Published October 13, 2022
Aida Alami has always been wary of surveillance. As a journalist from Morocco, a state with a track record of intercepting phone calls and messages of political rivals, activists, and journalists, she habitually took precautions to protect her sources. She avoided using certain keywords and full names in her communications and conducted interviews over Signal, a messaging app that encrypts all content before it leaves a phone. “For some time, we felt really safe on Signal,” she told the Committee to Protect Journalists in an interview.
That feeling of safety from using end-to-end encryption evaporated in 2019, when WhatsApp-owner Facebook revealed a vulnerability that allowed hackers to infiltrate smartphones simply by calling someone via the messaging app, without the target having to click on a link. Moroccan authorities had allegedly exploited this now-patched flaw to gain secret access to the phones of journalists and activists, including Aboubakr Jamai, CPJ’s International Press Freedom Award winner in 2003.
Like Signal, WhatsApp uses end-to-end encryption to scramble all calls, messages, audio, photo, and video both in transmission as well as on the company’s server – an important security feature that prevents governments from intercepting or subpoenaing communications. However, the Facebook disclosure showed that surveillance software could be inserted onto any phone via any app.
That was when Alami realized that just about every precaution she had been taking was now obsolete. “That was really scary,” she said.
Since then, Alami has continued to write and report for The New York Times and other publications. But working under the constant threat of surveillance has made her job that much harder. “I know for a fact that a lot of people are scared to talk to me,” she said. “A lot of people are scared of writing me, they’re scared that my phone is watched. What happens is that you’re just paranoid all the time. You assume that your conversations are being read by someone else.”
There’s nothing new about governments or criminal gangs spying on journalists or activists they fear might expose or discredit them. But the development of high-tech “zero-click” spyware – the kind that takes over a phone without a user’s knowledge or interaction – poses an existential crisis for journalism and the future of press freedom around the world.
In interviews with reporters, tech experts, and press freedom advocates in multiple countries, the Committee to Protect Journalists (CPJ) has found that the fear of surveillance extends far beyond those able to prove infiltration of their phones. These attacks – or the mere possibility of them – have already had a chilling effect on sources, who fear their conversations with reporters could expose them to retribution from authorities. Many journalists told CPJ that they are concerned not just for their own personal safety, but for friends and family who may be targeted along with them. Newsroom leaders tell of taking extra security precautions when discussing coverage plans. The awareness that any journalist could be tapped without their knowledge has created profound feelings of powerlessness that could prompt many to leave the profession – or not enter it to begin with. “Violence against journalists is rising,” John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, told CPJ. “So are digital threats. The damage by tools like Pegasus is contributing to the rise in violence.”
Pegasus, a product of the Israeli firm NSO Group, is probably the best-known mobile surveillance program. Like other spyware, it works by insinuating itself into smartphones, but gives the infiltrator particularly free run of the device – access to its microphone and camera, any files or photos stored on the phone, any network connections, contact information, message and browsing histories, passwords, email accounts, recordings and so forth. The purchaser can listen to conversations – even ones that take place over encrypted messaging apps like Signal – all without owners knowing that their phones have been turned into instruments of surveillance.
Perhaps one of the most alarming aspects of the new generation of spyware is that the old methods of defense don’t work. Infection can be a zero-click operation; targets needn’t open a link or download an attachment. All it takes to pierce the phone’s defenses is an unanswered call or an invisible text message. Measures like encryption are only a good protection against a spy who intercepts messages such as texts or emails or voice calls after they’ve left the phone. When spyware takes possession of a phone, it can eavesdrop on a call before encryption takes place, much like reading a letter over a writer’s shoulder before it is sealed in an envelope.
In July 2021, the Pegasus Project found phone numbers of more than 180 journalists on a list of what appear to be potential targets of Pegasus spyware that could turn their mobile phones into listening devices. The NSO Group denies any connection with the Project’s list and says that it only sells its product to vetted governments with the goal of preventing crime or terrorism.
Pegasus, however, is just one part of a private surveillance industry now bringing the tools of high-tech spycraft to any nation – or, in theory, any organization or individual – that has the millions needed to pay for the service, experts say. “It’s no longer the super states and the super cyber powers, but just about anybody who wants to find out who reporters are talking to, who their sources are, where they’re getting their information from,” Michael Christie, general manager of global logistics and security at global news agency Reuters, told CPJ.
“Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life,” Szabolcs Panyi, the investigative reporter “Of course, I have much more difficulty meeting and communicating with sources, who are increasingly afraid of the trouble I might bring into their life,” Szabolcs Panyi, the investigative reporter who, along with Direkt36 editor András Pethő, broke the news that Hungary’s government had bought Pegasus spyware and was himself a target of the surveillance, said in an interview with CPJ. “Among Hungarian journalists, the biggest fear now is that this [Pegasus] affair will have a chilling effect on sources, and paradoxically this enormous scoop will hinder our work in the long run.”
Journalists in multiple countries share similar concerns. For many, spyware infections have been a prelude to harassment and imprisonment under false charges – and sometimes worse. The Guardian reported that around the time Washington Post columnist Jamal Khashoggi was killed and dismembered at Saudi Arabia’s Istanbul consulate in October 2018, phones belonging to his close associates and family were targeted with Pegasus spyware. Separately, freelance Mexican journalist Cecilio Pineda Birto was selected for surveillance with the spyware a month before his assassination in 2017, The Guardian reported.
“This is above all an assault on [the] freedom of the press,” said Siddharth Varadarajan, founding editor of The Wire, a news website in India, at the International Journalism Festival in Perugia, Italy, in April. “Because when you use Pegasus or…deploy spyware against journalists, you are clearly intending to hamper the work that they do.”
Private spyware firms have been on the scene for more than a decade, but these were mainly small operations, Etienne Maynier, a security researcher at Amnesty International, told CPJ. The rise of NSO marked an increase in scale, attracting investors into the spyware market. Last year, NSO was considering an initial public offering.
The publication of the Pegasus Project, an investigative collaboration between Forbidden Stories, Amnesty International, and 17 global media outlets, disrupted those plans. The reporting group acquired a leaked list of 50,000 phone numbers of potential targets of NSO clients. They managed to identify about 1,000 people whose phone numbers were on the list, including 189 journalists. They selected 67 people who they thought were most likely to have been hacked. Amnesty’s security lab analyzed the phones and, by July 2021, had found evidence of infections on 23 phones and of attempted penetration on another 14; the count has continued to swell. Among them were heads of state, cabinet ministers, diplomats, military security officers, and journalists from the world’s top media organizations.
After the report came out, the U.S. Commerce Department added NSO to its export-restriction list, blocking hopes of an initial public offering (IPO). (CPJ is part of a coalition of human rights and press freedom groups calling on the U.S. government to keep NSO Group on that list and to hold it responsible for providing Pegasus spyware to governments that have used it for secret surveillance of journalists.) Investors once valued the firm at $1 billion but, according to filings to a London court as reported in the Financial Times in April, came to consider it “valueless.” In July, U.S. military contractor L3Harris abandoned its efforts to buy NSO; in August the company’s CEO stepped down as part of an internal reorganization.
Still, the spyware industry, which also includes firms like Candiru, Cytrox, and RCS Labs, remains open for business. In June, Google researchers warned victims in Kazakhstan and Italy that they were being targeted by a sophisticated RCS Labs program – known as Hermit – that could go beyond stealing data to recording and making calls. “The emergence of Hermit spyware shows how threat actors – often working as state-sponsored entities – are pivoting to using new surveillance technologies and tactics following the blow-up over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyber attacks against dissidents, activists and NGOs, as well as the murders of journalists,” wrote cybersecurity news outlet Threatpost.
Zero-click spyware penetrates smartphones by exploiting flaws in the phones’ software. The most sought-after is a “zero-day,” a term that originally referred to the number of days since a product’s release, but which has come to mean any flaw in a device that its manufacturer is not aware of and hence has taken no action to fix. The flaws arise mainly because smartphones are designed to interact easily with the outside world. They are also extremely complex. The latest chips that Apple uses in its iPhones, for instance, have 16 billion physical components (transistors), on top of which are layers of immensely complicated software that govern basic operations of the devices, coordinate all the apps and cellular network connections and Wi-Fi, and handle a constant flow of data into and out of the phone. Inevitably a new phone hits the marketplace with security vulnerabilities – zero-days – which, for hackers, are like doors left unlocked.
Apple, Google, and other manufacturers of smartphones are constantly on the lookout for zero-days, and they pay hackers for pointing them out. Hackers can make more money, though, by selling zero-days and “exploits” – computer code that takes advantage of the vulnerability to breach the phone’s security – to brokers. The highest prices go to “high-risk” vulnerabilities – those that can cause the most damage to the integrity of a phone. Zerodium, a zero-day broker based in Washington, D. C., advertises on its website bounties of up to $2.5 million for “high-risk vulnerabilities with fully functional exploits.” Spyware firms like NSO package such exploits for government clients.
