Surveilled (2024) Movie Script

[mellow music playing]
[bird squawking]
So, you have agreed to talk,
but you want to make sure
your face isn't shown
and your voice
isn't identifiable.
We'll make sure that you're
protected in those ways.
So you're hacking these phones.
What kinds of
reactions did you get?
[altered voice]
What was the pitch that you
were offering these governments?
What should the average citizen,
in any country in the world,
know about this company
and this technology?
Should people be concerned?
[tense electronic music playing]
- [music fades]
- [chatter]
[phone camera clicking]
[man] The software Pegasus
is perhaps the most
notorious spyware
in the world.
It allows law
enforcement officials
or government authorities
to secretly hack into
a target's smartphone.
And that gains you access to
photos, videos, messages...
Pegasus can also
remotely control
a phone's microphone and camera,
all without any
indication at all
that a hack has occurred.
New Yorker contributor Ronan
Farrow has a new piece out
about Pegasus and the
company that makes it.
So, Ronan, let's just
begin from the beginning.
What drew you to this story
above all other stories?
Well, as you know, I
tangled with some old-school
private investigation
tactics, uh, and surveillance.
And we reported on
that in the magazine.
I had worked on a series
of investigative stories
that pissed off people
with a lot of resources.
Some of what they threw
at me was traditional:
on-the-ground spies
following me around.
But there was also this digital
surveillance I ran into, like,
those spies used my phone's
GPS data to track me.
I realized that the bleeding
edge of surveillance
is these digital tools,
and that they are getting
way more powerful.
[phone camera clicks]
The most advanced spyware
can turn your smartphone
into a spy in your pocket.
It can copy everything,
your photos, your
texts, your emails,
even if you're using
encrypted apps.
It can turn on your
camera, your microphone,
it can record you without
you ever knowing...
And then just...
disappear without a trace.
[tense electronic music playing]
Private commercial
spyware companies
are selling these tools
mostly to governments.
It's a booming,
multi-billion-dollar industry.
And a war is being waged
over the future of
this technology.
See, to infect your phone,
spyware has to go
through the apps on it.
So the Silicon Valley companies
that control those apps,
they're in this battle
to defend themselves
against incoming digital fire.
In May of 2019,
engineers at WhatsApp
discovered suspicious code
hidden within the instructions
that get sent to their servers
to initiate calls.
At the time, Claudiu Gheorghe
was the lead
engineer responsible
for WhatsApp voice
and video calling.
You were really on the
front lines of this hack.
What was on the line for you
as you launched
into this crisis?
I felt directly responsible, um,
because it's a product
that I built from scratch.
[Ronan] Someone had found a hole
in, essentially,
your work, right?
[Claudiu] Yeah, and that
was really personal.
I was really
motivated to fix it.
And not just to fix it. I think
what was really important to me,
um, starting that day, was
understanding the attack.
So, when you're setting
up WhatsApp calls,
there's routine messages
that go back and forth
between the user
and your servers,
and in one of these messages...
there was something weird.
At that point, it wasn't
clear that this is
something intentional.
However, what we
ended up finding
was actually the
tip of the iceberg.
At what point was
there, kind of, a first,
all-hands-on-deck, emergency
meeting about this?
The first meeting that I had
was maybe around 10:00 a.m.
with the security team.
Everything was on
fire at that point,
and on high alert status.
[tense music playing]
[Ronan] It took just over a week
for WhatsApp to
patch its servers
and release an update for the
app, blocking the attacks.
Then they went public,
announcing that at least
1,400 WhatsApp users
had been targeted with
commercial spyware
made by the Israeli
company NSO Group.
WhatsApp is urging its one
and a half billion users
to update the app right now.
[reporter] NSO Group
has been accused
of being responsible
for the hack.
They deny it.
[Ronan] NSO is the
most infamous vendor
in the growing spyware market.
The company says it
developed its Pegasus spyware
to help governments fight
crime and terrorism.
Famously, it's been reported
that it was used to capture
Mexican drug lord,
Joaquín "El Chapo" Guzmán.
But there have also been
years of allegations
that Pegasus has been used
to target journalists,
human rights activists,
and political dissidents.
[reporter] Royalty and
heads of state are some
of the 50,000 people
around the world
who may have had their
smartphones hacked.
That's according to a new report
by 17 media organizations.
An investigation published
Sunday in the Washington Post
says the spyware at
play is called Pegasus
and was licensed to governments
by a private Israeli tech firm.
[reporter 2] It was
used to track and target
Saudi journalist
Jamal Khashoggi,
who was critical
of Crown Prince
Mohammed bin Salman.
[reporter 3] It was at the
Saudi consulate in Istanbul
that Jamal Khashoggi
met his brutal end.
He was strangled as soon
as he entered the building
by a team of Saudi assassins,
who then dismembered his body.
I can guarantee to you,
our technology was not used
on Jamal Khashoggi
or his relatives.
[Ronan] In November 2021,
I was reporting on all of this
and trying to get
answers out of NSO
and its chief
executive, Shalev Hulio.
That's when the Biden
administration placed NSO
on a Commerce
Department blacklist.
[reporter] NSO's inclusion
on the U.S. blacklist
does make business a lot harder,
with other firms now maybe
needing to think twice
before doing business with them
for fear of violating
regulations.
