John Scott-Railton first came into contact with Pegasus, the spyware developed by the Israeli firm NSO Group, in 2016. After receiving suspicious messages on his phone, Ahmed Mansoor, a prominent human rights advocate and dissident from the United Arab Emirates, sought out The Citizen Lab looking for technical advice and analysis. A test of Mansoor’s phone came back positive for a Pegasus infection.
Scott-Railton is a senior researcher at The Citizen Lab, an interdisciplinary cybersecurity research center at the University of Toronto now specializing in detecting Pegasus, software that seeks to extract all the information stored in phones. He has analyzed hundreds of phones in countries such as Hungary, Poland, India, Saudi Arabia, and Mexico. A month ago, The Citizen Lab published a joint report with the digital rights organization Access Now revealing that 35 people in El Salvador were infected with Pegasus — 22 of them from El Faro.
In this interview with El Faro a month after the report, Scott-Railton notes the Salvadoran government’s lack of interest in looking into the events. “If the government didn’t do it, they should investigate,” he asserts. “If they did, it should be investigated.”
The New York Times Magazine called Pegasus the “crown jewel of the Israeli defense industry” for its unmatched recruitment of elite former Israeli intelligence operatives and the Ministry of Defense’s approval of each sale abroad. Shalev Hulio, CEO of NSO, testified before a U.S. court that the firm only sells to “sovereign states and the intelligence and law enforcement agencies of sovereign states” to combat crime and terrorism. Far to the contrary, Amnesty International considers that the use of Pegasus “facilitates systematic abuses” and human rights violations.
Tensions between the U.S. and Israeli governments over the spyware came to a head in November when Biden’s Commerce Dept. barred NSO from doing business with U.S. suppliers, arguing the company undermines national security and foreign policy interests. In mid-December, House Democrats called on Biden to take an even harder line against NSO by way of Global Magnitsky Act sanctions — a measure to revoke the visas or freeze the assets of human rights abusers.
In November, U.S. tech firm Apple included 11 U.S. Embassy officials in Uganda in warnings to users the company believed had been Pegasus targets. The company also alerted 14 members of El Faro. At least four legislators from Salvadoran President Nayib Bukele’s party claimed on social media that they received the alert from Apple, in an effort to claim that the government was not responsible for the attacks. According to Scott-Railton, though, “it is a common practice for autocrats to monitor their allies and friends.” He adds that, in the course of investigating Pegasus, “we often find evidence of ‘self-targeting’ around alliances, party disputes, and even keeping track of negotiations.”
The case of Pegasus in El Salvador is not the first in Central America. An analyst from Panama’s National Security Council testified that ex-president Ricardo Martinelli (2009 - 2014) secured the spyware in 2012 and used it to keep tabs on dozens of political and business opponents, and even his mistress. The United States refused to sell him spyware, WikiLeaks revealed, but he secured Pegasus in parallel to a series of U.N. votes in support of Israel. Panamanian courts acquitted Martinelli of charges of illegal wiretapping last November.
Scott-Railton says international perceptions of Bukele — especially in cryptocurrency communities — as a forward-thinking leader clashed with the Pegasus revelations. “El Salvador has the opportunity to confront what appear to be current abuses of state power, and instead it appears that the legislature is moving in a different direction, which is to authorize and provide legal cover for more of that power,” he notes. “That’s extremely troubling.”
What international impact did you observe following the Pegasus revelations?
One of the most interesting parts is that communities who don’t usually pay attention to privacy and security paid attention. But what really caught my eye is that some who do care about privacy and security did — namely the crypto community. We found that a range of people from the cryptocurrency world were asking questions and wanted to do news reports about what happened in El Salvador. A lot of the responses took the form of a question: ‘okay, El Salvador is a big cryptocurrency experiment, but is there a darker side? What else is happening?’ That is a really interesting conversation to kick off. We saw a number of cryptocurrency news reports and publications asking whether El Salvador is the right place for this cryptocurrency experiment, because of the authoritarian and autocratic behavior that was being seen.
Pegasus was cause for concern in the crypto community, but the same can’t be said for when Bukele entered the Assembly with the military, or when the Assembly illegally removed the Supreme Court magistrates. Why do you think the Pegasus story resonated?
The crypto community thinks a lot about privacy, security, how to secure assets, and how to use cryptocurrency as a tool for liberation and to resist government overreach. If you juxtapose that with Pegasus, Pegasus is the clearest example of government overreach I can think of. Sadly, the case of El Salvador has this dissonance and is not abstract. It’s not just that journalists and others in El Salvador were targeted with Pegasus. If you, as a cryptocurrency investor, go to El Salvador, there’s a question about whether you might be targeted, too. That makes things very concrete and, I think, concerning for a lot of people.
El Salvador has already confirmed that there is an active system of Pegasus and also your technical report shows that there’s an obsessive target against journalists, but there’s silence from the Government. What does this tell you?
If the government hadn’t done it, they would have made a much greater effort to discredit it or they would say: “look, we'll be transparent. Here’s what we have, here’s what we don’t.” That’s not what we saw in the case of El Salvador, so they come out looking guilty.
In your experience, is it common that the governments ignore this type of investigation?
