Categories
Saved Web Pages

How to Check if Your Cellphone Is Infected With Pegasus Spyware – Tech News


NSO Group’s Pegasus spyware can turn any infected smartphone into a remote microphone and camera, spying on its own owner while also offering the hacker – usually in the form of a state intelligence or law enforcement agency – full access to files, messages and, of course, the user’s location.

Pegasus is one of a number of proprietary tools sold as part of the hacker-for-hire industry – and one found at the very high-end of that dark market. Other companies offer less expensive services – for example, only providing geolocation services for its clients.


So how can you protect yourself? And how can you check to see if your phone has been targeted in the past or is infected now?

Haaretz offers a simple, nontechnical explanation on how to check and stay safe…

The weakest link

Most cellphone spyware operates in a similar fashion: a nefarious message is sent to a phone. The message usually contains a link that will either download the malware onto your device directly, or refer it to a website that will prompt a download – all unbeknown to the phone’s owner.

There are other ways to get your phone to download something that don’t involve a message. However, from the moment of infection, most spyware tools follow a similar protocol: once installed, the spyware contacts what is called a “command-and-control” server, which provides it with instructions remotely.

“Let’s say the Israel Police are the ones who installed Pegasus on your smartphone and they want to know where you – or, more precisely, your phone – has been in the previous 24 hours. To get that information, instructions to obtain that data are sent to a C&C server connected to the phone,” explains Dr. Gil David, a researcher and cybersecurity consultant.

The best way to stay safe, any cybersecurity expert will tell you, is to never – ever! – open any link sent to you, unless it’s a link you are expecting from someone you know and trust.

The reason is that, once infected, “the C&C server communicates between the hacker and the spyware installed on your phone. Without it, the hacker has no way of relaying instructions to Pegasus, and Pegasus has no way to get information from the victim’s phone back to the hacker,” David writes in Haaretz Hebrew.

Many times, the links sent to you will appear innocent. It may look like a message from the Post Office or Amazon. But don’t be fooled: Through some simple social engineering and a process called “DNS spoofing,” even an official-looking URL may be a trap.

Double zero

Sadly, staying safe is not always possible.

What makes Pegasus so expensive is its ability to not just potentially infect any smartphone selected for targeting remotely, but to do so with a “zero click” infection. This means your phone can be infected without you even having to click on a link – for example, with the code instructing your phone to reach out to the server secretly encoded into a WhatsApp message or even in a file like a photo texted to you via iMessage.

These “zero click” attacks make use of what is called “zero-day” exploits: unknown loopholes in your phone’s defenses that allow these hidden bits of code to kick into action without the victim doing anything.

So, another good practice is to make sure your phone’s operating system is as updated as possible: As new exploits are discovered, they are quickly “patched” by the likes of Apple and Google.

According to digital forensics experts Amnesty International and Citizen Lab, Pegasus’ zero click infections have only been found on iPhones. “Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021,” Amnesty notes in its instructive report “How to Catch NSO Group’s Pegasus.”

It seems Pegasus’ ability to infect iPhones was based on a previously unknown loophole in the iMessage service, and this too has subsequently been patched. However, other Israeli firms, for instance QuaDream, reportedly have such abilities as well.

“From 2019, an increasing amount of vulnerabilities in iOS, especially iMessage and FaceTime, started getting patched thanks to their discoveries by vulnerability researchers, or to cybersecurity vendors reporting exploits discovered in-the-wild,” Amnesty writes – so make sure your phone is updated.

Indicators of compromise

Groups like Amnesty and Citizen Lab find NSO’s spyware on phones using two different methods. Both involve searching for what is termed “indicators of compromise,” or IOCs.

Amnesty maintains a database of nefarious domains used by NSO’s clients. The list is constantly updating as more bogus URLs are found. Citizen Lab, meanwhile, also maintains a database of so-called vectors: messages sent to victims containing nefarious code or URLs. The two groups each maintain updated lists of Pegasus’ related processes that together permit attribution.

The only thing that has changed with Pegasus over the years is the way your phone is referred to the server, and the way the so-called payload is delivered.

“While SMS messages carrying malicious links were the tactic of choice for NSO Group’s customers between 2016 and 2018, in more recent years they appear to have become increasingly rare,” Amnesty wrote in its July 2021 report.

The newer trend, discovered in the case of Moroccan journalist Omar Radi, who was infected with Pegasus in 2020, is what is known as “packet injection.” This means that the download order is delivered not through a message but instead through your network, in the form of a hidden command “injected” into the phone through what Amnesty describes as “tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator.

“The discovery of network injection attacks in Morocco signaled that the attackers’ tactics were indeed changing. Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators,” it explained.

As NSO’s clients are state agencies, they can easily make use of the mobile infrastructure to infect phones.

Therefore, and though such injection infections can also be forced upon you, other good practices include never using free Wi-Fi; never connecting to wireless networks you do not absolutely know are secure – as these networks can easily be hacked so they infect your phone and refer it to the snooping server. Not using so-called VPNs is also advisable for the same reason.

Get checked, get vaccinated

Chances are you have not been infected with Pegasus. However, if you have cause for concern and are scared you are or were infected, there are a few options:

Amnesty offers a useful, free and open source tool called the Mobile Verification Toolkit that can check a backup of your device or its logs for any IOC. The MVT will scan your iPhone’s logs for Pegasus-related processes or search your Android’s messages for nefarious links.

The tool can be downloaded here. The bad news is that it requires some technical know-how and is currently devoid of a simple-to-use interface.

To get it to work, you first need to make a specific type of backup of your phone, and then you need to download the program and run the code on your computer so it can scan the file you created.

Running the program requires you to download Python. Luckily, the tool comes with very clear instructions, and even those unskilled in code can make use of it with a bit of effort. Furthermore, it also allows you to conduct the test yourself.
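The indicator matching described above (known-bad domains in message links, known-bad process names in logs), as an added Python example that is not MVT's code and not part of the original article. The indicator values, message records and log line format are constructed placeholders, not real Pegasus IOCs or real iOS/Android formats.

```python
"""IOC matching over constructed message and process records."""
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators; NOT real Pegasus IOCs.
IOC_DOMAINS = {"bad-redirect.example", "cdn-update.example.net"}
IOC_PROCESSES = {"fakedaemond", "updatehelperx"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PROC_RE = re.compile(r"\bproc=(\S+)")  # assumed log layout, see SAMPLE_LOG


def extract_hosts(text):
    """Yield (url, hostname) for every http(s) URL found in free text."""
    for raw in URL_RE.findall(text):
        # Drop sentence punctuation that the regex swallowed with the URL.
        url = raw.rstrip(".,;:!?)]}")
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed netloc, e.g. unbalanced IPv6 bracket
            continue
        if host:
            yield url, host.rstrip(".").lower()


def match_domain(host, indicators=IOC_DOMAINS):
    """Return the indicator that equals host or is a parent domain of it.

    Comparing whole DNS labels (not substrings) avoids flagging
    'notbad-redirect.example' or 'bad-redirect.example.login.test'.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_messages(messages, indicators=IOC_DOMAINS):
    """Return one finding per message URL whose host matches an indicator."""
    hits = []
    for msg in messages:
        for url, host in extract_hosts(msg["text"]):
            ioc = match_domain(host, indicators)
            if ioc:
                hits.append({"id": msg["id"], "url": url, "indicator": ioc})
    return hits


def scan_process_log(lines, indicators=IOC_PROCESSES):
    """Return (line number, process name) for exact process-name matches."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = PROC_RE.search(line)
        if m and m.group(1) in indicators:
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample data standing in for a parsed backup.
SAMPLE_MESSAGES = [
    {"id": 1, "text": "Your parcel is waiting: https://track.bad-redirect.example/p?id=77."},
    {"id": 2, "text": "Lunch? Menu at https://notbad-redirect.example/menu"},
    {"id": 3, "text": "Verify now: HTTP://CDN-UPDATE.EXAMPLE.NET:8443/a"},
    {"id": 4, "text": "Reset: https://bad-redirect.example.login.test/reset"},
]
SAMPLE_LOG = [
    "2021-07-01T10:00:00Z proc=mediaserverd pid=101",
    "2021-07-01T10:00:05Z proc=fakedaemond pid=312",
    "2021-07-01T10:00:09Z proc=fakedaemond2 pid=313",
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print("message", hit["id"], "links to", hit["indicator"], "via", hit["url"])
    for lineno, proc in scan_process_log(SAMPLE_LOG):
        print("log line", lineno, "names flagged process", proc)
```

A match only means a record coincides with a listed indicator; an empty result does not show a device is clean, since indicator lists lag behind new infrastructure.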

A similar product is iMazing, a phone-backup platform that runs on your desktop and provides an MVT-like analysis of your device. It does not prevent infections but can check your phone for IOCs.

If the best offense is defense, there’s also a growing cellphone security market. Cyberdefense firms like ZecOps offer organizations like the BBC and Fortune 2000 companies a platform that inspects phones for current infections or traces of historic attacks. ZecOps also provides this service pro bono for journalists involved in the Pegasus Project.

Private users can also buy such services. For example, the Israeli-Indian security firm SafeHouse Technologies offers an app called “BodyGuard” that provides defenses for your phone, for a small price. It already has more than a million users, mostly in India.

If you can’t get the Mobile Verification Toolkit to work and are reluctant to use an app, and you genuinely fear you have been targeted, you can also drop us a tip here and we at Haaretz will get you checked.


How Democracies Spy on Their Citizens


In Israel’s legislature, Arab politicians are leading a modest movement to examine the state’s relationship with NSO. The Arab party leader Sami Abou Shahadeh told me, “We tried to discuss this in the Knesset twice . . . to tell the Israeli politicians, You are selling death to very weak societies that are in conflict, and you’ve been doing this for too long.” He added, “It never worked, because, first and morally, they don’t see any problem with that.” Last fall, an investigation by the watchdog group Front Line Defenders identified Pegasus infections on the phones of six Palestinian activists—including one whose Jerusalem residency status had been revoked. Abou Shahadeh argued that the history of Israel’s spyware technology is tied to the surveillance of Palestinian communities in the West Bank, East Jerusalem, and Gaza. “They have a huge laboratory,” he told me. “When they were using all the same tools for a long time to spy on Palestinian citizens, nobody cared.” Asked about the targeting of Palestinians, Hulio said, “If Israel is using our tools to fight crime and terror, I would be very proud of it.”

“I know there have been misuses,” Hulio said. “It’s hard for me to live with that. And I obviously feel sorry for that. Really, I’m not just saying that. I never said it, but I’m saying it now.” Hulio said that the company has turned down ninety customers and hundreds of millions of dollars of business out of concern about the potential for abuse. But such claims are difficult to verify. “NSO wanted Western Europe mainly so they can tell guys like you, Here’s a European example,” the former Israeli intelligence official, who now works in the spyware sector, said. “But most of their business is subsidized by the Saudi Arabias of the world.” The former employee, who had knowledge of NSO’s sales efforts, said, “For a European country, they would charge ten million dollars. And for a country in the Middle East they could charge, like, two hundred and fifty million for the same product.” This seemed to create perverse incentives: “When they understood that they had misuse in those countries that they sold to for enormous amounts of money, then the decision to shut down the service for that specific country became much, much harder.”

Asked about the extreme abuses ascribed to his technology, Hulio invoked an argument that is at the heart of his company’s defense against WhatsApp and Apple. “We have no access to the data on the system,” he told me. “We don’t take part in the operation, we don’t see what the customers are doing. We have no way of monitoring it.” When a client buys Pegasus, company officials said, an NSO team travels to install two racks, one devoted to storage and another for operating the software. The system then runs with only limited connection to NSO in Israel.

But NSO engineers concede that there is some real-time monitoring of systems to prevent unauthorized tampering with or theft of their technology. And the former employee said, of Hulio’s assurances that NSO is technically prevented from overseeing the system, “That’s a lie.” The former employee recalled support and maintenance efforts that involved remote access by NSO, with the customer’s permission and live oversight. “There is remote access,” the former employee added. “They can see everything that goes on. They have access to the database, they have access to all of the data.” The senior European law-enforcement official told me, “They can have remote access to the system when we authorize them to access the system.”

NSO executives argue that, in an unregulated field, they are attempting to construct guardrails. They have touted their appointment of a compliance committee, and told me that they now maintain a list of countries ranked by risk of misuse, based on human-rights indicators from Freedom House and other groups. (They declined to share the list.) NSO also says that customers’ Pegasus systems maintain a file that records which numbers were targeted; customers are contractually obligated to surrender the file if NSO starts an investigation. “We have never had a customer say no,” Hulio told me. The company says that it can terminate systems remotely, and has done so seven times in the past few years.

The competition, Hulio argued, is far more frightening. “Companies found themselves in Singapore, in Cyprus, in other places that don’t have real regulation,” he told me. “And they can sell to whoever they want.” The spyware industry is also full of rogue hackers willing to crack devices for anyone who will pay. “They will take your computers, they will take your phone, your Gmail,” Hulio said. “It’s obviously illegal. But it’s very common now. It’s not that expensive.” Some of the technology that NSO competes with, he says, comes from state actors, including China and Russia. “I can tell you that today in China, today in Africa, you see the Chinese government giving capabilities almost similar to NSO.” According to a report from the Carnegie Endowment for International Peace, China supplies surveillance tools to sixty-three countries, often through private firms enmeshed with the Chinese state. “NSO will not exist tomorrow, let’s say,” Hulio told me. “There’s not going to be a vacuum. What do you think will happen?”

NSO is also competing with Israeli firms. Large-scale hacking campaigns, like the one in Catalonia, often use tools from a number of companies, several founded by NSO alumni. Candiru was started in 2014, by the former NSO employees Eran Shorer and Yaakov Weizman. It was allegedly linked to recent attacks on Web sites in the U.K. and the Middle East (Candiru denies the connection), and its software has been identified on the devices of Turkish and Palestinian citizens. Candiru has no Web site. The firm shares its name with a parasitic fish, native to the Amazon River basin, that drains the blood of larger fish.

QuaDream was founded two years later, by a group including two other former NSO employees, Guy Geva and Nimrod Reznik. Like NSO, it focusses on smartphones. Earlier this year, Reuters reported that QuaDream had exploited the same vulnerability that NSO used to gain access to Apple’s iMessage. QuaDream, whose offices are behind an unmarked door in the Tel Aviv suburb of Ramat Gan, appears to share with many of its competitors a reliance on regulation havens: its flagship malware, Reign, is reportedly owned by a Cyprus-based entity, InReach. According to Haaretz, the firm is among those now employed by Saudi Arabia. (QuaDream could not be reached for comment.)

Other Israeli firms pitch themselves as less reputationally fraught. Paragon, which was founded in 2018 by former Israeli intelligence officials and includes former Prime Minister Ehud Barak on its board, markets its technology to offices within the U.S. government. Paragon’s core technology focusses not on seizing complete control of phones but on hacking encrypted messaging systems like Telegram and Signal. An executive told me that it has committed to sell only to a narrow list of countries with relatively uncontroversial human-rights records: “Our strategy is to have values, which is interesting to the American market.”


In Catalonia, Gonzalo Boye, an attorney representing nineteen people targeted by Pegasus, is preparing criminal complaints to courts in Spain and other European countries, accusing NSO, as well as Hulio and his co-founders, of breaking national and E.U. laws. Boye has represented Catalan politicians in exile, including the former President Carles Puigdemont. Between March and October of 2020, analysis by the Citizen Lab found, Boye was targeted eighteen times with text messages masquerading as updates from Twitter and news sites. At least one attempt resulted in a successful Pegasus infection. Boye says that he now spends as much time as possible outside Spain. In a recent interview, he wondered, “How can I defend someone, if the other side knows exactly everything I’ve said to my client?” Hulio declined to identify specific customers but suggested that Spain’s use of the technology was legitimate. “Spain definitely has a rule of law,” he told me. “And if everything was legal, with the approval of the Supreme Court, or with the approval of all the lawful mechanisms, then it can’t be misused.” Pere Aragonès, the current President of Catalonia, told me, “We are not criminals.” He is one of three people who have served in that role whose phones have been infected with Pegasus. “What we want from the Spanish authorities is transparency.”

Last month, the European Parliament formed a committee to look into the use of Pegasus in Europe. Last week, Reuters reported that senior officials at the European Commission had been targeted by NSO spyware. The investigative committee, whose members include Puigdemont, will convene for its first session on April 19th. Puigdemont called NSO’s activities “a threat not only for the credibility of Spanish democracy, but for the credibility of European democracy itself.”

NSO Group also faces legal consequences in the U.K.: three activists recently notified the company, as well as the governments of Saudi Arabia and the U.A.E., that they plan to sue over alleged abuses of Pegasus. (The company responded that there was “no basis” for their claims.)

NSO continues to defend itself in the WhatsApp suit. This month, it filed an appeal to the U.S. Supreme Court. “If we need to go and fight, we will,” Shmuel Sunray, NSO’s general counsel, told me. Lawyers for WhatsApp said that, in their fight with NSO, they have encountered underhanded tactics, including an apparent campaign of private espionage.

On December 20, 2019, Joe Mornin, an associate at Cooley L.L.P., a Palo Alto law firm that was representing WhatsApp in its suit against NSO, received an e-mail from a woman who identified herself as Linnea Nilsson, a producer at a Stockholm-based company developing a documentary series on cybersecurity. Nilsson was cagey about her identity but so eager to meet Mornin that she bought him a first-class plane ticket from San Francisco to New York. The ticket was paid for in cash, through World Express Travel, an agency that specialized in trips to Israel. Mornin never used the ticket. A Web site for the documentary company, populated with photos from elsewhere on the Internet, soon disappeared. So did a LinkedIn profile for Nilsson.

Several months later, a woman claiming to be Anastasia Chistyakova, a Moscow-based trustee for a wealthy individual, contacted Travis LeBlanc, a Cooley partner working on the WhatsApp case, seeking legal advice. The woman sent voice-mail, e-mail, Facebook, and LinkedIn messages. Mornin identified her voice as belonging to Nilsson, and the law firm later concluded that her e-mail had come from the same block of I.P. addresses as those sent by Nilsson. The lawyers reported the incidents to the Department of Justice.

The tactics were similar to those used by the private intelligence company Black Cube, which is run largely by former officers of Mossad and other Israeli intelligence agencies, and is known for using operatives with false identities. The firm worked on behalf of the producer Harvey Weinstein to track women who had accused him of sexual abuse, and last month three of its officials received suspended prison sentences for hacking and intimidating Romania’s chief anti-corruption prosecutor.

Black Cube has been linked to at least one other case involving NSO Group. In February, 2019, the A.P. reported that Black Cube agents had targeted three attorneys involved in another suit against NSO Group, as well as a London-based journalist covering the case. The lawyers—Mazen Masri, Alaa Mahajna, and Christiana Markou—who represented hacked journalists and activists, had sued NSO and an affiliated entity in Israel and Cyprus. In late 2018, all three received messages from people who claimed to be associated with a rich firm or individual, repeatedly suggesting meetings in London. NSO Group has denied hiring Black Cube to target opponents. However, Hulio acknowledged the connection to me, saying, “For the lawsuit in Cyprus, there was one involvement of Black Cube,” because the lawsuit “came from nowhere, and I want to understand.” He said that he had not hired Black Cube for other lawsuits. Black Cube said that it would not comment on the cases, though a source familiar with the company denied that it had targeted Cooley lawyers.

“People can survive and can adapt to almost any situation,” Hulio once told me. NSO Group must now adapt to a situation in which its flagship product has become a symbol of oppression. “I don’t know if we’ll win, but we will fight,” he said. One solution was to expand the product line. The company demonstrated for me an artificial-intelligence tool, called Maestro, that scrutinizes surveillance data, builds models of individuals’ relationships and schedules, and alerts law enforcement to variations of routine that might be harbingers of crime. “I’m sure this will be the next big thing coming out of NSO,” Leoz Michaelson, one of its designers, told me. “Turning every life pattern into a mathematical vector.”

The product is already used by a handful of countries, and Hulio said that it had contributed to an arrest, after a suspect in a terrorism investigation subtly altered his routine. The company seemed to have given little consideration to the idea that this tool, too, might spur controversy. When I asked what would happen if law enforcement arrested someone based on, say, an innocent trip to the store in the middle of the night, Michaelson said, “There could be false positives.” But, he added, “this guy that is going to buy milk in the middle of the night is in the system for a reason.”

Yet the risk to bystanders is not an abstraction. Last week, Elies Campo decided to check the phones of his parents, scientists who are not involved in political activities, for spyware. He found that both had been infected with Pegasus when he visited them during the Christmas holiday in 2019. Campo told me, “The idea that anyone could be at risk from Pegasus wasn’t just a concept anymore—it was my parents sitting across the table from me.” On his mother’s phone, which had been hacked eight times, the researchers found a new kind of zero-click exploit, which attacked iMessage and iOS’s Web-browsing engine. There is no evidence that iPhones are still vulnerable to the exploit, which the Citizen Lab has given the working name Homage. When the evidence was found, Scott-Railton told Campo, “You’re not going to believe this, but your mother is patient zero for a previously undiscovered exploit.”

During a recent visit to NSO’s offices, windows and whiteboards across the space were dense with flowcharts and graphics, in Hebrew and English text, chronicling ideas for products and exploits. On one whiteboard, scrawled in large red Hebrew characters and firmly underlined, was a single word: “War!” ♦

Georgia Gee conducted additional research for this piece.

An earlier version of this story misstated the time of a Pegasus infection on a device connected to the network at 10 Downing Street.


Why we can expect more hacking of politicians’ phones


Pegasus can infect a target’s device without the victim knowing and allow a government or organization to access personal data, including turning on cameras and microphones. Activists against surveillance have called on governments to ban or at least heavily regulate spyware companies. And the United Nations’ human rights office called on governments last year to regulate the sale and use of spyware technologies.

Yet there are still no international accords restricting spyware and even governments that ban Pegasus still face a whack-a-mole problem of other less visible and less regulated spyware companies popping up. As a result, officials are stuck employing low-tech solutions to protect themselves. Macron reportedly replaced his phone and changed his phone number last year after his number was found on a list of 50,000 allegedly targeted by NSO clients using Pegasus.

After researchers reported in April that Pegasus had infected the phones of dozens of Spanish officials including Catalan president Pere Aragonès, he started leaving his phone outside the room when he goes into important policy meetings and has sensitive conversations.

“When you are having to acknowledge or that someone is listening to you, you are very reluctant to talk privately with your partner or your relatives,” Aragonès said in an interview a few weeks after the hacks were discovered.

Citizen Lab, a research lab based at the University of Toronto, found “strong circumstantial evidence” tying the Spanish government to the hacks of Catalan officials (Catalonia has long fought for more autonomy) — a charge Spain has denied. It was two weeks later that Spain’s Prime Minister became a victim himself.

In the U.S., officials have confirmed that the FBI acquired Pegasus technology, though only for testing. And some lawmakers argue that privacy has to be balanced against the need to use all tools available to protect national security.

“It is a very tricky area, because we want to protect people’s privacy, but on the other hand, we want to be sure we have the tools to find terrorists and those kind of things,” Sen. Angus King (I-Maine), a member of the Senate Intelligence Committee, said in an interview.

Senate Intelligence Committee Vice Chair Marco Rubio (R-Fla.) argued that it isn’t a matter of whether governments should go after the groups, but whether they can. They “operate in the shadows,” largely outside of government control and without set addresses.

“It’s an enormous challenge, and there is no easy answer to it,” Rubio said.

Asked how he approaches the danger of his own phone getting hacked, Rubio said: “I tell everybody you should assume anything you do on a mobile device or that is connected to the internet is vulnerable. And no matter how many steps you take, these people, their full-time job is to figure out how to get into things they are not supposed to see.”

That is a big part of the conundrum: Even the most sophisticated governments have had trouble finding ways to defend themselves against these phone hacks. Pegasus works by exploiting undisclosed vulnerabilities in iOS and Android operating systems, and NSO has deployed massive resources into finding new vulnerabilities before software makers are aware of them. Pegasus is also virtually invisible: It can be installed with zero clicks, including through a text message just being sent to a user.

Pegasus has become the poster child for an industry that is among the most secretive in the world, but is increasingly widespread. Governments will rarely confirm using spyware against targets, but a spokesperson for NSO claimed to POLITICO this month that Pegasus had been key to a number of governments stopping “big terror attacks.”

Even so, governments are taking some steps to rein in the use of Pegasus. The Biden administration last year effectively blacklisted both NSO Group and Candiru, another Israeli spyware company, by adding them to the Commerce Department’s list of companies considered a threat to U.S. national security.

Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, joined more than a dozen other House and Senate Democrats in December in calling for State and Treasury to sanction NSO and three other spyware companies for alleged human rights offenses. The lawmakers argued in a letter that sanctioning NSO Group — along with other surveillance companies DarkMatter, Nexa Technologies, and Trovicor — would be a significant financial blow to the spyware industry through cutting off access to the U.S. stock market.

“The commercial surveillance industry is a threat to the national security of the United States and other democracies, because it basically makes it possible for a dictator that has a fat checkbook, they can acquire a whole bunch of sophisticated tools,” Wyden said in an interview.

On the other side of the Atlantic, Aragonès called for the EU to take steps to regulate the spyware industry, stressing that “we need public transparency or public supervision by the parliaments to the governments that are the owners of this software.”

“If the Spanish government could do this, any other government could also do this against its citizens,” Aragonès said.

Some governments are beginning to take some steps. The European Parliament in March approved the creation of a 38-member committee to investigate Pegasus and whether the use of the spyware had broken EU laws. France is investigating the impact of Pegasus on government officials following last year’s allegations that Macron’s phone was infected with Pegasus spyware. NSO Group denies that Macron was targeted by Pegasus.

“The security of the president’s means of communication is constantly monitored with the utmost care,” a spokesperson for the president said, adding that incoming ministers and their cabinets “would be made aware of this type of risk as soon as they take office.”

Still, many governments are moving slowly as they attempt to balance competing interests. A complete ban on spyware would complicate investigations and classified intelligence operations, and could lead to the growth of the surveillance black market. Banning NSO specifically could also complicate many countries’ relations with Israel, given its ties to the Israeli government. And without an international agreement to halt the use of spyware, governments may try to out-compete the other through using the technology.

As outcry has increased, NSO has been working to improve its image. The organization released a transparency report last year detailing how Pegasus is licensed, which underlined that Pegasus “is not a mass surveillance technology, and only collects data from the mobile devices of specific individuals, suspected to be involved in serious crime and terror.” The Israeli government regulates Pegasus, with an export license required before NSO can sell Pegasus to a new customer; the company claims to only license the software to governments after investigating their intentions.

“NSO continues to evolve as a company and improve its technological and contractual safeguards, customer vetting process and ability to investigate misuse,” Ariella ben Abraham, an NSO spokesperson, said during a sit down interview with POLITICO earlier this month. “We believe there is no other alternative to prevent terror and crime, and we continue to call for global regulation.”

NSO has also claimed that Pegasus cannot be used to target American phone numbers. This does not stop the targeting of Americans using foreign numbers.

As NSO fights back, government officials are not the only individuals in the crosshairs, and journalists, dissidents and their family members are among other targets of spyware. The Guardian and more than a dozen other media outlets reported last year that 50,000 phone numbers may have been targeted by governments using Pegasus since 2016, including a number of journalists and pro-democracy activists along with suspected criminals.

A consortium of 90 human rights groups, including Amnesty International and Human Rights Watch, urged top EU officials last year to sanction NSO Group due to concerns over human rights abuses.

“Is there a global fairness that requires that every country in the world have the ability to hack the head of state of every country? That sounds to me like a terrifying outcome,” said John Scott-Railton, a senior researcher at Citizen Lab. “Seems like it will make us all less secure and less safe, but that’s exactly the road that NSO has set us on.”

Russia desperately short of microchips to keep fighting in Ukraine

Published: 11:11 BST, 10 September 2022 | Updated: 11:22 BST, 10 September 2022

Vladimir Putin’s disgraced invasion of Ukraine could hinge on Russia’s inability to gain access to high-tech electrical components due to the sanctions inflicted on them.

Russian troops are now increasingly reliant on Soviet-era stocks of ammunition, having fired off more firepower than many could have anticipated – including themselves.

The fightback from Ukraine, which has seen them make significant advances in recent days, has further frustrated Russian troops who are losing control of areas they had previously occupied.

But Putin and his men could soon be running on empty. Fuelling the war any further might come down to whether or not Russia can regain access to high-tech chips.

Ukraine has issued international warnings that the Kremlin has a ‘shopping list’ of semiconductors, connectors, transformers, insulators and more – with most made by the US, Taiwan, the UK, Japan and Germany among others. 

Russia has been heavily reliant on these countries in previous years but with the sanctions in play, it should not be as easy for them to get hold of the critical technology.

It is believed desperate Russians are even resorting to taking chips out of household appliances including dishwashers and fridges, according to U.S. Commerce Secretary Gina Raimondo.

Russia’s invasion could be halted in the future by their inability to access microchips. Ukrainian forces are fighting back already and have made significant dents in Russian occupied territory. Pictured: Ukrainian soldiers claim Kupyansk has been liberated

The shopping list seen by Politico is split into three priority categories from most critical to least, and even includes the price Russia wants to pay.

Ukrainian Prime Minister Denys Shmyhal believes that the future of the war could be based off the nature of technology.

Putin announced an array of new hypersonic weapons in 2018 in one of his most bellicose speeches in years, saying they could hit almost any point in the world and evade a U.S.-built missile shield. 

But Mr Shmyhal told Politico that Russians have just ‘four dozen’ hypersonic missiles left and have already spent ‘almost’ half of their arsenal.

‘These are the ones that have precision and accuracy due to the microchips that they have,’ he said about the missiles.

‘But because of sanctions imposed on Russia, the deliveries of this high-tech microchip equipment … have stopped and they have no way of replenishing these stocks.’

Ukrainian Prime Minister Denys Shmyhal believes that due to sanctions, Russia are unable to replenish their accurate hypersonic missiles. Pictured: A Zircon hypersonic cruise missile

There is, however, concern that China could be a key player in bailing Russia out if it were to buy technologies and sell them on.

While the EU, US and Japan hit Russia with sanctions, China has not – and Beijing has a history of supplying drones and vehicles to the invaders.

While many items that Russia is after can be found online, others have been wiped out by the global microchip shortage.

The overwhelming demand for chips, teamed with the lack of supply has caused the shortage.

The pandemic played a major role in the decline of semiconductors and chips, as demand for work-from-home technology rose and car companies decided to cancel orders.

Despite the shortage, Russia seeks more fuel for their war effort to continue. According to the list that was seen, their most critically important components are AirBorn connectors which are based in the US.

Microchips by a host of companies including Altera, Intel, Broadcom, Holt and Cypress also make up a considerable proportion of the Kremlin shopping list.

Less critical components included capacitors, resistors and inductors from the US, Taiwan, parts of the EU and Japan.

Russia, like others, are facing the global shortage of electrical components. But on top of that, it has sanctions preventing it from buying chips that are available. Pictured: The most expensive item on Russia’s shopping list is a gate array which costs 66,815.77 rubles (£937) each. Before the global shortage, it would have been closer to the £18 mark.

The most expensive item on the list is an Intel gate array which costs 66,815.77 rubles (£937) each. Before the global shortage, it would have been closer to the £18 mark.

The cheapest is a Marvell ethernet transceiver at a much lower 430.83 rubles (£6).

Researchers fear that the supply of goods to the Russian military is often unregulated, which allows them to bypass the sanctions and EU regulations which are meant to strictly control chip sales.

If Russia can be stopped from gaining access to chips, it will work heavily in favour of Ukraine, which is already on the counter-offensive.

But many fear that despite the Kremlin running low on ammunition, Western governments may not have the ability to prevent Russian ‘friends’ like China helping them out, and further fuelling the war. 

Spanish PM Pedro Sánchez was hacked with Pegasus spyware

Spanish PM Pedro Sánchez and Defense Minister Margarita Robles were targeted with Pegasus spyware that surveilled their mobile phones, the government said Monday.

Félix Bolaños, the minister for the presidency, said at a press conference that Sánchez’s phone was infected by Pegasus software twice, in May and June 2021. According to the Spanish government, data was extracted from both mobile phones, although the Spanish official did not disclose more information regarding the attack or who spied on the Prime Minister.

Bolaños described the targeting as “illicit” and “external” and said that the Audiencia Nacional, Spain’s highest criminal court, will investigate the malicious activities.

“When we say external intrusions, we mean that they are alien to state agencies and do not have judicial authorization from any official agency. That is why we classify them as illegal and external,” Bolaños said, adding that the Spanish government is currently investigating whether other senior members were also hacked by Pegasus software. “I don’t think now is the time to engage in supposition or conjecture about what the motivation may have been,” he added.

Pegasus software was developed by NSO Group, an Israeli company, and it is accused of having been used by governments and others across the world to spy on politicians, journalists, activists, and public figures. A recent investigation revealed the so-called “Pegasus scandal”, causing a series of revelations about how many journalists, activists, and politicians have fallen victim to espionage. Back in November 2021, NSO Group was placed on a US blacklist by the Biden administration after it determined the Israeli spyware maker had acted “contrary to the foreign policy and national security interests of the US”.

“While we have not seen any information related to this alleged misuse and we are not familiar with the details of this specific case,” NSO Group said in a statement Monday. “NSO’s firm stance on these issues is that the use of cyber tools in order to monitor politicians, dissidents, activists, and journalists is a severe misuse of any technology and goes against the desired use of such critical tools.”

Pegasus targets top Catalan politicians

Recently the Spanish government faced questions over how the Pegasus software was used to monitor more than 65 members of the Catalan independence movement. Citizen Lab cybersecurity experts revealed the alleged targeting, and Pere Aragonès, the president of the north-eastern Spanish region, said that this spying constituted a violation of individual rights and an attack on democracy.

“All political espionage is extremely serious,” Aragonès said in a statement on Twitter. “We have been denouncing it for days without obtaining explanations from the Spanish government. When mass espionage is against Catalan institutions and independence, silence, and excuses. Today, everything is in a hurry.”

“The Spanish government needs to come clean over whether or not it is a customer of NSO Group. It must also conduct a thorough, independent investigation into the use of Pegasus spyware against the Catalans identified in this investigation,” said Likhita Banerji of human rights NGO Amnesty International, which peer-reviewed Citizen Lab’s research.

George Mavridis

The FBI is hiding Epstein records

Your humble author, as promised, is involved in litigation to extract records from the federal government. It’s easy to talk about current events. The more difficult part is suing federal agencies for documentation of their wrongdoing.

This involves initiating FOIA requests, which are rarely answered quickly or completely. Out of our 75+ FOIA requests from this past year, only one was answered quickly and fully. A small miracle.

That was where we obtained CDC e-mails disclosing how they changed the definition of “vaccine” because of the efficacy problems with the Pfizer and Moderna mRNA vaccines. It’s a must-read if you haven’t seen it already (even if it got us wrongly flagged on the Carnegie Mellon University COVID-19 “misinformation” watchlist):

Then there are the records we must fight for.

One development we can divulge is our effort to obtain the FBI’s records on Jeffrey Epstein. We made a simple request: hand over all FBI interviews with Epstein. We know those records are out there, as we were the first to report that Epstein had been a source for the FBI. (It was later confirmed that Epstein cooperated on a Bear Stearns investigation.)

But we’re not convinced that was the only time Epstein spoke with the FBI. There were other hints and rumors that he worked with the US government to recover stolen funds. Thus the FOIA request.

How did the FBI respond? Not by denying the existence of any records.

Instead, the FBI is hiding behind FOIA’s law enforcement exemption, stating that the production of the Epstein records would interfere with ongoing law enforcement investigations:

“The records responsive to your request are law enforcement records; there is a pending or prospective law enforcement proceeding relevant to these responsive records, and release of the information could reasonably be expected to interfere with enforcement proceedings.”

We’re exceedingly doubtful that the release of the Epstein records would “interfere with enforcement proceedings.” Ghislaine Maxwell has been convicted and Epstein is dead. The only potential tie might be from a grand jury investigation into “other possible co-conspirators of Jeffrey Epstein.” But that was from the summer of 2020 and we rightly assume no charges were brought against whoever was being investigated.

It’s more likely that the Epstein records might embarrass the FBI. The DOJ and FBI have been known to abuse the FOIA law enforcement exemption to hide investigative materials from public release. We’ve seen them do it. And they’re doing it again.

But here’s the good news: the FBI’s response is a tacit admission that these records exist. We’ll fight for them. And we’ll get them.

Stay tuned, and thanks for your support.
