Surveilled #79 — A weekend project: test your phone for NSO’s Pegasus tool
My archives tell me it’s slightly more than a month since the last issue of Surveilled, although it feels like it was decades ago to me. Pandemic fatigue (we’ve been in lockdown in Malaysia since early May again, with little sign of improvement) plays a big part, but the main reason behind this gap is undoubtedly that I’ve been unhappy with the format of the newsletter for some time.
And yet, the urge to write still appears to be there, hence a new issue. After the first hiatus of the newsletter, I said I wanted to write more long-form content, to develop underlying themes and concepts more, instead of focusing on news, which others do far better than me. The “Goodbye for now” issue at the end of last year contains a few pointers for news, if you’re interested.
Unfortunately, that kind of writing proved incompatible with a weekly frequency, and hence most issues focused on “newsy” links. But with all the other sources of news out there, and a noticeable uptick in tech coverage from mainstream outlets, I feel this adds less and less value, and I want to move away from it. Hence, I’ll focus on long-form content from now on, and that probably means this newsletter will become less regular, and certainly not weekly. There may still be links, but more in the spirit of “this is interesting” rather than “this is what happened last week”.
As always, thanks for reading and let me know what you think by replying to this mail.
A weekend project: check your phone for signs of NSO’s Pegasus snooping tool
Israeli cybersurveillance company NSO has appeared many times in Surveilled (their first mention was in issue 2!), and they hit the news again recently. A list allegedly containing some 50,000 phone numbers that NSO was asked to surveil was leaked to a coalition of journalists and activists, including Amnesty International.
This coalition did a deep dive on the list’s content and identified numerous politicians, activists and journalists, from all over the globe. They contacted some of them to analyse their phones and look for any sign of NSO’s Pegasus tool, and did indeed find traces of infection on a number of them. The Verge has a useful overview to bring you up to speed on the whole story. Bottom line, this seems to confirm that NSO doesn’t limit the use of its tools to criminals only.
As part of the investigation, Amnesty International also released a tool (see Section 11) that allows you to check your own phone for signs of infection. A word of warning before you rush in: it’s not for the faint-hearted. Using the tool requires installing development tools and using the command line. Amnesty’s documentation is a useful reference, and again The Verge has a good guide providing more help.
So much for the alarm and paranoia at this point: in fact the odds are very small that your phone is compromised, unless of course you actually are a high-profile criminal or perhaps a high-ranking opposition politician in an authoritarian state. The reason is that NSO’s Pegasus is a tool for targeted cybersurveillance, as opposed to the mass cybersurveillance that we all fall victim to through the ad-tech business model.
The bad news is that if you are a valuable enough target for targeted cybersurveillance, you practically have no means to defend yourself at all. A tool like Pegasus depends on flaws in the software of your phone, and despite manufacturers’ best efforts, such flaws will always exist, and will always be exploited. In fact, there are flaws all along the infrastructure that powers our digital world (cellular networks, internet routers, servers...), and companies exist to exploit all of them for surveillance.
What that world looks like and what it could mean for our politics and society is beautifully and thrillingly described in Cory Doctorow’s latest book, Attack Surface. The book does a great job at explaining the technology, business and politics (some of the groups involved with the reporting on NSO provided advice, such as Citizen Lab), and what it means for ordinary citizens. After finishing it, you’re left with a vague unease about the direction we’re heading, but it remains abstract.
And that’s why, despite the low risk of infection, it’s still worth checking your phone for signs of Pegasus. At a minimum, the process will yield new insights into how your phone works, and seeing the output of Amnesty’s tool will bring home just how much information can be gleaned from it. For example, the log of my message interactions alone weighs in at some 9MB, or some 5,000 A4 pages, and I’m not a particularly prolific “messager”...
Of course, by now there is no chance we will give up our phones or the internet; both are completely intertwined with our lives. But additional technical insight is always useful, and will hopefully nudge us to be more mindful of how we use these powerful tools, and more vigilant of the increase in surveillance enabled by our systems of politics and business. So by all means, block out a couple of hours next weekend to check your phone.