© Welt, 2 August 2021, Berlin
By Angela Richter
We do not know how many phones are infected with the Pegasus surveillance software or whether the manufacturer knew who was being targeted. Cryptography expert Jacob Appelbaum knows how difficult it is to protect yourself - and that even obvious measures can be tricky.
In 2012, Julian Assange prophesied in his book "Cypherpunks" that global civilization would slide into a postmodern surveillance nightmare within a few years. Investigative journalist Jacob Appelbaum, who is currently doing research on applied cryptography at the Eindhoven University of Technology, was one of Assange's co-authors at the time and had already worked with Wikileaks.
Jacob Appelbaum was later involved in the analysis of the machinations of the American National Security Agency (NSA) revealed by Edward Snowden.
Are the revelations that are now reaching us via the Pegasus spy program, its buyers and the people it spied on, comparable to those of Assange and Snowden? And how is the Pegasus project, a group of media companies and Amnesty International, handling the leaked material? They are not entirely exemplary, says Appelbaum.
Wikileaks veteran Jacob Appelbaum: "Every nation-state will eventually have a modern intelligence service."
Source: PA/ dpa
WELT: Mr. Appelbaum, let's start with the simplest question: Where do the leaked phone numbers from the Pegasus project come from?
Jacob Appelbaum: There are different stories around. But it sounds like the origin is in Cyprus. But it is unclear what that means. The list is supposed to contain 50,000 telephone numbers.
WELT: Why do we know so little about Pegasus and the leak despite the enormous media coverage?
Appelbaum: The people from the Pegasus project are extremely secretive about the details. The chose to behave quite differently from Wikileaks, where everything would have been disclosed transparently. This is quite frustrating when we assume that the NSO group is doing something fundamentally wrong, yet they remain protected.
WELT: What exactly are you criticizing about the Pegasus project?
Appelbaum: I find it shocking that they have all of these phone numbers and that everything being reported is about famous people who are affected. What about all of those on the list who might not be famous? Most of the Pegasus victims will probably never find out that they have been monitored.
WELT: How could you do it better?
Appelbaum: For example, you could set up a website where anyone can enter their phone number and be notified when it is in the data set.
WELT: Why hasn't that happened?
Appelbaum: One reason for this could be that Amnesty International is involved. Amnesty is very careful to protect its brand as a human rights organization. Amnesty cannot run the risk of inadvertently using the information to provide an advantage to a "rogue state" or "bad guy". It has nothing to do with morality. It's just pragmatism.
Then there is the Forbidden Stories group from France, the media company that coordinated these stories, according to the BBC. It basically played the role that Wikileaks has taken on in similar cases. Apparently it somehow got access to that list. Then it coordinated all media partners and Amnesty. My impression is that these are people who are afraid of going "a little too far". If someone passed this list to me, I wouldn't hesitate for a second to publish it. And if Julian ...
WELT: ... Julian Assange ...
Appelbaum: ... if he were free, he would do the same.
WELT: Such an approach would be risky, wouldn't it?
Appelbaum: Before doing that, you would of course have to make sure that everyone on the list is notified or identified. And that is a hell of a job! But the problem is, the NSO group could send out an update to everyone on the list in the meantime.
WELT: What would the NSO group do that for?
Appelbaum: You could remotely delete data on the phones in order to cover up forensic traces.
WELT: And how do you prevent that?
Appelbaum: It would be important to back up the data first. That means you have to write to every single person on the list: "Hi! We're from Amnesty International. We believe your phone has been compromised by the NSO group. We're going to make this public, but we need you to secure the evidence. Please write down this URL, fill out the form, turn your phone off and don't turn it back on until we've analyzed it." Something like that. And then you get 50,000 phones to analyze. Okay, that's a lot of work, but you see, this is the only approach that guarantees that all 50,000 people will be informed and that no evidence will be destroyed. As I understand it, that didn't happen.
WELT: How is the Pegasus project going instead?
Appelbaum: I saw some data that indicated that they were only going through the phone numbers one by one. Each research team does its own research on the list. They look for phone numbers they know and see if they appear in the list. And when they hit, they say: "Hey, look, this is the Princess of Dubai!"
WELT: What I have not understood so far: Is the NSO group itself directly involved in the espionage or not?
Appelbaum: That is an interesting question. The NSO group said that Pegasus was like a car and that it was just like the manufacturers that sell cars. If someone steals a car or has an accident while drunk, that's their problem. You won't hold the automaker accountable, will you?
WELT: How do you judge that?
Appelbaum: That's a pretty poor comparison. The NSO Group takes no responsibility for how their product is used. But it also claims that customers only target 100 people on average, there is no list of 50,000 people, and so on. At the same time, it insists that it has no insight into what people its customers target. But if they know that there are only 100 targets per customer, that begs the question of how they know that. Ed Snowden's analogy is far more accurate. He said that an entire IT sector -- the Israeli company NSO is just one example of many -- offers a single product: software exploits, i.e. viruses.
WELT: Snowden says this company doesn't offer vaccination for the virus it is spreading.
Appelbaum: If the NSO Group knows that 100 people are being targeted by a customer, then that suggests that they have more insight into their customers' targets than they claim. Someone has a server, enters your phone number and presses a button to control your phone. If that's successful, your phone will connect to what is the command and control infrastructure that may be operated by the NSO group. Or operated by the customers themselves. It is a little unclear how this is set up - it sounds like the NSO group is involved, but of course they are not completely transparent about it. So we don't really know. Neither do we know where this list of 50,000 phone numbers came from. What we do know is that the NSO group is making a lot of money from it and that there are a lot of unanswered questions.
