News broke last week that exiled Russian investigative journalist Galina Timchenko’s phone was infected with NSO Group’s Pegasus spyware while she was in Berlin and went undetected for more than four months. It’s an alarming reminder of just how important it is for journalists everywhere to remain vigilant about threats to their digital security and to take steps to secure their devices and communications.
It’s also a reminder to Americans who care about press freedom that we must continue to push our government to do more to combat Pegasus.
Pegasus gives governments access to photos, notes, and encrypted communications stored on a phone. It can even use a phone’s microphone and camera to turn it into a listening device. Once infected, journalists’ phones can reveal their confidential sources and details of unpublished investigations.
Disturbingly, Pegasus has been found on the phones of journalists and their associates hundreds of times, including on the phone of the fiancée of Jamal Khashoggi, the Washington Post columnist brutally murdered by the Saudi Arabian government. In fact, journalists are consistently among the most frequent targets of Pegasus and other spyware used by governments, according to Citizen Lab, the leading civil society organization researching Pegasus. The founder of NSO Group once even defended the use of the software to hack journalists.
NSO Group claims it won’t allow Pegasus to be used in the United States. We have our doubts, especially since the FBI has acknowledged purchasing Pegasus. But even if Pegasus was never used to target a single phone in America, it still threatens press freedom here. For one thing, foreign governments have used Pegasus to target journalists who work with U.S. news outlets from abroad, like Khashoggi and others.
Even if governments only targeted journalists who work exclusively for foreign news organizations, it would still chill reporting that Americans rely on. Americans often watch or read non-U.S. news outlets to learn about world events or get a different perspective on U.S. news. For instance, Timchenko writes for Meduza, whose English-language website provides independent reporting about Russia’s war on Ukraine for a global audience.
While the U.S. government has taken some steps to restrict Pegasus’s funding and access to technology and dry up the market for commercial spyware, it must do more.
Under President Joe Biden, the Commerce Department added NSO Group to a government blacklist that makes it harder for it to do business in the U.S. or with Americans. But NSO Group has been furiously lobbying officials to reverse that decision, and there’s no guarantee a future administration would keep it on the blacklist. So we need legislation that permanently bars sharing technology with or providing funds to companies that create spyware that targets journalists, human rights activists, and dissidents.
The government must also enforce laws that criminalize the use of spyware like Pegasus against journalists and others. For example, the government could use the Computer Fraud and Abuse Act, or CFAA, or other computer hacking laws to prosecute NSO Group, rather than try to use these laws to go after journalists. In the absence of criminal prosecutions, U.S. courts should recognize civil claims under the CFAA against NSO Group, such as the case brought by the Knight First Amendment Institute on behalf of journalists at a Salvadoran news outlet whose iPhones were infected with Pegasus spyware.
Biden also signed an executive order prohibiting the government from using commercial spyware implicated in human rights abuses. But there’s nothing in the order to stop the U.S. government from using spyware it creates itself against journalists or others. Such an easily circumvented “ban” on spyware is really no ban at all. The U.S. should ban government use of any spyware against journalists and other human rights defenders.
These measures may not be the golden bridle that ultimately tames Pegasus. After all, there’s only so much impact that the U.S. can have on spyware created by a foreign corporation and used by foreign governments. But there’s undoubtedly more the U.S. government could be doing to rein in Pegasus, or any spyware that threatens freedom of the press, no matter where it’s deployed.