Tips from the Pegasus Project: How to Report on Predatory Spyware-by GIJN

The 80 reporters who worked on the Pegasus Project had to quarantine their personal mobile phones for long periods to avoid compromising the six-month-long investigation that exposed mass digital spying by 11 governments.

This revelation emerged during an interview with Laurent Richard and Sandrine Rigaud — the founder and editor-in-chief, respectively, of nonprofit investigative outlet Forbidden Stories, a GIJN member that led the collaborative project — and the precaution illustrates the extreme surveillance threat posed by Israeli NSO Group’s Pegasus spyware.

Thanks to the collaboration of 16 news organizations, the Pegasus Project revealed that thousands of activists, dissidents, and other citizens, from India to Hungary — including 180 journalists — were selected as government targets of spyware that can invade a smartphone, and even turn on its camera, without the user knowing or clicking on anything. Later forensic analysis of a sample of these targets’ iPhones by the project’s technical partner, Amnesty International Security Lab, found evidence that 85% of the devices were either infected or attacked by the Pegasus system.

The impact of the revelations have already included several parliamentary demands for government investigations, public protests, calls for regulation, and, in September, a call for a global ban of the Pegasus system at the European Parliament.

The collaboration exposed Pegasus as a digital master weapon widely used to attack democracy and silence journalists. NSO Group has disputed the findings — stating that “the list is not a list of targets or potential targets of Pegasus. The numbers in the list are not related to NSO Group” — and continues to claim that its tool is used only to help governments combat crime and terrorism.

The Pegasus Project investigation found evidence that journalists in these countries were infected with Pegasus spyware. Graphic: Courtesy of Forbidden Stories

A Collaboration Where Communication Couldn’t be Trusted

Richard said the ever-present surveillance threat posed special challenges for the investigation — both for the reporters, and for the victims they needed to notify, including politicians, civil society workers, and fellow journalists.

For instance, the team used a series of “creative ways” to contact those they believed had been hacked, including contacting them via friends — since direct phone calls and other digital communications could be compromised — and meeting them in-person, with COVID-19 protocols.

He said investigative reporters also had to hide their cellphones in “a big black, closed suitcase” during in-person meetings, which were then held far from that trunk.

“This investigation was extremely robust from the beginning,” Richard says. “With the help of our technical partner, Amnesty International Security Lab, we were able to collect traces of infection of the Pegasus spyware on many devices. For the first time in cyber surveillance, journalists were able to show the real face of the victims, and show the misuse of the spyware.”

These hacking victims included investigative journalists like Siddharth Varadarajan, co-founder of Indian outlet The Wire, family members of murdered Saudi journalist Jamal Khashoggi, and 14 heads of state, including French President Emmanuel Macron.

Triggered by an initial data leak of some 50,000 phone numbers purporting to represent potential hacking targets for client governments, the investigation moved through four phases: fact-checking the database and identification of the targets; notification and interviews with listed victims via collaborative partners; forensic analysis of victims’ phones as well as peer-review of that analysis by Citizen Lab; and investigation of NSO Group and its 11 government clients, with follow-up calls for their response.

“In the first phase, we tried to put faces to the numbers we had, in parallel with the fact-checking on the data,” explains Rigaud. “We used our own contact books, contact lists from other journalists, and open source data to verify as many numbers as we could.”

Rigaud says reporters also looked at the context of the infections — especially, what stories journalists were working on, and who they were talking to, at the time they were hacked.

Fact-Checking the Leak

Rigaud said the investigation began with just that long list of phone numbers — with no names and little context.

The team cannot disclose any details about the sources of the leak for both security and legal reasons. In fact — in an illustration of the grave counter-intelligence risk — Rigaud said she could not even disclose exactly when the investigation began, for fear that government spies could use the timeline to hunt sources.

But the project did start with the Forbidden Stories team spending months fact-checking the leaked data before reaching out to those 16 news organization partners and launching the consortium.

“It was a lot about choosing talented partners who we could trust; a dream team of people with specific skills and in specific territories,” says Richard. “The spirit of collaborative journalism really is a new paradigm — rather than being the lone wolf, you need to share everything you learn on a daily basis, because if you don’t do that, it will not work.”

Reporters could not simply call the numbers to find the phone owners, for several reasons — one being that they suspected the devices were being surveilled, and another, Rigaud notes, was that some phone numbers could have been for legitimate terrorist or crime targets.

Instead, Rigaud says the team started by cross-checking the list against phone numbers for the few previously-known Pegasus targets and reports by Citizen Lab as well as other civil society watchdogs.

