The United Nations human rights chief and American whistleblower Edward Snowden on Monday joined the wide range of public figures demanding urgent action after reporting that Pegasus hacking spyware, sold by the Israeli firm NSO Group, has been used to facilitate human rights violations worldwide, including to target activists, journalists, and politicians.
"If they find a way to hack one iPhone, they've found a way to hack all of them."
—Ed Snowden, whistleblower
Their comments came in response to the Pegasus Project. Over 80 journalists from 17 media organizations across 10 countries conducted an investigation into the leak of 50,000 phone numbers of potential targets of authoritarian governments. The effort was coordinated by Paris-based Forbidden Stories, with the technical support of Amnesty International.
U.N. High Commissioner for Human Rights Michelle Bachelet, in a statement, said that the revelations "are extremely alarming, and seem to confirm some of the worst fears about the potential misuse of surveillance technology to illegally undermine people's human rights."
Bachelet highlighted that her office has previously raised concerns about the dangers of authorities using surveillance tools to hack phones and computers; emphasized the "indispensable role" that journalists and human rights defenders play in society; and pointed out that use of spyware has been linked to their arrest, intimidation, and even deaths.
"I would like to remind all states that surveillance measures can only be justified in narrowly defined circumstances, with a legitimate goal," Bachelet said. "And they must be both necessary and proportionate to that goal."
The use of tools like Pegasus "can only ever be justified in the context of investigations into serious crimes and grave security threats," she continued. "If the recent allegations about the use of Pegasus are even partly true, then that red line has been crossed again and again with total impunity."
Noting that governments have a responsibility to not only stop their own rights abuses but also to protect individuals from privacy violations, the U.N. official suggested that "one key step to effectively prevent abuse of surveillance technology is for states to require by law that the companies involved meet their human rights responsibilities, are much more transparent in relation to the design and use of their products, and put in place more effective accountability mechanisms."
"These reports also confirm the urgent need to better regulate the sale, transfer, and use of surveillance technology and ensure strict oversight and authorization," Bachelet said. "Without human rights-compliant regulatory frameworks there are simply too many risks that these tools will be abused to intimidate critics and silence dissent."
"Governments should immediately cease their own use of surveillance technologies in ways that violate human rights," she added, "and should take concrete actions to protect against such invasions of privacy by regulating the distribution, use, and export of surveillance technology created by others."
Snowden went even further than Bachelet. In a video interview with The Guardian, the whistleblower—who has lived in Russia with asylum protections since leaking classified materials on U.S. government mass surveillance in 2013—called for outlawing for-profit malware developers.
"This is an industry that should not exist," Snowden told the newspaper, which is part of the consortium that conducted the investigation. "The NSO Group is only one company of many—and if one company smells this bad, what's happening with all the others?"
In a series of statements to The Guardian and other media outlets responding to the investigation, the NSO Group said that it "firmly denies false claims made in your report, many of which are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story."
Snowden, meanwhile, said that "what the Pegasus Project reveals is the NSO Group is really representative of a new malware market, where this is a for-profit business… The only reason NSO is doing this is not to save the world, it's to make money."
Pointing out that "if they find a way to hack one iPhone, they've found a way to hack all of them," Snowden warned that the danger will only grow as long as the international spyware trade is allowed to exist and encouraged collective action to impose a global ban.
"Inaction is no longer an option," he said. "If you don't do anything to stop the sale of this technology, it's not just going to be 50,000 targets. It's going to be 50 million targets, and it's going to happen much more quickly than any of us expect."
While thousands of iPhones and Google Android phones were listed as potential targets for Pegasus spyware, Amnesty International was only able to confirm that Apple products were infected, because of Android's operating system, the group explained in a statement Monday.
"Apple prides itself on its security and privacy features, but NSO Group has ripped these apart," said Danna Ingleton, deputy director of Amnesty Tech. "Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO's spyware has successfully infected iPhone 11 and iPhone 12 models."
"Thousands of iPhones have potentially been compromised," she warned. "This is a global concern—anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand."
According to Ingleton: "NSO Group can no longer hide behind the claim that its spyware is only used to fight crime. There is overwhelming evidence that NSO spyware is being systematically used for repression and other human rights violations. NSO Group must immediately stop selling its equipment to governments with a track record of abusing human rights."
"These findings show that the surveillance industry is out of control," she added. "States must immediately implement a global moratorium on the export, sale, and use of surveillance equipment until a human rights-compliant regulatory framework is in place."