Ronan Farrow: How Democracies Spy on their Citizens

CHRISTIANE AMANPOUR: And next, in his latest investigation, the journalist Ronan Farrow has dug into the commercial spyware industry and its implications for democracies around the world. And he tells Hari Sreenivasan what he found.

(BEGIN VIDEO CLIP)

HARI SREENIVASAN, CORRESPONDENT: Christiane, thanks. Ronan Farrow, thanks again for joining us. The center of the story is a piece of spyware, and when people start to think about spyware and internet and how to get it, I mean, just to break it down for us, how does this work?

RONAN FARROW, INVESTIGATIVE REPORTER AND CONTRIBUTING WRITER, THE NEW YORKER: Well, it varies. You know, the technology that’s at the heart of this latest chunk of reporting is called Pegasus. It’s made by an Israeli company, NSO Group. And it is designed to, first of all, crack open your phone’s hard drive. It will image everything on your phone. That means your personal texts, you’re e-mails, your scheduling information. It also can operate in terms of real-time surveillance. So, it can turn your microphone while you’re in a confidential meeting, it can turn your camera and photograph or take video of what you’re doing without you knowing. So, essentially, it turns every phone in every pocket into a spy. And I want to point out, that this isn’t just one piece of software that’s magical in some way, this is a $12 billion industry that is devoted to cracking either phones or computers. We are really living in technologically a post privacy age. If someone wants to put the resources into monitoring what you’re doing through your phone, they can. And to your question, you know, does it require clicking links, it varies. This is a malware that can be installed on your device and that can either happen through a link that arrives and it might be really subtle. It might be something that looks like it comes from a contact that’s already in your phone even and the link might be completely disguised, you might not know when you’re infected that way. But also, just being careful about what you click is no protection because there are zero click versions of this. There are ways that these can be installed just through a, for instance, missed WhatsApp call, is one example of an exploit that’s chronicled in this story.

SREENIVASAN: So, when you say WhatsApp, you know, one of the things that iMessages and WhatsApp sort of brags about is that they are encrypted, that there’s essentially a lock and key system between you and I when we talk. But you’re saying that this type of software can get around that or through that?

FARROW: Yes. I mean, this software circumvents the untinged encryption of any individual messaging platform because it operates by grabbing control of your entire phone. There are other competitors in the spyware industry, like technology made by the firm Paragon, is another emerging competitor, that directly targets cracking the untinged encryption you’re talking about within iMessage, within Cignal, for instance or Telegram. You know, this is now easy technology to crack. Again, if the resources are brought to bear to do it. And one of the things I dug into in this story is spending time with the secretive security teams within Facebook, within Apple, and chronicling a sea change in the last few years where companies have gone from sort of hiding their vulnerabilities in this respect to being openly on the offensive about it, to bringing lawsuits against some of the parties like NSO Group, this Israeli software company I mentioned that are in the business of cracking their platforms. And, you know, for first time to talking to journalists like me about what it takes to engage in a daily cat and mouse scam to stay ahead of these interlopers.

SREENIVASAN: So, who is the software used on? Who are the targets here?

FARROW: Well, it varies because there are a lot of players in this industry. There are rogue hackers who will sell to anyone and, you know, selling to anyone means it could be used against anyone. There are, you know, totally unregulated companies that operate out of regulation havens like, you know, such as Cyprus or Luxembourg, and that therefore, we can’t even really see what they’re doing. And then, there are these big players like the NSO Group, they like to highlight that they are ostensibly more regulated. The Israeli government signs off on their sales to foreign governments. And one of the things that they say in their defense is, we sell only to law enforcement and intelligence agencies. And they like to highlight that a lot of those customer countries are Western European democracies. But one of the things I report on in this piece is that Western European can abuse this technology as well.

SREENIVASAN: So, does the United States, for example, in this story you say that we have both been kind of users and victims of software like this. Explain that.

FARROW: So, one of the things that I dig into in this story is I think there’s been a common perception that this is a problem of the developing world or a problem that is limited too repressive regimes. There’s been a lot of coverage about how cyber offensive capabilities has been used against dissidents and journalists under, for instance, the Saudi regime. But more and more we are seeing western democracies use this technology. A big chunk of piece is about a new cluster of infections from a couple years ago but newly documented, that is, you know, targeting journalists and civil society members and politicians in the Catalonia autonomous region of Spain. You know, it seems just as a result of peaceful political demonstration that they have done. In the United States, we’ve had a complicated relationship with this technology. There are government agencies in the Department of Justice, in the Pentagon, that have purchased this kind of spyware tech. I’m not saying Pegasus specifically. Pegasus specifically was purchase and tested by the FBI. Not used against the American people, they say. Just purchased for testing reasons. But, you know, we’ve sort of have danced with wanting this capacity to supplement our own in-house surveillance tech. And then, on the other hand, realizing increasingly that’s being used against Americans. NSO Group, the makers of Pegasus, says that they do not target U.S. numbers. But that’s no great protection because there’s been evidence that there’s a lot of U.S. diplomats that have been targeted on their local numbers as they’re working at embassies abroad. There was a cluster of infections, for instance, at our embassy in Uganda. So, this is something that, you know, I think we are starting to realize, officials from every country needs to worry about.

