Follow us on social

Shutterstock_1389409868-scaled

How the booming spyware industry is making life hell for journalists around the world

A new report lays out a grim picture of how surveillance tech has helped governments crack down on reporters.

Reporting | Military Industrial Complex

Asmae Moussaoui couldn’t shake the feeling that she was being watched. 

Her husband, Moroccan journalist Taoufik Bouachrine, had recently been arrested by Moroccan authorities on what his supporters viewed as trumped-up charges of sex crimes. In April 2019, Moussaoui called a U.S. communications firm and asked it to help her place ads in American newspapers to build support for Bouachrine’s cause.

Just a day later, an outlet with links to Rabat’s security services claimed that Moussaoui, who is also a journalist, had paid the firm with tens of thousands of euros acquired via human trafficking.

Shocked by the story, she hatched a plan to confirm that she was being surveilled. Moussaoui instructed her lawyer to call her and suggest that they try to “reconcile” with her husband’s alleged victims.

“The next day, tabloids published an article saying that our family is planning to bribe each victim with two million dirhams [US$20,150] so they drop the case,” she told the Committee to Protect Journalists. “I became very sure then.”

Moussaoui’s story is just one of many found in a new CPJ report about how the booming spyware industry has impacted journalism. The document lays out a grim picture of how private surveillance companies, many of which operate from the soil of U.S. allies, have provided authoritarians around the world with the tools they need to spy on journalists.

These new forms of surveillance, which can effectively take over a target's phone without a trace, have had a chilling effect on reporters, many of whom fear that their conversations can never be truly private. And as evidence of advanced surveillance programs continue to mount, sources who were once willing to act as whistleblowers have stopped answering journalists’ calls in many countries, according to the report.

Notably, it is almost impossible to find “smoking-gun evidence” of an attack, and it takes enormous amounts of time and expertise to even make a serious accusation against a specific company. In the case mentioned above, the University of Toronto’s Citizen Lab found that Bouachrine may have been targeted by Pegasus, a powerful spyware created by the infamous Israeli firm NSO Group, but that remains unconfirmed. And Moussaoui has nothing besides her home-grown experiment to prove that she was targeted.

“That uncertainty may be the most pernicious aspect of spyware,” wrote journalist Fred Guterl, the report’s author. “In the long-term, journalists who feel threatened by an invisible enemy that could expose their sources and their private lives to public scrutiny may start to shy away from controversial investigations, curtailing their publications’ coverage, and dealing a blow to press freedom."

Gypsy Guillén Kaiser, the advocacy and communications director at CPJ, told Responsible Statecraft that this amounts to an “existential crisis” for journalism. 

“The basic fabric of reporting is being able to ask questions and obtain information freely and safely,” Guillén Kaiser said. “If you have someone — an entity, a government — in your device unknowingly, it fundamentally prevents you from doing that.”

And the problem is no longer restricted to NSO Group and its Pegasus software, which has reportedly been used to surveil officials, journalists, and dissidents around the world. (Among other notable hacks, the UAE reportedly infected the phone of Jamal Khashoggi’s wife with Pegasus just months before the journalist’s gruesome death at the hands of Saudi agents.) Following NSO’s success, other firms have scurried to get a piece of the spyware market, with new companies cropping up throughout the world.

In the Middle East, Israel and the UAE “have become regional hubs for the nascent spyware industry,” according to the report. Besides NSO, Israel is also home to Candiru, an unusually secretive company whose tech has likely been used to target journalists, activists, and other public figures in at least ten countries, according to Microsoft.

The report also mentions Italian company RCS Labs — whose spyware has reportedly been used in Italy, Kazakhstan, and Syria — and North Macedonian firm Cytrox — whose software appears to have been sold to Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain. China also uses “home-grown surveillance methods,” including a mandatory app for reporters who want press credentials that doubles as a sort of spyware, according to the report.

Some American firms have also gotten into the game. D.C.-based Zerodium is a broker for “zero days,” or security vulnerabilities in software, and “exploits” that take advantage of those vulnerabilities. While the company claims that its customers are mainly Western governments, one of its exploits was used to surveil an Emirati blogger who is now in prison on charges of “publishing false information to damage the country’s reputation,” according to Reporters Without Borders.

In practice, the spyware industry faces the same issue as many other areas of tech: it's grown too fast for regulators to catch up. “The industry’s lack of regulation makes it impossible to prevent abuse of spyware,” Guterl wrote.

Further complicating matters is the fact that governments really want access to high quality surveillance technology, which can have a huge impact on their ability to deal with terrorism and organized crime. And unlike the United States, many countries don’t have the resources to develop these tools themselves.

