’Carroll), two young, incorrigible, irrepressible cybersecurity specialists at Amnesty International’s Security Lab. These men—one barely in his thirties, the other still in his twenties—shouldered incredible weight throughout the Pegasus Project. Against the most aggressive and accomplished cyberintrusion specialists in the world, Claudio and Donncha were charged with designing and enforcing the security protocols that kept the investigation under wraps for almost a full year and kept the source that provided the list out of harm’s way for good.
More than that, it was up to Claudio and Donncha to find the evidence of NSO’s spyware on phones that were on the list leaked to them by that brave source. The insidious power of a Pegasus infection was that it was completely invisible to the victim—you’d have no way to know the baddies were reading your texts and emails and listening in on your calls and even your in-person meetings until they used their ability to track your exact location to send the men with guns to meet you. For the Pegasus Project to succeed in exposing the scale of the scandal, the journalists knew they would need to be able to diagnose an infection or an attempted infection on an individual phone. Claudio and Donncha figured out how to do it. Working quite literally alone, these two took on a multibillion-dollar corporation that employed 550 well-paid cyberspecialists, many with the highest levels of military cyberwarfare training. To best that Goliath, these two Davids had to fashion their own slingshot, had to invent the methods and tools of their forensics on the fly. That they succeeded is as improbable as it is important, for all our sakes.
Here also is the story of the victims of Pegasus. Among them are those who hold enough power that you might expect they’d be protected from this kind of totalist intrusion—heads of state, high-ranking royals, senior politicians, law enforcement figures. And then there’s the people whom governments the world over have always liked to put in the crosshairs: opposition figures, dissidents, human rights activists, academics. Laurent and Sandrine rack focus tight on the group most represented in the leaked data, of course: journalists.
For me, the most unforgettable characters in this story are Khadija Ismayilova, from Azerbaijan, and Omar Radi, of Morocco. Their uncommon courage proves both admirable and costly. Their stories lay bare the awful personal consequences of challenging governments in an age of unregulated cybersurveillance, and the need for more people like them.
As antidemocratic and authoritarian winds gather force all over the world, it’s increasingly clear that the rule of law is only so powerful against forces hell-bent on eliminating the rule of law. If we’ve learned anything over the last five years, it’s this: there will be no prosecutor on a white horse, no flawless court proceedings where a St. Peter in black robes opens or closes the pearly gates based on true and perfect knowledge of the sins of those in the dock. Sometimes, sure, the law is able to help. But more often, the threat evades, outmaneuvers, or just runs ahead of the law in a way that leaves us needing a different kind of protection. Again and again, it falls to journalists to lay out the facts of corruption, venality, nepotism, lawlessness, and brutality practiced by the powerful.
The dangers of doing this kind of work are real, and growing. For all the prime ministers and royal soon-to-be-ex-wives and other high-profile targets that NSO clients hit, it is no surprise that Pegasus has been turned full blast on reporters and editors in order to harass, intimidate, and silence. If this antidemocratic, authoritarian nightmare can’t be safely reported upon, it won’t be understood. And if it isn’t understood, there’s no chance that it will be stopped.
WHERE’S YOUR PHONE right now? That little device in your pocket likely operates as your personal calendar, your map and atlas, your post office, your telephone, your scratchpad, your camera—basically as your trusted confidant. Matthew Noah Smith, a professor of moral and political philosophy, wrote in 2016 that a mobile phone “is an extension of the mind.… There is simply no principled distinction between the processes occurring in the meaty glob in your cranium and the processes occurring in the little silicon, metal, and glass block that is your iPhone. The solid-state drive storing photos in the phone are your memories in the same way that certain groups of neurons storing images in your brain are memories. Our minds extend beyond our heads and into our phones.”