SREENIVASAN: You had access in your reporting over the past couple years to some of the employees that are making this software. I mean, how do they feel about this? Do they understand how their tools are being abused? Where there any points where they said, that is, this is a line that’s crossed. I don’t want any part of this anymore?

FARROW: Well, as you might imagine, the current employees tell a very different story. They buy into the company’s narrative that NSO Group is predominantly making tools for law enforcement and that those tools are integral in cracking into terrorist and criminal groups. And it is true that I talked to officials in European democracies who said, well, we use this tech, sometimes secretly, to catch criminals. And it’s useful for that. But, of course, that doesn’t mean the tech can’t be abused. And I also spoke to former employees of the NSO Group who were involved in either making or selling Pegasus who said, well, I quit — you know, one told me, I quit after Jamal Khashoggi was murdered by the Saudi regime and it emerged that Pegasus have been used to target people around him. You can look at the story for, you know, the various denials the NSO Group offers as to why, you know, they believe they weren’t linked to this. But it certainly troubled a large number of employees at that company.

SREENIVASAN: University of London, I think, a research group linked to the Pegasus software to 300 different acts of violence. Give me some examples besides the murder of Jamal Khashoggi about how has this been used inappropriately.

FARROW: This has been used, certainly, if you buy the research of a number of very credible watchdog groups against journalists and dissidents and opposition politicians in just about every corner of the war old at this point. You know, I just mentioned the western European example of Catalonia and separatists’ politicians. You know, we’ve seen it in African countries, in Middle Eastern countries, used against people like, you know, at Saudi, women’s rights activists. We have seen it used in Mexico. And there are several lawsuits related to the misuse of this tech in Mexico now. It showed up on phones around the slain journalist, Javier Valdez, who was investigating cartels. So, you know, this does seem to be a pattern. Now, every case is different. And, for instance, in the Valdez case, you know, I spoke to people inside NSO Group who said, well, there was a law enforcement investigation into his murder and that is why there were infections of people around him. So, you know, it’s important, obviously, to err those kinds of defenses and to look closely at each case. But it does seem like the preponderance of evidence now suggests that in literally hundreds of cases, there have been misuses of this technology that are violent in nature, that, you know, either facilitated or were closely connected to acts of violence.

SREENIVASAN: What are these big tech companies doing? Because part of the bargain that they make with us, the end user, is that our communications are safe, more private, but here you are describing a technology that can get right through that.

FARROW: Well, these companies have sizeable security teams that they are continuing to beef up. And they engage in — you know, if I use the term cat and mouse game, because that’s how programmers on both sides of this fight describe it, you know, a back and forth where essentially, they and hackers around the world are popping out from behind pieces of digital cover and exchanging sniper fire, you know, with the hackers trying to infiltrate these platforms, and find new and exotic exploits every single day and the teams within these technology platforms working around the clock to try to plug up these breaches as they arise and, you know, this is one reason why it’s important to keep your phones patched every single day.

SREENIVASAN: Yes. Are they taking them to court?

FARROW: Yes. So, another big development, and part of this kind of sea change in the posture of big tech on this issue is, where once companies like Apple were very secretive about any breaches they had encounter, they are now going to court and describing these exploits in detailed legal filings. You know, they offer willingly on the record voices from within these guarded security teams to talk about the saga of what happens when one of these breaches arises. So, it’s very interesting new window that we have in this reporting into what these teams do. And we are seeing the real-world results in these lawsuits, it’s not just Apple, WhatsApp, you know, obviously, now owned by Meta, is also in a hope high-profile legal battle with NSO Group. Thus far, NSO’s arguments, which are, you know, various, but one of the big ones is that they enjoy the sovereign immunity of the countries that they work with. So, you shouldn’t be able to sue them in U.S. court. Thus far, those arguments have not succeeded in American courts.

SREENIVASAN: So, what has that pressure done to companies like the NSO Group and others? Are the U.S. administration — are we able to put any pressure on them either from a commerce or intelligence perspective?