The growth of the industry appears to have generated a rise in stealth surveillance of opposition leaders, activists, and journalists, as the Pegasus Project and other reports from Amnesty International, Citizen Lab, and other organizations have documented. With infections notoriously difficult to confirm, exact numbers are hard to determine. On the media front, some non-investigative journalists may have been targeted because they’d been in contact with sources already under surveillance. However, the most likely targets are journalists who have written articles that make autocratic governments uncomfortable, such as exposing corruption.
In Morocco, for instance, the Pegasus Project reported that journalist Soulaiman Raissouni was selected for surveillance prior to becoming editor-in-chief of Akhbar al-Youm, one of the country’s few independent newspapers. He is now serving a five-year prison sentence for sexual assault, which his supporters believe was fabricated. The editor that Raissouni replaced, Taoufik Bouachrine, was also reported to be on the surveillance list. Bouachrine is currently serving a 15-year prison sentence on numerous sexual-offense charges that local journalists and press freedom advocates believe are in retaliation for his critical reporting. Forbidden Stories was unable to obtain access to their phones to confirm the presence of spyware and the Moroccan government has denied ever using Pegasus, but Bouachrine’s wife, Asmae Moussaoui, believes she proved her own phone was being monitored after a local tabloid published reports based on false information she’d deliberately used as bait in her calls.
The industry’s lack of regulation makes it impossible to prevent abuse of spyware. NSO Group general counsel Chaim Gelfand refused to name specific clients when he addressed the European Parliament’s spyware investigative committee in June, but stressed that NSO only sells Pegasus to legitimate governments and said the company had terminated contracts with eight countries in recent years, with some of the cancellations made after the publication of the Pegasus Project. “The system is sold to save lives [but] anything can be misused,” he told the parliamentarians.
There is ample evidence to suggest that some who came under surveillance were targeted for political reasons: seemingly because they were opposition politicians or activists or, in the case of journalists, because their work could prove embarrassing to authorities.
In India, for example, the Pegasus Project found traces of the spyware on the phones of two founding editors of The Wire – Siddharth Varadarajan and M.K. Venu – and identified four others writing for the news website as potential targets. The Wire has long been a thorn in the side of the leadership for connecting the ruling Hindu nationalist Bharatiya Janata Party with allegations of corruption, promotion of sectarian violence, and use of technology to target government critics online. Police investigations, criminal defamation suits, doxxing, and threats have dogged the paper’s staff, particularly in BJP-led states.
The Indian government denies that it has engaged in unauthorized surveillance, but has not commented directly on a January New York Times report that it acquired Pegasus from Israel in 2017 and has not cooperated with an ongoing inquiry by an expert committee appointed by the country’s Supreme Court to investigate illegal use of spyware. In late August, the court revealed that the committee had found malware in five out of the 29 devices it examined, but could not confirm that it was Pegasus.
India’s spyware revelations have taken fears of surveillance to new levels. Journalists associated with The Wire told CPJ that the disclosures have made them much more cautious. “We would not talk [about sensitive stories] on the phone,” said Ajoy Ashirwad Mahaprashasta, the site’s political editor. “Even when we were meeting, we kept our phones in a separate room.” Although regular editorial meetings at The Wire are held through Google Meet, sensitive stories are discussed in person.
Swati Chaturvedi, an investigative journalist on the target list, said her immediate concern following the revelations was protecting her sources. “In Delhi, everyone I know who is in a position of power no longer talks on normal calls,” she told CPJ.
Outside the newsroom, the spying revelations have affected journalists’ families and friends. “After Pegasus, my friends and family members did not feel safe enough to call me or casually say something about the government,” said Arfa Khanum Sherwani, who broadcasts for The Wire on YouTube and is known as a critic of Hindu right-wing politics.
Journalists are equally concerned in other regions around the world. In the Middle East, governments invested heavily in surveillance technology after the Arab Spring protests began over a decade ago. In particular, Israel and the United Arab Emirates have become regional hubs for the nascent spyware industry. At the same time, ruling authorities region-wide passed “cybercrimes” laws, ostensibly for curtailing the spread of misinformation or hate speech. But the laws are vague enough to encompass journalism that officials do not like.
In recent years, several high-profile cases of spyware attacks against international reporters, prominent local journalists, and associates of well-known columnists such as Khashoggi have come to light. Citizen Lab has identified dozens of likely spyware operators throughout the region, particularly in the Gulf, and estimates that the region has some of the highest number of spyware infections in the world.
In Jordan, Suhair Jaradat was one of two journalists who were targets of a Pegasus attack by an unknown operator publicized earlier this year. Front Line Defenders, an international human rights group, and Citizen Lab analyzed her phone and determined that it had been hacked six times in 2021. Jaradat, whose coverage includes arrests of political opposition figures, told CPJ that she believes whoever initiated the attacks were seeking the identities of her sources; at a cybersecurity conference in February, she learned that her phone had been compromised anew.
The near impossibility of finding smoking-gun evidence that implicates the instigator of an attack is one of the most vexing aspects of hacking in general and mobile spyware in particular. What’s left is circumstantial evidence and motives. Authorities in Jordan, for instance, have denied using Pegasus. “In Jordan, authorities stated before that they don’t use this spyware, and that people inside the Royal Court were also attacked by it,” said Jaradat. “Then who is behind this attack?”
In late 2018, Citizen Lab published a report that also found evidence of Pegasus throughout Africa, including Côte d’Ivoire, Togo, Uganda, Kenya, Rwanda, Zambia, South Africa, and most North African countries. “I spent nightmarish nights thinking about all my phone activities. My private life, my personal problems in the hands of strangers,” Togolese journalist Komlanvi Ketohou said after the Pegasus Project reported last year that his phone number was allegedly selected for potential surveillance.
The use of Pegasus on the phones of three reporters from Togo has not been confirmed, but that’s done little to ease their fears. Speaking to CPJ 12 months after the Pegasus Project report, they said the prospect of being monitored still generates pervasive paranoia and hinders their communications with sources. “There is a kind of permanent fear,” said Ferdinand Ayité, director of Togo’s L’Alternative newspaper. “Sources treat us differently. Several people are reluctant to take our phone calls.”
In Mexico, one of the world’s most dangerous countries for journalists, federal agencies spent more than $61 million on Pegasus alone and up to $300 million on surveillance technology between 2006 and 2018, according to statements by federal Public Safety Secretary Rosa Icela Rodríguez in 2021. New disclosures emerged in October 2022, when a joint investigation by three Mexico-based rights groups and Citizen Lab found evidence of Pegasus infections on the devices of two Mexican journalists and a human rights defender between 2019 and 2021 – infiltration that occurred after Mexican President Andrés Manuel López Obrador’s 2018 promise to end illegal surveillance. López Obrador denied on October 4 that his administration had used Pegasus to spy on journalists and activists.
The previous Mexican administration also denied using the technology on high-profile journalists, including investigative reporter Carmen Aristegui and several people close to her, as well as Griselda Triana, the widow of journalist Javier Valdéz, who was murdered in Sinaloa in May 2017, and two journalists of RíoDoce, the magazine he co-founded.
In Latin America, the International Network of Journalists found that almost every country has purchased or expressed interest in licenses for surveillance technology over the last decade. A trove of leaked documents published by Wikileaks in 2015 and summarized in a 2016 report from Chile-based digital rights organization Derechos Digitales found that 13 countries in the region bought licenses from or contacted Hacking Team, a now defunct Italian company that sold surveillance malware to public officials around the world.
In January 2022, an investigation by Access Now, a global digital rights organization, and Citizen Lab, in collaboration with Front Line Defenders and other organizations, confirmed 35 cases of journalists and members of civil society in El Salvador whose phones were infected with Pegasus spyware between July 2020 and November 2021. The hacking took place while the journalists and outlets were reporting on sensitive political issues involving the administration of President Nayib Bukele, according to the report.
“Surveillance technology is so dangerous in Latin America because of the absolute lack of transparency,” Gaspar Pisanu, Access Now’s Latin America policy and advocacy manager, told CPJ in an interview. “There’s no way of knowing what technology is being used, or how. We don’t know any statistics, what kind of data is being accessed, who is in charge of these programs, what type of contracts they have. Regardless of whether it’s a democratic or authoritarian government, we’re not able to know.”
While headlines tend to focus on illegal surveillance and the use of spyware to target high-profile individuals, sources told CPJ that the gray area between what’s legal and what’s not leaves ample space for abuse by authorities. “Laws on access to information have very broad exceptions for national security concerns,” which allows officials to justify surveillance with relatively little oversight, said Veridiana Alimonti, associate director for Latin America policy at the U.S. digital rights group Electronic Frontier Foundation.
“Even the possibility that these tools may be used affects journalists, media outlets, the entire community,” said Ángela Alarcón, Access Now’s campaigner for Latin America and the Caribbean. “Journalists are going to engage in self-censorship, they have to invest in other means of communicating, safer tools and channels, mental health support. It impacts the work of journalists, their finances, their motivation.”
In Hungary, journalists told CPJ that meetings with sources have gotten slower and more complicated to arrange. Sources are more reluctant to meet. Interviews often take place outdoors with cell phones left behind. Panyi, the investigative journalist for Hungarian outlet Direkt36, found out from Amnesty International that he’d been hacked with Pegasus for six months. He subsequently investigated the hacking of other high-profile media targets, including Zoltán Varga, investor and owner of the country’s biggest independent news site, 24.hu.
