Spyware threat haunts journalists and muzzles press in Togo
“I am a journalist on borrowed time.”
That’s how Togolese reporter Ferdinand Ayité, director of the West African nation’s L’Alternative newspaper, described himself last year after learning that his phone may have been infected with spyware.
The revelations came from the now infamous Pegasus Project. The multi-newsroom investigation exposed the stunning global reach of Pegasus, a sophisticated spyware tool developed by the Israeli company NSO Group. The investigation centered on a leaked list of 50,000 phone numbers that clients of NSO, mostly autocratic and democratic governments alike, had allegedly selected for potential surveillance. Among those on the list were nearly 200 reporters from around 20 countries, including Togo’s Ayité, an enterprising investigative reporter.
A lot has happened in the twelve-plus months since the news came to light. Protestors took to the streets from Hungary to India and the list of confirmed Pegasus victims continues to expand. Meanwhile, NSO Group is facing a growing international backlash: The Biden administration blacklisted the company; Apple sued the Israeli spyware firm for allegedly violating its user terms and services agreement; and the European Parliament and several jurisdictions have launched official investigations into Pegasus. The pushback shows that there is at least some institutional appetite to crack down on Pegasus a year after the revelations, even if privacy advocates say it’s been too little, too late.
But for the targets of the spyware, people spied on perhaps by their own governments, the consequences have been deep and long-lasting.
After the news broke, the Committee to Protect Journalists (CPJ) talked to Ayité and the two other Togolese journalists on the Pegasus Project list — Komlanvi Ketohou, and Luc Abaki — about the impact of the revelations. “I spent nightmarish nights thinking about all my phone activities. My private life, my personal problems in the hands of strangers,” Ketohou said. “It’s scary. And it’s torture.” Ayité described the “huge psychological impact of knowing that someone in this country is taking control of your phone, violating your privacy.”
A year later, the experience continues to harm the journalists’ personal and professional lives, says Jonathan Rozen, a senior researcher with CPJ’s Africa program. While the journalists could not confirm that their phones were definitively infected with the spyware, “essentially they moved through life as though they had been,” Rozen told me. That awareness has eroded the journalists’ sense of personal safety and damaged their ability to communicate securely with sources. “The concern is pervasive,” Rozen, who recently spoke to the Togolese journalists, explained. “It doesn’t go away. It changes people’s behavior. It’s a real panopticon effect.”
The revelations have also left Togolese citizens wary of talking to the press. One reporter, Komlanvi Ketohou, told Rozen that his colleagues and sources were afraid to talk to him after finding out that his number was on the Pegasus Project list, fearful that their conversations could expose them to government surveillance. “People are concerned that being in contact with someone who was alleged to have any connection with spyware might put them in danger,” Rozen said.
For the journalists, the spyware threat has coincided with a deteriorating press freedom landscape, as Togolese authorities ramp up attacks on independent media. A local press freedom group described 2021 as the “darkest [year] of the democratic era in Togo in terms of press freedom.”
Investigative reporter Ayité was arrested a few months after the revelations over an online broadcast and spent nearly a month in jail. Ketohou, meanwhile, fled Togo in early 2021, after publishing an article alleging government corruption that landed him in detention. He has continued to cover Togo from abroad, but the paranoia that was brought on by the prospect of surveillance hasn’t gone away even though he is no longer within the country’s borders.
“He explained that this kind of surveillance remained as a sort of transnational concern,” Rozen said. “Of course, they can reach across borders. They can reach across oceans with this spyware into his device.”
IN GLOBAL NEWS:
Federal jury charges ex-Twitter employee in dramatic foreign agent case: After a two-week trial in California, a former Twitter media partnership manager has been convicted in the U.S. for taking bribes from Saudi officials in exchange for “accessing, monitoring and conveying the private information” of Twitter users, including emails, phone numbers and IP addresses. One of the accessed accounts belonged to a popular anonymous activist who tweeted gossip about the royal family and was rumored to be a royal insider. The Twitter employee, Ahmad Abouammo, provided the information to his Saudi handlers in exchange for a $42,000 watch and payments totalling at least $300,000, some of which was deposited into an account in his father’s name and then laundered into the U.S., according to evidence presented in the trial.
During the case, a Russian former colleague of Abouammo’s told the court how media partnership managers were encouraged to talk up “Very Important Tweeters” in government, media, and entertainment to increase revenue for the company. The Russian employee also said it was expected that he would work with officials in the Russian government, including Vladimir Putin. “I was responsible for Twitter in Russia,” he testified. “The more successful I was at my job of talking to our media partners and getting them to tweet more, the more content it would get. The more tweets, the more advertising Twitter could sell and it would get more revenue.”
China’s internet regulator has grown into an all-powerful behemoth since its inception, extending into policy and regulation on cybersecurity, data security, and privacy. While the Cyberspace Administration of China (CAC) has become increasingly influential over the eight years of its existence, much remains unknown about its operations, according to a preview of a forthcoming in-depth report from the DigiChina Project at Stanford University. The report found the country’s cyber regulator “lacks many formal attributes of an administrative agency in the Chinese system,” such as accountability and institutional transparency. “In light of the CAC’s growing clout, its dual party-state status raises questions concerning its decision-making, daily operations, and accountability to its regulated public,” the authors conclude, “which in addition to Chinese online actors includes foreign companies, organizations, and individuals doing business in and with China.”
More abortion surveillance dystopia. Facebook gave police in Nebraska a 17-year-old girl’s private chats about her abortion, according to court records recently obtained by Motherboard. The DMs were then used to seize the teenager’s laptop and phone. The teen allegedly bought medication abortion to terminate her pregnancy at 28 weeks pregnant, in violation of the Nebraska’s 20-week abortion ban. She is now being tried as an adult and has been charged with five crimes. While the abortion allegedly took place before the U.S. Supreme Court overturned the landmark abortion ruling, Roe v. Wade, in June, “they show in shocking detail how abortion could and will be prosecuted in the United States, and how tech companies will be enlisted by law enforcement to help prosecute their cases,” Motherboard explained. For more on what the end of Roe means for surveillance and content moderation, you can check out our previous reporting here and here.
This newsletter is curated by Coda’s senior reporter Erica Hellerstein. Liam Scott and Frankie Vetch contributed to this edition.