Take Mexico, which has spent more than $61 million on NSO’s Pegasus software, according to the report. The government has used that technology to great effect in fighting cartels, even using it in the effort to finally capture notorious drug lord El Chapo. But, as the report notes, there is significant evidence that Mexican journalists and activists have also been targeted by Pegasus. This further adds to the difficulty of doing journalism in Mexico, which is already among the world’s most dangerous countries for reporters.

Guillén Kaiser says the only way to fight back against this is to convince governments that, on balance, spyware does more harm than good. 

“We have to show the cost that’s at the other end,” she said. “We are losing the freedom and the ability to be informed.”

Meanwhile, the report notes that the United States has taken some steps to fill the regulation gap. Among other things, the Department of Commerce has imposed export controls on the NSO Group’s products and created a new rule that sets up controls on the “export, reexport, or transfer of items that can be used to spy on journalists,” according to the report.

But CPJ argues that Washington still has many steps to take in order to meet the threat. The report calls for a global moratorium on the “development, export, sale, transfer, servicing, and use of spyware technologies” until governments can put proper regulations in place, and it argues that all governments should stop working with companies that sell spyware to countries that misuse it.

For the United States in particular, CPJ says Congress should pass the Foreign Advanced Technology Surveillance Accountability Act, which would require the State Department to note how countries misuse surveillance tech in its annual human rights reports. The report also calls on the State Department to create a list of companies that sell spyware to bad actors, which it is mandated to do under a 2021 law.

But some researchers believe that regulation is not enough to stop the misuse of the powerful technology. One such expert is David Kaye, who previously served as the UN’s special rapporteur for freedom of opinion and expression. Though he acknowledges that a ban is unlikely in the near term, Kaye argued in a column for CPJ that the potential for abuse is simply too high to allow countries to use spyware.

“No government should have such a tool, and no private company should be able to sell such a tool to governments or others,” he wrote.

Thanks to our readers and supporters, Responsible Statecraft has had a tremendous year. A complete website overhaul made possible in part by generous contributions to RS, along with amazing writing by staff and outside contributors, has helped to increase our monthly page views by 133%! In continuing to provide independent and sharp analysis on the major conflicts in Ukraine and the Middle East, as well as the tumult of Washington politics, RS has become a go-to for readers looking for alternatives and change in the foreign policy conversation. 

 

We hope you will consider a tax-exempt donation to RS for your end-of-the-year giving, as we plan for new ways to expand our coverage and reach in 2025. Please enjoy your holidays, and here is to a dynamic year ahead!

(Shutterstock/ Stokkete)
Reporting | Military Industrial Complex
ukraine war

Diplomacy Watch: Will Assad’s fall prolong conflict in Ukraine?

QiOSK

Vladimir Putin has been humiliated in Syria and now he has to make up for it in Ukraine.

That’s what pro-war Russian commentators are advising the president to do in response to the sudden collapse of Bashar al-Assad’s regime, according to the New York Times this week. That sentiment has potential to derail any momentum toward negotiating an end to the war that had been gaining at least some semblance of steam over the past weeks and months.

keep readingShow less
Ukraine Russian Assets money
Top photo credit: Shutterstock/Corlaffra

West confirms Ukraine billions funded by Russian assets

Europe

On Tuesday December 10, Treasury Secretary Janet Yellen announced the disbursement of a $20 billion loan to Ukraine. This represents the final chapter in the long-negotiated G7 $50 billion Extraordinary Revenue Acceleration (ERA) loan agreed at the G7 Summit in Puglia, in June.

Biden had already confirmed America’s intention to provide this loan in October, so the payment this week represents the dotting of the “I” of that process. The G7 loans are now made up of $20 billion each from the U.S. and the EU, with the remaining $10 billion met by the UK, Canada, and Japan.

keep readingShow less
Shavkat Mirziyoyev Donald Trump
Top image credit: U.S. President Donald Trump greets Uzbekistan's President Shavkat Mirziyoyev at the White House in Washington, U.S. May 16, 2018. REUTERS/Jonathan Ernst

Central Asia: The blind spot Trump can't afford to ignore

Asia-Pacific

When President-elect Donald Trump starts his second term January 20, he will face a full foreign policy agenda, with wars in Ukraine and the Middle East, Taiwan tensions, and looming trade disputes with China, Mexico, and Canada.

At some point, he will hit the road on his “I’m back!” tour. Hopefully, he will consider stops in Central Asia in the not-too-distant future.

keep readingShow less

Trump transition

Latest

Newsletter

Subscribe now to our weekly round-up and don't miss a beat with your favorite RS contributors and reporters, as well as staff analysis, opinion, and news promoting a positive, non-partisan vision of U.S. foreign policy.