Spanish Spy Chief Fired After Civil Society Groups Expose Agency’s Use of NSO Group Surveillance Software to Spy on Catalan Independence Movement

Citizen Lab, a research group at the University of Toronto that studies digital threats to civil society, discovered that at least 65 people linked to the Catalan pro-independence movement were targeted or infected with Pegasus spyware made by the NSO Group between 2017-2020. This scandal has led to the firing of Paz Esteban, Spain’s spy chief.

"It's an unjustifiable disgrace. An extremely serious attack on fundamental rights and democracy." – Pere Aragones, Catalan leader

Background

NSO Group Technologies (NSO) is a software company based in Herzeliya, Israeli, that was founded in 2010. It is best known for its ‘Pegasus’ spyware which can hack into smartphone operating systems such as Android, iOS (Apple) or Blackberry, through either ‘zero-click’ text messages (the spyware can gain access to the phone without the owner clicking on links) or vulnerabilities in the system (by clicking on a link sent via iMessage or SMS). NSO  claims that it sells this software solely to governments for the purpose of combating crime and terror.

WhatsApp

In 2019, NSO used a vulnerability in WhatsApp which allowed attackers to gain access to phones simply by ringing the phone’s number. WhatsApp notified the 1,400 users that were targeted by the spyware and later fixed the vulnerability. Citizen Lab along with other civil society organizations launched a large-scale investigation into Pegasus hacking in Spain. WhatsApp filed a lawsuit against NSO in October 2019 in a California court.

Apple Lawsuit

In November 2021 Apple also filed a lawsuit against NSO and its parent company (Q Cyber Technologies) in California for targeting Apple users with spyware. Apple is also seeking to ban NSO from using any Apple software, services or devices.

Which countries use the spyware?

NSO doesn’t disclose its clients but based on Citizen Lab’s extensive research, it is reported that there are 45 countries where Pegasus is being used for surveillance. There are at least 6 countries that have been linked to the abusive use of the spyware against civil society.

Examples

Mexico – used Pegasus against journalists and political dissidents.

Rwanda – used Pegasus to spy on the Rwanda National Congress (RNC) opposition party.

Saudi Arabia – used Pegasus against women’s rights activists and allegedly to spy on Jamal Khashoggi, a Saudi Arabian journalist who was later assassinated. 

United Arab Emirates – used Pegasus to hack into the phones of jailed activists

“These individuals and organisations appear to have been targeted solely as a result of their criticism of governments that utilised the spyware or because of their work bearing on human rights issues of political sensitivity to those governments. Thus, this targeting is in violation of internationally recognised human rights.” – Amnesty International

Company response

“NSO continues to be targeted by a number of politically motivated advocacy organisations like Citizen Labs and Amnesty to produce inaccurate and unsubstantiated reports based on vague and incomplete information. We have repeatedly cooperated with governmental investigations, where credible allegations merit. However, information raised regarding these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”

This is #17 in our series of Instagram infographics on resistance against corporate power.

Click here to see the full post on Instagram.