[Ronan] The next day, NSO's
spokesperson called me
and asked me to meet
with Shalev in New York.
[soft electronic music playing]
Will you have your
phone on in the meeting?
- I'll try. I'll ask.
- Okay.
- This is my colleague, Unjin.
- Hi.
- Nice to meet you.
- [man] Hi, nice to meet you.
[music fades]
[computer chimes]
Hello there.
I'm in a bar, Ronan.
I thought you were closing
the magazine or something.
[David] I was just meeting with
a Justice Department official.
But I cut the interview
off early, so... [laughs]
So that you could hear from
one of your wayward reporters
about what he's up to?
So I talked to, uh, Shalev
for two and a half hours.
[David] Wow.
Tell me about the conversation.
They're still reeling from
this announcement yesterday
that they're on this
export blacklist.
- And...
- Were they worried?
They weren't worried
in the substance
of their answers so much as...
There was a lot of
reference to, you know,
"Better schedule that
trip to Tel Aviv quick.
We might not exist
as a company."
Which I think is a joke.
I don't know that
their bottom line
is that vulnerable,
but I do think
that it's a serious moment
of-of worry for them.
So the kind of, the high-level
philosophical picture
that he paints is,
"This is a technology
that's blossoming
around the world anyway.
If we're not doing it,
someone else is gonna be."
So his case is kind of like,
"Hey, there's all these
people doing this.
This is the new reality."
The digital Wild West.
Yeah, and he acknowledges
there's a potential for abuse,
but he says, "We are,
relative to the competition,
the ones willing to subject
ourselves to more scrutiny
and answer more questions in
the press and be regulated."
They, as of now, are saying that
they'll go fully on the record
and actually allow me to
bring cameras in, in Tel Aviv.
That's great. It sounds
like a great meeting.
It's great you made it happen.
- I-I have to go...
- Oh, you have to run, right.
Go, go, go. Thank
you for making time.
[David] Thank you. Bye.
[Ronan] Israel is at the center
of surveillance innovation.
There's a pipeline of expertise
from the country's military
and intelligence services
into tech start-ups.
And the Israeli state
uses some of that tech,
including in the conflict over
the Palestinian territories.
According to an Amnesty
International report
released in the fall of 2021,
six Palestinian human
rights activists
had their phones
hacked using Pegasus.
Knesset member Sami Abu Shehadeh
says that's part of a long
history of surveillance
of Palestinian citizens.
So, it was reported
a few months ago
that Pegasus, from NSO Group,
was found on the phones
of six Palestinian
human rights activists.
The defense minister claimed...
these were, uh, subjects
of terrorism investigation.
Yeah, yeah, yeah. So Israel...
unfortunately,
has been doing this
for its citizens.
Mainly for the
Arab Palestinians.
I think what-what-what-what is
making Israel so... important
in this destruction industry
is that they have a huge
laboratory to work in,
and they are using
the Palestinian people
to do their, uh, tests.
Then they sell it to
the rest of the world.
[Ronan] Israel says
it uses surveillance
for self-defense and
national security.
[suspenseful music playing]
I started talking
to NSO in 2019.
It wasn't until 2022
that they agreed to let
me do some reporting
inside their
headquarters in Tel Aviv.
Most companies that do this
work are pretty secretive.
But NSO has always
courted the press...
up to a point.
Hi there.
Ronan Farrow.
[man] Uh, you have
an appointment?
[Ronan] Yes. With NSO.
They were opening
their doors to me
but also trying to
keep a tight leash.
I'd be talking to everyone
from software engineers
to salespeople,
and I realized quickly,
NSO's PR team was
gonna be hovering.
Hey. Ronan.
Come, let's, uh, take
some coffee, tea.
I may take pictures as
I go, if that's okay.
- Yeah.
- So I can write about it,
you know, for color.
Want to get a sense of the digs.
It's a swanky office space.
It's very American
tech start-up vibes.
- Fancy cafeteria.
- Thank you!
You want some coffee? Tea?
- What do you want to drink?
- Coffee sounds great. Thank you.
I just wanted to start
with introducing our team.
Yes! I'm very much looking
forward to talking to all of you
and hear about the working
level experiences you have.
So this is great.
Should we get started?
What made you want this job?
[in Hebrew]
What specifically do you think
people have gotten wrong?
[in Hebrew]
You have been involved
in relationships
where there's been
some kind of a finding,
or at least a suspicion,
that there was
inappropriate targeting.
What would you
say to the targets
of that kind of misuse
of your technologies?
[in Hebrew]
[Ronan] How-How
have you navigated
the sort of moral questions
being raised about your
work in such a public way?
[in Hebrew]
[Ronan] You know,
what happens in a case
where maybe the government
thinks these are criminals,
but outside observers say,
"Hey, those are activists"?
I'm a tech guy and I'm an
intelligence guy, okay?
I know how to create
investigation systems
and now I can know how
to make it technically
the best way possible. Okay?
The question you're asking
now, this is for the big guys.
Big questions.
NSO claims that
potential customers
are thoroughly vetted,
and it emphasizes that each
sale needs to be approved
by the Israeli
Department of Defense.
General Counsel Shmuel Sunray
is in charge of that
compliance process
and of the internal
investigations
the company says it conducts
when there's an
allegation of abuse.