Different governments take different approaches. What surprised me about El Salvador was that one of two things is happening: either the Bukele administration or some other government was doing this targeting. If it was another government, then that is a clear national security concern. If it was the administration, then there’s a very serious question about whether Salvadorans’ constitutional and civil rights were violated. Clearly, the government doesn't want to address either question. That’s really troubling, given that El Salvador is, on paper, a democracy.
The Attorney General said they’re going to investigate. Did his office try to reach you?
To my knowledge no one from the Salvadoran government has gotten in touch with me or anyone else to ask us more questions. Again, that is concerning given the scope and scale of the abuses that were revealed.
If they want to investigate, would they need to contact Citizen Lab for more information?
I think that would be a natural part of any investigation. That said, our approach and the evidence are pretty clear, and the report that we published was independently validated by Amnesty International. That’s enough to start any kind of investigation. Unless there’s an investigation underway and they haven’t mentioned it, I haven’t seen any signs of it. But, then again, there could be things that I’m just not aware of.
Last week the Legislative Assembly approved reforms to the Penal Code that practically “legalize surveillance”. What are your thoughts about this, especially given that this came weeks after we published the Pegasus story?
There’s an open question: Should Police and security services be technologically enabled to conduct investigations, and should that include very invasive monitoring? One prerequisite in any democracy should be oversight and accountability. The problem in El Salvador appears to be unaccountable use of Pegasus. If the government didn’t do it, they should investigate; if they did do it, it should be investigated. The fact that we don't see strong signs of either of those things is really concerning. And it’s certainly concerning for the use of these tools and technologies. A lot of us would like to see more signs that the government is taking this seriously, rather than creating legal structures that might justify future potential abuses.
Why should civil society and the citizens of El Salvador be concerned about this?
El Salvador has a long, troubled history with the overreaching power of the state and the state’s abuse of technology and training from overseas. The Pegasus case seems to be another chapter in that concerning story and, if indeed it was the Salvadoran government, is a strong signal that many other things are wrong. Pegasus is one technology. We see the abuses in El Salvador. There are other technologies for monitoring, for following people and for tracking them. Most governments have access for some of those other technologies. Salvadorans should ask the question: are these technologies and tactics, such as large-scale telephone tapping, the interception of SMS messages, the tracking of telephones through the cellular network, being deployed against Salvadorans as well? If so, to what end?
After the use of Pegasus is confirmed in a country, how do governments tend to react? Do they also approve reforms to legalize the espionage?
One case happened almost at the same time as El Salvador. This was the targeting of a number of members of Polish civil society and the opposition with Pegasus. What’s interesting is how different the story is there right now. Pegasus has been a national scandal in Poland and the Polish Senate opened a commission of investigation, which has taken testimony, including from myself and my Citizen Lab colleague Bill Marczak, researchers at Amnesty International, and the victims, to try to get to the bottom of what happened. That seems a much more natural chain of events after this kind of discovery in a democracy. It really demands an investigation. The fact that, instead, what we see is a legal project that could potentially provide more authorization or justification for this kind of clearly abusive behavior is deeply troubling.
How many cases did you find in Poland?
Poland has a substantial scandal, but I think we researchers have only confirmed five cases. The most well-known case in Poland was the targeting of a member of Parliament who was leading the 2019 parliamentary elections, during the time that he was leading electoral strategy. Very concerning for the role that this software might be playing in democracy and in Poland more generally. We also saw somebody who had written a critical book about the governing party, a prosecutor who had asked very serious questions about the governing party, a prominent lawyer to very senior Polish politicians, and the leader of an agriculture workers’ movement. None of those people fit the profile that Pegasus is marketed for: to track terrorists and others. Instead, these are people who really seem to represent a threat for the ruling party.
What differences do you see when you compare both cases?
What is especially concerning about the case of El Salvador is that the country has a history of state abuses of power and has the opportunity to confront what appear to be current abuses of state power, and instead it appears that the legislature is moving in a different direction, which is to authorize and provide legal cover for more of that power. That’s extremely troubling.
What type of countries does the Pegasus Project investigate?
The Pegasus Project was led by a consortium of news organizations under the Forbidden Stories collaboration, with the technical support of Amnesty International. We at Citizen Lab did a peer review of the technical methodology. What we have seen as researchers is that many of the Pegasus infections around the world are in dictatorships, but in recent years we’ve discovered more and more cases in democracies, and often in democracies that are on an authoritarian slide. Poland and Hungary are examples. Pegasus is fuel on the authoritarian fire. It grants a state breathtaking and unprecedented access to a person’s world, their history, behavior, things that they’ve said and done, and their relationships. That’s tremendously invasive and is dangerous in a democracy. It’s even more dangerous when that power can be used unaccountably or without oversight.
Were you surprised to find Pegasus in El Salvador?
I was troubled and disappointed. I think many around the world looked at the Bukele experiment from afar and thought, here’s a hip, modern millennial ruler talking about bitcoin, financial freedom, and autonomy. The contrast with our investigation is really dramatic. We found obsessive and intense targeting of journalists and others who have been critical of this administration and had brought scandals to light. That’s a very discordant, troubling contrast.
What happened after? Did more people seek help from you?
Citizen Lab doesn’t typically comment on investigations that are ongoing and that haven’t been published yet, but I can say we remain very interested in the case of El Salvador. Stay tuned.