When I interviewed the pro-democracy activist Farida Nabourema in July 2020, she could not – for her safety – tell me where she was. But I knew she was not in her native Togo, where she fears arrest.
As we spoke, I could hear her nine-month-old son blowing bubbles. I imagined that she was bouncing him on her knee.
I’m an investigative reporter and I cover surveillance. When I write about spyware and the way it affects people’s lives and work, it is people like Farida who I think about.
I spoke with her while I was reporting on a case of a Catholic bishop and priest from Togo who had been targeted with spyware made by NSO Group in 2019. The spyware, called Pegasus, is sold to governments and can infiltrate mobile phones to access calls, texts and photos. It can even turn a phone into a listening device. It is impossible to say for sure whether the repressive Togolese government was behind the attack, but they remain the most obvious and probable candidate. The two clergymen were known to be vocal critics of the government, and may have been perceived as a threat to President Faure Gnassingbé, who has led Togo since 2005. For nearly four decades before him, the country was ruled with an iron fist by his father. (In fact, Farida’s father was a dissident against that regime.)
For Farida and her fellow activists, the threat of surveillance is nothing new. In 2017, activists she worked with were arrested, interrogated and tortured by the Togolese authorities. The nature of the questions they were asked strongly suggested to them that the authorities had gained access to their private WhatsApp chats.
These days, Farida says, her ability to strategize and organize has been made much more difficult because of the threat of surveillance. Her ‘safe’ online space where dissent could grow and thrive has been disrupted. This is especially prohibitive for people in exile, who are trying to effect political change in Togo from afar. For dictators and despots, this is good news. It’s good news for authorities in Saudi Arabia, too, and in the UAE, and any of the dozens of countries where governments have evidently turned to spyware to control the threats to their rule.
Not only has communication between activists become more difficult for Farida, so has talking to her parents. Her righteous and rightful anger is triggered not only by the disruption that the threat of surveillance has had on her work, but by the overwhelming feeling of having one’s personal space violated by invisible intruders into one’s most intimate conversations: with friends, with lovers, with doctors, with our mothers and fathers, sisters and brothers. How might these details of my life be used against me? Anyone who seeks to challenge the very notion of spyware – activists and journalists alike – has had this question run through their mind.
I am not in danger of arrest or of facing physical threats from where I work in Washington DC. Yet there is something eerie about focusing one’s investigative attention on spyware. Its reach is borderless.
It can be difficult to capture in a single article the true cost of such surveillance and its threats. At a time when the world is reeling from an abundance of terrible news, from the Covid-19 pandemic to the undermining of democracies across the world, the sale of a spyware called Pegasus does not always register as high priority on the list of concerns.
Pegasus is however a particularly current threat: a twenty-first-century weapon. An instrument that seems to be being used, routinely and devastatingly, to keep undemocratic forces in power.
Elsewhere, this software has been exploited differently. Several supporters of Catalan independence were targeted with Pegasus in 2019, at the same time as the attacks on the bishop and priest in Togo. In Spain, no authority has taken responsibility for the targeting, which even affected senior elected officials in the Catalan parliament. Despite the nationalist hangover of Franco’s previous authoritarian regime, Spain is currently a strong democracy. What does this tell us? Perhaps that the stealthy power of Pegasus invites abuse.
In a previous case in Mexico, NSO Group’s software was alleged to have been used to target journalists and lawyers. It was even said to have been deployed against campaigners in favor of a soda tax.
The people who sell Pegasus and defend its use claim it is a necessary solution to a specific problem: the proliferation of end-to-end encryption applications like Signal and WhatsApp make it difficult for law enforcement officials to track terrorists and criminals. This is not an argument that can be ignored – not least because it is used to justify human rights abuses around the world.
Does law enforcement face a challenge from terrorists who have “gone dark”? Yes. Does that challenge need to be met with a contemporary legal response that also protects the right to freedom of expression and the right to privacy? Yes.
Some experts have recommended a moratorium on the sale of technologies like Pegasus until countries can agree on a set of rules that will protect vulnerable people. For now, there is not consensus on this.
NSO Group has unveiled a human rights policy that it says will help to protect vulnerable populations that may be targeted. However, I have yet to see any evidence that NSO Group has investigated any of the many allegations against it, including that most high-profile, in relation to Jamal Khashoggi, which is captured so vividly in Navine Khan-Dossos’s art.
It is not possible to say with certainty whether Khashoggi was personally targeted by Pegasus. But there have been credible allegations that a close confidante of his had been, in the months before the Washington Post journalist was brutally murdered.
Omar Abdulaziz, a native Saudi living in exile in Canada, was in Montreal when he was told by Bill Marczak of Citizen Lab, the research group that has tracked NSO along with other spyware groups, that he was apparently being hacked by the Saudi regime. It was August 2018 and Khashoggi was one of Abdulaziz’s confidantes.
The two spoke and plotted frequently about the tools they could use to disrupt Saudi Arabia’s notorious troll armies, which attacked and harassed Saudi dissenters and spread disinformation inside the kingdom.
If Abdulaziz’s phone had been hacked, then it is highly likely that Saudi authorities were listening in on those conversations all along. Did their access to their communication fuel their desire to kill Khashoggi? Khan-Dossos’s work is powerful because it speaks to that horrifying possibility.
NSO Group has always said its spyware was never used to target Khashoggi. One thing you learn when reporting on this technology is that an individual does not need to be personally targeted in order for a regime to listen in on conversations or see their texts. If all the associates of a primary target are being hacked, the regime will gain a great deal of information about this person’s activities. I suspect this was true in this case. Furthermore, it is unclear what NSO Group’s role may have been in targeting associates of Khashoggi.
Then there is the question of who profits from the technology. One of the biggest investors in the private equity fund that owns NSO Group is a pension fund in Oregon, the progressive northwestern state whose treasurer has talked about the importance of investing in a socially responsible way.
The fact is, the fund’s investment in NSO Group is likely paying high dividends. Even though we don’t know who NSO Group’s clients are, we can be quite sure that they are paying and making investors rich. For Oregon, a state that witnessed a glimpse of authoritarianism in the summer of 2020, as unidentified law enforcement officials took to the streets of Portland to silence protesters against racial injustice and police brutality, investment into NSO Group ought to give citizens pause.
Many who hear Farida Nabourema’s story will count her among NSO Group’s and its customers’ victims – along with Khashoggi, and many unknown others. Even when such weapons are turned on them, too, journalists will continue to tell their stories.
Stephanie Kirchgaessner in the Guardian‘s investigations correspondent, based in Washington DC. She covers surveillance and spyware and other issues. Previously, she was Rome correspondent and from 2000 to 2014 she worked as a journalist for the Financial Times in London, NY, and DC. Stephanie is a mother of two and likes to get into “good trouble”.