CatalanGate del The New Yorker (I/III)

How Democracies Spy on Their Citizens

The inside story of the world’s most notorious commercial spyware and the big tech companies waging

The parliament of Catalonia, the autonomous region in Spain, sits on the edge of Barcelona’s Old City, in the remains of a fortified citadel constructed by King Philip V to monitor the restive local population. The citadel was built with forced labor from hundreds of Catalans, and its remaining structures and gardens are for many a reminder of oppression. Today, a majority of Catalan parliamentarians support independence for the region, which the Spanish government has deemed unconstitutional. In 2017, as Catalonia prepared for a referendum on independence, Spanish police arrested at least twelve separatist politicians. On the day of the referendum, which received the support of ninety per cent of voters despite low turnout, police raids of polling stations injured hundreds of civilians. Leaders of the independence movement, some of whom live in exile across Europe, now meet in private and communicate through encrypted messaging platforms.

One afternoon last month, Jordi Solé, a pro-independence member of the European Parliament, met a digital-security researcher, Elies Campo, in one of the Catalan parliament’s ornate chambers. Solé, who is forty-five and wore a loose-fitting suit, handed over his cell phone, a silver iPhone 8 Plus. He had been getting suspicious texts and wanted to have the device analyzed. Campo, a soft-spoken thirty-eight-year-old with tousled dark hair, was born and raised in Catalonia and supports independence. He spent years working for WhatsApp and Telegram in San Francisco, but recently moved home. “I feel in a way it’s a kind of duty,” Campo told me. He now works as a fellow at the Citizen Lab, a research group based at the University of Toronto that focusses on high-tech human-rights abuses.

Campo collected records of Solé’s phone’s activity, including crashes it had experienced, then ran specialized software to search for spyware designed to operate invisibly. As they waited, Campo looked through the phone for evidence of attacks that take varied forms: some arrive through WhatsApp or as S.M.S. messages that seem to come from known contacts; some require a click on a link, and others operate with no action from the user. Campo identified an apparent notification from the Spanish government’s social-security agency which used the same format as links to malware that the Citizen Lab had found on other phones. “With this message, we have the proof that at some point you were attacked,” Campo explained. Soon, Solé’s phone vibrated. “This phone tested positive,” the screen read. Campo told Solé, “There’s two confirmed infections,” from June, 2020. “In those days, your device was infected—they took control of it and were on it probably for some hours. Downloading, listening, recording.”

Solé’s phone had been infected with Pegasus, a spyware technology designed by NSO Group, an Israeli firm, which can extract the contents of a phone, giving access to its texts and photographs, or activate its camera and microphone to provide real-time surveillance—exposing, say, confidential meetings. Pegasus is useful for law enforcement seeking criminals, or for authoritarians looking to quash dissent. Solé had been hacked in the weeks before he joined the European Parliament, replacing a colleague who had been imprisoned for pro-independence activities. “There’s been a clear political and judicial persecution of people and elected representatives,” Solé told me, “by using these dirty things, these dirty methodologies.”

In Catalonia, more than sixty phones—owned by Catalan politicians, lawyers, and activists in Spain and across Europe—have been targeted using Pegasus. This is the largest forensically documented cluster of such attacks and infections on record. Among the victims are three members of the European Parliament, including Solé. Catalan politicians believe that the likely perpetrators of the hacking campaign are Spanish officials, and the Citizen Lab’s analysis suggests that the Spanish government has used Pegasus. A former NSO employee confirmed that the company has an account in Spain. (Government agencies did not respond to requests for comment.) The results of the Citizen Lab’s investigation are being disclosed for the first time in this article. I spoke with more than forty of the targeted individuals, and the conversations revealed an atmosphere of paranoia and mistrust. Solé said, “That kind of surveillance in democratic countries and democratic states—I mean, it’s unbelievable.”

