Amid the varied cast of people whose numbers appear on a list of individuals selected by NSO Group’s client governments, one name stands out as particularly ironic. Pavel Durov, the enigmatic Russian-born tech billionaire who has built his reputation on creating an unhackable messaging app, finds his own number on the list.
Durov, 36, is the founder of Telegram, which claims to have more than half a billion users. Telegram offers end-to-end encrypted messaging and users can also set up “channels” to disseminate information quickly to followers. It has found popularity among those keen to evade the snooping eyes of governments, whether they be criminals, terrorists or protesters battling authoritarian regimes.
In recent years, Durov has publicly rubbished the security standards of competitors, particularly WhatsApp, which he has claimed is “dangerous” to use. By contrast, he has positioned Telegram as a plucky upstart determined to safeguard the privacy of its users at all costs.
Without a forensic examination of Durov’s phone, it is not possible to say whether there was any attempt to install malware on the device.
An NSO source indicated Durov was not a target, meaning the source denies he was selected for surveillance using Pegasus, NSO’s spyware. The company insists that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.
Asked directly whether Durov’s phone was a target of Pegasus or any other activity related to the spyware, an NSO spokesperson did not directly answer the question. They said: “Any claim that a name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.” Lawyers for NSO said its decision not to respond to certain allegations should not be treated as confirmation of those claims.
But the list, which the Guardian and other media had access to as part of the Pegasus project, an international collaboration, is believed to be indicative of individuals identified as persons of interest by government clients of NSO. It includes people who were later targeted for surveillance, according to forensic analysis of their phones.
Cybersecurity experts who have examined how NSO’s Pegasus spyware works say the software does not discriminate between encrypted messaging apps and can access pretty much everything on an infected phone. They say Telegram, as well as WhatsApp, Signal and other messaging apps promising end-to-end encryption, are in effect rendered powerless if the device on which they are installed is infected by hacking software as powerful as Pegasus.
Durov’s number, which appears on the list in early 2018, was the UK mobile number which has been linked to his personal Telegram account for years.
Neither the publicity-averse Durov nor Telegram’s press office responded to requests for comment sent to their Telegram accounts.
The list of governments and intelligence services that might be happy to get a look at the contents of Durov’s mobile phone is long. Durov left Russia in 2013 and has had several conflicts with the country’s security services. Telegram has also played a key role in driving protest movements in Belarus, Hong Kong and Iran.
However analysis of the leaked list suggests Durov might have been of interest to the United Arab Emirates (UAE).
Durov has a passport from the Caribbean country of St Kitts and Nevis and has lived a peripatetic existence since leaving Russia. But papers filed at Companies House in London show that in February 2018 Durov changed his official residence from Finland to the UAE. The timing coincides with the appearance of Durov’s phone in the leaked data, and suggests it may have been a case of his hosts attempting to run checks on their controversial new resident.
Despite an avowed disdain for the concept of nation states, Durov has cosied up to the rulers of his new home country since his move. In February this year, he met Sheikh Hamdan bin Mohammed bin Rashid al-Maktoum, the crown prince of Dubai. “We continue to welcome great talent and ideas to Dubai, which offers a nurturing ecosystem for their development,” said Sheikh Hamdan after the meeting, according to a press release from Dubai authorities.
The UAE and Dubai did not respond to requests for comment on the allegations regarding Durov. The Guardian understands Dubai is a former client of NSO, but had its access to Pegasus terminated after an investigation into allegations of misuse.
Durov only rarely makes public statements via his Telegram account, usually offering idiosyncratic lifestyle advice – always live alone, and eat a “seagan” diet of wild fish and nothing else, are two examples – or extolling the virtues of Telegram.
Some have doubted Telegram’s self-portrayal as a devoted privacy advocate that will bow to no government, noting that Telegram chats are not end-to-end encrypted by default, only the app’s “secret chat” function. “I am inclined to advise people to avoid using Telegram entirely because there are alternatives that are end-to-end encrypted all the time,” said Eva Galperin of the Electronic Frontier Foundation.
Galperin said it was important to note that end-to-end encryption still offered significant protection to the vast majority of users, many of whom, if they were targeted for surveillance at all, would probably be targeted by less advanced forms of surveillance than Pegasus.
In Belarus, where Telegram messages and channels have been driving revolutionary sentiment over the past year, authorities have had to resort to crude tactics to access the phones of activists – demanding arrested protesters unlock their phones and in May forcing a Ryanair plane transiting through Belarusian airspace with the administrator of a leading protest Telegram channel onboard to land in Minsk, where he was arrested.
“According to all the information we have, without physical access to the device, the Belarusian authorities can’t get into our Telegram messages,” said the administrator of another Belarusian protest channel, speaking via a Telegram voice call.
But this equation changes dramatically when the authorities in question have access to Pegasus. Belarus is not known to be among NSO’s clients, and there is nothing to suggest that it is. But several other repressive regimes in countries where human rights activists and journalists regularly use encrypted messaging apps have bought Pegasus. Additionally, the disclosures by the Pegasus papers consortium this week suggest that in many countries a broad range of people, and sometimes their families or associates, can become targets of the spyware.
Serguei Beloussov, a Singaporean tech entrepreneur who runs the data protection company Acronis, said software such as Pegasus made it hard to recommend particular messaging services as better than others. “Protecting a single application is not possible; the main vulnerability is your device,” he said. “The only fully secure device is one which is off.”