David Kaye, the former United Nations special rapporteur for freedom of opinion and expression, as pictured when he still held the role in an interview with Reuters in Mexico City, Mexico on December 4, 2017. (Reuters/Carlos Jasso)

David Kaye on the Pegasus Project and why surveillance reform should reach beyond NSO Group and Israel

In 2020, then-United Nations special rapporteur for freedom of opinion and expression David Kaye pressed Israeli firm NSO Group in a public letter for details about its human rights due diligence and about its assertions that Saudi Washington Post columnist Jamal Khashoggi had not been targeted with its Pegasus spyware before his brutal 2018 murder. The company had made that assertion in interviews, but in earlier public correspondence with Kaye it had also said that it had limited oversight of how its government clients operated the tool.

Kaye never got those details. “The same basic questions of transparency and accountability remain,” he said in a July 2021 Zoom call with CPJ.

There’s still no evidence Khashoggi himself was targeted with Pegasus, which can silently access the contents of a phone and monitor its surroundings. Yet as many as 10 other people connected with him have now been linked to the technology as part of the Pegasus Project, a collaborative media investigation of leaked data allegedly linked to NSO clients. The Guardian reported that nine people – including Khashoggi’s fiancée, his son, and a Turkish prosecutor who charged 20 Saudi nationals with his murder – appear to have been selected for surveillance, in addition to Khashoggi’s friend Omar Abdulaziz, whose targeting CPJ documented in 2018.

“[Researchers] have uncovered how Pegasus is used in the wild, and they’ve done it through forensic tools,” said Kaye, citing the work of Amnesty International, which provided forensic research for the Pegasus Project, and internet research laboratory Citizen Lab. “Not only do NSO certainly have [the same] tools, but they know who their clients are,” he continued. “How is it that outsiders with no information about their clients can get so much information about the uses of the tool? It doesn’t make a lot of sense.”

In a statement attributed to “NSO Group,” the company said, “We can confirm that our technology was not used to listen, monitor, track, or collect information regarding [Jamal Khashoggi] or his family members.” Referencing a previous response in which the company characterized the Pegasus Project as slander pushed by special interest groups, the statement said that NSO Group doesn’t see evidence of the use of its technology in the Pegasus Project’s forensic reporting and could not base an investigation on it.

“NSO will continue to push for serious international discussions about regulation of the cyber intelligence industry,” the statement said, noting that Kaye has an open invitation to visit the company to discuss these issues.

CPJ spoke to Kaye, a law professor at the University of California Irvine, about NSO Group and the moratorium on the use, sale, or transfer of surveillance tools that he and 150 individuals and rights groups – including CPJ – have called for pending implementation of human rights-respecting regulation. Kaye is also the independent board chair of the Global Network Initiative, a multistakeholder alliance to support free expression and privacy on the internet, of which CPJ is a member. The interview has been edited for length and clarity.

Looking back to your time as special rapporteur, why was surveillance technology on your radar as a freedom of expression issue, and as something that should concern journalists?

When I started [in 2014, it was a] little over a year since the revelations that Edward Snowden launched on bulk collection of data by the United States National Security Agency, British GCHQ [Government Communications Headquarters] and others that partner with them in the intelligence space. That puts everybody, in a way, under potential surveillance.

It became clear that [this] wasn’t the only kind of surveillance in the digital age. I became interested in the way in which small companies were making spyware available to governments that couldn’t afford to have a mass surveillance operation. These targeted tools have a direct impact, not just on privacy but on people’s willingness to communicate.

It has a particular impact on activists, and on journalists. If a journalist is tracked, that means her sources are tracked. [Her] ability to collect information, to maintain sources, is broken.

Originally when I was first thinking about this area, I thought adherence to the U.N. Guiding Principles [on Business and Human Rights] would be a meaningful step for players in this industry – not just NSO Group but many other companies. But I’ve come to think that only government regulation will impose requirements that will be meaningful [enough] for the public to know what this industry does.

What stood out to you from all the Pegasus Project reporting that you’ve seen in the past week or two? Did you learn anything you didn’t know?

It’s not surprising, but it’s shocking. What was striking was the extent to which governments – clients of NSO, but undoubtedly of other companies as well – see the [technology] as a tool to use against basic pillars of democratic life. [The reporting] highlights the very real possibility that this tool can be used against journalists, activists, and others in a way that is [supporting] autocracy, dictatorships, those who are trying to undermine democracy.

Even if [phone] numbers on these lists [being investigated by the Pegasus Project] are never actually subject to an effort to infect their phones with Pegasus, the threat is there – and the publicity of the threat is actually part of the effort to silence journalists and activists.

The fact that this is enabled by a company that operates in a democratic country [Israel, where NSO Group is based] and without real controls or constraints, that’s frightening. The Pegasus Project underscores that for people. The spy scandal in Mexico [in which Pegasus was implicated in the spying on journalists and others] really rattled Mexican society and politics. I think what we’re seeing is an expansion of that to places beyond Mexico.

Could we see something like that in Israel? The New York Times reported that Israel encouraged NSO Group’s relationship with Saudi Arabia even after Khashoggi’s murder, and Israeli lawyer Eitay Mack describes Israeli companies as heavily controlled by the Israeli Ministry of Defense. How can regulation account for that kind of dynamic?