Professor Smith was making the case back then for a zone of privacy that extended to our mobile phone. If the state has no right to access the thoughts in our head, why should it have the right to access the pieces of our thoughts that we keep in our mobile phone? We tell our cell phones almost anything these days, even things we aren’t cognizant of telling it, and use it as the conduit to offer the most intimate glimpses of ourselves. (See sexting.) If you believe your privacy is being secured by encryption, please read this book, and consider the fifty thousand people on that horror show list, who unbeknownst to them were targeted to unwillingly share every single thing that passed through their phones with people who only had to pay for the privilege.
That list of fifty thousand was just our first keyhole view of the crime scene. If they could do it for fifty thousand, doesn’t that mean they could do it for five hundred thousand? Five million? Fifty million? Where is the limit, and who is going to draw that line? Who is going to deliver us from this worldwide Orwellian nightmare? Because it turns out you don’t have to be married to the emir of anything to find your every thought, every footstep, every word recorded and tracked from afar. Turns out you just need to have a phone, and a powerful enemy somewhere. Who among us is exempt from those conditions?
Where did you say your phone is right now?
CHAPTER ONE THE LIST
Laurent
Sandrine and I had been drawn to Berlin by the kind of opportunity you get maybe once in a lifetime in journalism—a shot to break a story that could have serious implications around the world. It felt kind of fitting that our taxi from the airport to the city center skirted within a few kilometers of the Stasi Museum, a complex that once housed the apparatus of the East German secret police, “The Sword and Shield of the State.” This investigation, if we decided to undertake it, would have to contend with swords and shields wielded by a dozen or more very defensive state actors and by a billion-dollar private technology corporation operating under the protection of its own very powerful national government.
The taxi ride was the last leg of a trip that seemed to portend a rise of obstacles. The limitations put in place during the latest wave of Covid-19 had laid waste to familiar routines. The simple two-hour trip from Paris to Berlin had taken triple that, and included a connection through the food desert of an airport in Frankfurt, and the indignity of German soldiers shoving cotton swabs up our nasal cavities before we were allowed to exit the airport in Berlin.
By the time Sandrine and I stumbled into our sleekly modern and well-lighted little rented flat above Danziger Strasse, we were both so knackered that dark-of-the-night questions were already preying on us. Was this really the best time to dive into another difficult and all-consuming investigation? Our nine-person team at Forbidden Stories was deep into its third major project in just three years; the current investigation, the Cartel Project, was already shaping up as the most dangerous we had done to date. And we still had a lot of work to do to be ready for publication. We were developing leads on the most murderous drug gangs in Veracruz and Sinaloa and Guerrero, on the chemicals needed to produce the supercharged opioid fentanyl, which were being trafficked into the country from Asia, and on the lucrative gun trade filling the cartels’ private armories (as well as the bank accounts of gun manufacturers and private gunrunners in Europe, Israel, and the United States).
We were essentially picking up reporting threads left unfinished by a handful of brave Mexican journalists who had been killed, most likely by assassins from the local drug cartels whose violent and criminal activities the reporters had been investigating. Outside of active war zones, Mexico was and remains to this day the most dangerous place in the world to be a journalist committed to telling the truth about bad guys. More than 120 journalists and media staffers had been killed in Mexico in the first two decades of the twenty-first century. Another score or so had simply disappeared without a trace.
This meant the Cartel Project tied seamlessly to the mission of Forbidden Stories: we aim to put bad actors and repugnant governments on notice that killing the messenger will not kill the message. Which means collaboration is an indispensable tool. There is strength and safety in numbers. The more journalists who are working the story, the more certain it is to see print. We had begun inviting into the Cartel Project reporters from our trusted media partners, including Le Monde in Paris, the Guardian in London, and Die Zeit and Süddeutsche Zeitung in Germany. The team would eventually grow to more than sixty reporters from twenty-five different media outlets in eighteen countries. But the beating heart of the project, already, was Jorge Carrasco, who was the director of the most intrepid investigative publication in Mexico, the weekly magazine Proceso. A stubborn and celebrated reporter himself, Jorge was also a colleague, and an exact contemporary of the woman who was emerging as a figure at the center of our investigation, Regina Martínez.
Copyright © 2023 by Laurent Richard and Sandrine Rigaud