FARROW: Well, the U.S. commerce department last fall blacklisted NSO Group and a couple of other spyware vendors. Candiru is another spyware maker that I talk about in this piece. And they, therefore, are now prevented from legally purchasing U.S. technology. Things like iPhone or Windows operating systems, without a special waiver. And the Commerce Department has set very clearly that their default position will be to say no to requests for that kind of a waiver. So, this is a significant inconvenience in both the day-to-day business operations of a number of these firms, like NSO, and in their quest for greater legitimacy. You know, NSO Group argues repeatedly that it is essentially an arms dealer. You know, this is the most sort of detailed picture they have given of their arguments in this story. And they say, look, this is a wild west of an industry that is unregulated to a large extent. But it should be regulated. You know, there should be equivalence to the Geneva Convention. There should be an equivalence to various treaties governing the use nuclear or chemical weapons. There aren’t right now. So, we’re flying by blind trying to put in place our own protections. Now, of course, the pivotal question is, how much do you buy the legitimacy of those self-protections they are putting in place?

SREENIVASAN: What is the role of the country that they are sitting in, in this case Israel, in allowing this to continue? Because this is — the software industry is clearly something that Israel is proud of.

FARROW: You know, they are the leader in this kind of tech. And I think one thing that has allowed this tech to flourish through several years of scandal about abusive misuse of it, is that policy makers said, well, these are companies that are closely entwined with the Israeli government. The Israeli Ministry of Defense oversees the purchases, they approve the countries to whom NSO Group, for instance, is selling. So, it lent to the proceedings an heir of legitimacy. But, you know, I talked to a lot of people both within the Israeli intelligence circles and within the private spyware industry who said, the Israeli government on this front has not been putting in place guardrails, you know, that they have been relentlessly real politic in making sure that this tech gets to whomever they want it to get to, to curry favor geopolitically, and not really considering the human rights consequences. So, I think the world is now awakening to the fact that there needs to be stricter regulation, that the international community needs to step up. There is a “Washington Post” editorial board comment, you know, citing this reporting and saying, hey, it’s time for countries to step up. The Biden administration in this piece announces its most muscular step yet. The White House says, we plan to ban the U.S. government from purchasing this kind of tech in the future. So, you know, it is a fast-moving field. But right now, you know, this company is correct. It is something of a wild west and there is a lack of regulation.

SREENIVASAN: So, the global politics and the stances of Israel would also be reflected who this software appeals to. I mean, this — or available. You pointed out that basically they were not allowed to sell the software to Ukraine because of, well, who Ukraine is fighting right now, which is Russia.

FARROW: It is important to understand now that this is a tool of soft power, apart from anything else. You know, it is used in the same way that world powers use building roads, or digging wells. And in all kinds of geopolitical relationships, you see, you know, one state helping another state get this kind of cyber offensive capability. So, I will give you an example. It has been reported by “The Times” and others in recent months that the United States CIA helped Djibouti, a military ally of United States, purchase Pegasus. And we report in this piece for the first time that that account, that Pegasus software that was used by Djibouti was actually used against its own prime minister and other civilian officials. So, you know, you see how quickly this is sort of a genie that you can’t put back in the bottle.

SREENIVASAN: It almost seems like this is an industry that is a proxy, if you will. So, say even if the Biden administration says that no U.S. government agency is allowed to buy this, well, it doesn’t stop private companies in the United States being able to buy it, right? And then — or in the case of Israel, if Mossad can’t help a country out, couldn’t they just say, well, why don’t you just go down the street here. We know these guys have some software that can do what you’re asking?

FARROW: And essentially, that’s what has happened, according to Israeli intelligence officials I spoke to, that there were cases where, you know, for instance, a European country would come to an Israeli government intelligence entity and say, we want your technological assistance, and they would say no. But, you know, some Israeli government or military entity would — you know, the Mossad, for instance, is one that has been closely tied to NCO Group, would say, well, go to these private guys, they can give you this technological capacity. So, that is exactly what’s happening. We, in the case of NSO Group, have to rely on their assurance that they are only selling to governments they claim that they put in place more and more robust vetting about what government those are. Watchdog groups are skeptical, as we have discussed. But, you know, I think what is most important to note here is this isn’t about one rogue company, this isn’t about one form of technology, this is about an industry that is growing and growing. And lots of players on the fringe of that industry that aren’t subject to any kind of oversight. And, you know, NSO Group points out correctly, if they go away, if Pegasus goes away, there is plenty of others that will fill that vacuum and indeed (INAUDIBLE).

SREENIVASAN: The article is called “How Democracies Spy on Their Citizens,” by Ronan Farrow. Ronan, thanks so much for joining us.

FARROW: Thanks so much. Always a pleasure.