Research by CPJ and other organizations shows sophisticated spyware products marketed to governments to fight crime have been used to target the press. Secret surveillance of journalists and their sources poses a severe threat to press freedom globally. That’s why we are calling for national and international action to slow the proliferation and wrongful use of spyware.
Use and share this information—because when journalists can’t protect themselves or their sources, everyone’s right to information is at risk.
Spyware is designed to monitor a target’s activity without their knowledge. Once on a victim’s device, it can provide an attacker with access to passwords, accounts, calls, emails, and encrypted communications; some versions can activate a cellphone’s camera and microphone to conduct surveillance. Spyware may be installed or operated via a vulnerability in other software, or by tricking the target into clicking on a link or attachment.
CPJ is monitoring numerous public reports of spyware attacks that undermine press freedom – particularly those involving products sold by private companies to state agencies. Journalists say spyware has the potential to expose their sources, their movements, and other private information that could be used to censor or obstruct them, or imperil them or their sources. Spyware attacks often go hand in hand with other press freedom violations, CPJ has found:
In 2019, David Kaye, in his former capacity as U.N. special rapporteur on freedom of expression, called for a moratorium on the sale, transfer, or use of spyware, pending strict human rights safeguards. “Surveillance of individuals – often journalists, activists, opposition figures, critics and others exercising their right to freedom of expression – has been shown to lead to arbitrary detention, sometimes to torture and possibly to extrajudicial killings,” he wrote. CPJ submitted written testimony to the special rapporteur on the press freedom impact of the surveillance trade.
CPJ is working with human rights groups around the world to call for accountability in spyware sales, including joining an amicus brief in relation to a lawsuit against NSO Group in December 2020. WhatsApp, which is owned by Facebook, filed the suit in 2019 accusing NSO Group of facilitating efforts to spy on its users; NSO Group denied the allegation, CPJ noted at the time, and is challenging the suit in court. Citizen Lab and WhatsApp said that over 100 journalists, activists, and other civil society actors were suspected targets of an attack which installed Pegasus via a WhatsApp vulnerability that the company has since fixed.
The map includes 38 journalists, commentators, and their associates—including friends and family members—subject to spyware attacks attributed to state actors since 2011. At least some of the attacks were reported to have successfully infected the target’s device.
Last updated on March 4, 2021, the map draws on technical research by Citizen Lab, Amnesty International, and others, as well as investigative news reports and CPJ interviews. A link to source material is provided for each target. These sources attribute each incident to state actors, though with varying degrees of certainty; CPJ could not independently confirm this attribution.
The map indicates which spyware product was allegedly used in each incident and the company that sold it; each company has said publicly that they sell only to state agencies. Criminal groups suspected of deploying these products would have had to obtain them from a corrupt official, according to the Cartel Project, an investigative journalism project that investigated spyware used against journalists in Mexico.
The exception is spyware that Reuters reported was used to target several people writing about the UAE. It isn’t known which company provided the capabilities used in those attacks, but there is a strong link to a state actor: some of the people involved told Reuters they were working on behalf of Emirati security forces.
CPJ contacted representatives of all named state and corporate actors for comment. Their responses are below.
The map captures only a subset of a potentially vast number of journalists subjected to surveillance using spyware. Some hacking groups with resources suggestive of government sponsorship are known to target journalists, but details needed to attribute them to state actors are missing. For example, Argentinian journalist Jorge Lanata was targeted in 2014 with AlienSpy, spyware that has been available in various forms for purchase online, according to Citizen Lab and The Intercept; Lanata does not appear on the map, though Citizen Lab said the attack was “most likely” sponsored by a state actor. Similarly, experts say they have traced the hacking group OceanLotus to Vietnam, but lack proof of state sponsorship – despite the scale of the group’s activity and its suggestive choice of targets, including journalists and government critics.
Spyware attacks are by their nature secretive, and the exact motivation is rarely known. For this reason, the map includes some targets who have faced repercussions for publishing information in the past, even though they were not practicing journalism when the surveillance was identified. Researchers report that the UAE’s Ahmed Mansoor has been targeted multiple times, starting in 2011, when CPJ documented threats and legal action in connection with his blog. Morocco’s Aboubakr Jamai, CPJ’s International Press Freedom Award winner in 2003, was notified that he had been targeted with spyware in 2019, according to The Guardian. Jamai told CPJ in January 2021 that he is a professor and consultant in France. While he was not certain why he had been targeted, he believed his years as a prominent journalist and press freedom advocate were a factor, he said.
The map does not include incidents where the name of the targets are not publicly available. Examples of this include:
Incidents where some technical details remain unclear are also not on the map, including the alleged hacking of The Washington Post owner and Amazon founder Jeff Bezos, and a separate attack alleged by Al-Jazeera broadcaster Ghada Oueiss, who told CPJ in early 2021 that she could not discuss technical details because they are the subject of a pending lawsuit.
Targets are displayed by their likely primary location at the time of the incidents; they are not necessarily nationals of that country. Where their location and date targeted was not indicated in the source, CPJ determined it through additional reporting. Emilio Aristegui, whose location in the U.S. was not disclosed, is displayed in Washington, D.C.
