Senior human rights officials have repeated calls for a ban on the powerful Israeli spyware Pegasus until safeguards are in place to protect civilians from illegal hacking by governments.
Calls for a moratorium on the sale and use of the military-grade spyware were made on Wednesday at a hearing of the Inter-American Commission on Human Rights (IACHR) into widespread unlawful surveillance using Pegasus spyware against journalists and activists in El Salvador.
“There’s no doubt that malware marketed for complex security threats is being manipulated and used against the media and civil society … which is having a chilling effect on democracy,” said Scott Campbell, senior human rights and technology officer of the UN office of the high commissioner for human rights.
“Pegasus malware should stop being marketed and used until there are better global and national safeguards.”
The IACHR hearing follows a joint investigation published in January by Access Now and Citizen Lab which confirmed the use of NSO Group’s Pegasus spyware against 35 journalists and human rights defenders in El Salvador.
The hacking took place over 18 months from July 2020 to November 2021 and included 22 from the investigative news outlet El Faro. One journalist was hacked 49 times, another almost constantly for 269 days.
Amnesty International’s Security Lab peer-reviewed the findings and independently verified forensic evidence showing the military-grade spyware was being operated by a single customer within the country, suggesting the Salvadoran government was the likely operator.
“We urge El Salvador to implement an immediate moratorium on the use of spyware technology,” said Likhita Banerji from Amnesty International, which is calling for international standards and domestic legislation to limit surveillance, require greater oversight and transparency about contracts, as well as remedies for victims who are targeted illegally.
El Salvador is one of the most deadly countries in the Americas where gangs, extrajudicial violence, corruption and poverty have forced hundreds of thousands to migrate over the past decade.
The illegal cyber-surveillance took place amid mounting attacks on independent news outlets and human rights groups following the election of self-proclaimed reformer Nayib Bukele in June 2019, the hearing was told. This included El Faro being banned from government press conferences, ministries withholding information, a surge in online and in-person harassment, and threats and physical violence (including threats of sexual violence) against female journalists.
Carlos Dada from El Faro said the hacking coincided with investigations into controversial and potentially embarrassing stories about the president’s negotiation with the street gangs, dealings with Venezuelan officials, government corruption and the adoption of bitcoin as legal tender. “We fear for ourselves, our families and our sources,” said Dada, whose phone was under surveillance for 167 days.
The El Salvador cases add to the findings of the Pegasus project, an international consortium of 17 news organizations including the Guardian, on abuses of the spyware by the governments of at least 10 countries including Mexico, Saudi Arabia and India.
The project, coordinated by the French non-profit group Forbidden Stories, last year reported on a leaked database containing tens of thousands of phone numbers of activists, lawyers, academics, journalists, political figures, business leaders, priests and dissidents who are believed to have been selected as people of interest by NSO’s government clients.
Once infected with Pegasus, operators have total access to the phone, including the ability to intercept calls, read text messages and emails, control the microphone and camera, infiltrate encrypted apps and track an individual’s physical location.
In Wednesday’s hearing, the Salvadoran government denied any knowledge of the illegal hacks, arguing that officials had also been targeted by the Pegasus spyware. “An extensive investigation is under way,” said a representative from the attorney general’s office, who accused the victims of stalling the investigation by failing to share information – an accusation vehemently refuted by the journalists.
NSO says that it only sells its software to vetted government clients to prevent “terrorism and serious crime”.
John Scott Railton, senior researcher at Citizen Lab with years of experience tracking Pegasus, said that it was not uncommon for governments to spy on their own officials, and questioned the government’s so-called extensive investigation. “I am unaware of any contact by the government with my team.”
IACHR representatives also seemed unconvinced by the government’s investigation.
“This was a serious attack on democracy and democratic standards … one doesn’t wish to keep a list but so many rights were violated,” said Margarette May Macaulay, the rapporteur on the rights of persons of African descent and against racial discrimination. “The investigation must be as rigorous as possible and as quickly as possible … [But] there seems to be no urgency from the state.”