Revelations about widespread abuse of the powerful Israeli-made spyware have drawn international condemnation and punitive measures, including sanctions and lawsuits. The scandal has also exposed alarming regulatory gaps with regard to emerging surveillance technologies, but it’s unclear if the Pegasus controversy will spur any effective regulation.
What is Pegasus?
Pegasus is military-grade surveillance software created by NSO Group, a company headquartered in the district of Tel Aviv, and sold to foreign government agencies. Developed by former Israeli intelligence operatives, Pegasus gained a reputation as the “world’s most powerful cyberweapon” for its ability to infiltrate a target’s smartphone without requiring the user to click a link to activate the malware. Once installed, Pegasus can collect all the device’s data undetected.
Since 2011, NSO has licensed Pegasus to foreign law enforcement and intelligence agencies as a means to combat terrorism, drug trafficking, and other major crimes. At least eighteen foreign governments reportedly own the product, though the total number is unknown. The company says it can’t monitor how its customers use Pegasus but that it has terminated several contracts over reported rights violations.
Why is it controversial?
NSO says that, when used legally, the software helps to prevent terrorist attacks and break up crime rings. For instance, the Mexican government reportedly used Pegasus to help capture the infamous drug lord Joaquin “El Chapo” Guzman in 2016. But years of reporting by organizations such as Citizen Lab show that some clients have used Pegasus unlawfully to spy on individuals not suspected of committing any crimes.
In 2021, a journalism consortium called the Pegasus Project obtained a leaked list of fifty thousand phone numbers that were reportedly entered into a Pegasus database. An analysis showed that the numbers were concentrated in ten countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates (UAE), all of which have been NSO clients at some point and have histories of spying on their citizens. The reporters linked hundreds of these phone numbers to politicians, government officials, business executives, journalists, and activists. (NSO says that the phone numbers do not belong to Pegasus targets.) Additionally, Amnesty International’s Security Lab conducted forensic analysis of about seventy phones whose numbers were on the list and found Pegasus was used to hack more than half of them. Around 150 additional hacks were later confirmed by Amnesty, other forensics groups, government agencies, and private companies. Pegasus was also used to hack the phones of a dozen U.S. diplomats who were using foreign numbers while working abroad.
How is Israel’s government involved with the spyware?
More recent reporting has thrust the Israeli government into the center of the Pegasus scandal, describing how Israeli leaders allegedly used the spyware as a diplomatic bargaining chip in pursuit of various foreign policy objectives.
As with the export of weapons systems, Israel’s defense ministry must approve all foreign sales of Pegasus and thus plays a critical oversight role in its proliferation. The government says it authorizes licenses according to the Wassenaar Arrangement’s guidelines on preventing malign actors from accessing products that could be used for illicit purposes; it has also said its export decisions are made “in accordance with diverse considerations,” including human rights. However, some unnamed Israeli officials reportedly said that Israel’s foreign policy interests outweighed human rights concerns.
Prime Minister Benjamin Netanyahu’s government reportedly offered Pegasus and similar cyber tools to purchasing countries as an incentive for stronger ties or concessions, but Israeli officials have denied any quid pro quo. An investigation by the New York Times Magazine found that countries such as Mexico and Panama started voting in Israel’s favor on some matters at the UN General Assembly after receiving the spyware, though other factors could have influenced their votes. Moreover, nearly every country that signed the 2020 Abraham Accords to normalize ties with Israel received Pegasus.
What’s been the fallout?
The allegations have embarrassed NSO and the Israeli government, and have prompted some of those harmed by the spyware to take political or legal action. In perhaps the strongest rebuke, the United States blacklisted NSO as part of a broader effort to respond to human rights violations internationally. The rule effectively bans U.S. companies from selling critical technology to NSO. Additionally, Apple and Facebook are suing the company for hacking their products and services. Hobbled by the backlash, NSO is reportedly in talks to sell its assets, possibly to a U.S. firm.
The scandal has also rekindled debates over the lack of regulation of digital surveillance tech and whether governments should take greater responsibility in how their exports are used abroad. Since cybersurveillance tools are becoming commonplace, all countries will have to decide how to regulate them, says the Israel Democracy Institute’s Tehilla Shwartz Altshuler. “Even in strong democracies, it’s very, very difficult to be able to cope with the temptation to abuse or to misuse such a system,” she says. The FBI purchased Pegasus, though it says it only bought the product to study it. (Pegasus reportedly can’t hack American phone numbers.)
Currently, cybersurveillance regulation is a mostly lawless frontier. Some countries, including Germany and the United Kingdom, have laws dictating the circumstances in which agencies can covertly extract data from devices, but Israel and many others don’t. International law is similarly lacking, though a 2019 UN report described potential rules for using commercial surveillance tech, such as spyware, facial recognition software, and computer interference tools.
Will Merrow and Michael Bricknell created the graphic for this In Brief.