The surveillance of Varga started during a dinner party – “just a friendly gathering,” he told CPJ – at his house in Budapest in June 2018, shortly after Viktor Orbán won a third consecutive term as prime minister. All seven people at the dinner were selected for possible surveillance, and at least one had traces of Pegasus on their phone, according to a forensic analysis. “Using this kind of technology in such a situation for me just shows how much the government is afraid of its opponents,” Varga told CPJ.
Privately sold spyware is not the only tool government authorities use for high-tech digital spying, of course. Little has been reported, for example, about any widespread use of targeted spyware in countries like China and Myanmar, identified as the world’s top two jailers of journalists in CPJ’s 2021 prison census.
China has home-grown surveillance methods for tracking its citizens in general and specific groups like reporters in particular. In late 2019, Chinese authorities began requiring journalists wanting to obtain press cards to download an app called “Study the Great Nation,” which effectively doubles as spyware. According to the Washington Post, Radio Free Asia’s initiative Open Technology Fund found that the Android version of the app “collects and sends detailed log reports on a daily basis, containing a wealth of user data and app activity.” In June, a New York Times investigation found that Chinese authorities collected more personal data about its citizens than was previously known. “Phone-tracking devices are now everywhere,” said the report. “The police are creating some of the largest DNA databases in the world. And the authorities are building upon facial recognition technology to collect voice prints from the general public.”
In Myanmar, CPJ has been unable to confirm if spyware was used to obtain information about the scores of journalists who have been arrested and detained since the February 2021 military coup or if it came from forensic data extracted from phones at checkpoints. Local journalists, however, remain hyper-aware of the threat that military authorities still have access to the surveillance technologies bought by the previous civilian-military government.
“Ever since the coup, we journalists are on high alert and vigilant about being spied upon by the authorities given the country’s history with the notorious military intelligence unit,” said Dominic Oo, the pseudonym under which a local Yangon-based freelance reporter contributes to both local and foreign publications because he fears military reprisals. “Long gone are the days where I am able to walk around town and interview people or just call up a contact on my phone, as this would risk both the interviewer and the interviewees,” Oo told CPJ. “It’s a dystopian nightmare for local journalists reporting the truth about the junta’s brutality.”
Nyan Linn Htet, editor of the independent Mekong News Agency, told CPJ via messaging app that journalists were aware of reports that Myanmar’s military is using spyware and other forms of surveillance to monitor calls by journalists and activists. “We feel totally unsafe using direct phone calls and have had to change our behavior in gathering the news,” said Nyan Linn Htet. “The impact is that it makes it difficult to gather news, data and information, particularly in verifying reports because most people in rural areas are not familiar with encrypted messaging apps.”
Since spyware can be so stealthy, it’s impossible to know for sure how many journalists have been hacked.
Getting a definitive example of spyware that is installed in a phone is “exceedingly rare,” said Steven Adair, CEO of Volexity, a cyber security firm that performs forensics for The Associated Press, in an interview with CPJ. “There isn’t a really good way to track a lot of the malware, and there’s not really a good way to inspect phones. By and large, no one can actually tell you, ‘Hey my phone got compromised.’ Because there isn’t really any [diagnostic test] you can run that will tell you your phone has been exploited.”
Citizen Lab’s Scott-Railton did a back-of-the-envelope calculation based on an investigation of WhatsApp infections in 2019. During two weeks of observation, Citizen Lab found that 1,400 Android users had been infected with Pegasus (though not all were zero-click infections). Assuming infections occurred in iPhones at the same rate, that comes to 2800 infections in two weeks, a rate of 75,000 infections a year. “And that’s just for Pegasus,” he said. “It’s never been a less safe time to be a journalist.”
Security experts at news organizations Reuters and The Associated Press, who between them employ several thousand journalists around the world, say that while they consider spyware a huge potential threat, they haven’t yet seen much of it in practice. “We have 4,000 journalists working for us, divided between staff and freelancers,” said Reuters’ Christie. “That said, when it comes to malware and Pegasus and the like it’s very hard to quantify the threat.”
That uncertainty may be the most pernicious aspect of spyware. In the long-term, journalists who feel threatened by an invisible enemy that could expose their sources and their private lives to public scrutiny may start to shy away from controversial investigations, curtailing their publications’ coverage, and dealing a blow to press freedom.
“All the previous incidents of phone tapping seemed like an innocent act compared to this,” The Wire’s Venu told CPJ. “Earlier it was just one conversation they would tap into. They wouldn’t see what you would be doing in your bedroom or bathroom.” Now, fear of being bugged may lead to “self-censorship,” he said. “When someone gets attacked badly, that journalist can start playing safe.”
Several factors conspire to make spyware difficult to find on phones. The phones themselves are designed to be hard to break into, which makes them impervious to low-level nuisance malware but also, ironically, makes it more difficult to devise anti-spyware protection. Pegasus-like hacks also generally happen silently, though on occasion targets report their phones operating “hot” or having shorter-than-usual battery life. And since spyware is likely to be erased when a phone is updated or reset, it’s difficult for security experts to study.
Amnesty’s forensics team had to work mightily to overcome these limitations during the Pegasus Project investigations. Their evidence did not include Pegasus code nor any observation of the actual program in action. Rather, the team used several indirect indicators that Pegasus had once been active on the phones. They made use of an iPhone feature that tracks certain kinds of activity on the phone’s operating system to flag “suspicious processes” consistent with Pegasus infection. They found records of website addresses (URLs) that Pegasus software has been known to use. And they found other suspicious behavior related to Apple’s iMessage, iMusic, and Facetime apps, which had known vulnerabilities.
“What we found is that the backups of iPhones and several other logs have some data that keep traces of Pegasus,” Maynier told CPJ. “Since NSO moved in 2018 to zero-click attacks, [forensics] has been more challenging.”
Protecting against spyware is equally challenging.
Absent solid information on how many infections journalists have acquired, Reuters and AP have focused on making sure they’re taking whatever security precautions they can and emphasizing the need to educate journalists on the risks. AP advises its reporters to keep separate phones for work and personal use. It also installs “mobile device management” software on reporters’ work phones, which allows the security staff to monitor the phones for suspicious activity. “In terms of tracking Pegasus, we’re not doing anything in that area right now,” said Ankur Ahluwalia, a member of AP’s security team. “The tool sets available to do that remotely are very limited.”
CPJ’s digital safety team recommends that journalists always take measures like updating their operating systems, apps, and browsers, and that high-risk targets consider having several phones that they cycle through – perhaps changing their phone every week or buying low-cost burner phones every few months.
Harlo Holmes, chief information security officer and director of digital security at the U.S. nonprofit Freedom of the Press Foundation, cautions against giving in to a feeling of helplessness. “I see a lot of what I call security nihilism, in that they’ll say, ‘Nope. It doesn’t matter. I had a password manager, I had two-factor authentication. I did all of these things to protect myself. And guess what, everybody still got Pegasus.’ As an advocate for digital security in newsrooms, that’s something I really do worry about.” Holmes advocates “compartmentalization” – using different phones for work and personal lives. “Newsroom managers and editors, and anybody who has control over a budget, should be mindful of this.”
The difficulty of individuals being able to defend themselves against spyware makes it clear that governments and global institutions have to step in. Surveillance technology – and the demand for it – is unlikely to disappear. The challenge now is for governments and rights advocates to find ways to regulate the industry and prevent their products being used as a tool to abuse freedom of speech and other rights.
David Kaye, a law professor at the University of California Irvine and a former United Nations special rapporteur for freedom of opinion and expression, believes that it’s time for governments to ban spyware for its violation of international human rights law. “No government should have such a tool, and no private company should be able to sell such a tool to governments or others,” he writes in a column for CPJ.
Other potential measures suggested to curb the use of spyware include:
* A moratorium on the sale, use, and transfer of surveillance tools pending implementation of regulations that respect human rights – as called for by more than 180 civil society organizations and independent experts, including CPJ.
* Restrictions on imports and exports: The U.S. has imposed import restrictions on NSO Group and pressure is growing in the European Union to implement a regulation (EU law) on the export of dual-use surveillance technology by EU-based companies. The legislation seeks to prevent exports from leading to human rights harm in countries where journalists are targeted and under surveillance because of their work.
* An internationally regulated treaty allowing sales only to signatory governments that pledge to obey the rules of spyware use – a version of the “non-proliferation agreement” suggested by NSO Group’s vice president for compliance, Chaim Gelfand, at a June hearing of the European Parliament.
* Holding spyware manufacturers legally accountable for illicit surveillance using their programs, as in lawsuits filed by Apple and WhatsApp-owner Facebook against the NSO Group after Pegasus infiltrated users’ phones through the tech companies’ devices and platforms.
However, this patchwork of responses leaves those targeted for surveillance with limited options for finding accountability or justice.