CPJ contacted representatives of each government alleged to have purchased the spyware used to target journalists on the map for comment. None provided a substantive response:
CPJ’s emails to Mexico’s office of the attorney general in November 2020 and January 2021 were acknowledged, but a follow up email to an address provided received no response. Emails sent at the same time to the office of Mexico’s presidency went unanswered. In 2017, the government under former President Enrique Peña Nieto denied allegations that it spied on journalists, but charged the attorney general’s office – which is accused of purchasing spyware – with investigating the reported abuse, according to reports published by CPJ and the Columbia Journalism Review.
Indian authorities have called reports of the WhatsApp hack an attempt to “malign the government” and tasked a government committee with investigating alleged Indian targets, CPJ reported in February 2020. In November 2020 and January 2021, CPJ requested comment and an update on that investigation by email from the offices of India’s IT Minister, Ravi Shankar Prasad, and Shashi Tharoor, a member of parliament who chairs the committee, but neither responded.
CPJ emailed the offices of Ethiopia’s prime minister and attorney general in November 2020 and January 2021 about the incidents involving Ethiopian targets, which took place between 2013 and 2017 under a previous administration, but received no response.
CPJ emailed questions to a publicly listed media contact for the Saudi Arabian government in November 2020 and February 2021, but received no response.
CPJ emailed questions to the U.S. embassy of the United Arab Emirates in November 2020 and February 2021, but received no response. CPJ attempted unsuccessfully to contact DarkMatter, the UAE cybersecurity company that Reuters reported in January 2019 had spied on journalists as part of an Emirati intelligence operation. A Twitter account listed on their website appears inactive since October 2019 and did not respond to direct messages, while a message to a publicly listed contact email bounced back. Reuters noted that DarkMatter did not respond to 2019 requests for comment but said the company “denies involvement in state-backed hacking efforts.”
A representative at Morocco’s ministry of communications reached by phone on November 19, 2020, referred CPJ to the director of communications, but subsequent calls to the number provided went unanswered. Calls made in November 2020 and February 2021 to the ministry of interior also went unanswered. In the past, Moroccan authorities have said they “categorically reject” claims that they used spyware against journalists, according to The Associated Press.
CPJ requested comment from each of the companies named in the map that are alleged to have sold the spyware used to target journalists or their associates:
The Israel-based NSO Group says it licenses Pegasus spyware solely to government agencies investigating crime and terrorism. In November 2020, the company provided CPJ with a statement through the U.S.-based lobbying firm Mercury Public Affairs. “We take the responsibility to ensure the proper use of our products very seriously and fully investigate any credible allegation of misuse,” the statement said. In response to a question about Moroccan journalist Omar Radi, who Amnesty International reported was attacked with Pegasus after NSO announced a human rights policy, the statement said, “NSO was deeply troubled by the allegations put to us by Amnesty International, and immediately reviewed the information therein and investigated it to the extent warranted.” The statement also noted that, “All customers must pass NSO’s rigorous internal compliance procedure and the export of our technology is also monitored by the Israeli Ministry of Defense.” (CPJ emailed two publicly listed emails for the ministry and called a number provided by an Israeli defense forces spokesperson in February 2021 for comment, but received no response.) CPJ’s February 2021 email to NSO about incidents documented since November 2020 received no response. In December, the company told journalists: “We do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on.” Novalpina Capital, a European private equity firm that supported NSO’s acquisition by its management team in 2019, exchanged letters with research and rights groups, including CPJ, between April and May 2019. The firm did not respond to CPJ’s follow-up emails in November 2020 and February 2021.
Germany-based FinFisher produces FinSpy software, according to Citizen Lab and media reports. CPJ emailed questions to FinFisher at an address listed on its website in November 2020 and January 2021, but received no response. FinFisher’s website, which CPJ reviewed in January 2021, said the company “partnered exclusively” with law enforcement and intelligence agencies.
Cyberbit Solutions was integrated into its parent company, Israel-based Elbit Systems, in 2018. Citizen Lab reported that its PC Surveillance System (PSS) spyware had been used to target a U.S.-based journalist in 2016 and 2017. Elbit Systems did not respond to CPJ’s November 2020 and February 2021 emails requesting comment. Cyberbit Solutions told Citizen Lab in 2017 that it offered products “only to sovereign governmental authorities and law enforcement agencies” but declined to disclose details.
News reports say Hacking Team, the company that previously sold Remote Control System (RCS) spyware to “law enforcement and intelligence” communities worldwide, was absorbed by Memento Labs in 2019, after the spyware was connected to incidents on the map. The Milan-based Memento Labs continues to sell a version of RCS and other spyware, MIT Technology Review reported in late 2019. Memento Labs’ chairman Paulo Lezzi told CPJ in a November 2020 email that the company “had no relationship” with Hacking Team and could not comment on actions that took place before the acquisition. Lezzi said that Memento Labs’ customers were all government or law enforcement agencies and that the company limited the time period for installing their technology for a period of months. Licenses for their products would not be renewed if “there is a violation of human and/or political rights by the country or, more specifically, the exact customer” during that period, Lezzi added.
— Reporting by CPJ Senior Africa Researcher Jonathan Rozen