I think we are all aware, that we live in an age where information is currency and every page we visit is gathering data. Rationally we know, that TikTok listens to everything we say, and can have access to our browser history. However, this knowledge does not really prevent me, nor the other 1.7 billion users from using the platform. It’s not like I am being personally targeted, right? Right. So what happens when you are being personally targeted? A single download can turn a smartphone into a surveillance device, and an extremely good one at that, as we tend to store our entire lives there. If there is an actor that deploys such a powerful tool, it is important to examine who has access to the obtained data and what are the objectives for the invigilation. There has been a similar debate surrounding Pegasus spyware.
What is Pegasus Spyware?
Pegasus spyware was developed by an Israeli cyber-intelligence company, the NSO Group. It is one of the most advanced surveillance technologies available, used to target exclusively mobile devices. The objectives of Pegasus are, according to the NSO Group’s webpage, “to prevent and investigate terrorism and crime.” Their products are aimed at government agencies. The spyware allows the operator to download all data from the infected device, therefore gaining access to various types of information, including messages, photos, or passwords. Furthermore, the operator can take control of the camera, microphone, and location, turning a smartphone into a device of surveillance. The installation technologies are getting progressively more advanced. Downloading spyware on the device required the user to manually click on an installation link. For this purpose, fake text messages containing installation links, pretending to be from a familiar for the victim webpage, were sent to the targeted devices, to trick the victims into opening them. Moreover, the NSO Group used to exploit a vulnerability in Apple’s iMessage app to infect iPhones, which has since been resolved. Currently, spyware can be downloaded without any action from the user, making it harder to track and control.
What Does It Actually Mean?
Pegasus spyware has been purchased by multiple government agencies around the world. The main issue with spyware is while it is meant to prevent terrorism, it is deployed by both authoritarian and democratic governments to spy on its citizens, and it is often quite unclear what are the objectives of the invigilation. Because of it, Pegasus has been under investigation by various actors, such as an interdisciplinary laboratory the Citizen Lab at the University of Toronto, the collaboration of several news outlets under the name The Pegasus Project, and more recently, the Committee of the Council of Europe. The investigation revealed that Pegasus spyware is not used purely to prevent crime. The Pegasus Project unveiled multiple governmental clients of the NSO Group and their targets for surveillance. The Citizen Lab reached out to some victims of Pegasus invigilation, for many of whom it was how they learned they were being invigilated in the first place. In Poland, Pegasus has been deployed by the Central Anticorruption Bureau (CBA, Centralne Biuro Antykorupcyjne), to target people affiliated with the opposition.
The Polish Case
The invigilation of civilians without their knowledge triggered a response in the Polish media. The CBA is an organ controlled by the government of the ruling party, the PiS (Prawo i Sprawiedliwość). PiS has had the decisive majority in most institutions. An important exception has been the Senate. Senators from the opposition established a committee to investigate the use of Pegasus on Polish citizens. The committee has deemed the purchase of Pegasus spyware illegal. Furthermore, the committee found, that the way Pegasus has been used by CBA contradicts the democratic values that the agency should protect. A particularly significant case in this context is the one of Krzysztof Brejza, a senator of the Koalicja Obywatelska, an opposition party, and the head of the election campaign of the opposition in 2019. As confirmed by the Citizen Lab, his phone was targeted 33 times in 2019, during the election campaign. This evidence undermines the integrity of the 2019 election. The Senate committee confirmed, that if the Supreme Court had the knowledge of the invigilation of Brejza at the time, they would have grounds to invalidate the 2019 Parliament election.
Pegasus has become a topic also for the Parliamentary Assembly of the Council of Europe, which established a committee investigating the use of spyware in the context of the European Convention on Human Rights. The committee is a recently published report that warranted 5 states, including Poland, to investigate the abuse of Pegasus spyware. Pegasus is a tool, and therefore in itself is not evil. Surely it could be a helpful tool in prosecution. Its use, however, has to be questioned, as it can be very easily abused. With the advancements in technology, appropriate changes need to be made in policymaking, as such invigilation can have an enormous influence on the political landscape of the world. A few questions arise for me. What makes one a criminal? How can one justify the surveillance of unaware citizens?
On a more personal note, I was planning this piece before Sunday, 15th of October, which was the day of elections for Parliament. It was extremely difficult to predict the outcome of the elections. Now the results are official: the PiS party, which was in power since 2016 will not have the majority in the Parliament anymore. It is a crucial development for the main issue of my article, the employment of Pegasus Spyware by the Polish security agencies. Today I am hopeful, that the issue of Pegasus might finally be resolved, a development that would not be possible otherwise.
What do you think about this? Let me know in the comments.