[Support The New Yorker’s award-winning journalism. Subscribe today »]

Commercial spyware has grown into an industry estimated to be worth twelve billion dollars. It is largely unregulated and increasingly controversial. In recent years, investigations by the Citizen Lab and Amnesty International have revealed the presence of Pegasus on the phones of politicians, activists, and dissidents under repressive regimes. An analysis by Forensic Architecture, a research group at the University of London, has linked Pegasus to three hundred acts of physical violence. It has been used to target members of Rwanda’s opposition party and journalists exposing corruption in El Salvador. In Mexico, it appeared on the phones of several people close to the reporter Javier Valdez Cárdenas, who was murdered after investigating drug cartels. Around the time that Prince Mohammed bin Salman of Saudi Arabia approved the murder of the journalist Jamal Khashoggi, a longtime critic, Pegasus was allegedly used to monitor phones belonging to Khashoggi’s associates, possibly facilitating the killing, in 2018. (Bin Salman has denied involvement, and NSO said, in a statement, “Our technology was not associated in any way with the heinous murder.”) Further reporting through a collaboration of news outlets known as the Pegasus Project has reinforced the links between NSO Group and anti-democratic states. But there is evidence that Pegasus is being used in at least forty-five countries, and it and similar tools have been purchased by law-enforcement agencies in the United States and across Europe. Cristin Flynn Goodwin, a Microsoft executive who has led the company’s efforts to fight spyware, told me, “The big, dirty secret is that governments are buying this stuff—not just authoritarian governments but all types of governments.”

NSO Group is perhaps the most successful, controversial, and influential firm in a generation of Israeli startups that have made the country the center of the spyware industry. I first interviewed Shalev Hulio, NSO Group’s C.E.O., in 2019, and since then I have had access to NSO Group’s staff, offices, and technology. The company is in a state of contradiction and crisis. Its programmers speak with pride about the use of their software in criminal investigations—NSO claims that Pegasus is sold only to law-enforcement and intelligence agencies—but also of the illicit thrill of compromising technology platforms. The company has been valued at more than a billion dollars. But now it is contending with debt, battling an array of corporate backers, and, according to industry observers, faltering in its long-standing efforts to sell its products to U.S. law enforcement, in part through an American branch, Westbridge Technologies. It also faces numerous lawsuits in many countries, brought by Meta (formerly Facebook), by Apple, and by individuals who have been hacked by NSO. The company said in its statement that it had been “targeted by a number of politically motivated advocacy organizations, many with well-known anti-Israel biases,” and added that “we have repeatedly cooperated with governmental investigations, where credible allegations merit, and have learned from each of these findings and reports, and improved the safeguards in our technologies.” Hulio told me, “I never imagined in my life that this company would be so famous. . . . I never imagined that we would be so successful.” He paused. “And I never imagined that it would be so controversial.”

Hulio, who is forty, has a lumbering gait and pudgy features. He typically wears loose T-shirts and jeans, with his hair in a utilitarian buzz cut. Last month, I visited him at his duplex in a luxury high-rise in Park Tzameret, the fanciest neighborhood in Tel Aviv. He lives with his three small children and his wife, Avital, who is expecting a fourth. There’s a pool on the upper level of Hulio’s apartment, and downstairs, in the double-height living room, is a custom arcade cabinet stocked with retro games and bearing a cartoon portrait of him, wearing shades, next to the word “Hulio” in large eight-bit font. Avital attends to the children, frequent renovations, and an ever-shifting array of pets: rabbits remain, a parrot does not. The family has a teacup poodle named Marshmallow Rainbow Sprinkle.

Hulio, Omri Lavie, and Niv Karmi founded NSO Group in 2010, creating its name from the first letters of their names and renting space in a converted chicken coop on a kibbutz. The company now has some eight hundred employees, and its technology has become a leading tool of state-sponsored hacking, instrumental in the fight among great powers.


“Your résumé looks terrific, but I’m just not sure we can deal with the shedding.”


Cartoon by Elisabeth McNair

The Citizen Lab’s researchers concluded that, on July 7, 2020, Pegasus was used to infect a device connected to the network at 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom. A government official confirmed to me that the network was compromised, without specifying the spyware used. “When we found the No. 10 case, my jaw dropped,” John Scott-Railton, a senior researcher at the Citizen Lab, recalled. “We suspect this included the exfiltration of data,” Bill Marczak, another senior researcher there, added. The official told me that the National Cyber Security Centre, a branch of British intelligence, tested several phones at Downing Street, including Johnson’s. It was difficult to conduct a thorough search of phones—“It’s a bloody hard job,” the official said—and the agency was unable to locate the infected device. The nature of any data that may have been taken was never determined.