- Hello.
- Hi.
- Pleasure to have you here.
- Yes, it's good to be here.
It's an interesting
time to be here.
You're up against a pretty
widespread perception
that this talk of
compliance efforts
and internal investigations
is-is viewed as being
non-substantive.
First of all, the efforts
are truly substantive.
Unfortunately, I think one
of the main problems we have
on the perception side
is that all the good
work that we do,
um, cannot be published
in its details.
I mean, it cannot be...
we cannot share, like,
when we disqualify
a certain customer
for a due diligence reason,
or we shut down a
system for a misuse.
Even if we would have wanted to,
we are prohibited from doing so.
As you might imagine in the
course of this reporting,
I'm gonna be talking
to quite a few targets
of NSO's technology,
some of whom, you
know, really feel
that this was destructive
in their life.
What would you say
to targets of Pegasus
and other NSO software?
[Sunray] Anyone who
feels he's a target,
I would really
appeal for them to go
and go through our process.
I think that our record
has proved itself.
We, you know, don't
want our technology
to go and be used in such a way.
And if it was our
technology that was used,
we feel very bad about it
and we'll make our
utmost to make sure
that no other targets
will be in that situation.
[Ronan] I asked
Sunray repeatedly
to give me specifics
about these investigations
or proof that contracts had
been canceled as a result.
He declined.
- Should we break for lunch?
- Yeah, yeah...
[laughing]
Okay, great.
[Ronan] Oh, so this
is the Shalev suite.
- [Ariella]
- [Ronan] Okay.
I convinced Shalev
Hulio, the CEO,
to go on the record for
my New Yorker article,
but he refused to
appear on camera.
When I pressed him about
the allegations of abuse,
he also wouldn't
provide specifics
about the company's
internal investigations,
citing the privacy
of NSO's clients.
Both he and Sunray
compared their company
to an arms dealer,
just in a field that
doesn't yet have regulations
like the Geneva Conventions.
I needed to find
unvarnished takes
on how NSO really operates.
One of the calls I made
was to Israeli journalist,
Chaim Levinson.
What has the experience
of reporting on NSO
been like for you?
[dog barking]
At the beginning they
were very closed,
didn't talk to journalists,
"You all are against us,
you don't understand,
it's a security
issue," et cetera.
But lately, in the last year,
they've become very friendly.
[Ronan] Do you buy
what NSO is selling
to journalists and
governments around the world
when they say, you know, "Yes,
there have been some missteps,
but we want to be, and we
are now, the good guys"?
I think they understand they are
in a very, very bad PR situation
and the previous
policy didn't work.
And now they're thinking if
they explain to the people
what exactly they are
doing, it will help them.
If you ask me, the head of
the problem is not the PR.
The problem is the issue.
NSO can hack your phone
with zero-click technology.
And this is a tool
that, until NSO,
only very industrial
countries had...
United States, security
services of Israel.
But for countries like Angola,
it's impossible to
develop such a technology.
They don't have the
human resources to breach
Apple and Google engineers.
[Ronan] What makes NSO special?
They are willing to
sell to countries
with huge democracy and
human rights problems.
Other companies are not
willing to sell, and NSO are.
[Ronan] Chaim introduced
me to something rare...
a former employee who
had firsthand knowledge
of NSO's sales efforts
and was willing to speak
without the company's
permission...
if I promised to
conceal their identity.
Is there anything specific
that makes you fearful
of how they would react
if they did see your
face and your identity?
[altered voice]
[Ronan] So tell me from your
standpoint why you think
it's important to have
this conversation.
What's the most objectionable
thing that you saw
in your time at the company?
So you sold Pegasus to
these different governments?
Pre-sold.
You pitched Pegasus to
governments around the world?
What were the-the main customers
that you saw the
company deal with?
Um, they claim
most Western European
countries use them.
Is that true?
[former employee] Um...
Some examples?
And beyond Europe. Any examples
that were sort of
significant in your mind
or that gave you pause?
Mm-hmm.
Any African? Oman.
Yeah, yeah, yeah.
What was the price tag on this?
What was NSO
charging for Pegasus?
[Ronan] Does NSO know
that some of its customers
that it's selling to
for those big-ticket
prices you mentioned
are abusing this technology?
[mellow music playing]
[phone ringing]
[phone clicks]
Hi, Oded.
[Oded on phone]
More importantly, how are you?
[Oded on phone]
[Ronan] Yeah. As
you can imagine, uh,
I'm-I'm gonna call
everyone around the story.
Um, I think it's been a
fairly short list of formers.
But, you know, if there's anyone
you suggest I add to that list,
I welcome it.
[Oded]
Mm-hmm.
Yeah. Oded, you know, I'm always
an open book on this stuff.
We've talked about
this at length.
I have been very glad to see
that I think you're savvy
about knowing that
more transparency
is a good thing for
NSO at this point.
I know it's been a,
kind of, a hard time
with a lot of controversy.
Any time you have a
concern, you know, raise it.
And I'll answer honestly.
[Oded] Okay.
Okay.
[Oded]
- Bye.
- Bye.
[tense electronic music playing]
[Ronan] Though NSO was
wary of me speaking
to its former employees,
the company was
willing to let me speak
to one of its current
Western European clients.