One reason is that spyware has proliferated at such a speed that many governments do not have the legal and regulatory structures in place to hold violators accountable. Another is that it’s seldom possible for victims even to prove who is spying on them without cooperation from the spyware companies, which invariably refuse to identify their clients on the basis of non-disclosure agreements and national security claims.
Victims and civil society seeking investigations are also often dependent on governments to transparently investigate themselves. If the intrusion takes place beyond national borders, prosecuting or seeking civil remedies can be difficult, especially if the offending state is authoritarian or has a history of evading accountability.
Even in democratic societies, the political will to restrict spyware may be lacking. A New York Times investigation notes that Pegasus helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo, and that European investigators have used the program to uncover terrorist plots and combat organized crime. Governments are reluctant to lose this surveillance capability for themselves, and many citizens may be willing to sacrifice their private information in the name of protecting national security.
The challenge now is whether legislators and rights advocates can craft an effective global combination of laws, regulations, awareness, and technological solutions to prevent abuse of surveillance technology – and whether they can do it before journalists’ ability to do their jobs is irreparably damaged by the threats to their safety and sources.
Editor’s note: This 12th paragraph of this report has been updated to include the name of András Pethő as a co-writer of Direkt36’s Pegasus investigation.
About the author
Fred Guterl is an award-winning journalist and editor who has covered science and technology for more than 30 years. Currently special projects editor for Newsweek, he is a former executive editor of Scientific American and the author of “The Fate of the Species: Why the Human Race May Cause Its Own Extinction and How We Can Stop It.”
With additional reporting by Jan-Albert Hootsen in Mexico City, Kunal Majumder in New Delhi, Attila Mong in Berlin, Alicia Ceccanese in Washington D.C., Shawn Crispin in Bangkok, Tom Gibson in Brussels, Iris Hsu in Taipei, Muthoki Mumo in Nairobi, Jonathan Rozen in New York, Justin Shilad in New York and Natalie Southwick in New York.
This year, however, reflected a different trend. While CPJ’s annual prison census documented a record 293 journalists jailed around the world because of their work, the Middle East and North Africa saw its regional number drop from 89 in 2020 to 72 as of December 1, 2021 – mainly as a result of releases in Egypt and Saudi Arabia. And for the first time in more than 20 years, CPJ confirmed just one case – Lebanese journalist Lokman Slim – of a journalist being murdered in relation to their work.
One murdered journalist, of course, is one too many. Plus, CPJ is also still investigating the killings of two other reporters to determine whether they too were targeted for their journalism. Yemeni journalist Rasha Abdullah al-Harazi was killed in a car bomb attack on November 9, 2021, while she was driving to a medical appointment with her husband, also a journalist, in the southern port city of Aden. Yousef Abu-Hussein was killed on May 19, 2021, when an Israeli warplane bombed the Gaza City apartment building where he lived with his family.
The question now: why is the regional data moving in a different direction to years past? Unsurprisingly, there’s no single or simple answer.
RELATED COVERAGE
Interactive map and more regional analysis of CPJ’s 2021 data
The overall decline, particularly in the number of journalists killed, may partly be due to the subsiding of the military and political conflicts in the countries most roiled by the uprisings and protests of the Arab Spring as well as the forced exile of journalists from countries like Syria.
Perhaps a bigger factor: governments in the region are making increasing use of methods like censorship, surveillance, and the criminalization of journalism as well as fresh arrests to silence outspoken reporters.
Thus while Egypt might have seen a decline in its overall number of incarcerated reporters in the last 12 months, the 25 it still held on December 1 make it the world’s third-worst jailer of journalists. Saudi Arabia ties with Russia for eighth place.
Or take Syria, which became one of the world’s deadliest countries for journalists when protests against Bashar al-Assad expanded into civil war. The numbers of those targeted by the government declined as the country saw an exodus of journalists first to opposition areas, then outside the county. From 2011 to 2015 CPJ helped more than 100 Syrian journalists go into exile and more than 70 to relocate after the U.S. withdrew its forces from opposition areas in 2019.
More recently, countries including Saudi Arabia and the United Arab Emirates have been documented as purchasers of spyware like Pegasus, allegedly used to surveil scores of journalists around the world.
Against this backdrop, the seemingly encouraging drop in the number of attacks and jailings of journalists in the Middle East and North Africa is still not reason to celebrate. But the trajectory is worth watching.
]]>Sullivan is traveling to the region today to meet with Saudi Crown Prince Mohammed bin Salman, Saudi Deputy Defense Minister Khalid bin Salman, and unspecified U.A.E. officials to discuss the ongoing conflict in Yemen, according to news reports.
“Given the ongoing Saudi and Emirati role in the conflict in Yemen, U.S. National Security Adviser Jake Sullivan must push both countries’ leaders to end press freedom violations committed by parties they support, and call for all sides to end attacks on journalists in Yemen as a first step to any peace settlement,” said CPJ Middle East and North Africa Program Coordinator Sherif Mansour. “Additionally, the U.S. should address Saudi and Emirati leaders’ press freedom records throughout the region, including the use of spyware, and make it clear that security concerns are not a free pass for targeting journalists.”
Forces loyal to the Saudi-backed internationally recognized Yemeni government have detained journalists, and those loyal to the U.A.E.-backed secessionist Southern Transitional Council have held journalists for months and raided news outlets, as CPJ has documented. Amid violations from all sides, including the Houthis sentencing four journalists to death, journalists have told CPJ that they fear for the future of independent journalism in the country.
Both Saudi Arabia and the United Arab Emirates have also deployed spyware and surveillance technology extensively in the region and around the world, as CPJ has documented, making both countries’ press freedom records an international concern, particularly ahead of the October 2 anniversary of Saudi journalist Jamal Khashoggi’s 2018 murder in the Saudi consulate in Istanbul, Turkey.
]]>“I’ve had many experiences of these – sometimes clumsy – surveillance attempts,” Hope said.
More recently, Hope may have been singled out for more sophisticated surveillance. A veteran newspaper reporter specializing in complex international stories, Hope was identified by investigative collaboration the Pegasus Project as one of nearly 200 journalists potentially targeted by clients of the Israel-based technology company NSO Group, which manufactures Pegasus spyware to help governments and law enforcement secretly infiltrate cellphones.
The Guardian, which contributed to the Pegasus Project, reported that a client believed to be the UAE began selecting Hope’s phone number for possible surveillance while he was working for The Wall Street Journal in London in early 2018.
Hope has since left the Journal to launch his own investigative project with his reporting collaborator Tom Wright. It’s dubbed Project Brazen, he said, after the codename the pair used while uncovering a corruption scandal implicating former Malaysian Prime Minister Najib Razak in the embezzlement of funds from the 1Malaysia Development Berhad (1MDB) company. That investigation became the focus of their September 2018 book, “Billion Dollar Whale,” a story that led them to conspirators in the UAE.
Hope spoke to CPJ about the press freedom implications of the Pegasus Project’s list – which also includes some of slain Saudi journalist Jamal Khashoggi’s close associates. Khashoggi’s violent 2018 death features in Hope’s second book, “Blood and Oil,” on Saudi Crown Prince Mohammed bin Salman, whom the CIA has concluded ordered the journalist’s murder.
This interview has been edited for length and clarity. CPJ asked NSO Group to comment on Hope’s remarks; in an emailed statement, a spokesperson said “any claim that a name on the list was necessarily related to a Pegasus target or Pegasus potential target is erroneous and false. NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.” The company has told CPJ that it investigates credible claims of misuse made against its vetted clients.
CPJ emailed requests for comment to the Saudi Center for International Communications under the media ministry; the UAE’s ministry of foreign affairs and international cooperation; and the Chinese ministry of foreign affairs but received no responses before publication.
How did you learn you were on the list that is the focus of the Pegasus Project?
The Guardian contacted me and let me know that I was a target. We did some forensic analysis of my current phone which was considered clean. I was changing my phone frequently when I was a reporter at The Wall Street Journal – I was not particularly worried about the UAE, but more concerned about other characters in the 1MDB case who have a lot of money and a lot of reasons to try and sabotage our reporting. I used best practices to avoid this kind of risk, so if it’s true that they infiltrated a phone of mine, it would have been for a short period.
I was disappointed on one level. I try and have a relationship with all parties that I’m covering, even people that hate my coverage. I always try and [let] them put their point of view. I don’t rush them at the last minute, I give them more time than you would think to respond to anything. I would hope that the UAE would continue to engage me at that level rather than resorting to black ops techniques.
In a way I was surprised that it was NSO software that was allegedly used. They had been briefing many journalists – some that I know – saying that this software couldn’t be used on U.S. or U.K. numbers. I’ve seen in the press recently that they referred only to U.S. numbers, but I’ve heard that they disable its use against U.K. numbers [like the one Hope was using at the time]. I’ve never been a fan of this kind of software but [that idea] was some tiny bit of reassurance.
I wasn’t worried about NSO, I was worried about [actors] that are not well known that have similar software or employ hackers. When it turned out to be the most well-known company – that was surprising.
Jamal Khashoggi, whose associate Omar Abdulaziz was targeted with Pegasus spyware, features prominently in “Blood and Oil.” Were you surprised to learn that more of his connections, including his fiancée Hatice Cengiz, were also listed?
