Ronan Farrow on investigating the world's most notorious spyware company: NSO Group
DANIEL ESTRIN, HOST:
A princess from Dubai, The British prime minister's office, a Saudi women's rights activist, prominent politicians, lawyers and activists in Catalonia - they were all victims of hacking by the world's most notorious spyware company. The Israeli firm NSO Group sells software worldwide that takes total control of cell phones. Now, big tech and the U.S. government are going after it. And the question is, will they succeed? To talk about this, we're joined by Ronan Farrow, who's been following the company for the last few years and writes about it in the current issue of The New Yorker. Welcome.
RONAN FARROW: Good to be here. Thanks, Daniel.
ESTRIN: So first, NSO makes spyware called Pegasus. Give us an example of what it's capable of.
FARROW: So Pegasus can work along two axes. The first is cracking your hard drive, getting your phone to disgorge anything and everything on it, you know, your personal texts, your emails, your scheduling information, any photographs. And then the second is that it can operate in terms of real-time surveillance. So that means it will hijack your camera, your microphone in your pocket. It can do that without the user ever knowing.
ESTRIN: You say it's being used in 45 countries. And the CEO, Shalev Hulio, the CEO of NSO, told you that all governments practically in Europe are using it. So who has access to this spyware, and is it also being used in the U.S.?
FARROW: NSO Group says, well, we only sell to government-affiliated law enforcement and intelligence outfits. But the supposed restriction of selling only to government-affiliated law enforcement agencies offers very little assurance that there's not going to be abuse. So one of the things that we look at in this piece is a newly documented, in fact, the largest-ever documented spyware attack in Catalonia, the autonomous region of Spain. There's all sorts of evidence that this may be a Pegasus account operated by the Spanish government, by Spanish-government-affiliated entities, and it is in a Western democracy. This is the kind of company that actually NSO defends its right to sell to. And yet there has been a terrible human consequence even in that setting, with person after person affiliated with a political movement there hacked, in many cases both hacked and imprisoned by the government for supporting an independence movement.
And to your question about the relationship the United States has with this, the U.S. government has purchased and tested this technology. The Times reported that. And yet U.S. diplomats have also been the target of this technology. This is despite the fact that NSO Group assures the world that it doesn't hack U.S. numbers. And the United States government under the Biden administration is now trying to get tougher on this. They had the Commerce Department blacklist NSO from purchasing American technology. And in this story, the Biden White House announces that they're planning to do an even more muscular move, the inverse essentially, and ban U.S. government agencies from purchasing Pegasus.
ESTRIN: Now, you have visited NSO's offices in Israel. And you've spoken to employees. So what does it look like from the inside?
FARROW: NSO on the inside it looks very much like a glossy U.S. tech startup. And you've got people in open-plan workspaces with fancy cafeterias nearby. And you've got engineers who are, you know, in hoodies in both places, with very similar skill sets. You know, in the NSO offices, every programming group has a PlayStation 5, and they like to play FIFA. And, you know, they take evident pride when there's, for example, a report from Google's, you know, cyber monitoring group saying they've developed the most nefarious and sophisticated exploit in the world.
ESTRIN: You also interviewed a former NSO employee who quit because he was concerned about what the spyware was up to. What did he say?
FARROW: So I talked to a lot of people around this industry and certainly former employees from these companies. And the employee that you highlight talked about a moment of crisis within NSO specifically. They have been so kind of bludgeoned at this point by press linking them to murder that, you know, this former employee said there really has been an exodus of personnel and a moment of soul searching for people like this person who looked at, for example, the news of Jamal Khashoggi's brutal murder and evidence that people around Khashoggi were targeted with Pegasus, and said, you know, I can't be a part of a company whose technology is maybe being used to track and in some cases kill people who are opposition voices.
ESTRIN: Wow, so an exodus of some employees from NSO.
FARROW: I mean, NSO obviously doesn't like to frame it that way, as you could imagine. And they also denied involvement in the murder. And we've got their statements in the piece, as we should. But I do think it is telling that there has been a lot of coverage that suggests there was a link in that case. And regardless of the particulars, there certainly is a contingent within this company and within this industry that thinks that there's a link.
ESTRIN: They're now facing this war with big tech. Apple WhatsApp have filed lawsuits against NSO. The U.S. government has sanctioned NSO. It can't technically access American products like iPhones. Can NSO truly survive? And what is the future of spyware around the world?
FARROW: The important thing is that this kind of technology is not going away, and that, you know, NSO may continue in one form or another, but its progeny, these firms founded in many cases by alumni of NSO or as a response to NSO, are trying to sort of fill the markets that NSO has failed to fill, trying to sell to U.S. law enforcement. These companies are going to go on and are going to thrive.
ESTRIN: And it's not just Israeli companies. You describe Chinese companies doing the same thing.
FARROW: Yes. China and Russia both provide this tech to other states as a way of currying influence and as part of their kind of soft power efforts around the world. The United States does the same, by the way. So this is a genie that is not going back in the bottle any time soon. And there is reason for skepticism at a lot of the things that NSO says in this piece. But one point they make that I think is really worth all of our looking at closely is they say, well, we're an arms dealer. And it's a new kind of arms. And it's not a kind of, you know, arms sale that is subject to the same extent of regulation as traditional arms. So we as a private company are trying to, you know, put in guardrails. You can buy that part or not. But certainly the comparison and this sense that there is a powerful weapon that is not being restricted in the way that chemical weapons or nuclear weapons are is something that I think we should all think about.
ESTRIN: One last question. You have been following this spyware company for a couple of years now. Have you checked your phone for spyware?
FARROW: Yes, I have. And to my knowledge, you know, I've been targeted by other kind of cyber tactics like geolocation tactics and stuff. But to my knowledge, knock on - I'm trying to find the nearest wood - no Pegasus.
ESTRIN: Ronan Farrow of The New Yorker. His latest piece, "How Democracies Spy On Their Citizens." Thanks for being here.
FARROW: Thanks, Daniel. Transcript provided by NPR, Copyright NPR.