A new investigation revealed that Saudi Arabia allegedly used the NSO Group’s Pegasus spyware to hack into the phones of slain journalist Jamal Khashoggi’s friends and family before and after his death.
In 2018, Khashoggi was reportedly killed by Saudi agents while at the Saudi consulate in Istanbul, where he was attempting to pick up documents needed to marry his Turkish fiancée, Hatice Cengiz. Saudi Crown Prince Mohammed bin Salman, a U.S. intelligence report found, green-lighted the murder.
Soon after his death, Khashoggi’s friend and fellow Saudi dissident Omar Abdulaziz accused the Saudi government of spying on him, using Pegasus technology—military-grade spyware that grants the user access not just to all data on a cellphone but also to its microphone and camera, allowing remote surveillance of anywhere the phone is taken. According to Abdulaziz and his lawyers, information gathered in this manner contributed to the Saudi administration’s decision to have Khashoggi killed.
At the time, the NSO Group—an Israeli surveillance company—denied that its technology was involved in the murder of Khashoggi, citing an internal investigation. It also temporarily canceled its contracts with Saudi Arabia, resuming work with the kingdom in 2019 after the company was bought by a new private equity firm.
However, according to data leaked to Amnesty International and the subsequent investigation—named The Pegasus Project, helmed by Amnesty International’s tech division and Forbidden Stories—Pegasus spyware was used by Saudi Arabia in order to spy on Khashoggi’s friends and family.
According to the investigation’s findings, multiple attempts were made to install the spyware on the phone belonging to his wife, Hanan Elatr, prior to Khashoggi’s death. It remains unclear whether these attempts were actually successful, however, because Pegasus is designed to be extremely difficult to detect and because Android devices don’t log the type of data that would have allowed Amnesty International to definitively detect it. Amnesty International found that the phone belonging to Khashoggi’s fiancée, on the other hand, was infected with Pegasus spyware just four days after Khashoggi’s death.
According to the data leak, other friends and family of Khashoggi, including his son, Abdullah, and Turkey President Recep Tayyip Erdoğan’s aide, Yasin Aktay, were also targeted with Pegasus spyware before and after Khashoggi’s death. According to the Guardian’s Stephanie Kirchgaessner, one of the journalists who worked on The Pegasus Project, this demonstrates how the Saudi government wasn’t just monitoring the campaign spearheaded by Khashoggi’s friends and family to seek justice for his killing, but it also attempted “to spy on the official Turkish inquiry into his murder.”
NSO Group reportedly maintains that its technology is not in any way connected to Khashoggi’s murder, saying in a statment: “As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi. We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in your inquiry. We previously investigated this claim, which again, is being made without validation.”
It also disputed all the findings of the investigation, claiming to The Pegasus Project: “NSO Group firmly denies false claims made in your report, many of which are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.”
“NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products,” it continued.
It also denied responsibility for anything done with its technology by any of its clients while asserting that if they were to become aware of any human rights abuses, they would revoke that client’s access to the technology.
“NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems,” it said to The Pegasus Project.
For many, especially experts in cybersecurity, the alleged misuse of the technology goes far beyond the Khashoggi case and into a matter of fundamental human rights. The ease with which repressive governments can use such technology to monitor and shut down dissent of any kind has many, including Amnesty International, calling for an international ban on the sale and use of digital surveillance technology “until this company and the industry as a whole can show it is capable of respecting human rights”
NSO Group, meanwhile, reportedly claims its software is an essential part of making the world safer.
“The fact is NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings. The technologies are also being used every day to break up paedophilia, sex- and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones,” it reporedtly said. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”
Of the other governments contacted by The Pegasus Project about their alleged use of Pegasus technology to spy on journalists, activists, and other civilians, only Morocco, Hungary, Rwanda, and India responded. Rwanda and Morocco denied the allegation, with Rwanda stating it does not have access to Pegasus or similar spyware. India issued a lengthy denial, accusing the investigation of attempting “to malign Indian democracy and its institutions.” Hungary, meanwhile, emphasized its status as a democracy and implied that non-Western countries were being unfairly singled out by the investigation.