The story behind the uncovering of the Pegasus spyware scandal
The spyware industry’s impact on democracy, human rights, and privacy is well documented. One of the largest spyware companies, the NSO Group, became notorious in 2021 when it was revealed that its software, Pegasus, had been used to surveil high-profile individuals and to facilitate human rights abuses. In Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy, Laurent Richard and Sandrine Rigaud tell the story behind the story: an inside look at the journalists and human rights defenders who worked tirelessly to uncover the widespread targeting of individuals with NSO’s Pegasus spyware.
The book presents a compelling case for the dangers of unregulated and easy-to-use surveillance technology. Through detailed accounts of individuals targeted by Pegasus, Richard and Rigaud, journalists at Forbidden Stories, illustrate how these technologies can support blackmail, imprisonment, and even the murder of dissidents.
A valuable first-hand perspective
One of the book’s strengths is its portrayal of the coalition of journalists and researchers who joined forces to piece together evidence of spyware abuses. The authors offer an insightful first-hand perspective on this collaborative effort. For example, they describe the difficulty of deciding whom to trust and which technology to rely on once some members of the team themselves appeared on the leaked target list. The book also showcases the impressive efforts of Claudio Guarnieri, senior technologist at Amnesty International’s Security Lab, and his colleague Donncha Ó Cearbhaill, whose willingness to dig deep helped reveal flaws in Pegasus’s implementation: traces left on infected devices that aided both the identification of victims and the attribution of specific infections to the states operating Pegasus.
Throughout the book, readers encounter noteworthy details, already revealed through media reporting, that underline the pervasive reach of Pegasus. Mexico emerged as NSO’s most active client, selecting over fifteen thousand phone numbers for potential targeting (pp. 8, 33). Even major politicians, such as French President Emmanuel Macron, appeared among the selected numbers (p. 43). The infrastructure required to operate Pegasus was significant, including two separate rooms constantly cooled to 65°F, with an uninterruptible power supply, a fibre optic network, and four different servers (p. 80). One notable passage involves Siddharth Varadarajan, co-founder of The Wire, a prominent investigative news outlet in India. Pegasus initially failed to compromise his device, only to succeed immediately after he updated his phone (p. 137): a reminder that keeping a device patched does not protect against an attacker holding working exploits for vulnerabilities the vendor has not yet fixed.
While the authors convey the gravity of Pegasus effectively, the narrative sometimes loses focus. The inclusion of stories from past journalistic investigations, such as those involving drug cartels, can detract from the main narrative about spyware. Parallels with other forms of organised crime can be informative, but these digressions occasionally feel misplaced, pulling attention away from the core story.
Another key shortcoming of Pegasus is its oversimplification of the technical aspects of digital forensics. Despite the vital role that Amnesty International’s Security Lab played in identifying Pegasus infections, the technical process is often glossed over in favour of dramatic phrases like ‘impenetrable lines of code filling the screen’ (p. 254). The intention might be to emphasise the complexity of the work, but it inadvertently distances non-technical readers by making the work seem incomprehensible. A more detailed explanation of the forensic tools and methods would have been an effective way to illustrate the challenges of spyware detection, especially as the Security Lab published both its forensic methodology and the open-source toolkit it used, so the material was there to draw on. Other journalists, such as Kim Zetter and Andy Greenberg, have shown that this level of detail can be added without losing the reader.
NSO Group in context
Overall, the book could have done more to contextualise NSO Group within the broader spyware industry. Although there is a chapter on Hacking Team, an early pioneer in the field, a more comprehensive historical overview of the rise of private surveillance firms and their positioning in the global marketplace would have added depth. As the authors note, ‘NSO was a little late to the first frame of the contest’ (p. 56), and yet, with the exception of the Hacking Team chapter, there is little analysis of how NSO’s emergence fits into the broader ecosystem of surveillance technology providers.
Similarly, the authors occasionally do not sufficiently contextualise the implications of the investigation. For example, they stress the fifty thousand phone numbers selected as potential Pegasus targets, implying that this is an unambiguously excessive number. While alarming, the sheer volume is not entirely surprising given the global scope of NSO’s clientele and the potential use of Pegasus for ‘legitimate’ targeting of criminal groups such as drug cartels (although the exact ratio of use to abuse is unverifiable because of government secrecy). A more nuanced analysis would weigh both the potential benefits and the risks of such surveillance tools, providing a more balanced perspective on their role in contemporary security practice.