Video From The New Yorker

Surfing on Kelly Slater’s Machine-Made Wave

The Citizen Lab suspects, based on the servers to which the data were transmitted, that the United Arab Emirates was likely behind the hack. “I’d thought that the U.S., U.K., and other top-tier cyber powers were moving slowly on Pegasus because it wasn’t a direct threat to their national security,” Scott-­Railton said. “I realized I was mistaken: even the U.K. was underestimating the threat from Pegasus, and had just been spectacularly burned.” The U.A.E. did not respond to multiple requests for comment, and NSO employees told me that the company was unaware of the hack. One of them said, “We hear about every, every phone call that is being hacked over the globe, we get a report immediately”—a statement that contradicts the company’s frequent arguments that it has little insight into its customers’ activities. In its statement, the company added, “Information raised in the inquiry indicates that these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”

According to an analysis by the Citizen Lab, phones connected to the Foreign Office were hacked using Pegasus on at least five occasions, from July, 2020, through June, 2021. The government official confirmed that indications of hacking had been uncovered. According to the Citizen Lab, the destination servers suggested that the attacks were initiated by states including the U.A.E., India, and Cyprus. (Officials in India and Cyprus did not respond to requests for comment.) About a year after the Downing Street hack, a British court revealed that the U.A.E. had used Pegasus to spy on Princess Haya, the ex-wife of Sheikh Mohammed bin Rashid al-Maktoum, the ruler of Dubai, one of the Emirates. Maktoum was engaged in a custody dispute with Haya, who had fled with their two children to the U.K. Her attorneys, who are British, were also targeted. A source directly involved told me that a whistle-blower contacted NSO to alert it to the cyberattack on Haya. The company enlisted Cherie Blair, the wife of former Prime Minister Tony Blair and an adviser to NSO, to notify Haya’s attorneys. “We alerted everyone in time,” Hulio told me. Soon afterward, the U.A.E. shut down its Pegasus system, and NSO announced that it would prevent its software from targeting U.K. phone numbers, as it has long done for U.S. ­numbers.

Elsewhere in Europe, Pegasus has filled a need for law-enforcement agencies that previously had limited cyber-intelligence capacity. “Almost all governments in Europe are using our tools,” Hulio told me. A former senior Israeli intelligence official added, “NSO has a monopoly in Europe.” German, Polish, and Hungarian authorities have admitted to using Pegasus. Belgian law enforcement uses it, too, though it won’t admit it. (A spokesperson for the Belgian federal police said that it respects “a legal framework as to the use of intrusive methods in private life.”) A senior European law-enforcement official whose agency uses Pegasus said that it gave an inside look at criminal organizations: “When do they want to store the gas, to go to the place, to put the explosive?” He said that his agency uses Pegasus only as a last resort, with court approval, but conceded, “It’s like a weapon. . . . It can always occur that an individual uses it in the wrong way.”

The United States has been both a consumer and a victim of this tech­nology. Although the National Security Agency and the C.I.A. have their own surveillance technology, other government offices, including in the military and in the Department of Justice, have bought spyware from private companies, according to people involved in those transactions. The Times has reported that the F.B.I. purchased and tested a Pegasus system in 2019, but the agency denied deploying the technology.

Establishing strict rules about who can use commercial spyware is com­plicated by the fact that such technology is offered as a tool of diplomacy. The results can be chaotic. The Times has reported that the C.I.A. paid for Djibouti to acquire Pegasus, as a way to fight terrorism. According to a previously unreported investigation by WhatsApp, the technology was also used against members of Djibouti’s own government, including its Prime Minister, Abdoulkadar Kamil Mohamed, and its Minister of the Interior, Hassan Omar.

Last year, as the Washington Post reported and Apple disclosed in a legal filing, the iPhones of eleven people working for the U.S. government abroad, many of them at its embassy in Uganda, were hacked using Pegasus. NSO Group said that, “following a media inquiry” about the incident, the company “immediately shut down all the customers potentially relevant to this case, due to the severity of the allegations, and even before we began the investigation.” The Biden Administration is investigating additional targeting of U.S. officials, and has launched a review of the threats posed by foreign commercial hacking tools. Administration officials told me that they now plan to take new, aggressive steps. The most significant is “a ban on U.S. government purchase or use of foreign commercial spyware that poses counterintelligence and security risks for the U.S. government or has been improperly used abroad,” Adrienne Watson, a White House spokesperson, said.

In November, the Commerce Department added NSO Group, along with several other spyware makers, to a list of entities blocked from purchasing technology from American companies without a license.