[computer chimes]
Hello.
He's going to be
ten minutes late.
He's on his way to
his laptop right now.
How many other outlets, uh,
has, uh, our friend
who's about to come on,
uh, spoken to in this way?
- No one.
- [Ronan] No one?
I was assuming that
he was the source
of the Wall Street
Journal article.
I think that was also a Western
European law enforcement.
[Ariella] We have several
customers from Western Europe,
but we don't have
a lot of customers
that are willing to
speak with journalists.
I will need to know
his-his full name
and identity and everything.
Only for your... But
only for your knowledge.
Yes. You don't have to worry.
If I verbally agree
that a source is an
unidentified background source,
uh, you know, described as a
European intelligence official
then-then that is, uh,
that's the ground rule.
Yes, you can even say, you know,
West European law
enforcement agency,
I mean, whatever
that will not...
will not expose the name
of the country, the agency,
or, of course, his name.
Tal, is he joining?
He's connecting right now.
Okay, great.
- [computer chimes]
- [scrambled voice]
[Ronan] Hello!
Thank you for doing this.
I appreciate your
taking the time.
[NSO client]
So when did your, uh, agency
first become a customer of NSO?
[NSO client]
How much did you pay
for the software?
[NSO client]
Tens of millions of euros?
What's the... what's the...
Okay. Understood.
And what type of product
did you purchase?
Is this Pegasus, primarily?
And what is the
software being used for?
Do you think it
would be a scandal
if it was known widely
that you were using Pegasus?
Do you have to get a
warrant to use Pegasus?
And how many people
have you targeted, uh,
since 2015, with, uh, Pegasus?
Roughly. Roughly.
Mm-hmm.
[NSO client] Okay. So, um...
Very helpful.
- All right. Take care.
- [Tal] Thank you.
Okay.
Are we all, uh, dispersing now?
- And sorry for the mistake.
- Oh yeah, I saw.
So it's two-two
journalists he talked to.
Do you remember which ones?
He was the Wall
Street Journal source?
[Oded] It was... it was one
of the Wall Street Journal
and one is Israeli TV.
[Ronan] An Israeli
one. Okay. Got it.
Okay. Um, this is
very helpful to know.
Thank you again, everyone.
- Enjoy.
- Okay. Take care.
[computer chimes]
I don't doubt these law
enforcement officials
when they tell me
they love having
such a powerful
surveillance tool...
and that they sincerely want
to use it to ensnare criminals.
But there's evidence that
Pegasus is being used
in at least 45 countries.
And it's mostly happening
under a veil of secrecy,
without public
input or oversight.
Pegasus might have
lived up to the promise
that it's undetectable...
if it weren't for a group
of researchers in Canada.
[soft, dramatic music playing]
The vast majority of what
we know about NSO abuse
comes from researchers
at the University of
Toronto's Citizen Lab.
They have found examples
of the spyware being used
to conduct surveillance
on dissidents, human
rights activists,
and journalists
around the world.
- Hey!
- Ronan, how you doing?
- It's great to finally meet you.
- Great to meet you too.
Thanks for letting us
into the inner sanctum.
[Ron] Of course.
[Ronan] For more than a decade,
Ron Deibert and the
team at Citizen Lab
have been studying the
pieces of malicious code,
known as exploits,
that target vulnerabilities
in your phone's apps
or operating system
to install spyware.
[Ron] We're really lucky
to have this space.
This is, uh, the lab.
These are the spaces where
most of the work gets done.
[Ronan] Got it.
So what are they doing in there?
[Ron] We have a
person who suspects
that they've been
targeted with spyware.
And so what they will be
doing is walking them through
how to gather the
data that we need
to do forensic
analysis of a phone.
How difficult has it been
to catch these exploits?
'Cause many of them,
including Pegasus,
are designed to clean
up after themselves.
We've been fortunate
now, uh, to capture
several different vendors'
spyware in the wild,
usually from targets.
Um, the one that really
stands out for me
is the case of the Saudi
women's rights activist,
whose phone was
hacked with Pegasus.
Which is why that excuse
that NSO Group and others use
is so specious.
You know, "Don't worry.
Nothing to see here,
because we only sell
it to governments
to be used for
crime or terrorism."
It's not a-a good way to think
about the limits of
this type of technology.
How do you see the industry
evolving from here?
If we succeed, you could imagine
a much different environment
ten years from now,
where there is robust
oversight mechanisms,
and much more transparency.
That would be my ideal world.
The way things
are going, though,
frankly, frightens me
because we live in a time
where there is obvious,
well-documented
democratic backsliding.
Authoritarian practices
are spreading worldwide.
I firmly believe the
surveillance industry,
unchecked as it is,
is one of the major contributing
factors to those trends.
[Ronan] A lot of the coverage
of the dangers of spyware
has focused on the way
autocrats and dictators
outside the Western
world use it.
But Citizen Lab's work shows
that Western democracies
are abusing spyware too.
They tipped me off
to an investigation
they were conducting
in Catalonia,
a region of Spain,
where they suspected
Pegasus was being used
to surveil local
politicians and activists
on a massive scale.
[tense music playing]
- Hey!
- Hi.
- How are you?
- Thank you for coming.
