David Remnick: The software known as Pegasus is probably the most notorious spyware in the world. It allows users, law enforcement officials, or government authorities to hack into a target smartphone. That gains them access to photos, videos, and messages. Pegasus can also remotely control a phone's microphone and camera, all without your knowing it.

The software is aimed at catching the worst of the worst, terrorists and other violent criminals, but once a surveillance tool is on the market, it can be very difficult to control. Ronan Farrow has a new piece out in the New Yorker about Pegasus and the company that makes it, an Israeli firm called NSO Group.

Ronan Farrow: One of the things that I think is distinctive about this story against a backdrop of a lot of good reporting from a lot of good outlets about this spyware is I really got to spend time inside NSO Group and their offices in Tel Aviv talking to their software engineers who take evident pride in cracking encryption methods and opening up people's phones.

In the conversations that I had with both the working level people at NSO and their executives, what comes out is, I think at times a sincere belief that this is a tool with a lot of power to assist law enforcement. Critics, particularly in the human rights world, I think, would say that that's a dog and pony show. I do emerge from the reporting seeing evidence that there are law enforcement agencies around the world who perhaps otherwise would not have elaborate surveillance capabilities in-house. I'm talking about, for instance, smaller European countries, and who now have a tremendously powerful surveillance tool in their hands.

David Remnick: Now, do they have any banner headline crimes that this software has stopped? If they're advertising themselves, what do they announce through the world as their great successes?

Ronan Farrow: This is part of the problem and one of the challenges of reporting on this spyware. They say that confidentiality with their customers and the inherently confidential nature of law enforcement investigations prevents them from talking about specifics. Now, people around this world have talked about various European counter-terrorism investigations where it's claimed that Pegasus or other commercial spyware tools were helpful. Very hard to verify because it isn't people willing to put that on the record. This descends into the realm of whispers and rumors very quickly.

David Remnick: Just to be clear, what about encrypted apps like Signal or WhatsApp? Are those things immune from this spyware because it seems like not.

Ronan Farrow: Not at all. Pegasus specifically focuses on commandeering wide control of your phone. It allows the phone to disgorge all of your texts, all of your photos, all of your calendar entries. It also affords the operator of the software the ability to turn on your microphone and turn on your camera and get real-time surveillance. The protections of end-to-end encryption on a platform like WhatsApp or like Signal are meaningless if someone targets you with this kind of spyware.

David Remnick: Ronan, I've got my cell phone right here in front of me. It's a beautiful little device and I've been to Russia, I've been to China, and many other places. Can I assume as a journalist that I've got spyware on my phone now?

Ronan Farrow: Well, one of the things I did in the course of this reporting was to actually have my devices tested. I went in for some legs of this reporting in some parts of the world with only a burner phone, not my usual phone because the risk of surveillance is so high, particularly when you're writing about issues in some of these places. Then I had all those devices tested, so you can see for yourself if you would like, David. Those are proprietary testing tools developed by places like Amnesty International and Citizen Lab.

David Remnick: Countries have deployed the software not just against terrorists and criminals as you've made plain, but also against journalists and human rights leaders. This was a very big story last summer. Pegasus was allegedly used to monitor phones belonging to people around the well-known Saudi journalist Jamal Khashoggi before his murder by Saudi dispatched thugs in 2018. In your reporting, you've narrowed in on a series of Pegasus attacks on people involved in the Catalan Independence Movement in Spain. Why was that used against those people?

Ronan Farrow: It's worth noting that on the Khashoggi murder, NSO Group is adamant that they had nothing to do with it. Their technology had nothing to do with it. There's been a lot of back and forth on whether it was in fact found on the phone of his wife, but it does seem like the preponderance of evidence suggests that this software was found on the devices of a number of Khashoggi's associates.

That is consistent with a pattern that we've seen around the world of this being found either on the devices of a person who comes in harm's way, who's run afoul of a regime using this software, or people around them. That's exactly what we see on a massive scale in Catalonia. This is the largest forensically documented cluster of attacks and infections through Pegasus that has ever been revealed that we know of.

David Remnick: This presumably has to do with the independence movement, which the Spanish government views as a very serious threat. There was an independence referendum in Catalonia in 2017 that Madrid considered illegal. People were sent to jail, and eventually, it all descended into violence. Who was targeted with Pegasus?

