It was in July last year that the world became aware of the Pegasus scandal thanks to an investigation by a group of 17 international publications. Presented as a tool to make the world safer, fight terrorism and save lives, it turned out to be an effective weapon to monitor and control journalists, political opponents and human rights activists. This spyware, a flagship product of the Israeli company Nso Group, has been sold to governments around the world since 2011. Saudi Arabia, Mexico, India, Morocco, but also European countries such as Poland, Hungary and, according to recent revelations, Spain, have been using this powerful control tool. For this reason, on 10 March, the European Parliament voted to set up a committee of enquiry to shed light on the use of Pegasus within Europe. But in order to fully understand the extent of this massive violation of fundamental rights, it is necessary to go over some of the steps of this affair, starting first of all with what Pegasus is and how it works.
What is Pegasus and how it works
When we talk about Pegasus we are referring to one of the most effective spyware around, one of the most sophisticated in the world. It is capable of infecting both IOS and Android phones, and once in the system it allows access to virtually everything: photos messages, emails, but also camera and geolocation can be activated. While the first version - detected in 2016 - needed the victim to interact with a message containing a link in order to infect the device, Nso has now developed a system called 'zero-click'. This means that no external action is required, but above all that Pegasus can infect the system without leaving any trace or clue to its presence. The spyware exploits what are known as 'zero-day' vulnerabilities, i.e. bugs that have not yet been identified by the operating system manufacturer.
These characteristics make it particularly dangerous, especially since there are no precautions that can be taken to avoid infection. The smartphone, which has now become central to everyday and work activities, thus becomes a real spy capable of showing everything and allowing the user to keep track of any movement or interaction. It is clear that the control that such a tool allows, 24-hour surveillance, has enormous consequences.
The "Pegasus Project" and the new revelations
The story of the major investigation that revealed the real use of Pegasus by some governments began when Amnesty International and Forbidden stories - a non-profit organisation active since 2017 - came into possession of a list containing some 50,000 phone numbers. It was soon realised that these numbers belonged to some of the victims, some de facto and some potential, of spyware attacks. After a series of investigations, the decision was taken to set up the 'Pegasus Project', involving 17 media organisations that have brought more and more details of the case to light.
The 'Pegasus Project' has highlighted the real use of spyware by governments: analyses have shown that the victims of these attacks are journalists, such as the director of the Financial Times, but also heads of state, political opponents and human rights activists. Evidence has also emerged of the use of Pegasus against some members of the family of Saudi journalist Jamal Kashoggi, who was killed in 2018 inside the Saudi embassy in Istanbul. Over time, complaints about the illicit use of the software have increased considerably, and have also involved European countries such as Poland and Hungary, states whose respect for the rule of law has long been questioned. But the list of European countries involved seems to be longer. A recent investigation by Ronan Farrow, published on 18 April in the New Yorker, reports that at least 45 countries are using Pegasus, including Spain, where some 60 Catalan politicians and activists have been attacked by the spyware.
All these elements clearly indicate that Pegasus is not used to increase security or combat international terrorism, or at least not only. On the contrary, the reality of the facts shows that it is a weapon to have a strong control over civil society, to stop investigative journalism and to silence voices of complaint. The Nso Group has so far denied any responsibility for this huge human rights violation perpetrated through its software, and has always defended its work. In July 2021, in response to the revelations of the "Pegasus Project", it issued a press release in which it described the investigation as a "planned and well-orchestrated media campaign", adding that the list of numbers was in no way connected to the Nso Group.
The consequences of the revelations
The attention on Pegasus, after the publication of the investigation, has grown over time, leading to some initial responses to the scandal. In November 2021, the Biden administration decided to blacklist the Nso Group, which means that the Israeli company cannot buy components from American companies unless it obtains a special licence. But already prior to this stance by the government, WhatsApp and Apple, in 2019 and 2021 respectively, had decided to sue Nso Group for infringements carried out through the software. The European Parliament has also decided to take action on the issue, setting up a committee of enquiry that will have the task of shedding light on the use of Pegasus within European borders, starting from the awareness that, given the scale of the issue, the problem cannot be tackled by individual states.
Pegasus is, therefore, destined to be talked about also in the future and the possibility that other elements of this intricate affair will emerge remains very high.