
The story behind the uncovering of the Pegasus spyware scandal

Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy by Laurent Richard and Sandrine Rigaud depicts the tireless efforts of journalists and researchers that revealed the abuses of Pegasus spyware
Image generated using Chat GPT-4o

The spyware industry’s impact on democracy, human rights, and privacy is well-documented. One of the largest spyware companies, the NSO Group, became notorious in 2021 when its software, Pegasus, was shown to have been used to surveil high-profile individuals and to facilitate human rights abuses. In Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy, Laurent Richard and Sandrine Rigaud tell the story behind the story – an inside look at the journalists and human rights defenders who worked tirelessly to uncover the widespread targeting enabled by NSO’s Pegasus spyware.

The book presents a compelling case for the dangers of unregulated and easy-to-use surveillance technology. Through detailed accounts of individuals targeted by Pegasus, Richard and Rigaud, journalists at Forbidden Stories, illustrate how these technologies can support blackmail, imprisonment, and even the murder of dissidents.

A valuable first-hand perspective

One of the book’s strengths is its portrayal of the coalition of journalists and researchers who joined forces to piece together evidence of spyware abuses. The authors offer an insightful first-hand perspective on this collaborative effort. For example, they describe the difficulty of deciding whom to trust and which technology to rely on once some members of the team themselves appeared on leaked target lists. The book also showcases the impressive efforts of Claudio Guarnieri, senior technologist at Amnesty International’s Security Lab, and his colleague Donncha Ó Cearbhaill – whose willingness to dig deep helped reveal flaws in Pegasus’s implementation, aiding both the attribution of specific infections to the states using Pegasus and the identification of victims.

Throughout the book, readers encounter noteworthy details – already revealed through media reporting – that underline the pervasive reach of Pegasus. Mexico emerged as NSO’s most active client, selecting over fifteen thousand phone numbers for potential targeting (pp. 8, 33). Even major politicians, such as French President Emmanuel Macron, were not exempt from digital intrusion (p. 43). The infrastructure required to operate Pegasus was significant, including two separate rooms constantly cooled to 65°F, with an uninterrupted power system, fibre optic network, and four different servers (p. 80). One notable passage involves Siddharth Varadarajan, co-founder of The Wire, a prominent investigative news outlet in India. Pegasus initially failed to compromise his device, only to succeed immediately after he updated his phone – a testament to the advanced capabilities of the software and the vulnerabilities it exploits (p. 137).

While the authors convey the gravity of Pegasus effectively, the narrative sometimes loses focus. The inclusion of stories from past journalistic investigations, such as those involving drug cartels, can detract from the main narrative of spyware. Parallels with other forms of organised crime can be informative, but these digressions occasionally feel misplaced, pulling attention away from the core story.

Another key shortcoming of Pegasus is its oversimplification of the technical aspects of digital forensics. Despite the vital role that Amnesty International’s Security Lab played in identifying Pegasus infections, the technical process is often glossed over in favour of dramatic phrases like ‘impenetrable lines of code filling the screen’ (p. 254). The intention might be to emphasise the complexity of the work, but it inadvertently distances non-technical readers, making it seem incomprehensible. A more detailed explanation of the forensic tools and methods could have been an effective way to illustrate the challenges of spyware detection – and other journalists like Kim Zetter and Andy Greenberg have shown that these details can be added without losing the reader.

NSO Group in context

Overall, the book could have done more to contextualise NSO Group within the broader spyware industry. Although there is a chapter on Hacking Team, an early pioneer in the field, a more comprehensive historical overview of the rise of private surveillance firms and their positioning in the global marketplace would have added depth. As the authors note, ‘NSO was a little late to the first frame of the contest’ (p. 56), and yet, with the exception of the Hacking Team chapter, there is little analysis of how NSO’s emergence fits into the broader ecosystem of surveillance technology providers.

Similarly, the authors occasionally do not sufficiently contextualise the implications of the investigation. For example, they stress the volume of fifty thousand phone numbers targeted by Pegasus, implying it is an unambiguously excessive number. While alarming, considering the global scope of NSO’s clientele and the potential use of Pegasus for ‘legitimate’ targeting of criminal groups like drug cartels, the sheer volume is not entirely surprising (although the exact ratio of use to abuse is unverifiable due to government secrecy). A more nuanced analysis would consider both the potential benefits and risks associated with surveillance tools, providing a more balanced perspective on their role in contemporary security practices.