Yeah! I'm looking forward to it.
It's also stunning here.
I was not fully expecting that.
Elies Campo was born here.
He's worked in Silicon Valley
for WhatsApp and for Telegram.
And now, he's Citizen
Lab's investigator
on the ground in Catalonia.
A few people from Catalonia
messaged me and said,
"Hey, I just received
this message on WhatsApp
about being, uh, targeted or
being hacked at some point,
um, and I don't know if
it's, um, it's real or not."
I contacted my
ex-colleagues at WhatsApp.
They told me that they couldn't
communicate anything with me
because of privacy issues but
I should contact Citizen Lab
and see if they could help. So
I reached out to Citizen Lab.
The conversation went that
these cases from WhatsApp
were probably just the
tip of the iceberg, um,
and that we... if we
organized a little bit
and had some kind of strategy,
we'd probably find more.
Why should people
around the world care
about the hacking that
you're documenting
here in Catalonia?
[Elies] This is gonna be
one of the first cases
where there's such a large and
vast number of affected people
and from a vast and
different type of categories
of, um, of society.
So we've had the Parliament
of Catalonia targeted.
We've had the government
of Catalonia targeted.
We've had lawyers targeted.
We've had, uh, civil leaders
of org... cultural organizations
of Catalonia targeted.
[Ronan] This is not some
future Orwellian scenario.
It really... It happened here.
- It's happening here.
- It's happening here.
[solemn music playing]
[Ronan] Citizen Lab suspects
that people in Catalonia
are being targeted
for political reasons.
Catalonia is a semi-autonomous
region in Spain,
with Barcelona as its capital.
There's a significant segment
of the population there
that wants Catalonia to
be an independent country.
[crowd chanting]
[Ronan] In 2017, Catalan
leaders organized a referendum
where they asked
voters to decide
if the region should
be independent.
The Spanish government in Madrid
declared the referendum illegal
and even raided polling
sites on Election Day.
Tensions are still
pretty high today
between Catalonia and Madrid.
And there's a lot of
Catalan politicians
that still favor independence.
I joined Elies in the
Parliament of Catalonia,
where he was testing
politicians' phones.
Walk me through what
you've been doing
and what you're finding
with these ones.
- Yeah, so we analyze the device.
- Yeah.
And we try to find traces
that there was the malware
at some point in
that... in that device.
And how we do that is through
some analysis on the device.
We extract the file, and
uploading it to the cloud,
and the cloud is
doing the analysis
of, uh, of trying
to find traces.
What's next? You have members
of Parliament coming in, right?
Yeah, a European member
of the Parliament
that's currently in Barcelona,
and, uh, his name is Jordi Sole,
and, uh, we're gonna talk to him
and look at his device now.
- [Ronan] Great.
- [chatter in Catalan]
Hola, que tal?
Hola. Laura.
[in Catalan]
[ominous music playing]
Uh-huh.
Mm-hmm.
When does it look like
you were infected?
[Jordi] I have to
check, uh, the date.
But around that day,
I was appointed, um,
member of the
European Parliament.
[Ronan] How do you feel knowing
that you may have been
compromised in this way?
Well, I feel surprised and angry
at the same... at the same time.
Uh, and it's, uh,
somehow it's ironic
because next week, in
the European Parliament,
we are gonna vote to set up an
inquiry committee on Pegasus.
Um, so it's...
it's-it's only...
it's only ironic
that just a few days
before, I learn,
as member of the
European Parliament,
that I've been
infected by Pegasus.
[Ronan] What about you, Elies?
What goes through your
mind each time you see
a positive result pop
up on that screen?
[Elies] I think about the
gravity of the situation.
Especially these cases where
there are members of
the European Parliament
'cause it affects, uh,
450 million people,
citizens, and the
violation of their rights.
Um... Yeah, each
time we discover one
is-is, um, similarly intense
in terms of realizing, uh,
the importance of it
and the gravity of it.
Why do you think
you were hacked?
[Jordi] Well, I've been hacked
for sure because I am, uh,
pro-independence.
So I'm sure that
there is the will here
to keep under control
politicians representing,
uh, the will for independence
in Catalonia in
several institutions.
Are you looking at
any legal remedies?
Do you think that you'll
bring suit in some way?
[Jordi] I'll defend my
rights until the end.
[Ronan] Jordi wasn't alone.
Elies was steadily uncovering
more and more infections
on the phones of activists
and lawyers and politicians.
And it also wasn't just Pegasus.
These tests were
turning up evidence
that the Catalans were
also being targeted
with other forms of spyware
from competing companies.
One day, Citizen Lab found
evidence of something rare.
A local activist had
a spyware infection
on his personal laptop
that was still live
and in the middle of its attack.
- Hello, Joan.
- Hello. Hi.
It's great to finally
meet in person.
Thank you for doing this.
[Ronan] Joan Matamala
is an activist
connected to
separatist politicians.
His laptop was
infected by spyware
made by another Israeli
company called Candiru.
Elies worked to try to
exfiltrate the software
and study it before
it self-destructed.
[in Catalan]
[in English] This is where
you were, uh, sitting
when the, uh... when you
learned about the hack?
[speaking in Catalan]
He was working over there
when he received the call
that he currently
had a live infection.