Ronan Farrow: It appears that just about, I'm speaking figuratively, but just about everyone and their mother.

David Remnick: Of the main figures.

Ronan Farrow: What was hacked of the central political movement. In fact, part of the arc of the story is there's a Catalonian investigator who is analyzing phones and realizing how vast this campaign is. By the end of the story, he's realized it's not just these politicians he's vetting, his own parents have been hacked again and again. There's a feeling of a lack of safety. There is--

David Remnick: Which is sometimes as much the point as the actual information that's being accrued.

Ronan Farrow: Yes. That's a really important and good point. This is not just an information-gathering tool for repressive regimes or, as we're learning increasingly in this piece, Western democracies using the technology. It's an intimidation tactic, and it works.

[music]

David Remnick: One of the people you talk to is Jordi Cuixart. Who is Jordi Cuixart and why was he such a important source for you?

Ronan Farrow: Jordi is a local businessman in Catalonia. His company makes packaging machinery and it's distributed all over the world. More importantly, he was the president of an organization called Òmnium Cultural.

Jordi Cuixart: Òmnium Cultural, it's one of the most important civil organization in Europe. We have around 200,000 members.

Ronan Farrow: That group is about the cultural independence of Catalonia and it backs the independence movement.

Jordi Cuixart: What we are doing is to defend the civil rights and also the human rights, so that means the right of Catalonia and the Catalonians to decide their own future.

Ronan Farrow: What's interesting about Catalonia is this isn't surveillance without stakes. A number of activists in this community, including Jordi, have gone to jail.

Was there a specific trigger that prompted your arrest? Obviously, it was your leadership in the community and so forth, but what was the actual catalyst?

Jordi Cuixart: What the court said is that we, personally me as a president of Òmnium Cultural, I had a lot of capacity and power to mobilize the society. It was the reason why they decide to put me in jail.

Ronan Farrow: Cuixart's lawyer and also his wife were targeted as well.

Txell Bonet: When I learned that my telephone was infected, I was visiting Jordi in the prison, living alone with one baby, but I was pregnant from the other baby.

Ronan Farrow: His wife's name is Txell Bonet.

Txell Bonet: It's like you never know what is going to happen with you and the information that they have about you if it's going to be twist for create invented news or invented facts.

Jordi Cuixart: It's very difficult for us to defend ourself if the prosecutor knows exactly which is our strategy of defense.

Ronan Farrow: Do you think that was the objective to spy on your legal strategy and--

Jordi Cuixart: Not only this, also to know exactly what we were preparing in order to protest against the decision to sentence us from these higher years of prison.

Ronan Farrow: It's been fascinating to spend time with people and communities who are in receipt of this level of widespread surveillance. One of the things that it creates is just an atmosphere of paranoia and mistrust.

Jordi Cuixart: For example, yesterday, we went to dinner together, yesterday night, but we decided to keep the mobile phones in the jacket and talked between us without the mobile phones. Why?

Txell Bonet: The mobile phones far from us.

Jordi Cuixart: You feel that all the times, there is a micro here who is listening. If we want to discuss about personal issues, or whatever, I want to feel sure that nobody's listening me.

[music]

Ronan Farrow: It's something that I think has a profound destructive effect on families, on people's personal lives on all of these individuals I talked to who now have to wonder whether any personal photo is going to be weaponized against them, any text message? If they've been discussing politically sensitive things, is that going to be the basis for an arrest warrant if you're in a place like Catalonia?

Jordi Cuixart: I think that this is one thing that from my point of view, all the people who is infected or who was infected or who will be infected, it's important to keep calm. Calm down. If not, then appears the paranoia and then you imagine that you have micros at home and somebody's following you and we can step by step because if not, then the emotional shock arrives, and then it's difficult to manage.

[music]

David Remnick: Ronan, were you able to confirm these hacks with NSO or the Spanish government?

Ronan Farrow: We have former NSO employees saying that the company does indeed have an account in Spain. Citizen Lab, the watchdog group has undertaken analysis that suggests that there is a Pegasus account being operated in Spain. The Spanish government for their part won't answer questions about this. Certainly, they didn't respond to our requests for comments about it. Catalan politicians are convinced that Spanish law enforcement or intelligence entities are behind this campaign, and are in this story demanding transparency.

David Remnick: What does NSO say about all this?

