The risks commercial spyware poses to journalists, activists and government officials

The use of commercially developed spyware that allows governments to hack a phone and steal its data is booming. Earlier this year, the Biden administration banned federal agencies from using commercial spyware that poses risks to human rights and national security. But as Nick Schifrin reports, spyware is thriving and has already targeted journalists, dissidents and politicians around the world.

  • Amna Nawaz:

    The use of commercially developed spyware that's allowed some governments to hack into phones is booming.

    Earlier this year, the Biden administration banned federal agencies from using commercial spyware that the U.S. assesses poses human rights or national security risks.

    But, as Nick Schifrin reports, some of the most powerful surveillance technology has already targeted journalists, dissidents and activists around the world.

  • Nick Schifrin:

    The Saudi advocate who fought the government to gain a woman's right to drive, the Mexican journalist who reported on government corruption…

  • Woman:

    It can turn your microphone on.

  • Nick Schifrin:

    … the fiancee of a murdered Saudi critic, and the reporter whose newsroom exposed El Salvador's drift into authoritarianism.

  • Roman Gressier, El Faro English:

    I felt violated. It's a feeling that many around the world have expressed when they have been targeted with these tools.

  • Nick Schifrin:

    Those tools are commercial spyware, including one named Pegasus from the Israeli firm NSO Group. They can secretly steal all of a phone's data, location, messages, conversations, social media.

    They have been installed on the phones of government officials, dissidents and journalists around the world, including Roman Gressier.

  • Roman Gressier:

    It gives you unfettered access to a device. There's no corner of your phone, there's no stone unturned for Pegasus. And this breaks through all of the security.

  • Nick Schifrin:

    How was your phone infected with Pegasus?

  • Roman Gressier:

    I'm pretty convinced that I didn't click on a link. Somebody had access to even information on doctor's appointments. That was very challenging for me personally.

  • Nick Schifrin:

    Gressier moved to El Salvador in January 2021 and reported for El Faro English, an investigative news outlet.

    They revealed President Nayib Bukele's consolidation of power, alleged corruption and a secret truce with criminal gangs. Bukele and his government disparaged the stories and attacked the storytellers. An investigation by the organizations Citizen Lab and Access Now concluded at least 35 individuals from media organizations and two independent journalists were hacked with Pegasus.

    The investigation also said: "There is a range of circumstantial evidence pointing to a strong El Salvador government nexus."

  • Roman Gressier:

    I definitely agree with the opinion of El Faro's editorial board, which is that the Salvadoran government is, by any and all indicators, responsible.

  • Ronald Deibert, Founder, Citizen Lab:

    So this is, if you think about it, almost godlike powers that have been developed by these sophisticated surveillance firms and put into the hands of some of the most ruthless, despotic leaders around the world.

  • Nick Schifrin:

    Ron Deibert is the founder and director of Citizen Lab, the Canadian cybersecurity research group that exposed the El Faro and other hacks.

    U.S. officials say at least 50 U.S. government employees working overseas in at least 10 countries were targeted by commercial spyware. And a massive leak in 2021 revealed some 50,000 potential victims of Pegasus in 50 countries.

  • Ronald Deibert:

    The use of spyware has really exploded over the last decade. One minute, you have the most up-to-date iPhone, it's clean, sitting on your bedside table, and then, the next minute, it's vacuuming up information and sending it over to some security agency on the other side of the planet.

  • Joe Biden, President of the United States:

    Earlier this week, I signed an executive order here.

  • Nick Schifrin:

    But it's not only foreign governments. The Biden administration has launched guardrails around the use of commercial spyware by the United States.

  • Joe Biden:

    U.S. taxpayer dollars should not, should not support companies that are willing to sell their products to abet human rights violations.

  • Nick Schifrin:

    The March executive order bans U.S. federal agencies from using commercial spyware that's been employed against activists, used to track Americans, or sold to governments that systematically repress.

  • Ronald Deibert:

    From the perspective of companies in this industry, the United States market is the pot of gold at the end of their rainbow. This executive order really deals a significant blow to some of these firms' aspirations.

  • Nick Schifrin:

    But other experts aren't so sure.

  • Stewart Baker, Former General Counsel, National Security Agency:

    That's not a problem that can be solved just by the U.S. or even by the U.S. and a few like-minded countries.

  • Nick Schifrin:

    Stewart Baker is a former general counsel for the National Security Agency with three decades of intelligence community experience.

    He says, the executive order won't prevent authoritarian governments from using commercial spyware.

  • Stewart Baker:

    There are countries who need these tools or think they need these tools are going to go looking for them. The Chinese have plenty of people, plenty of companies that would be glad to fill any gap that is created in the market by Western companies getting out.

  • Nick Schifrin:

    The U.S. has also imposed export controls to stop foreign spyware firms from using U.S. technology. And the intelligence community has now limited former intelligence officials' ability to work for foreign spyware companies.

    In 2021, former intelligence and military officials paid the U.S. government a fine for helping the Emirati firm DarkMatter create spyware.

  • Ronald Deibert:

    You want to make sure that your investment in personnel and resources doesn't end up being used in ways that will contribute to human rights violations abroad or, more importantly, turn around and bite you in the back.

  • Nick Schifrin:

    But what the executive order doesn't do: ban spyware entirely or commit the U.S. to helping companies find phone vulnerabilities that spyware exploits.

    Do you believe the administration should go even further and issue guidance that would require all agencies of the U.S. government not to exploit the vulnerabilities, but instead to help the companies patch them?

  • Ronald Deibert:

    I absolutely think there should be an obligation written into law that this is a requirement. And then you can build in exceptions.

  • Nick Schifrin:

    But the U.S. intelligence community uses those vulnerabilities in the phones' operating systems to spy on enemies.

  • Stewart Baker:

    They're immensely important, because they get you into communications that are deeply targeted on a particular person. There are usually a lot of vulnerabilities to choose from. Any one of them can be picked to turn into a kind of Pegasus.

    If you're told, no, we can't use that Pegasus because we have now insisted on having that particular vulnerability patched, all that will happen with other countries is, they will say, fine, that was patched, but there were dozens of vulnerabilities. We will pick a different one, and then we will spend money to develop it into a full-fledged piece of spyware.

  • Nick Schifrin:

    As for Gressier, he wants accountability against the commercial spyware Pegasus and the government that weaponized it against its critics. He's joined the first case brought by journalists against NSO Group in a U.S. court.

  • Roman Gressier:

    Unless a court steps in to order them to take significant measures to investigate and rectify some of these harms, they will not do it.

    It's not an El Salvador issue, in particular. It's not even a Central American issue, in and of itself. It's a global issue. And it's one that we see ourselves as deeply embedded in.

  • Nick Schifrin:

    One that experts call a pandemic of spyware abuse that's already spread across borders.

    For the "PBS NewsHour," I'm Nick Schifrin.
