If you have a smartphone or use Facebook, Google, or Alexa, you have probably long resigned yourself to the idea that technology is steadily eroding your privacy. Tech companies have a near-perfect profile of our habits and tastes. They know what we like, where we click, how we shop.
Yet I have held onto the idea, perhaps very naively, that we still maintain a certain degree of online anonymity. Now, a chilling new case that involves journalists and a pernicious type of spyware has me rethinking the notion.
Fifteen members of El Faro, a digital news outlet based in El Salvador, recently filed a lawsuit in a US federal court in California against the NSO Group, an Israeli-based company that makes the spyware Pegasus. The lawsuit alleges that Pegasus was used to hack dozens of times into the smartphones of several El Faro journalists — one of whom is a US citizen. The plaintiffs allege that the NSO Group, which has already been taken to court by Apple and WhatsApp in the United States for cybersurveillance in high-profile lawsuits that are pending, violated a federal law that bans gaining access to devices without authorization. The El Faro complaint alleges that some of the wrongdoing occurred in the United States, where some of the apps in the hacked devices (like WhatsApp and Facebook) have servers.
Pegasus can be installed on a smartphone just by sending it to device, without the user having to click on a link or execute any function. This type of attack usually exploits a vulnerability in the device’s operating system. Once a phone is infected, whoever deployed the covert attack has control of the device and access to all data: texts, contacts, passwords. The hacker can use the phone as a listening or recording device.
This isn’t the first time that the NSO Group has been accused of selling Pegasus to countries whose governments have deployed it maliciously against citizens, politicians, or journalists, such as Mexico and Poland. But it is the first time journalists have sued the NSO Group in US court.
“Pegasus is currently being used all over the world to spy on journalists,” Carlos Dada, the founder of El Faro and one of the plaintiffs of the case, told me in an interview. “Their safety is at risk. We saw a window of opportunity and we felt we had a moral obligation to sue” and hold NSO accountable for their product, he said.
El Faro, which translates to “the lighthouse,” is an award-winning independent media outlet that’s been called a paragon of investigative journalism. It covers Central American governments aggressively. But the job has become increasingly dangerous as the region has recently seen democratic norms and freedom of the press backslide, particularly in Nicaragua, El Salvador, and Guatemala. El Faro, with the help of watchdog nonprofits like Citizen Lab and Access Now, “identified 226 Pegasus infections between June 2020 and November 2021 on devices used by El Faro employees,” according to the lawsuit. It also found a correlation between the day each reporter was hacked and their investigative work in El Salvador, such as stories on Salvadoran president Nayib Bukele’s various controversial policies, including Bukele’s plan to make Bitcoin a national currency.
Dada told me that he believes the Salvadoran government is behind the attacks. “The NSO Group has previously said that they only sell [Pegasus] to nation states or government security agencies,” he noted. Among other remedies, Dada and the other plaintiffs are asking the NSO Group to reveal who its client is in this case, according to the suit.
Roman Gressier, the US citizen in the lawsuit who works abroad for El Faro, told The New Yorker’s Ronan Farrow — who has previously reported on the threat that NSO Group’s surveillance products represent — that whoever the NSO Group’s client is wants to send a message that “nowhere is safe” and that “your sources aren’t safe.” (In a statement, the NSO Group told Farrow that the analysis of El Faro’s smartphones by the watchdog groups are speculative, inaccurate, and unreliable because they are not based “on actual forensics and evidence.” Meanwhile, the Bukele administration told the Associated Press in June that El Salvador is not a client of NSO Group.)
Sources are the lifeblood of journalists — and that’s what makes Pegasus a whole different level of threat. The El Faro lawsuit will raise all manner of new and significant questions in US court about free press and tech privacy. A First Amendment lawyer told me this case reminds them of the failed attempts to hold US-based gun manufacturers accountable when the product they make is used to commit mass murder.
But spyware makers may not be able to claim such broad immunity. A spyware attack is a fundamental invasion of privacy. Pegasus is the kind of weapon that enemy states use against each other, but it’s apparently become another way of declaring war against the media. It’s what Trump tried to do: to make an enemy of the press. And it’s what dictators who have no checks and balances try to do to silence journalists.