When The Guardian, as part of its report on the use of Israeli-made spyware to infiltrate the phones of civilians the world over, informed Hatice Cengiz that she had been hacked, she was not surprised. The fiancé of murdered journalist Jamal Khashoggi was told that just four days after her husband-to-be was killed by Saudi Arabian operatives her phone was infiltrated by the Saudi’s close ally, the UAE. Her response was simply: “I was thinking this. But what can you do?”
There is not an awful lot of new information in the Pegasus investigation. It has been public knowledge for months that the Saudi Arabian and Emirati government have been using Pegasus software to spy on the phones of Qatari-linked journalists without them knowing. The big revelation in the report is the number of different governments with access to Pegasus and the broad scope of their targets, which number tens of thousands, including some 180 journalists.
But although this is unwelcoming news, it is not surprising. Even without knowing the details of the Pegasus investigation we should, by this point, already assume a steady progression in the sophistication of spyware technology and increase in those with access to it. Cengiz’s fatalism is entirely appropriate: What can you do?
Until very recently, this wasn’t a rhetorical question. It was only eight years ago that Edward Snowden blew the whistle on the scope and tactics of NSA and other government intelligence agencies’ surveillance of civilians. The disclosures sparked not just anger but a rush among journalists and other privacy conscious individuals to take more care in their communications. Terms like “VPN” and “end-to-end encryption” entered the everyday lexicon of the computer-literate world. and as demand grew for extra security encrypted messaging applications like Signal and Telegram entered the market; WhatsApp introduced end-to-end encryption as standard shortly after. While Snowden’s disclosures were shocking, there was still a sense that, with diligence, you could defend yourself against the most egregious government snooping.
This is no longer the case. Access to spyware has increased around the world, including in countries where intelligence services work without legal oversight and with little concern for human rights. In 2018, The New York Times journalist Ben Hubbard revealed that Saudi Arabia had tried to hack his phone with an earlier version of Pegasus which requires the user to click on a link sent to him by the hacker. Hubbard, who was suspicious of the link arabnews395.com, declined to do so. We now know that Pegasus no longer requires any interaction from the target to infiltrate a phone.
So can you protect yourself? Short of getting rid of your mobile, there’s nothing much you can do. The encrypted messaging apps that many have us have put so much stock in do nothing to stop spyware like Pegasus from hacking the phone itself. As my software-engineer brother said when we discussed the investigation on the day it broke: “It’s rather like agonizing over which courier service to use to stop your flat mate reading your post.” Buying a new handset will replace a compromised phone with a clean one, but of course the new handset can then be hacked just as easily. The uncomfortable truth is, if a well-equipped force is intent on infiltrating your phone, there’s practically nothing you can do to stop them.
This isn’t to say that we shouldn’t be angry. The Guardian has listed some 50,000 phone numbers that have been hacked which doesn’t included anybody that those targeted emailed, called, texted, or visited. Pegasus can theoretically turn phones into a remote listening device so can even spy on in-person conversations conducted within earshot of the handset. Hacked journalists face inadvertently compromising their sources not only putting them at danger but making it more difficult for reporters to do their work in the future. Those involved in the development and distribution of spyware like Pegasus are morally culpable and have much to answer for.
And I don’t want to argue that we should do nothing. On the first day of the Pegasus investigation’s release, Edward Snowden called for an international ban on the sale of spyware, something that all of us should support. And I’m sure that far cleverer people than me can see the market for technology to protect the individual from government spyware. Just as Signal and Telegram grew out of public demand for privacy after the Snowden leaks, anti-malware software developers will hope to convince customers that their products can provide some protection from sophisticated spyware.
But we need to find some acceptance. Software like Pegasus is becoming more widely available to questionable institutions and spyware technology will only become more invasive and harder to detect. We should be aware of this and know that whatever precautions we take to prevent snooping, it is likely to be insufficient. Those with reason to fear targeting should consider every gadget they own compromised. It’s a sorry situation to be in, and a damning indictment of the information age. But for the time being at least, it’s not going to change.
Comments