Pegasus, Phantom, and Privacy
Kaavya Shah | July 7, 2022
NSO Group’s mythically monikered technologies are putting American privacy at risk, but tech users can rest assured for the time being.
Earlier this year, the New York Times broke news of the FBI’s secret use of NSO technologies, claiming it was purely to understand how leading cyberattack technologies function. However, there has been great controversy over the use of this software, with huge implications to personal privacy.
Who is NSO and what is Pegasus?
NSO Group is a cybersecurity company from Israel that creates technologies to “prevent and investigate terrorism and crime” (https://www.nsogroup.com). One of their more popular softwares is Pegasus, which can hack into the contents of any iPhone or Android without sending a suspicious link. This gives access to almost all of the contents on a phone, ranging from photos and messages, to location tracking and recording capabilities. However, there is one notable flaw in Pegasus – the Israeli government requires that by design, it cannot be used to hack into phones with an American number; this design prevents both Americans, and non-Americans, from surveilling on American phones.
This software has been incredibly useful to detect and prevent criminal and terrorist plots, but governments have also deployed it aganist journalists, activists, and protestors. Because of the many documented cases of NSO surveillance tools being used to spy, there is widespread apprehension of the creation and use of its technologies.
What is the FBI doing with it?
Given that Pegasus is inoperable on American numbers, why is there a conversation about NSO Group working with the FBI? In order for the American government to actually test out any software, NSO demonstrated a similar software called Phantom, which received special permission from the Israeli government to hack into American devices and could only be sold to American government agencies.
With this new software that could be used in America, the FBI and the Justice Department set out to determine if Phantom could be used in accordance with American wiretapping laws, strengthened by 4th Amendment’s constitutional protection from unreasonable searches and seizures. Consider CalECPA, the California Electronic Communications Privacy Act, which specifies that searching and seizing electronic information also requires a warrant that is supported by an affidavit; because of this, even if Phantom gives the technical capabilities to obtain information, there is still a high legal barrier to obtain a warrant.
However, there was public outrage over the fact that the FBI had purchased and used spyware from NSO. Due to this, the New York Times has filed a Freedom of Information lawsuit against the FBI, demanding that information on the FBI’s testing and use of NSO tools be released before August 31, 2022.
Should we be worried?
Ultimately, the FBI decided against purchasing Phantom from NSO Group to surveil Americans. In addition to this decision behind closed doors, in November of 2021, the Biden administration added NSO Group to the Commerce Department’s Entity List of blacklisted companies, severely limiting NSO’s ability to use American tech. This decision has been met with controversy, as the Israeli government took this as a political attack to the country, while the Biden administration argues that the decision was made purely on the basis of supporting human rights.
Additionally, Apple users can rejoice, with the recent announcement of “Lockdown Mode” on July 6. Apple produced this security feature as a direct response to University of Toronto’s Citizen Lab’s research, which showed that Pegasus could hack into iPhones through the iMessage feature. This feature was added specifically for people who may fear a Pegasus or Phantom attack, resulting in extreme device functionality limitations that severely reduce the potential of a successful cyberattack, effectively strengthening your security. However, it is important to note that this feature will only benefit those who can actually afford the expensive Apple devices. While the Belmont Report’s principle of justice points out that ethical solutions should provide equal treatment to all people, technological improvements continue to be restricted due to their costs, widening the injustices of access to technology. So, even though there is a solution to protect individuals from Pegasus and Phantom attacks, ownership of these devices with these capabilities is entirely dependent upon a person’s disposable income.
NSO Group’s technologies are providing government agencies across the world with highly invasive cybersecurity technologies, with little to no regulation on the use of the softwares. However, for the time being, American cell phone owners–especially American iPhone owners–do not have to worry about a Phantom attack any time soon.