It’s important to separate out – although they are related – the global concern with an industry that has companies throughout Europe, the U.S., and involves tools that go beyond Pegasus to all sorts of tools sold on the open market to governments around the world – from the particulars of NSO and Israeli governmental control of Pegasus.

On the one hand, we need a global effort to identify: What are the rules around export controls of surveillance technologies? To what extent should human rights be part of the assessment of any particular export application? Once you have those rules set up, it’s up to national governments to implement those rules. That should happen.

The situation in Israel is like an instance of the global dysfunction. NSO had offices in Cyprus and Bulgaria also, so there may be other export issues – but particularly when NSO required [an Israeli export] license, it’s clear that the Israeli Ministry of Defense understood who the clients were and had the potential to limit the export. But also, given how badly governments wanted access to Pegasus, the Israeli government probably understood that this could be a tool in their bilateral relations around the world.

That requires a focus on the specifics between Israel and NSO and deserves bilateral attention from the U.S. government and others, because to the extent that the government of Israel actually encouraged the export of this technology, it was supporting technologies that are in opposition to, for example, the Biden administration’s concern about transnational repression. There’s a lot of room here for a focused approach to getting Israel to rein in its own companies. It’s just that it’s harder to do the reining in if you don’t have a great set of global norms.

[Editor’s note: CPJ emailed a spokesperson at the Israeli Ministry of Defense for comment on the Times report and Kaye’s statements about Israel, but received no response before publication. The spokesperson has previously told CPJ that “human rights, policy and security issues are all taken into consideration” when defense exports are licensed.]

What about zero-day exploits, which have been used to install Pegasus using a previously unknown vulnerability in other software? New York Times journalist Nicole Perlroth and others report that these are not subject to export control because they are often supplied by hackers. How can global rules account for those?

In some ways, [this] is no different to the black market weapons trade, which exists even though there are global rules around the transfer of weapons, [or] the private mercenary environment, where you have an emerging set of norms and some international law, but you also have [black market] operators.

We’re at the stage of creating the normative framework, and then the legal framework, that limits this trade, and also creates a kind of pressure on those who would be operating on the black market, in the shadows. Right now, it’s almost as if there are no shadows, because there are no legal constraints.

We see a lot of governments legislating to introduce fines for social media companies or even jail terms for their executives. Why do you think it’s so easy for us to pursue accountability in that area when we’re so behind in how we regulate this highly problematic surveillance industry?

The rules that guide social media, or other companies that are mediating speech – and the impact they have on the information that we see – are pretty obvious. Because social media companies are advertising companies, we all feel implicated by their choices as to what information they surface in our feeds.

By contrast, the surveillance industry is kind of a force multiplier for authoritarian regimes. They don’t need to sell to everybody, they’re perfectly happy being unknown to the public, and [their] clients only need to target a handful of people to achieve their goals. Any one of the clients that has been identified in recent reporting on NSO would need to target maybe a dozen journalists in order to intimidate them, dry up their sources of information, and make it harder for them to report information to the public.

The Pegasus Project reporting highlights for people that, “Oh – this thing that’s happening to a relatively small number of people actually affects the information I receive in a way that’s more profound than social media’s role.”

Can we talk about judicial remedy – are the courts the right way to pursue accountability in the wake of some of these revelations?

I’m not sure that any of the current revelations are actionable – and that’s a problem. We’ve been talking about export controls and company responsibility, but we’re also talking about torts – legal harms – that companies and governments together are imposing on individuals. In a normal, working legal environment, a person who is harmed should have a cause of action, a cognizable legal action they can take against the person who harmed them.

We don’t have a good domestic legal framework for that in most countries. If one government conducts surveillance of somebody in another government’s territory, the person can’t bring a claim against them because there’s sovereign immunity – that government may not be subject to legal process in their own country.

Sometimes it’s hard to identify where exactly the harm took place, which would create the jurisdiction for a court to entertain a claim. Sometimes the surveillance is so opaque, it’s hard for an individual to prove the actual surveillance and then to prove there was a harm. So there needs to be a lot of legal development in order to provide individuals with the ability to actually bring cases against companies and governments.

Your recent op-ed describes an “avalanche of tools shared across borders” in this industry. Your 2019 report to the U.N. Human Rights Council called for a global moratorium on the sale and transfer of all of these, pending development of a rights-respecting framework, is that right?

There are a lot of tools out there that all need to be considered. [Digital forensic] tools are out there – there are also the kind that directly access internet traffic, that capture mobile transfer of communication. It’s not just specific tools like Pegasus – although Pegasus feels most invasive because you can visualize it. You’re holding your phone and [if] somebody has access to it – that’s your life, it’s everything. [But] some of the others are just as invasive.

As technology changes, and communication changes, bad actors – and governments that are good actors, generally – will seek to counteract that. For every improvement of encryption, there is a governmental response to limit it. We have to be [able to be] nimble in creating new rules. We don’t really have that right now. In the 2019 report, I talk about the Wassenaar Arrangement, which is this international non-binding regime to control dual-use – military and civilian – technologies. It doesn’t have a human rights component. And it should – they could have a working group for tools like Pegasus, but also regular consultations as the technologies evolve. Who knows what tools will be next?