From the perspective of people like myself, in America or Europe, he was a Saudi commentator writing opinion pieces. From the perspective of Saudi Arabia, he was a traitor for a variety of reasons. So knowing that, I’m not surprised that they would be trying to find [proof] that he was working for other countries.
The classic technique to find out about someone is to go through family members. In this case they might have been targeted after he was killed. It would be partially because they’re trying to understand what countries are working with those family members to elevate that story or whether his family members were being paid or anything like that – evidence for what they believe to be true.
What were you working on yourself?
I was doing some reporting that would have been viewed in Abu Dhabi by some parties as problematic. We wrote a series of stories [for the Journal] about the UAE’s main conspirator in the 1MDB scandal. That would likely be very annoying for different parties in the UAE.
The fact-checking part of [“Billion Dollar Whale”] was the culmination of all that, where we really laid out all the damaging things we had found. That would have been reason for somebody in the UAE potentially to put my phone number on a list because they’d be wanting to know, “Who are the sources for this journalist?” They’d be wondering what other country was supplying this information – even though it was never the case, many people in the government would think that way.
After the prime minister of Malaysia was voted out of office, all these documents were released [including] talking points between China and the Malaysian government. Chinese officials offered to penetrate [“Billion Dollar Whale” co-author] Tom [Wright]’s devices and do physical surveillance of him in Hong Kong, where he lived at the time. Another time when Tom was reporting in Malaysia, a source close to the bad guy called us and said they were thinking about arresting him and he had to escape through Singapore very rapidly.
I never once really worried about physical threats in my career particularly because I was an American journalist at a major international newspaper. But cybersecurity [threats] I was always afraid of, and things like [the Pegasus Project], they kind of highlight it.
[Editor’s note: In January 2019, Hope and Wright reported in the Journal that a Chinese domestic security official had established “full scale residence/office/device tapping, computer/phone/web data retrieval, and full operational surveillance,” in order to “establish all links that WSJ HK has with Malaysia-related individuals.” Neither that official nor the Chinese government information office responded to their requests for comment at the time.]
Where were you at the time you could have been targeted, and how does that factor into the risk of surveillance?
I would have been mostly located in the U.K. [with a U.K. number] at that time. I didn’t travel to the Middle East. If I was in the country, it would be a lot easier to insert something [on the device].
In many countries in the world – Gulf countries, countries in Asia like China – there is no safe way to travel there with any of your technology. If you’re doing reporting in those places you have to leave everything behind and not log into anything while you’re there. I would bring a new phone. [When you leave] you have to assume that everything you’ve taken with you is no longer usable. You have to have a temporary set of equipment.
If you’re reporting on anything that relates to the leadership of those countries, I would argue it’s too dangerous to do any reporting on the ground [if] you’re not comfortable leaving a trail. It would be very hard to ask people in those countries [questions] about the leadership. It’s a funny situation. If you’re the Saudi bureau chief you’re actually restricted in what you could find out. The best place to report on the UAE, Saudi Arabia for example, would be London.
[Those] Middle Eastern countries [that] are not developing tools themselves are having to go and buy them which increases the risk to them of being exposed. In China we hear all the time about Chinese hacking initiatives, mostly through U.S. federal lawsuits that name and shame them, explaining what they did and who they hacked within America. We don’t hear about them buying the software because they develop it all within China.
The Gulf states are essentially buying those things – everything from intelligence work to cyber intrusion, and that’s much easier to get exposed, whereas China is much better at keeping a tight lid on what’s going on in China.
What does this mean for journalists?
The arms race for intrusion is so profound, there’s no real stopping it. There’s always going to be someone out there with this kind of equipment. It’s a wake-up call for journalists. We love our phones, all this high-tech stuff, using Signal – but there’s no way to protect yourself enough.
The toolbox for journalists has to change. I hope that Apple and others take up the challenge to make phones more secure, but ultimately if you’re dealing with any story where someone’s life is at risk, you have to go lo-fi and take really annoying, time-consuming steps to protect people – meeting people and leaving your phone behind. Giving your source an old-fashioned pay-as-you-go phone that you only use to plan the meeting. Tools like Signal have been such a boon for journalists, but if your phone itself is vulnerable it doesn’t help.
]]>“Twitter trolls were vicious. Sometimes I had to report up to 20 accounts a day, most of them claiming to be from Saudi Arabia, the UAE and the Gulf,” Abdellatif told CPJ via email.
Because she contributed to an Israeli newspaper, Abdellatif was also accused of being a Zionist, a term considered insulting in Gulf countries which have historically supported Palestinians in spite of Bahrain and the UAE’s recent normalization deals with the country.
Though she is based in a comparatively safe country, Abdellatif said the threats made her fear for her security. She told CPJ she reported the threats to the Dutch police who scheduled a meeting to discuss them. She also said she reported the threats to Twitter, which she said replied that the messages broke its rules but did not say if the company would take further action. CPJ contacted Twitter Human Rights Director Cynthia Wong via messaging app but did not receive a response.
Beyond the immediate impact on her life, the threats, Abdellatif said, are illustrative of the backlash against reporters who cover women’s issues in the Gulf, a backlash that is much more dangerous for journalists based in the region. Nassima al-Sada and Nouf Abdulaziz, two commentators who cover women’s issues, were both arrested in Saudi Arabia in 2018, according to CPJ research; al-Sada is still imprisoned while Abdulaziz has now been released, according to a February statement from PEN America.
Abdellatif, who has worked for the Wall Street Journal and the Los Angeles Times and is now an editor and writer at travel business website Skift, spoke to CPJ about the challenges facing female journalists in the Gulf based on her experience as a reporter in Saudi Arabia and the UAE. This interview has been edited for length and clarity.
What is it like for women journalists in the Gulf?
You can be targeted for being a journalist, a woman, and a woman of Egyptian or African descent. I faced attacks and sexism in the Gulf because I tick all three boxes.
Systemic racism and gendered attacks are huge challenges. The only difference (with the rest of the Arab world) is that some countries, including the UAE and Saudi Arabia, invest more money in PR to control the narrative and their image. Social media users and propagandists from the Gulf and Saudi Arabia have infiltrated online spaces to silence critics. Twitter has become their playground. Almost every woman journalist who dares to criticize or question authorities in the region gets threatened or trolled online.
Women journalists rarely report these attacks because there is a lack of accountability.
There has always been a fear of authority in the Middle East region due to assassinations of journalists, forced disappearances, or gendered attacks, as happened to Ghada Ouiess (a Lebanese journalist for Al-Jazeera who alleges that her phone was hacked and she faced online harassment). Others are also worried about losing their jobs. I was warned by many female colleagues to avoid speaking about my experience before I left the Gulf. Some were genuinely scared for my life or the lives of my loved ones; others warned me I might never work in media again because Saudi Arabia is invested in prominent media organizations, including Bloomberg.
This culture of silence is why perpetrators act with impunity. The global community also turns a blind eye to perpetrators in the Middle East because they think this behavior is part of the culture. It is linked to racism and perpetuates a colonialist mentality that has no place in today’s world. It puts women like me and many others at risk.
[Editor’s note: Neither Saudi Arabia’s Ministry of Media, nor the UAE Embassy in the United States replied to CPJ’s emailed request for comment.]
Your columns on topics like sexual abuse and harassment of female journalists have drawn a lot of criticism. Do you think this has to do with the outlet that published them — Haaretz — or the issues you address in your columns?
Social media accounts claiming to be from Saudi Arabia and even a few colleagues from the Middle East tried to discredit my lived experiences simply because I published in Haaretz – an Israeli newspaper. These attacks never offer constructive criticism or an invitation for dialogue. The real issue is that I am a woman of Middle Eastern descent who overstepped societal boundaries to choose where and how my testimonies get published. This is what our attackers fear more than anything: women reclaiming the narrative.
The unhinged behavior and discrimination that I witnessed while working in Saudi Arabia is very similar to the gendered attacks that I’m currently experiencing online. Twitter users claiming to be from Saudi Arabia have launched relentless attacks against me for questioning authority and discussing the need for deep structural reforms. They use profanities that are meant to break and disempower women, particularly in traditional Middle Eastern societies. The words they use to attack me and other women would never be used to describe men. The lengths they go to can be emotionally draining, nerve-wracking, and frightening at times.
As a journalist, I’ve been very active online for over a decade now, mainly covering the Middle East and the Gulf region. I lived for nearly 12 years in the Middle East, with five of those based in the United Arab Emirates. Now, the pandemic has pushed women like me further into the digital space. That’s why today, strategic information warfare is the new frontline, and journalists who question authority are on the frontlines.
What was the content of some of these attacks?
They called me names, used racist slurs against me because I am Egyptian and from Africa, told me to keep my nose away from Saudi Arabia, threatened sexual abuse and rape, made uninvited lewd sexual advances, accused me of working for the Muslim Brotherhood and Qatar.
