‘Collaboration is Protection’: Journalists Talk About Investigating Pegasus Spyware
Laurent Richard, founder and executive director of Forbidden Stories, and Sandrine Rigaud, the nonprofit’s editor-in-chief, speak to someone in a still from "Global Spyware Scandal: Exposing Pegasus."
In July 2021, 17 news organizations worldwide, including FRONTLINE, published a major investigation known as the Pegasus Project. Led by the French journalism nonprofit Forbidden Stories, the investigation revealed that Pegasus, a powerful spyware sold to governments around the world by the Israeli company NSO Group, was being used on journalists, human rights activists and others, including people close to the murdered Saudi journalist Jamal Khashoggi.
Global Spyware Scandal: Exposing Pegasus, a two-part documentary from FRONTLINE and Forbidden Films, follows journalists who worked on the months-long investigation. Among them are Laurent Richard, the founder and executive director of Forbidden Stories, and Sandrine Rigaud, the nonprofit’s editor-in-chief.
Richard and Rigaud, who are also producers on the documentary, spoke with FRONTLINE about their reporting process, challenges they faced and measures they took to protect themselves from the very spyware they were investigating.
This interview has been edited for length and clarity.
At the start of the investigation, you gained access to a leaked list of more than 50,000 phone numbers. What did you do first?
Rigaud: One of our first missions was to try to identify who [the phone numbers belonged to]. We understood the scale of this cyber surveillance scandal when we discovered dozens of journalists, when we saw lawyers, when we saw human rights activists, when we saw heads of state.
Something else we did was to fact-check the list. We suspected it contained numbers selected for potential surveillance with Pegasus. So we had to cross-check the numbers we saw with the numbers already known as having been targeted or infected by Pegasus.
The second thing we did for fact-checking purposes was to try to analyze as many phones as we could, to see if we could see traces of infection or targeting. This was a very complicated and sensitive process, because we needed to reach out to people who were potentially surveilled and who live in countries with very authoritarian regimes that might harm [the people] if they knew what we were doing.
We first decided to contact journalists we knew or knew through sources, and we had to do that very carefully. Once they accepted, we needed to convince them to give us the phone for analysis. We worked on that with Amnesty International’s Security Lab, [who had] set up a platform that allowed us to analyze the contents of the phone. This is how we found many phone numbers in the list that were indeed infected by Pegasus. The success rate we had was extremely high. The forensic analysis was able to confirm an infection or attempted infection in 37 of more than 60 smartphones that were examined.
You collaborated with more than 80 journalists on this investigation. How did you choose which partners to work with?
Rigaud: We knew that any state we were investigating, or any NSO clients, would want to have that list, if they knew we had it. We had to be very careful and select the journalists we knew the most and the partners we could trust and we already had worked with. We knew journalists from Le Monde and The Washington Post. We worked with Süddeutsche Zeitung. We worked with The Guardian. So we gathered that team of very trusted and long-term partners.
But then, in some countries, specifically during COVID, it was very complicated to reach out to victims. We decided to contact and include partners who were journalists we saw on the list. This is how we contacted Szabolcs Panyi from Direkt36. He’s a Hungarian journalist famous for his work on Viktor Orbán and corruption.
[Journalists from the project contacted Panyi] and made the trip to Hungary to meet him in a room without any computer, without phones, to tell him about our knowledge of him being potentially surveilled and to convince him to have his phone analyzed. Once we got the evidence that he was spied on, because his phone was indeed hacked with Pegasus, we explained the whole project. He had the big picture, and we included him in the collaboration so he could investigate the Hungarian part of our project.
What were some of the challenges of coordinating such a large investigation with so many partners?
Richard: The main thing in collaboration — the key thing — is trust. Collaboration is protection.
This [project presented] a kind of specific danger. We were investigating not only one government, but more than 10 governments, plus a very secretive company. The thing that we always had in mind is that we didn’t want to be the next one on the list.
We set up, with the help of Amnesty, a very secure, entirely encrypted system to have 80 reporters connected to each other in the most secure way. So that means we had to forget about phones. It raised a lot of questions about how to investigate, with efficiency, a story without your regular device and with very strict rules of communication.
Laurent, in the documentary you warn your colleagues that, at some point, you will all be closely monitored. Can you talk more about the measures you took to protect yourselves and your partners?
Richard: When we revealed to the team that we were getting access to that huge leak, the first advice I gave was to make sure you do not talk to any people outside the group about what you’re working on.
A lot of the governments we’re talking about are very dangerous governments. If we were communicating on unsecure channels about a person being surveilled, the risk would have been the governments [becoming] aware and then informing NSO Group.
To prevent the risk, [you] first compartmentalize where you are communicating: having a specific phone for personal communication, another one for professional communication and even a third one for highly confidential conversation. It’s crucial for us, and it’s crucial for the trust of our sources. Without protection of sources, there is no way we can do good journalism.
The first part of the documentary tells the stories of Hanan Elatr, Jamal Khashoggi’s wife, and Hatice Cengiz, his fiancée, as well as Carmen Aristegui, a journalist based in Mexico, and Khadija Ismayilova, an Azerbaijani journalist. How did you decide which stories to focus on?
Richard: The idea of the documentary was to show the real lives of the real victims of the Pegasus spyware. So Khadija Ismayilova, Hatice [Cengiz], Carmen Aristegui, Hanan Elatr are four women whose trajectories tell us how traumatizing it is to be a victim of Pegasus.
Khadija has been surveilled because she’s [an] independent journalist in Azerbaijan. She has been jailed for 18 months. She has suffered a lot. Despite all those threats, she decided she wanted to stay in Azerbaijan, to report about what is going on within her country. Because of all that, she was on the list.
So by telling those stories, it can show the audience how this global misuse of spyware is targeting people who are fighting to defend democracies. And that was crucial to tell people what kind of victims we’re talking about. We’re not talking about criminals and terrorists — the official narrative of NSO and governments.
How did you go about breaking the difficult news to people that their devices potentially had been targeted?
Richard: It’s a traumatizing moment. Claudio Guarnieri of Amnesty International’s Security Lab says that in the documentary — you are announcing something that will be creating a trauma. Of course, you need to tell the person in person.
I think the scene [where Ismayilova learns she’s been hacked] is really precisely about that moment: how your life will change once you know that you have been trapped; once you know that your enemies, people who want to endanger you, that they know everything about you; they know all your secrets; they have been able to take all your photos, your videos, your messages. They’re [experiencing] a very traumatic moment, thinking, “What did they take from my phone and how much did I endanger other people?” That’s what Khadija is saying in the documentary: She felt guilty. You are infected, but you are contaminating [others] as well.
And it’s not ending. You still have to live the rest of your life with this, because you don’t know when the people who got this information from you will use this information against you.