[Ronan] And what date
and time was this?
[speaking in Catalan]
[Elies] February 2021.
[Joan in Catalan]
[Ronan] Tell me what
you did from there.
[Joan speaking in Catalan]
[Elies] Yeah. So he took some
time to get that aluminum foil.
He wrapped two computers.
[aluminum foil crinkling]
[Ronan] What's the goal
of the tin foil wrapping?
You're creating what's
called a Faraday cage, right?
By wrapping it and-and
creating a Faraday cage,
uh, we're actually
protecting the device
from receiving
outside instructions
to have the software delete
itself or self-destruct
in order to, uh, remove
or potentially remove
the evidence of... that
software was there.
It's particularly important
to be able to capture
the software live or
active in the computer
so we can understand
how it works, uh,
how it compromises
the operating system.
So he was really doing something
that's a service to researchers
on these kinds of technologies.
[Elies] Yeah, his action
actually helped Microsoft
understand how this
particular software,
Candiru, was affecting
this operating system.
And a few months later,
Microsoft actually
developed a patch
that, uh, resolved
the vulnerability
that this, uh, software
was actually exploiting.
[Ronan] It's surprising
that just tin foil can work.
- Yeah, it's physics. [laughs]
- Yeah, yeah. It makes sense.
A little tinfoil
went a long way.
[tense music playing]
The proliferation of
spyware around the world
has left governments
scrambling to respond.
And that includes
the United States.
Even though NSO claims
that it blocks its spyware
from targeting
American phone numbers,
U.S. government employees
working overseas
have had their foreign
phones hacked using Pegasus.
Apple is warning at least
11 United States diplomats
that their iPhones were hacked
in the last several months.
The hackers reportedly
used the spyware technology
called Pegasus.
[Ronan] But the U.S. government
is also a buyer of
commercial spyware,
including Pegasus.
Internal documents obtained
by the New York Times reveal
some FBI officials
made a push to deploy
Israel's Pegasus hacking tool.
So I understand that you
did purchase a program
and you tested it.
Is that accurate?
We had a limited license
for testing and evaluation.
We've tested and evaluated,
and that's... that's over.
It hasn't been used in any
investigation of anyone.
[Ronan] It's been reported
that NSO also pitched
American police departments
on a Pegasus-like software
designed to be
used on U.S. soil.
Lawmakers are grappling
with both sides of this...
how to protect Americans
against these attacks
and how to control America's
use of this technology.
Jim Himes is the ranking member
of the House
Intelligence Committee,
which oversees U.S.
intelligence agencies,
including the FBI and the CIA.
- Hey, Ronan.
- Hey.
- How are ya?
- Thanks so much for doing this.
Yeah. Good to see you in person.
I know we talked on the phone,
but I don't think we've
ever met in person.
What is your feeling
on how much ability
the U.S. government should have
to purchase this kind of tech?
First of all, it would
be a very serious mistake
to simply prohibit the
purchase of the technology.
We need our experts to
know what is out there.
I have no objection to the FBI
purchasing the technology
to understand it.
Then comes the more
complicated question of,
"Do we want the FBI
to be able to use it?"
Do you think the answer is
a ban on the operational use
of foreign commercial spyware
by the U.S. government?
[Himes] No.
No, abs-absolutely not.
The answer is,
do the hard work of assuring
that law enforcement uses it
consistent with our
civil liberties.
We're using a lot of
abstractions here right now.
I have two daughters.
What if one of my
daughters were kidnapped?
I want that tool.
I want that tool.
And it would be profoundly
irresponsible of me to say,
"There's this amazing
tool out there
that could fall into the
hands of the Iranians,
the North Koreans,
the Chinese...
and we're not gonna
let the FBI use it."
We're going to let
the FBI use it.
We're going to make sure that
they use it in the context
of our civil liberties, and,
well, will it be perfect?
No, it will not.
It will, from time
to time, be abused.
But the notion that, for the
first time in our history,
we're gonna say we're gonna let
all the bad guys have technology
that we're not going to use,
um, that's a novel concept.
And-And when you really
think it through, uh,
a little bit of a scary concept.
A lot would have to change
for it to be transparent
and have an approvals process
that-that meets that threshold.
That's not the space
we're operating in now
when this technology is
used by the U.S. government.
That's correct. And
this is why I say
one of the urgent things we
would need... we should do,
we should be doing, is
building the protections
around how U.S. law enforcement
might use this technology.
In terms of the hacking
of American officials,
are American officials
abroad, and maybe in general,
subject to more attacks
using this kind of technology
than the public is aware of?
Yes.
- And...
- Significantly more.
Significantly more.
And are you aware of
infections of this type
that have played
out on U.S. soil?
Maybe the best way to answer
that is that this technology
knows no borders.
I don't happen to know of
the deliberate targeting
of Americans on U.S. soil.
I'm also...
I have no confidence
that it hasn't happened.
[soft, tense music playing]
[Ronan] The White House told me
they were still investigating
how spyware affects
national security.
And then they told me
something I'd be making public
for the first time...
that the Biden
administration was planning
an executive order banning
government agencies
from buying or using
at least some types
of foreign spyware.
I'd been reporting on
this for a few years,
and I really hadn't
found any governments
that provide
meaningful transparency
about how they use these tools.