The threats grew more serious after I published my second column for Haaretz stressing the need for the Arab world to deal with sexual harassment and assault and to break the silence surrounding these issues. Somebody claiming to be from Saudi Arabia sent me an email that I posted on Twitter and read “Die with anger and expect strong retaliation soon.” Die with anger is indeed an Arabic saying that doesn’t necessarily mean one should literally die, but when followed by such remarks as “expect strong retaliation soon,” it is worrying.
In your opinion, what needs to be done to improve the situation for female journalists in the Gulf and what should journalists bear in mind when reporting on issue like sexual harassment and abuse?
Women, activists, journalists, and survivors of gender-based violence must reclaim free agency over their stories and bodies. We must continue to exercise our basic human right to free expression.
Women in the region must also reclaim the narrative. Our stories must be told by us in ways that can empower future generations and educate global communities. By that, I mean we must forge our own paths and start believing that we have a right to take up space. The international community and nations that uphold human rights, particularly the United States, must be supportive of journalists in the region. That is the only way sustainable change can happen.
Editor’s note: The status of formerly imprisoned journalist Nouf Abdulaziz has has been corrected in the fifth paragraph.
]]>Since United Arab Emirates authorities arrested him for his advocacy in 2017, Mansoor has been in another kind of prison, according to Human Rights Watch, which reported in January 2021 that he was being kept in solitary confinement without even a mattress to sleep on. CPJ emailed the UAE embassy in Washington, D.C., to request comment on Mansoor’s case, but received no response.
Perlroth kept Mansoor in mind when researching “This is how they tell me the world ends,” her book published this year, she told CPJ. It details the little-understood market for zero-day exploits – hacking capabilities that leverage mistakes in the code populating phones and computers around the world. Governments have secretly paid hackers millions of dollars for exploits, hoping to use them before anyone fixes – or takes advantage of – the same mistake, she writes.
The result is that everyone is more vulnerable to being hacked – particularly when the exploits are turned against journalists and activists. Researchers at Citizen Lab dubbed Mansoor the “million dollar dissident” after zero-day exploits were used to infect his iPhone with Pegasus spyware produced by the Israeli firm NSO Group in 2016.
In a statement provided by a representative of Mercury Public Affairs in Washington, D.C., who declined to be named because they were not an authorized NSO spokesperson, the company said: “While our regular detractors rely on unverified claims and their own conclusions, NSO’s technology helps governments save lives in a manner that minimizes threats to the privacy of innocent individuals. […] NSO Group is fully regulated, and has now taken the undisputed lead amongst our industry peers in the protection of and respect for human rights. We have created stringent policies to help ensure that our technology is used only as designed – to investigate serious crime and terrorism – and we comprehensively investigate every credible allegation of misuse that is brought to us.”
CPJ spoke to Perlroth about her reporting, and the implications of the growing trade in exploits and spyware for journalists around the world. The interview has been edited for length and clarity.
Why did you want to take on this project?
I’d been reporting on cyberattacks since 2010, and it seemed like each attack got a little bit worse than the last. But the incentives all seemed to be stacked in favor of further vulnerability. Everyone was buying into this promise of a frictionless society, from Uber on your phone to the chemical controls at a water treatment facility. The business incentives were, “Let’s get the product to market.” Legislation to improve critical infrastructure security was watered down or never passed.
I was looking at the threat landscape for journalists and activists. I was getting my fair share of phishing attacks – who knows whether they were just spammers or some more sophisticated nation-state spyware. So I wanted to call out these patterns, but we didn’t have the transparency or the accessibility for the average person to understand that the cards were stacked against us when it came to security.
The most vivid tangible piece of this was the zero-day market, the fact that governments – including our own – were paying hackers to turn over zero-day exploits, and not to get them fixed, but to leave them open for espionage and surveillance.
That always struck me as a very clear moral hazard. Now that we’re all using the same technology, how does the United States or other Five Eyes government [members of a five-nation intelligence-sharing agreement including Australia, Canada, New Zealand, and the U.K.] justify leaving open a zero-day in iPhone iOS software, knowing that it can be and has been found by nation states and this growing industry of click-and-shoot spyware?
What’s the difference between spyware and an exploit?
A vulnerability is an error in code. If I’m a hacker and I find it and have the means, I can develop a program that can use it for other purposes. That’s an exploit.
We call it a zero-day vulnerability because when it’s discovered the manufacturer has had zero days to fix it, and until they do, anyone can exploit it against their customers. A zero-day exploit is the code to exploit that for another purpose, such as spying on your text messages, or tracking your location, or turning on your audio on your cellphone without you knowing it.
Those capabilities are obviously very valuable to a spy. But over the past 10 years groups like Hacking Team and NSO found they could bake those exploits into click-and-shoot spy tools [known as spyware] to give government agencies. Sometimes they don’t require zero-day exploits, just known flaws that manufacturers hadn’t patched for, or that people hadn’t run their software updates for.
There’s been growing [demand], particularly as companies like Apple have added better security to their customer’s mobile communications. Governments have always been worried about encryption and maintaining the access necessary to track criminals.
What kind of regulation do we need in this area to protect journalists and others?
These are dual-use technologies. Some have argued that if you try to control the sale of zero-day exploits across borders, you will be impeding defense.
The argument goes that new vulnerabilities are introduced into code every day. Knowledge of how to exploit them is of use to governments for espionage or battlefield preparation. Zero-day exploits are also used by penetration testing companies to test a company’s security. The other argument is that we do, to a very small extent, have export controls – at least here in the U.S., because of some older controls for encryption. If you do want to sell intrusion technology you have to go to Department of Commerce and get a license. But that just prevents you from selling to countries that we have sanctioned like Iran, Cuba, North Korea. There’s a lot of leeway, and as far as I know, very few people have been turned down.
I think in a lot of cases people making that argument have profited off sale of zero-day exploits and haven’t publicly disclosed it – nor can they, because the market is steeped in classification and non-disclosure agreements. My goal was to blow this wide open so that we’re not delegating the debate to those who have profited from the status quo.
One of the goals of my book was to say where is this tradecraft is going – places like the UAE, Saudi Arabia. We all saw what happened with Jamal Khashoggi. [Editor’s note: CPJ recently called on the U.S. to sanction Saudi Crown Prince Mohammed bin Salman after a declassified intelligence report published in February said that he had approved the 2018 murder of Khashoggi, a Washington Post columnist.]
We only know what surfaces when someone gets these messages one after the other and flags it for me or Citizen Lab. But tools are being developed that don’t require you to get a text message, and the companies are not doing any enforcement of their own. NSO even admitted that they can’t walk into a Mexican intelligence agency and take it back, there’s no kill switch. But we could mandate a kill switch to use if there is evidence these tools are being abused in the wild. There are steps between doing nothing and harming defense.
[Editor’s note: In the statement provided to CPJ, NSO Group said it “has made clear many times since then that our software includes a ‘kill switch’ that can shut down the system. This has been used on the occasions in which serious misuse of our products has been verified.”]
In your book, you reference a conference call with NSO in which no-one would give you their names. Why should companies operating in this industry engage with the media?
To be fair, that was the first time a spyware dealer had gotten on the phone with me for that period of time, even if no-one identified themselves. [Private equity investors] have been trying to improve NSO’s image but it’s really crisis management, we haven’t seen a lot of transparency from this space. It’s not surprising, because we’re dealing with a product that has to be invisible to work, and their customers are governments that require total secrecy. [Editor’s note: NSO said “the meeting cited by Ms. Perlroth happened five years ago, under an entirely different management structure, and with the involvement of investors who are no longer associated with us. As such, we are not in a position to comment.”]
NSO has said [they] bring in experts, look at indexes of human rights, [they] don’t sell to anyone that falls beneath a certain threshold. That’s good and dandy, but Mexico was caught spying on nutritionists and Americans, India on journalists. In the UAE, Ahmed Mansoor is sitting in solitary confinement without any books. What threshold were you looking at in those cases?
Clearly these tools are very easy to abuse. Maybe you have to bring in human rights monitors who can look at which governments are using them in abusive ways. In the U.S. – because I live here, and we call ourselves human rights respecting – maybe we need have rules about how technologies developed here is shared with those countries. I don’t think the answer is we shouldn’t legislate at all.
Can you talk about the times you’ve felt personally vulnerable because of your own reporting?
The New York Times was attacked by China to discover my colleague David Barboza’s sources for stories on corruption in China’s ruling family. That was my first realization that governments were actively hacking journalists, and since then I have been really careful with how I communicate with sources. Some I don’t communicate with [a source] online at all, and we don’t bring our devices when we meet.
In [the book] I describe going to Argentina and staying in small boutique hotel in Buenos Aires. [I came back to my room to find] the safe which had my burner laptop in it was open, though my cash was still out on the table. I’d not even used it, I’d been using pen and paper. I knew there was probably something on it, so I threw it away. Some of these [spyware] tools are so burrowed into the firmware [computer programs embedded in the hardware] of our devices that it’s the only way to get rid of it.