“We compared them with known cases; with public reports on victims of WhatsApp vulnerabilities — and what we saw in the public domain corresponded to the [new] information,” she explains. “We had to be very creative in the ways we warned victims of these attacks. In some cases, we even decided not to contact people where there was no safe way to do so.”

She adds: “We then sought to convince some victims to share the contents of their phones in a safe way. In almost all the cases, when the person had an iPhone and had not changed their phone since the attack, Amnesty’s analysis confirmed that there was an infection or traces of an infection attempt.”

Tips for Reporting under the Shadow of Hacking

• Understand that no encryption tool can fully protect against a Pegasus infection — but don’t allow this to intimidate or prevent a needed surveillance investigation.
• Because Pegasus works more like an eavesdropping system than a continuous archiving tool, the team found that disappearing messages are effective in minimizing — though not eliminating — the risk of interception. Use the new default timer for disappearing messages on the encrypted Signal app, which allow messages to vanish in as few as 30 seconds, and can be customized to purge in just one second. Hold in-person meetings where possible, and leave your phone at home.
• Read what you’re up against in Amnesty International’s “How to Catch Pegasus” forensic report and Forensic Architecture’s map-based Digital Violence platform. Also, reach out to expert civil society organizations like Amnesty’s Security Lab or the University of Toronto’s Citizen Lab for technical guidance. “Amnesty’s Security Lab really are fantastic — for the first time in history, they built a tool that can find traces of infection in your device, and shared it,” says Richard, referring to Amnesty’s publicly available Mobile Verification Toolkit.
• Consider using an iOS device, such as an iPhone, rather than an Android device for communications during an investigation — not because they are more secure (there is no evidence either way), but simply because you’ll have a much better chance of discovering if you’ve been attacked with Pegasus. As Amnesty states: “In [our]  experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices.”
• Identify the three or four kinds of data you really need to protect: for instance — the identity of sensitive sources, the content of the story, the date of publication, and who could potentially be in danger because of the reporting. Keep this information separate from your other files and information, think creatively about its safety, and secure it with the best encryption tools you have, such as VeraCrypt – but assume that even these excellent tools can be breached.
• Don’t confuse surveillance targeting with infection, and be careful with your language around cyber attacks. “There are many technical reasons for infections not to happen, so it’s important to be careful with the wording,” warns Rigaud.
• Separate your devices and your accounts between the project and your personal life. At your first, in-person project meeting, assign memorable code words for some of the principal actors in the story, and ensure everyone involved uses those words in communications during the research phase.
• If you need to communicate via video stream, use Jitsi – and, in general, avoid commercial tools where possible. “Jitsi is a good way to communicate,” says Richard. “The philosophy is to choose open source technologies, because at least you can check the code they use; it’s open to the community. The other thing is to check the territory where the owner of the technology is based.”

• How to Improve Surveillance Collaborations: A Partner’s Perspective

  The project’s 16 media partners included the Guardian, The Wire, and the Organized Crime and Corruption Reporting Project (OCCRP).

  While other government-deployed surveillance systems like Circles and Cerebro pose their own sinister threats to individuals, OCCRP alerted readers to the alarming ubiquity of the Pegasus threat with this summary: “Through Pegasus, corrupt and troubled regimes across the world can gain access to vast troves of personal information on just about anyone they want.”

  “The Pegasus Project was particularly challenging because of the nature of the software we were reporting on, which made every phone your enemy,” says Drew Sullivan, co-founder of OCCRP.

• Sullivan says Forbidden Stories and Amnesty International “did a good job of creating a simple system in a difficult environment.” But he warned that better tools and collaborative systems will be needed to tackle threats like Pegasus in the future.

  “Joining other people’s projects means using their tools, which can be annoying if you think yours are better,” he notes. “It will take a while before we really have all the tools we need to do this job right.”

  Sullivan suggested that future collaborations on this topic adopt these principles:

• Get everyone involved early. “There is a learning curve, and groups make mistakes by adding people late,” he notes.
• Keep the system simple. 

• Although Rigaud said the investigation of infections in 11 countries could not directly show whether these are “the tip of the iceberg” of Pegasus attacks around the world, she did offer this sobering thought: “We reported on 11 countries, but NSO has publicly stated that it has 60 customers in 40 countries.”

• Team with an expert and have them vet your processes for security beforehand. 
• Develop relationships with people you trust, and grow those relationships on multiple projects. “Don’t randomly add journalists you have never worked with just because you need someone from that country,” he advises.
• Be sure to share credit with all the media partners. “This is about building a collaborative industry,” explains Sullivan. “It costs nothing to give people credit and make them happy.”