The book also relies narrowly on commentary from Edward Snowden in an attempt to contrast the relatively muted public reception of the Pegasus story with Snowden’s more attention-grabbing 2013 disclosures of classified documents from the US National Security Agency (NSA). The true parallels are probably more uncomfortable.

Snowden’s disclosures unveiled extensive surveillance from countries in the Five Eyes intelligence alliance, but these powers and techniques did not stop afterwards. Indeed, they were underwritten with greater legal force in the Five Eyes states, and much sought-after by those outside the alliance.

Similarly, the Pegasus investigations may have contributed (along with US sanctions) to NSO’s eventual collapse, but the broader spyware industry remains largely unaffected, thriving on the continued demand from both authoritarian and democratic regimes. Ironically, the very exposure of Pegasus might have sparked greater interest among governments eager to harness the opportunities for control offered by such technologies – something also seen repeatedly in the industry, including for Hacking Team.

Where next for spyware regulation?

The involvement of private companies like NSO Group in developing and distributing sophisticated spyware raises concerns about access, regulatory oversight, and accountability. Private companies operate under commercial confidentiality, allowing them to sell products with minimal transparency, and are subject to less stringent scrutiny than many intelligence agencies. Authoritarian regimes’ use of Pegasus to target journalists, human rights activists, and political opponents illustrates how the privatisation of surveillance capabilities can facilitate widespread abuse.

Agreements such as the Wassenaar Arrangement have made some progress by including cyber surveillance tools under their export control lists, but their impact remains limited. The Wassenaar Arrangement, for example, is voluntary, with no enforcement mechanisms. This means countries can choose to adhere to the guidelines selectively or not at all. Some states have gone further: recent US and EU export controls have strengthened Wassenaar requirements.

Moreover, attempts by the United Nations to regulate digital privacy through General Assembly resolutions remain largely symbolic. These resolutions lack legal teeth and fail to hold states accountable for abuses involving surveillance technologies. Pegasus illustrates the need for more robust international agreements to define principles for the use of surveillance technologies and establish binding legal obligations for both state and non-state actors.

Other multistakeholder initiatives, such as the Pall Mall Process, Paris Call, or Cyber Tech Accord, are promising but are yet to deliver practical impact. The most high-profile private-sector interventions, other than technical investigation and disruption of spyware, have occurred in the legal realm. Apple sued NSO Group in 2021, claiming illegal targeting of users of their products with Pegasus. However, it dropped this lawsuit in September 2024 due to concerns that technical countermeasures and threat intelligence operations would be revealed during the legal discovery process and that NSO would not share required information. Apple also admitted that fragmentation of the surveillance ecosystem and new vendors joining the market significantly diminished the value of going after NSO.

The Apple lawsuit proves that producers of consumer electronics can safeguard consumers better than law enforcement, due to their greater technical proficiency and ability to deploy countermeasures at scale. In the time between the lawsuit being initiated and dropped, Apple introduced functionalities such as Lockdown Mode (which extensively limits device functionality to prevent spyware infection) and patched multiple critical vulnerabilities in the iOS system. This underscores the gap in speed between institutions that protect civil rights, like the judicial system, and vendors, who can deploy technical security measures quickly – if they prioritise doing so.

The story behind the story

Pegasus is an important contribution to the literature on spyware and surveillance. It adds a crucial aspect of modern digital threats to some excellent research on the issue, most notably from the Citizen Lab, think tanks like the Atlantic Council, and private-sector researchers. Richard and Rigaud tell the backstory, offering a behind-the-scenes look at the collaboration between journalists and human rights advocates that made this investigation possible.

Its shortcomings – particularly the lack of broader context, occasional narrative digressions, and insufficient technical depth – keep it from being a definitive work on the subject. Nevertheless, it remains a worthwhile read, offering a sobering perspective on the fragility of privacy in the digital age and the far-reaching implications of unchecked surveillance technology.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 CET, through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend the Munich Security Conference.

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use the author’s name (or pseudonym) and an image of the author in association with the essay for purposes of publicity, promotion and any other activity related to the exercise of their rights under these Terms.

The organizers may remove any essay-related content from their platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on their platforms and associated social media accounts, including in connection with the display of the essay. The organizers may also use the submitted material to promote their products and services.

The organizers may, at their sole discretion, categorise submitted material, whether by ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.