To be honest, where I have felt the most harm is on Twitter and I finally quit [in February]. Sometimes there’s a nation-state component to it, I’ve been called out by Russia Today who put unflattering photos of me on their Instagram account and launched Russian troll armies my way. But a lot of times it’s just the behavior that we have day by day given a pass to on these platforms. I can publish something and get viciously trolled – threats, direct messages, everything. Then I’ll watch a male competitor publish something, even with errors, and there’s not a peep. The blowback female journalists and journalists of color get is terrible. I write for the Times and that opens me up to a lot of fair criticism because we hold ourselves to a high standard. But there are days when I’ll find myself in a fetal position thinking, “Today was really abusive.”
How do you decide how much technical language to use when explaining these issues?
In my book I describe Snowden documents showing that the NSA was getting into the sweet spot where Google and Yahoo’s customer traffic was unencrypted between their data centers. I allude to [that as] “hacking.” A lot of people have hammered me on this – they weren’t hacking into servers, they were sniffing unencrypted traffic. I did go back to the publisher to change it next time. But if you’re nit-picking journalists, I think you’re picking the wrong fight.
Governments are hacking into our grid. We’re hacking into theirs. No-one’s going to care about terminology when the lights go out because of a cyberattack – it’s going to affect ordinary people. It’s very likely we’ll see something like that in the next 10 years, and it’s important to make people understand that the stakes are high and they have a reason to participate.
What can journalists who are concerned about these issues do?
Think about what you have that someone might want for nefarious reasons, likely your sources, your location data. Don’t click on links, turn on two-factor authentication, sign up to advanced protection on Google, buy a Yubikey, use Signal, and if you have to meet a sensitive source, use pen and paper.
We also need more people on the beat. I am the cybersecurity journalist at The New York Times, but we could have 10. These are huge issues, and it can’t just be up to the tech press. I describe my job as a translator. We need a lot more translators.
[See CPJ’s Digital Safety Kit for more security advice.]
]]>Oueiss, who anchors political programs covering current affairs, told CPJ she has used social media for years, but began actively tweeting in 2018 to counter abuse about her on-screen work. To CPJ’s concern at the time, Al-Jazeera was singled out for being funded by Qatar during the prolonged diplomatic blockade of the Gulf state by some of its neighbors, notably allies Saudi Arabia and the United Arab Emirates (UAE). Accounts that harassed Oueiss often had profile pictures or handles suggestive of a connection to Saudi Arabia or the UAE, she said – a pattern that continued when her private images were distributed last year.
In December 2020, Oueiss filed a lawsuit in a court in Florida accusing Saudi Crown Prince Mohammed bin Salman, Abu Dhabi Crown Prince Mohammed bin Zayed, and co-conspirators including UAE-based cybersecurity firm DarkMatter and some American social media account holders, of involvement in the hack-and-leak. (Approached by the Financial Times, one of the Americans denied participating, saying “How did I get hacked photos, and how do I work (for the) Saudi government?”)
The suit also describes a suspicious process “associated with NSO Group’s Pegasus malware” on her iPhone. Israel-based NSO says it markets products only to government agencies for law enforcement purposes, but as CPJ has noted before, researchers have documented advanced Pegasus spyware being used to target journalists, possibly including Khashoggi himself.
CPJ emailed the Saudi Ministry of Media, the Saudi Center for International Communications, and the Emirati Embassy to the U.S. in Washington, D.C. for comment in February, but did not receive a response. CPJ emailed the NSO Group and messaged DarkMatter via a Twitter account listed on their website in February for comment, but the requests were not acknowledged before publication. CPJ has documented NSO’s response to allegations of abuse in the past, which say that the company investigates credible evidence of its products being misused. DarkMatter has previously denied involvement in state-backed hacking efforts, according to Reuters.
Speaking with CPJ, Oueiss declined to discuss technical details of her allegations, citing the lawsuit. But she described the psychological effects of social media attacks, and the fact that reporting as a woman and a Christian makes her uniquely vulnerable.The interview has been condensed and edited for clarity.
You’ve said that you have been targeted by trolls and harassed before. How long has that been going on for?
After the blockade, [trolls] started attacking everyone from Al-Jazeera. I had a Twitter account, but I wasn’t really using it – I was looking at what [former U.S. President Donald] Trump tweeted. Then I realized that Saudi bots [automated accounts] were talking about me and tweeting under my name using [an account with] a falsified verification symbol. [Editor’s note: Twitter applies badges to accounts of public interest the company has assessed as authentic.] I started to tweet so I could tell people it wasn’t me. I was [also] speaking about Khashoggi.
Being attacked online could translate into a physical attack. Jamal didn’t tell the world he was being attacked by bots and trolls. One month before his murder, [he] sent me a message saying, “Ignore them, block them.” I said, “No, I want to show the world this is going on.” This was my way of showing that these dictatorships were using social media platforms to silence journalists.
It’s vicious and humiliating. They say that when you read something bad about [yourself], it’s like someone burned you with hot coffee, the same part of your brain reacts. Online humiliation became a kind of torture.
How did you know that your phone had been compromised?
At the beginning of 2020, I started reading private stories about me on Twitter – saying I had an apartment in Beirut, my brother’s name. I don’t post anything about my family.
I [thought] something was fishy, that someone was spying on me. But I never imagined they would use spyware that would cost millions of dollars just to spy on my phone. I didn’t imagine they would try this character assassination, saying that [I’m not] a journalist, I’m a prostitute.
In April, an unknown account on Twitter started tweeting photos [of me]. There was one with my colleagues, I asked [them], “Did you send this to anyone?” They said no. It was taken in a private place. I told Al-Jazeera security that my phones might be compromised.
Then in June, [there was] a second picture of me in my swimsuit in front of my building. It wasn’t even a picture, it was [a screenshot from] a video my husband took [on] a new phone. Less than 20 hours [later] there were [thousands of copies of the image] all over the internet.
How has this experience impacted your reporting, and your life in general?
I tried to put on a brave face, but I was terrified. I thought of leaving the profession, I told my husband, “Let’s open a flower shop.”
I was afraid for my life. I saw what happened to Jamal. I kept looking at the direct messages [he sent me]and thinking, “Will I be able to go back home, to travel? Will they kill my family, kidnap me?” In the end, I felt I needed professional help. When I collected evidence with the help of my lawyers and we filed the lawsuit, it helped me to maintain my mental health.
Each time [I went to work] I was telling myself, “Go on screen and prove them wrong.” I asked myself, “Do you really want them to win?” That is not what I want – I want justice. Not only for me, but for others who are being attacked, online or physically, or even like my colleague Mahmoud Hussein, imprisoned for no reason. And Loujain al-Hathloul, she refused to give up. I really admire her courage and it made me want to fight back.
[Editor’s note: Egyptian authorities arrested Mahmoud Hussein Gomaa in December 2016, according to CPJ research; on February 2, 2021, Al-Jazeera reported he had been released. Saudi human rights activist al-Hathloul was detained in 2018 as part of a broader crackdown on the women’s rights movement, and released on probation on February 10, according to the BBC.]
How did being a female journalist affect you being targeted? Do you see female journalists being targeted more?
[Throughout the] Middle East, you have this misogynistic mood against women, especially outspoken journalists. If I address a guest [who supports bin Salman] on air, they are more offended because I am a woman, [criticism] is more humiliating.
I’m attacked from three angles: I’m a woman, I’m a journalist, I’m a Christian. And even for my age, because I’m over 40! The accounts have pictures of [bin Salman] or his father, or the Saudi flag. There were some verified accounts tweeting. You can tell that it’s not a coincidence, it’s organized.
How should the US, the international community, and other allied nations respond to the UAE and Saudi Arabia?
I need the American people and the American leadership to know that we are here, and we are suffering. It’s not easy to be a journalist in this part of the world and part of the reason that we’re being attacked is because the U.S. has [been supporting bin Salman]. Now [U.S. President Joe] Biden has said that he will freeze arms sales to UAE and Saudi Arabia. [Editor’s note: In late January, the Biden administration paused U.S. arms sales to Saudi Arabia and said it was reviewing sales to the UAE, according to The Wall Street Journal.]
I also want to talk about the responsibility of the social media platforms toward us. How come Twitter and Facebook are not doing enough to protect us from this harassment? People have the right to freedom of speech, but not to interfere in my personal life or threaten me. Why do [platforms] have the courage to [block] Trump, but not Saudi bots and trolls?
]]>Across the Middle East and North Africa, many countries trace a similar arc. Ten years after the Arab Spring, revolutions calling for democratic reforms have resulted in further government repression in Bahrain, Algeria, Morocco, and other countries. Meanwhile, civil wars rage in Syria and Yemen, and up until 2017, Iraq. The historic upheaval has had profound, wide ranging, and evolving consequences for press freedom, making journalism a deadlier and more dangerous profession for its local practitioners as well as foreign correspondents based in the region.
Over the past decade, authorities across the region have used novel and traditional means to suppress independent reporting and target individual journalists. Here are seven trends in press freedom that CPJ has documented in the 10 years since the Arab Spring:
As of December 2020, there are 89 journalists jailed in 10 countries in the Middle East and North Africa, the highest number for the region since CPJ began counting in 1992. Most journalists are held on anti-state and false news charges; many are held without charge. In Egypt, most imprisoned journalists are charged but not sentenced, detained for months or years awaiting trial.
