Governments are using Pegasus, the military-grade spyware sold by the Israeli firm NSO Group, to hack telephones belonging to journalists and dissidents around the world, according to research and reporting by a consortium of newsrooms and human rights organizations.

Pegasus was used in the attempted or successful hacking of 37 phones, including devices belonging to investigative journalists in Azerbaijan, Mexico, India, and two women close to the murdered Saudi Arabian Washington Post journalist Jamal Khashoggi. 

Coda Story has previously reported on the Indian government’s alleged use of Pegasus to target dissidents, including the late Father Stan Swamy, a prominent Jesuit priest and human rights activist.

The telephones infected with Pegasus spyware were included on a list of 50,000 phone numbers, according to Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International. It is unknown how many of the numbers on that list were subject to surveillance using Pegasus, but at least 10 of the countries represented — including Mexico, Saudi Arabia and Hungary — are reportedly NSO Group clients.

NSO Group has pledged to investigate allegations of human rights abuses connected to Pegasus. “From a sensational headline screaming ‘50,000 phone numbers’ we are left with 37, that we are still seeking any proof of their relation to NSO,” said an NSO Group spokesperson in a statement to Coda Story.

David Kaye is a clinical professor of law at the University of California, Irvine, and was United Nations special rapporteur on the promotion and protection of freedom of opinion and expression from 2014 to 2020. While at the U.N., he recommended a moratorium on the sale of spyware. He spoke to us about why he thinks this is necessary. 

This conversation has been edited for length and clarity. 

Coda Story: We already knew that governments use Pegasus against journalists and dissidents, but the latest leak shows the scale of the problem. What was your reaction? 

David Kaye: We’ve had example after example of journalists, activists and political opposition figures being targeted by tools like Pegasus. The surprising thing here is that this hasn’t been exposed before, and that the international community even needs this kind of wake-up call in order to do something.

When you look at all the phone numbers that have been put on lists by governments, it’s striking to see that, even if they don’t follow through on targeting all those people, they are thinking about how they can use this incredibly intrusive tool in order to get at those who are reporting on issues that hit close to home, like corruption and government criticism. The fact that companies have the ability and freedom to continue to sell these tools is really shocking to a lot of people. 

Coda Story: In 2019, when you were U.N. special rapporteur, you called for a moratorium on selling spyware like this. Why did you feel like that was necessary?

We’ve already had a huge amount of reporting on this industry and its lawlessness. The thinking that I had at the time was, ‘I’m not calling for a ban.’ It was a call for a moratorium so that, while there’s a pause, there’s no transfer of the technology, there’s no sales. During that period, governments develop the regulatory environment and also develop a set of guidelines so that companies understand the red lines. 

Governments are going to say, like the surveillance industry itself says, that some of these tools are needed in order to counter terrorism and crime. Fine. If that’s true, then neither the government nor the industry should complain if we want to have very strict controls, so that they are only used for those purposes and only used in the context of the rule of law. The moratorium creates space for that kind of policy-making.

Coda Story: Two years on, do you think Pegasus should be banned outright? 

I’m open to thinking about Pegasus as a tool that should just be banned. But we need to be realistic about what governments will do as a first order of business.

If you have a moratorium, it’s a temporary ban that allows governments to think through the implications of this tool to see whether it’s possible to imagine rule of law constraints, whether constraints on the export and use of these tools could meaningfully address all of the concerns that we’re seeing around Pegasus. I’m in a middle space where I’m not sure that’s possible.

The big question is that Pegasus and other surveillance tools are used in such a secretive way, is it possible to put them under constraint?  

Coda Story: It sometimes feels like regulations are playing catch up with systems like Pegasus. Is it too late to regulate them? 

It’s a vast industry and we hardly know the contours of it. It may very well be that it is too late. Companies are developing tools that can very easily evade these kinds of regulatory constraints. 

There was a report on Saturday in the New York Times that suggests that the government of Israel not only green-lit the use of Pegasus by Saudi Arabia, but actually encouraged it. So, we’re not just talking about a question of private actors who are operating in a lawless environment. Governments may also be implicated in these abuses. It’s a much more complicated situation than simply saying, ‘Well we need to find a way to regulate these companies.’ We also need to find a way to regulate the governments that are enabling the spread of the technology.