The Pegasus project, a special investigation by the Guardian, Washington Post and the Forbidden Stories Network of media partners, is among the recipients of the prestigious 2021 George Polk awards in journalism.
The joint investigation into NSO Group, which sells hacking spyware to governments, revealed how the technology had been used by repressive governments to commit widespread human rights abuses.
Using forensic analysis of iPhones, the project uncovered widespread surveillance of journalists, human rights defenders and lawyers by authoritarian government clients of NSO around the world.
Katharine Viner, the Guardian’s editor-in-chief, said: “This award is a huge honour for the Guardian and our reporting partners who helped bring this powerful, global investigation to millions of readers around the world.
“Rigorous investigative reporting is the lifeblood of the Guardian and the Pegasus project was one of the biggest and boldest investigations in our history, resulting in major impact around the world. In an age when public interest journalism faces more threats than ever, this is a timely reminder of the power of investigative reporting and the importance of independent, quality journalism.”
Paul Lewis, the Guardian’s head of investigations, said: “The Pegasus project revealed widespread abuse of a powerful surveillance tool – and showed what can be achieved with collaborative investigative reporting. Thanks to Long Island University and the George Polk awards for this accolade, and recognition of this vital journalistic effort that held both people and power to account.”
It is the third time that the Guardian has won a George Polk award, having also won in 2014 for investigative stories on NSA surveillance based on top-secret documents disclosed by the former intelligence analyst Edward Snowden, and in 1960 for a foreign correspondent dispatch.
The awards were established in 1949 by Long Island University to commemorate George Polk, a CBS correspondent murdered in 1948 while covering the Greek civil war. The 2021 awards will be presented at the Yale Club in New York on Friday 8 April.
The Guardian and its partners revealed how Hungary’s government was spying on journalists, Narendra Modi’s government monitored political opponents, and Dubai’s ruler, Sheikh Mohammed bin Rashid al-Maktoum, spied on his daughter and ex-wife.
The Pegasus project also drew on a list of 50,000 phone numbers that was leaked to Forbidden Stories and is understood to have consisted of persons of interest to government clients of NSO. It included the numbers of the French president, Emmanuel Macron, relatives of the murdered Washington Post journalist Jamal Khashoggi and close associates of the Dalai Lama. NSO strongly denied that the data had any connection to the Israeli firm and said the phone numbers on the list were not targets of NSO customers.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
The Guardian’s reporting team included Stephanie Kirchgaessner, Paul Lewis, David Pegg, Sam Cutler, Dan Sabbagh, Nina Lakhani, Michael Safi, Shaun Walker, Angelique Chrisafis and Martin Hodgson. Other media partners included Süddeutsche Zeitung, Le Monde, Die Zeit and the Organized Crime and Corruption Reporting Project (OCCRP).
Others honoured in the Polk awards included Clarissa Ward and her crew for their real-time coverage of the rapid rise of the Taliban as the US withdrew from Afghanistan; the staff of the Washington Post for the three-part online series The Attack that cited systematic security failures in advance of the January storming of the US Capitol; and Jeff Horwitz and the staff of the Wall Street Journal for the Facebook Files, documenting how Facebook ignored internal findings that company practices promoted anger, divisiveness and extremism, protected drug cartels, human traffickers and dictators, and endangered teenage girls susceptible to body-image concerns, anxiety and depression.