How the booming spyware industry is making life hell for journalists around the world
Asmae Moussaoui couldn’t shake the feeling that she was being watched.
Her husband, Moroccan journalist Taoufik Bouachrine, had recently been arrested by Moroccan authorities on what his supporters viewed as trumped-up charges of sex crimes. In April 2019, Moussaoui called a U.S. communications firm and asked it to help her place ads in American newspapers to build support for Bouachrine’s cause.
Just a day later, an outlet with links to Rabat’s security services claimed that Moussaoui, who is also a journalist, had paid the firm with tens of thousands of euros acquired via human trafficking.
Shocked by the story, she hatched a plan to confirm that she was being surveilled. Moussaoui instructed her lawyer to call her and suggest that they try to “reconcile” with her husband’s alleged victims.
“The next day, tabloids published an article saying that our family is planning to bribe each victim with two million dirhams [US$20,150] so they drop the case,” she told the Committee to Protect Journalists. “I became very sure then.”
Moussaoui’s story is just one of many found in a new CPJ report about how the booming spyware industry has impacted journalism. The document lays out a grim picture of how private surveillance companies, many of which operate from the soil of U.S. allies, have provided authoritarians around the world with the tools they need to spy on journalists.
These new forms of surveillance, which can effectively take over a target’s phone without a trace, have had a chilling effect on reporters, many of whom fear that their conversations can never be truly private. And as evidence of advanced surveillance programs continue to mount, sources who were once willing to act as whistleblowers have stopped answering journalists’ calls in many countries, according to the report.
Notably, it is almost impossible to find “smoking-gun evidence” of an attack, and it takes enormous amounts of time and expertise to even make a serious accusation against a specific company. In the case mentioned above, the University of Toronto’s Citizen Lab found that Bouachrine may have been targeted by Pegasus, a powerful spyware created by the infamous Israeli firm NSO Group, but that remains unconfirmed. And Moussaoui has nothing besides her home-grown experiment to prove that she was targeted.
“That uncertainty may be the most pernicious aspect of spyware,” wrote journalist Fred Guterl, the report’s author. “In the long-term, journalists who feel threatened by an invisible enemy that could expose their sources and their private lives to public scrutiny may start to shy away from controversial investigations, curtailing their publications’ coverage, and dealing a blow to press freedom.”
Gypsy Guillén Kaiser, the advocacy and communications director at CPJ, told Responsible Statecraft that this amounts to an “existential crisis” for journalism.
“The basic fabric of reporting is being able to ask questions and obtain information freely and safely,” Guillén Kaiser said. “If you have someone — an entity, a government — in your device unknowingly, it fundamentally prevents you from doing that.”
And the problem is no longer restricted to NSO Group and its Pegasus software, which has reportedly been used to surveil officials, journalists, and dissidents around the world. (Among other notable hacks, the UAE reportedly infected the phone of Jamal Khashoggi’s wife with Pegasus just months before the journalist’s gruesome death at the hands of Saudi agents.) Following NSO’s success, other firms have scurried to get a piece of the spyware market, with new companies cropping up throughout the world.
In the Middle East, Israel and the UAE “have become regional hubs for the nascent spyware industry,” according to the report. Besides NSO, Israel is also home to Candiru, an unusually secretive company whose tech has likely been used to target journalists, activists, and other public figures in at least ten countries, according to Microsoft.
The report also mentions Italian company RCS Labs — whose spyware has reportedly been used in Italy, Kazakhstan, and Syria — and North Macedonian firm Cytrox — whose software appears to have been sold to Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain. China also uses “home-grown surveillance methods,” including a mandatory app for reporters who want press credentials that doubles as a sort of spyware, according to the report.
Some American firms have also gotten into the game. D.C.-based Zerodium is a broker for “zero days,” or security vulnerabilities in software, and “exploits” that take advantage of those vulnerabilities. While the company claims that its customers are mainly Western governments, one of its exploits was used to surveil an Emirati blogger who is now in prison on charges of “publishing false information to damage the country’s reputation,” according to Reporters Without Borders.
In practice, the spyware industry faces the same issue as many other areas of tech: it’s grown too fast for regulators to catch up. “The industry’s lack of regulation makes it impossible to prevent abuse of spyware,” Guterl wrote.
Further complicating matters is the fact that governments really want access to high quality surveillance technology, which can have a huge impact on their ability to deal with terrorism and organized crime. And unlike the United States, many countries don’t have the resources to develop these tools themselves.
Take Mexico, which has spent more than $61 million on NSO’s Pegasus software, according to the report. The government has used that technology to great effect in fighting cartels, even using it in the effort to finally capture notorious drug lord El Chapo. But, as the report notes, there is significant evidence that Mexican journalists and activists have also been targeted by Pegasus. This further adds to the difficulty of doing journalism in Mexico, which is already among the world’s most dangerous countries for reporters.
Guillén Kaiser says the only way to fight back against this is to convince governments that, on balance, spyware does more harm than good.
“We have to show the cost that’s at the other end,” she said. “We are losing the freedom and the ability to be informed.”
Meanwhile, the report notes that the United States has taken some steps to fill the regulation gap. Among other things, the Department of Commerce has imposed export controls on the NSO Group’s products and created a new rule that sets up controls on the “export, reexport, or transfer of items that can be used to spy on journalists,” according to the report.
But CPJ argues that Washington still has many steps to take in order to meet the threat. The report calls for a global moratorium on the “development, export, sale, transfer, servicing, and use of spyware technologies” until governments can put proper regulations in place, and it argues that all governments should stop working with companies that sell spyware to countries that misuse it.
For the United States in particular, CPJ says Congress should pass the Foreign Advanced Technology Surveillance Accountability Act, which would require the State Department to note how countries misuse surveillance tech in its annual human rights reports. The report also calls on the State Department to create a list of companies that sell spyware to bad actors, which it is mandated to do under a 2021 law.
But some researchers believe that regulation is not enough to stop the misuse of the powerful technology. One such expert is David Kaye, who previously served as the UN’s special rapporteur for freedom of opinion and expression. Though he acknowledges that a ban is unlikely in the near term, Kaye argued in a column for CPJ that the potential for abuse is simply too high to allow countries to use spyware.
“No government should have such a tool, and no private company should be able to sell such a tool to governments or others,” he wrote.