The book also relies narrowly on commentary from Edward Snowden in an attempt to contrast the relatively muted public reception of the Pegasus story with Snowden’s more attention-grabbing 2013 disclosures of classified documents from the US National Security Agency (NSA). The true parallels are probably more uncomfortable.
Snowden’s disclosures unveiled extensive surveillance by the intelligence agencies of the Five Eyes alliance, but those powers and techniques did not stop afterwards. Indeed, many were placed on a firmer legal footing in the Five Eyes states, and they remained much sought after by governments outside the alliance.
Similarly, the Pegasus investigations may have contributed (along with the US decision to add NSO to its Entity List, restricting exports to the company) to NSO’s decline, but the broader spyware industry remains largely unaffected, thriving on continued demand from both authoritarian and democratic regimes. Ironically, the exposure of Pegasus may itself have sparked greater interest among governments eager to harness the opportunities for control offered by such technologies, a pattern seen repeatedly in the industry, including in the case of Hacking Team.
Where next for spyware regulation?
The involvement of private companies like NSO Group in developing and distributing sophisticated spyware raises concerns about access, regulatory oversight, and accountability. Private companies operate under commercial confidentiality, allowing them to sell products with minimal transparency, and are subject to less stringent scrutiny than many intelligence agencies. Authoritarian regimes’ use of Pegasus to target journalists, human rights activists, and political opponents illustrates how the privatisation of surveillance capabilities can facilitate widespread abuse.
Agreements such as the Wassenaar Arrangement have made some progress by adding cyber-surveillance tools to their export control lists, but their impact remains limited. The Wassenaar Arrangement, for example, is voluntary and has no enforcement mechanism, so participating states can implement its controls selectively or not at all. Some states have gone further: recent US and EU export controls have tightened their implementation of the Wassenaar controls on surveillance tools.
Moreover, attempts by the United Nations to regulate digital privacy through General Assembly resolutions remain largely symbolic. These resolutions lack legal teeth and fail to hold states accountable for abuses involving surveillance technologies. Pegasus illustrates the need for more robust international agreements to define principles for the use of surveillance technologies and establish binding legal obligations for both state and non-state actors.
Other multistakeholder initiatives, such as the Pall Mall Process, the Paris Call, or the Cybersecurity Tech Accord, are promising but have yet to deliver practical impact. The most high-profile private-sector interventions, other than technical investigation and disruption of spyware, have occurred in the legal realm. Apple sued NSO Group in 2021, alleging that NSO had unlawfully targeted users of Apple products with Pegasus. However, it dropped the lawsuit in September 2024, citing concerns that its technical countermeasures and threat intelligence operations would be exposed during legal discovery and that NSO would not hand over the information required. Apple also acknowledged that the fragmentation of the surveillance ecosystem, with new vendors entering the market, had significantly diminished the value of pursuing NSO alone.
The Apple lawsuit illustrates that producers of consumer electronics can, in some respects, safeguard consumers better than law enforcement, thanks to their greater technical proficiency and their ability to deploy countermeasures at scale. In the time between the lawsuit being initiated and dropped, Apple introduced Lockdown Mode, an opt-in setting that disables or restricts features such as message attachments, link previews and some web technologies in order to shrink the attack surface available to spyware exploit chains, and patched multiple critical vulnerabilities in iOS. This underscores the difference in speed between institutions that protect civil rights, such as the judicial system, and vendors’ ability to deploy technical security measures quickly, if they prioritise doing so.
The story behind the story
Pegasus is an important contribution to the literature on spyware and surveillance. It adds a crucial human dimension to the excellent existing research on modern digital threats, most notably from the Citizen Lab, think tanks such as the Atlantic Council, and private-sector researchers. Richard and Rigaud tell the backstory, offering a behind-the-scenes look at the collaboration between journalists and human rights advocates that made this investigation possible.
Its shortcomings – particularly the lack of broader context, occasional narrative digressions, and insufficient technical depth – keep it from being a definitive work on the subject. Nevertheless, it remains a worthwhile read, offering a sobering perspective on the fragility of privacy in the digital age and the far-reaching implications of unchecked surveillance technology.