I was with Hulio in New York the next day. NSO could no longer legally buy Windows operating systems, iPhones, Amazon cloud servers—the kinds of products it uses to run its business and build its spyware. “It’s outrageous,” he told me.“We never sold to any country which is not an ally with the U.S., or an ally of Israel. We’ve never sold to any country the U.S. doesn’t do business with.” Deals with foreign clients require “direct written approval from the government of Israel,” Hulio said.

“I think that it is not well understood by American leaders,” Eva Galperin, the director of cybersecurity at the watchdog group Electronic Frontier Foundation, told me. “They keep expecting that the Israeli government will crack down on NSO for this, whereas, in fact, they’re doing the Israeli government’s bidding.” Last month, the Washington Post reported that Israel had blocked Ukraine from purchasing Pegasus, not wanting to alienate Russia. “Everything that we are doing, we got the permission from the government of Israel,” Hulio told me. “The entire mechanism of regulation in Israel was built by the Americans.”

NSO sees itself as a type of arms dealer, operating in a field without established norms. Hulio said, “There is the Geneva Conventions for the use of a weapon. I truly believe that there should be a convention of countries that should agree between themselves on the proper use of such tools” for cyber warfare. In the absence of international regulation, a battle is taking place between private companies: on one side, firms like NSO; on the other, the major technology platforms through which such firms implement their spyware.

On Thursday, May 2, 2019, Claudiu Dan Gheorghe, a software engineer, was working at Building 10 on Facebook’s campus in Menlo Park, where he managed a team of seven people responsible for WhatsApp’s voice- and video-calling infrastructure. Gheorghe, who was born in Romania, is thirty-five, with a slight frame and dark, close-cropped hair. In a photograph he used as a professional head shot during his nine years at Facebook, he wears a black hoodie and looks a little like Elliot Alderson, the protagonist of the hacking drama “Mr. Robot.” Building 10 is a two-story structure with open-plan workspaces, brightly colored accent walls, and whiteboards. Engineers, most of them in their twenties and thirties, hunch over keyboards. The word “focus” is written on a wall and stamped on magnets scattered around the office. “It often felt like a church,” Gheorghe recalled. WhatsApp, which Facebook bought for nineteen billion dollars in 2014, is the world’s most popular messaging application, with about two billion monthly users.

Facebook had presented the platform, which uses end-to-end encryption, as ideal for sensitive communications; now the company’s security team was more than two years into an effort to reinforce the security of its products. One task entailed looking at “signalling messages” automatically sent by WhatsApp users to the company’s servers, in order to initiate calls. That evening, Gheorghe was alerted to an unusual signalling message. A piece of code that was intended to dictate the ringtone contained, instead, code with strange instructions for the recipient’s phone.

In a system as vast as Facebook’s, anomalies were routine, and usually innocuous. Unfamiliar code can stem from an older version of the software, or it can be a stress test by Facebook’s Red Team, which conducts simulated attacks. But, as engineers in Facebook’s international offices awoke and began to scrutinize the code, they grew concerned. Otto Ebeling, who worked on Facebook’s security team in London, told me that the code seemed “polished, slick, which was alarming.” Early on the morning after the message was discovered, Joaquin Moreno Garijo, another member of the London security team, wrote on the company’s internal messaging system that, owing to how sophisticated the code was, “we believe that attacker may have found a vulnerability.” Programmers who work on security issues often describe their work in terms of vulnerabilities and exploits. Ivan Krstić, an engineer at Apple, compared the concept to a heist scene in the film “Ocean’s Twelve,” in which a character dances through a hall filled with lasers that trigger alarms. “In that scene, the vulnerability is that there exists a path through all the lasers, where it’s possible to get across the room,” Krstić said. “But the exploit is that somebody had to be a precise enough dancer to actually be able to do that dance.”

By late Sunday, a group of engineers working on the problem had become convinced that the code was an active exploit, one that was attacking vulnerabilities in their infrastructure as they watched. They could see that data were being copied from users’ phones. “It was scary,” Gheorghe recalled. “Like the world is sort of shaking under you, because you built this thing, and it’s used by so many people, but it has this massive flaw in it.”

The engineers quickly identified ways to block the offending code, but they debated whether to do so. Blocking access would tip off the attackers, and perhaps allow them to erase their tracks before the engineers could make sure that any solution closed all possible avenues of attack. “That would be like chasing ghosts,” Ebeling said. “Made a decision to not roll out the server-side fix,” Andrey Labunets, a WhatsApp security engineer, wrote, in an internal message, “because we don’t understand the root cause the impact for users and other possible attacker numbers / techniques.”