Authorities use imprisonment as a tactic to prevent or silence reporting on political issues and human rights violations, and to muzzle dissenting opinions. They also use imprisonment to quash coverage of unrest: in Egypt, Bahrain, and Syria journalists have been arrested while documenting uprisings.
Egypt and Saudi Arabia are notable for dramatic spikes in imprisoned journalists. In 2012, the year after the initial Egyptian uprising, CPJ did not count a single journalist in prison there. Under the government of Abdel Fateh el-Sisi – who rose to power in a 2013 coup and was elected the year after – Egypt has put numerous journalists behind bars. In Saudi Arabia, there were no journalists imprisoned in 2011; the country arrested journalists in 2012 following pro-reform protests, and as of late 2020 there were at least 24 journalists held in Saudi prisons.
Authorities in several countries have used new vague censorship laws to restrict online media, as CPJ has documented. Website blocking is common across the region; in Jordan, authorities have blocked websites for allegedly lacking proper registration; in Egypt and Algeria websites have been blocked due to “false news” allegations; and Saudi Arabia, the United Arab Emirates, and Bahrain have blocked sites funded by Qatar. Authorities don’t always give explanation or warning before taking sites offline; in Egypt in 2017 news sites were blocked without prior notification; in Algeria in 2020 no governmental body claimed responsibility for blockages.
CPJ named Saudi Arabia and Iran as two of the world’s most heavily censored countries in its 2012, 2015, and 2019 reports on censorship. (The 2019 report is its most recent.) Under a 2011 regulation in Saudi Arabia, news sites and blogs must have a license from the Ministry of Culture and Information, as CPJ has documented. Iranian authorities maintain one of the toughest internet censorship regimes in the world with blocks on news and social networking sites, according to a 2018 report by CPJ.
Over the past 10 years, governments in the region increasingly charged journalists using “false news,” anti-state and terrorism laws rather than publication or media laws.
Egypt leads the world in jailing journalists on false news charges. A 2018 Egyptian law fines or suspends publications that publish “false news.” Recently, Egypt outlawed news outlets from publishing unofficial sources on the COVID-19 pandemic, as well as other “sensitive” issues, as a way to quash independent reporting on the crisis.
In Morocco, journalists are often slapped with anti-terror or other criminal charges in retaliation for their work. Since 2016, Moroccan authorities have arrested local journalists on anti-state charges for reporting on anti-government protests in the northern Rif region, as CPJ documented. (The country deported foreign journalists working on the same story.) In 2019 and 2020, authorities arrested at least three journalists working for independent media on charges of undermining state security, rape, and illegal abortion, and arrested another under investigation for money laundering, without providing proper evidence, as CPJ documented.
In Algeria in late 2019, anti-government demonstrations ousted censorious President Abdelaziz Bouteflika. But his replacement, Abdelmadjid Tebboune, has also gone after journalists; the country has two journalists imprisoned under anti-state laws, according to CPJ’s 2020 prison census. In 2020, the country also criminalized “false news.”
Since the Arab Spring, conflicts across the region have heightened the danger of reporting, resulting in a steep increase in the number of journalists killed. According to CPJ’s research, since 2011, 154 journalists have been killed in crossfire or while reporting on dangerous assignments in Yemen, Syria, and Iraq. That figure accounts for more than half of the total number of journalists killed worldwide (258) in the same two scenarios during the same period.
Of the three countries, Syria is by far the deadliest, a relatively new title. Between 1992 and 2010, CPJ did not record a single journalist killed in the country; in the past decade Syria has counted 110 crossfire and dangerous assignment deaths. Most of those deaths are due to airstrikes and bombings by military forces, including the Syrian Army and its allies and Turkey.
In both Yemen and Iraq, clashes involving political groups, including Islamic State, militias, and Ansar Allah (the Houthis) accounted for the majority of journalist deaths due to crossfire or reporting on dangerous assignments.
The last decade has seen 50 murders of journalists in the region, including two high-profile state killings for which the perpetrators have not been brought to account. CPJ defines murders as those journalists targeted in direct reprisal for their work.
In the most notorious murder cases, state officials killed journalists in a manner seemingly designed to mock the idea of justice. In October 2018, Saudi intelligence and military officials killed and dismembered Washington Post columnist Jamal Khashoggi in the Saudi consulate in Istanbul. And in December 2020, Iran executed Roohollah Zam, editor of the Amad News Telegram channel, after intelligence officials seized the journalist in Iraq. Both journalists had criticized their governments from abroad and reported on domestic protest and reform movements.
Khashoggi and Zam’s brutal killings highlight a broader trend of impunity in journalist murders. The perpetrators ranged from weakened but still dangerous state actors like the Syrian government, to non-state groups such as the Islamic State, whose most high-profile murders – including those of U.S. journalists James Foley and Steven Sotloff– were recorded and presented to the world in a ghastly, cinematic fashion. Many perpetrators remain unknown. Syria and Iraq ranked second and third, respectively, on CPJ’s 2020 Global Impunity Index, which spotlights countries where journalists are slain and their killers go free.
Non-state actors such as militias have become prominent political players across the Middle East and North Africa, and their emergence has further threatened press freedom.
In 2014, taking advantage of the weakening of state authority and power vacuums stemming from armed conflict, militant groups Islamic State and the Houthis seized large swathes of territory in Iraq, Syria, and Yemen and became de facto authorities. They also imposed a tight grip on the media; for example, Islamic State took control of media outlets in Mosul, including the broadcasters Al-Mosuliya and Sama Mosul, and detained many journalists, while forcing many others underground, to impose a de facto media blackout.
Many journalists who dared to report critically of either group ended up in jail or killed. As CPJ has documented, the Houthis have detained dozens of Yemeni journalists; four were sentenced to death and remain in custody.
Islamic State and other political groups killed 65 journalists in Iraq and Syria and abducted many others, 19 of whom remain missing. The ousting of Islamic State from Iraq and Syria in 2017 and 2018, however, hasn’t made local journalists feel safer, as CPJ has documented.
Conflict in Syria led to the emergence of a vast array of opposition armed groups that have little regard for press freedom. Al-Qaeda offshoot Hayat Tahrir al-Sham, which controls large areas in northwestern Syria, has detained journalists, at least one of whom is still being held; the group is suspected of having killed at least two.
To defeat Islamic State, Iraq relied largely on Shia militias grouped under the Popular Mobilization Forces, which are now the main threat to Iraqi journalists. Libya has also seen journalist deaths at the hands of non-state actors; at least five journalists have been killed by militias and militant groups, including the Islamic State, since 2011.
After the 2011 protests rocked the region, authorities redoubled their efforts to monitor the activities of journalists and others whom they saw as potential threats to their power. Governments imported surveillance experts from the U.S. to develop their own monitoring infrastructure and collaborated with allies and erstwhile enemies, such as Israel, to buy and sell surveillance technologies, CPJ has documented.
The United Arab Emirates has become a regional epicenter of surveillance; government operatives allegedly deployed Israeli-based company NSO Group’s technology against journalists with Qatar links, and the country created a surveillance tool with the help of former U.S. government staff, as CPJ documented in December 2020 and January 2019, respectively. (In December, CPJ requested comment from NSO Group via email; the group declined to provide a comment that could be attributed to a named spokesperson.)
Other governments around the region are suspected of having deployed spyware targeting journalists: the Saudi government allegedly monitored several close contacts of Khashoggi before its agents murdered him.
NSO Group says it markets its advanced surveillance tool only to governments for law enforcement purposes; the company has told CPJ in the past that it would investigate allegations of abuse to spy on journalists. Citizen Lab attributed some of the attacks to government operatives likely affiliated with Saudi Arabia and the UAE.
“Citizen Lab presents mounting evidence that for clients in the Middle East, the ability to spy on journalists and other critics is a feature, rather than a side benefit, of NSO Group’s surveillance products,” said CPJ Middle East and North Africa Program Coordinator Sherif Mansour. “Advanced surveillance tools should not be sold without regulation to governments with a long history of abusing the press.”
CPJ requested comment from the NSO Group by email. Via an intermediary, the company declined to provide a statement that could be attributed to a named spokesperson. In a statement published by the The Guardian newspaper, NSO Group said: “As we have repeatedly stated we do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on. However, where we receive credible evidence of misuse, combined with the basic identifiers of the alleged targets and timeframes, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations.”
]]>Authorities took Dojčinović to a police station within the airport where they photographed him and took his fingerprints and passport, and said he was on a “blacklist” and could not enter the country, Dojčinović told CPJ.
Dojčinović said that the officers told him the Emirati government was not responsible for the blacklist, but would not provide further details about it.
He was in the airport for about twelve hours before he was put on a flight back to Serbia, he said.
Dojčinović was scheduled to speak at an international anti-corruption conference organized by the United Nations, according to a report by his employer.
CPJ emailed the Emirati Ministry of Interior and its embassy in Berlin for comment, but did not receive any replies.
In 2015, Dojčinović was detained and denied entry to Moscow, where authorities also said he was on a blacklist, he told CPJ.
]]>