[soft, dramatic music playing]
[phone chimes]
Uh, this is... this is Ariella,
the comms person at NSO,
sending me a thumbs up that
she is going to get me a...
I'm gonna say,
"Much appreciated."
She's gonna get me a last
statement that they have.
There's a dozen countries that
are mentioned in this piece
and each of them had to
be approached for comment.
Some of them wanted to
comment, some didn't.
Some wanted to only
comment in secret,
but not on the record.
There's just a lot to
juggle with this one,
and I've got to hustle and
redline the rest of this piece.
Avey, are we in here?
- We're in here.
- We're in here. Okay.
Yeah.
- Good to see you.
- You too.
- Hello.
- We're ready? Okay, good.
- Yes.
- All right.
Avey. Great.
[Remnick] Um...
All right.
- Thanks a lot.
- Thank you.
[Remnick] Okay.
- Are you all closed up?
- Mmm...
Yes, but, like, checkers
still laying in odds and ends.
[Remnick] It's Thursday, and
the magazine closes today.
- Yeah.
- Like complètement.
- [laughing]
- Yeah.
- That's it.
- Yeah.
- That's it.
- Okay.
[Ronan] I think it's...
it reads really well.
Okay, so we're just gonna power
through this pretty standard.
You know what you're
doing. Here we go.
In your reporting,
you've narrowed in
on a series of Pegasus
attacks on people involved
in the Catalan independence
movement in Spain.
Were you able to confirm
these hacks with NSO
or the Spanish government?
[Ronan] NSO Group
CEO, Shalev Hulio,
did very clearly talk
about some of the countries
that we now know use his
technology, including Spain.
And in that case,
he said, you know,
Spain is a democracy.
Uh, if they decide
to use these tools...
- That's on them.
- That's on them!
And the Spanish
government, for their part,
didn't respond to our
requests for comment about it.
Do you think it's
possible to have a world
where such a thing exists
and it's used responsibly?
[Ronan] Well, we're
watching the fights
that will dictate the
answer to that question
play out right now.
And one of the
things that we break
for the first time in this
story is-is that the White House
is actively pursuing a
U.S.-government-wide ban
on purchasing this kind
of commercial spyware.
Because they have their own?
Well, certainly certain U.S.
agencies have their own.
But, you know, in the past,
other U.S. government offices
have also purchased
these kinds of tools.
And I think there's an
increasing understanding
that this is both, uh,
technology that has
an incredibly destructive
footprint in the world,
and we've just got to hope
that some of these
regulatory efforts
can rein in the most
destructive effects of it.
In his latest investigation,
the journalist Ronan Farrow
has dug into the
spyware industry.
In explosive new reporting in
The New Yorker, Ronan Farrow
details the two years
he spent digging
into the vast spyware industry.
Ronan, my friend, this
is scary stuff! Um,
first of all, just break down,
for those who are unaware
of what it is, what is
Pegasus and who makes it?
The fundamental is,
it can crack a phone.
It feels like the cat's
out of the bag, isn't it?
How do you control this?
To your point, once data
has been exfiltrated,
the damage has, in
a sense, been done.
The article is called
"How Democracies Spy
on Their Citizens"
by Ronan Farrow.
Ronan, thanks so
much for joining us.
- [chanting, clapping]
- [whistle blowing with chants]
[Ronan] The article in The
New Yorker and the results
of the Citizen Lab
investigation led by Elies
had enormous
repercussions in Spain
and finally helped shed light
on who was behind all this.
After initially
denying the report,
the Spanish government in Madrid
acknowledged spying on
some of the Catalans.
The head of Spain's
intelligence agency
was fired amidst
the controversy.
[chanting]
[Ronan] The scandal became known
as "CatalanGate."
[in Catalan]
[Ronan] On the list of
targeted individuals
was Elies's own family.
Is your family okay?
Yeah, my family is okay.
They were surprised.
Surprised that they
got hacked too?
Yeah. So I was having a
dinner with my parents,
uh, just a few weeks
before publication.
I told my father, "We're
gonna publish this report.
It's probably gonna
have some impact
in Spain because
it's pretty serious."
And so we checked his phone,
and, a few hours later,
we got the results back
and, um, we got a confirmation.
The next day, we tested my mom
and, uh, we found that she
had also been targeted.
So they were following
you and trying
to get your communications
through your parents.
Presumably they failed
in targeting my device,
because I have an
American, uh, phone number,
and they targeted my family
in-in order to try to
get to the information
that they were looking for.
What do your parents
do for a living?
They specialized
in, uh, in pathology
and, uh, vascular diseases,
and they work at the
University of Barcelona
and the hospitals of Barcelona,
the research centers.
So, whoever had access
to those devices,
they actually had access
to, uh, potentially,
hundreds of conversations
or hundreds of data points
of emails, messages,
photographs,
of patients all
around the world.
[Ronan] Not only
did they have access
to his parents'
patients' records,
they also potentially
had the ability to record
audio or video of Elies
whenever he was in the room
with his parents' phones.
So, Elies started testing
the rest of his family
members' phones,
including his sister's.