Ronan Farrow: I spent a lot of time with NSO Group CEO, Shalev Hulio, and he makes a number of arguments in defense of the company and the technology. He's also very cagey and careful when it comes to identifying customers. He always gives the caveat of, "I'm declining to identify any of the countries that we work with." That said, he did very clearly talk about some of the countries that we now know use his technology, including Spain. In that case, he said Spain is a democracy. If they decide to use these tools-

David Remnick: That's on them.

Ronan Farrow: -that's on them.

David Remnick: I assume you talk with their General Counsel.

Ronan Farrow: We talked to their General Counsel at length, Shmuel Sunray.

Shmuel Sunray: First of all, anyone who feels he's a target, I would really appeal for them to go and go through our process.

Ronan Farrow: He says that if people suspect there has been abuse of the software, they should report it to NSO.

Shmuel Sunray: We are going to take this every complaint seriously, investigate it to its fullest, and take the appropriate measures that are derivative from.

Ronan Farrow: The obvious response there that I imagine a lot of dissidents who feel they've been subjected to illegal repressive activity from a regime they're under, and they feel that your company is involved in a relationship with that regime, those are the last people we would call. How can we trust that we'll be safe in that process? How can we trust that a company that is, of course, self-interested in business terms, is going to have a thorough process of due diligence? What's your response to that?

Shmuel Sunray: I think that our record has proved itself that we take these issues seriously. We will continue to take them seriously. All I can say that if it was our technology that was used, we feel very bad about it, and we'll make our utmost to make sure that no other targets will be in that situation.

Ronan Farrow: Their central argument is that there is a Geneva convention for conventional forms of warfare. There are all sorts of treaties on conventional weaponry, and they are a weapons manufacturer, but in a space that doesn't yet have adequate regulation. They freely admit this, and they say, "Well, we're the lesser of evils. We're at least the guys letting an investigative reporter into the offices, answering questions, trying to put on a show of legitimacy."

David Remnick: So you think they were trying to use you as a way to show what swell guys they are?

Ronan Farrow: I think everyone is always trying to use us, David. Yes. Look, I'm under no illusions, but I did think that it afforded us a new and closer look at this company and an opportunity to inspect their arguments, which are now playing out in court. They're being sued by a number of the biggest tech companies in the world, Facebook.

David Remnick: That's the pot calling the kettle black a little bit, no?

Ronan Farrow: Certainly, Shalev Hulio, the CEO of NSO Group, cries hypocrisy on Facebook's case. The Facebook dynamic is interesting because, yes, Facebook has played this very disruptive role in our society, but they also are the guardians of the security of a huge population of people who use their messaging platforms around the world. WhatsApp is a Facebook property, and that is the most popular messaging platform in the world. All kinds of sensitive communication by dissidents, by journalists, happens on that platform.

David Remnick: What has to happen in order for this to be reformed?

Ronan Farrow: Well, right now, it's now a fight that is in the hands of coders. That is in the hands of the courts. It's not enough, I think, in the domain of international and domestic law. I think we're at the beginning of a period where that is starting to change. One of the things that we break for the first time in this story is that the White House is actively pursuing a US government-wide ban on purchasing this kind of commercial spyware.

I think there's an increasing understanding that this is both a technology that has an incredibly destructive footprint in the world, in terms of the effect on these journalists and activists and dissidents. Also that it's technology we can't fully control.

[music]

Jordi Cuixart: It's like monsters. The mobile phone, it's like monsters. Unfortunately, we don't know exactly today who is using this softwares. Of course, the mobile phones help the humanity to move forward, and to improve, and to be a better society for sure, but many times probably, it's the most important criminal, and that we have in the pocket. It's important to manage these two faces of the same device.

Ronan Farrow: Whatever the progress gained through them, what's the cost? They are monsters in our pockets.

Jordi Cuixart: Yes, definitely. Definitely.

Ronan Farrow: This is not technology that's going away, and we've just got a hope that some of these regulatory efforts can rein in the most destructive effects of it.

David Remnick: Ronan Farrow, thank you so much.

Ronan Farrow: Thank you.

David Remnick: You can read Ronan Farrow's story, How Democracies Spy On Their Citizens at newyorker.com.

[music]

Copyright © 2022 New York Public Radio. All rights reserved. Visit our website terms of use at www.wnyc.org for further information.

New York Public Radio transcripts are created on a rush deadline, often by contractors. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of New York Public Radio’s programming is the audio record.