[soft, solemn music playing]
[in Catalan]
[sister in Catalan]
[Elies in Catalan]
[sister in Catalan]
[Elies in Catalan]
[sister in Catalan]
[soft, somber music playing]
[tense music playing]
[Ronan] Including
Elies's family,
Citizen Lab found that
around 70 people in Catalonia
were targeted with spyware.
Since the publication of
those findings in Spain,
Citizen Lab has documented
Pegasus being used
against government officials
in the United Kingdom,
activists in Armenia,
journalists in Mexico,
and pro-democracy
demonstrators in Thailand.
In the summer of 2022,
Shalev Hulio stepped down
as CEO of NSO Group.
He went on to establish
a new start-up
in the cybersecurity space.
Meanwhile, in March of 2023,
the White House followed through
on the plans they'd revealed
in my New Yorker article.
Just a few hours ago,
President Biden issued
an executive order
that, for the first time,
will prohibit our
government's use
of commercial spyware that poses
a risk to our national security
or that's been misused
by foreign actors
to enable human rights
abuses overseas.
[Ronan] The executive order
banned federal agencies
from buying spyware that's been
abused by other governments,
used to target Americans,
or otherwise threatened
national security.
But it's not a blanket ban
on the purchase of all spyware.
And in fact, just days later,
the United States and
36 other countries,
including Spain,
released a statement outlining
how they believe governments
can use commercial spyware
and still respect human rights.
I went back to DC to press
Biden administration officials
about this.
Nathaniel Fick is
the first Ambassador
for the newly created
Bureau of Cyberspace
and Digital Policy.
What do you wish
this executive order
contained that it doesn't?
What do you think the
soft point is in it?
I think part of the reality is
we don't know that yet. Right?
You-You-You craft something
and you throw it
out in the world.
And the world is
a dynamic place.
Our adversaries are innovative
and smart and well-resourced.
So we'll adjust as required.
I'm struck by the fact
that it contains so little
about what we do
do with spyware.
There's no suggestion of,
once a spyware
vendor passes muster
through the lens of
this executive order,
what does that look like?
What can we then do
with that technology?
Why?
The United States uses
every tool of national power
in pursuit of our interests,
uh, grounded in our values.
And so, we do believe,
and openly acknowledge,
that there are legitimate
law enforcement
and national security uses
of these technologies.
There were a number of joint
statements circulating around...
Spain signed on to one
of these statements.
Obviously, the administration
in Madrid has been implicated
in one of the largest spying
operations domestically
in their country, in the world.
Uh, how do you feel about
them being a signatory?
I think that getting countries
to publicly align
with the principles
is always a good thing.
Even if it's hypocritical?
And then we have
to continue to hold
their feet to the fire,
just as we do ourselves,
to make sure that we're living
up to the implementation.
I've had conversations with
foreign officials who say,
"Well, you want us to have
more transparency about this.
You want us to have clearer
routes for judicial oversight
for-for these-these
kinds of tools.
Uh, where is that from
the United States?"
I think the Executive
Order is a statement that
everything that came
before was not adequate.
And-And this is a
very strong attempt
to put those
guardrails in place.
My perception, digging into
this issue, has been that
inevitably we're gonna
have the first big scandal
where this is used to
scale on American soil.
Do you think it's headed down
a path of more domestic impact?
I think we can't put
the technology genie
back in the bottle.
That's kind of an unfortunate
reality of these things.
So once they're out
there in the world, um,
any nefarious use
that we can imagine,
we're probably going to see.
And so we would be well-served
to think forward in time,
um, and anticipate
that kind of thing.
[soft music playing]
[Ronan] Spyware is here to stay.
The industry is still growing.
It's gonna keep getting
more sophisticated,
more intrusive,
and easier to hide,
especially as we witness
the dawning of a new era
of artificial intelligence.
This is still a largely
unregulated category
of technology,
one that will always
be seductively useful
for law enforcement
and always pose a
threat to democracy
and human rights.
Technology is reorganizing
the life of the world.
President Biden likes to
say that, in many ways,
we're at an inflection point,
where the decisions
that we're making now
and in the next few years
are likely to shape
the next decades.
[dramatic music playing]
[Ronan] Commercial spyware
is going to continue
to shape conflicts
around the world.
Questions remain about the
role these surveillance tools
have played in the
Israel-Gaza war.
Since Hamas's attack
on October 7th, 2023,
sources close to
NSO have claimed
the Israeli government
is using Pegasus
to try and track down hostages.
And additional investigations
have been opened in Poland
and in Jordan.
Governments and legislators
will be struggling to catch
up to this technology.
Tech companies are gonna
have to fight harder
to defend themselves
against a teeming
international landscape
of unseen adversaries.
The message is that
unchecked spyware
is a national security risk
for free societies.
[Ronan] More ordinary
civilians are being ensnared,
their most private data stolen
and potentially exploited.
[in Catalan]
[Ronan] There will be more
families and communities
upended by this.
There will be more urgent need
for the work of
activists and researchers
bringing this out
of the shadows.
This is an important issue.
I think things are gonna get
worse before they get better.
In spite of the measures
that have been taken,
the industry is only
going to continue to grow.
[Ronan] Otherwise, the
only path towards privacy
might be living
without our phones.
- [camera phones clicking]
- [indistinct chatter]
[dramatic music continues]
- [phone camera clicks]
- [music ends]
[pensive electronic
music playing]