WELT: So is the NSO group to be held responsible for the actual espionage or not?
Appelbaum: Well, if the NSO group hadn't developed Pegasus, there would be no espionage at all through this software. So it starts and ends with the NSO group, no matter what exactly they are doing or not. For example, it looks like American and Israeli phone numbers are exempt from monitoring by the Pegasus software, and those phone numbers just don't work. Apart from that, there do not seem to be any precautionary measures on the part of the NSO, for example, to prevent a head of state like the French president from being monitored. While the NSO claims that human rights lawyers and journalists are off-limits, as far as I can tell, they haven't designed the technology to allow human rights defenders and journalists to register their number with the NSO so they don't get targeted. However, there are likely to be user guides for customers that explain what to do - for example, how to get destination email addresses and phone numbers, and so on. And then, when you have it, put it in the NSO software. So the NSO group has to train people. Directly or indirectly, ultimately the NSO Group's business model is espionage.
WELT: How do you assess the extent and the importance of the Pegasus leak? Is that comparable to the Snowden leaks about the machinations of the American National Security Agency (NSA)?
Appelbaum: Well, I would rather compare it to the Panama Papers. Snowden showed us how secret services around the world work together and spy on us. We understand mass surveillance very differently now than we did before Snowden's revelations. The Pegasus and NSO revelations are perhaps comparable to the Panama Papers in the sense of saying, "We have this incredible data set, and we've studied it, here's the story!" As with the Panama Papers, you don't get to see the original documents, because that would let you form your own impressions and do your own research.
WELT: Was that possible with the Snowden Leaks?
Appelbaum: We really tried to make sure you could do just that. It was very important for Laura Poitras, Glenn Greenwald, myself and others involved that everyone could understand what the NSA was doing. Anyone who wanted to had a look at the documents, the journalistic research and the conversations with the sources. The evidence was indisputable, even to the governments themselves. And when they tried to lie, we immediately released a document that exposed the lie. It was very different from what I see with the Pegasus leak. What I see is that Amnesty has a good name, as does some of the media that are involved. And they have very good technical people at Amnesty who really know what they are doing and they are transparent with their analysis. In this respect, the procedure is better than with the Panama Papers. Amnesty has even developed tools that you can use to check your own devices to see whether or not they have been infected by the NSO software. This is an important step.
WELT: You and Julian Assange warned against mass surveillance beforehand, how did you proceed?
Appelbaum: The Pegasus leak is perhaps best comparable to the Wikileaks Spyfiles publications. About ten years ago we all got together and worked to look at the multi-billion dollar private espionage companies. We brought the Wall Street Journal on board and worked with a number of different media partners. One of my favorite jobs was going to surveillance shows where forerunners of the NSO group sold their wares. I had sales pitches with them, as a potential customer, so I gathered all kinds of information. The Pegasus leaks do not go as far as the Snowden leaks. The matter has geopolitical aspects that are comparable. But right now everyone is beating up on the NSO. It's especially easy because there is so much aversion to Israel right now. But the reality is: What the NSO group does is no different from what the US company Verint does and many others.
It's no different from what the NSA and CIA are doing. If anything, one major difference is that the NSO group does not disguise itself as a hostile secret service, for example, trying to blame the Russians or the Chinese, as the US military and secret services do, as Wikileaks revealed in the Vault 7 leak. After all, NSO stands behind its work.
WELT: There are already art exhibitions on Pegasus, your friend Laura Poitras has already worked through the story artistically. Why is there so much coverage now?
Appelbaum: In the Snowden era, the tenor in the West was: even if these guys break rules and go a little too far, they're still the good guys, it's our guys! I think there is a geopolitical element now at NSO: Basically, the Israelis don't have the same level of geopolitical support. Attention to the case also reflects a shift in the discourse on Israel and Palestine. It would be possible to neutralize the NSO group in the West. For example, the software could be declared illegal in all NATO countries. Then you could put pressure on Israel not to sell to non-NATO countries. Or you could do the opposite and say that the NSO group is only allowed to sell to NATO countries, nowhere else. I suspect part of what is going on has to do with the fact that there is little reluctance to criticize the state in which these people live and work. When the Snowden thing came out, there were people who said mass surveillance was against international law. But there was also the other side who said, well, you know, these tools are used by legitimate authorities. I now observe that in the case of Israel, the velvet gloves are coming off. Then there is also the fact that these are not just any 50,000 people on the list. That's 50,000 of the most interesting people in the world combined with data about their lives! So that's a whole story that journalists can tell if they find out who these people are.
WELT: A former NSA spokeswoman says in the "Guardian" podcast that bin Laden could have been prevented with such software. What do you think?
Appelbaum: That's a joke. We know the NSA had bin Laden's satellite phone number. At least since the 1990s. With that, they could easily have found his location. To claim they could have prevented "9/11" if only had these particularly powerful tools is a completely misleading statement. A classic NSA statement. What they really mean is: If we had this tool and a time machine! And that's a lie too. For example, during the Snowden Affair, we found out that the NSA had compromised the phones of the people involved in the Mumbai bombing that killed over 300 people. Before the bombing took place! And then they didn't tip off Indian intelligence that they had compromised the terrorists' phones. So why didn't they stop that?
They didn't want to reveal that they had these technical capabilities -- and 300 people died! I got involved when ProPublica and the New York Times made a story about it. In essence, my conclusion is: The claim that the mere existence of such technical possibilities would prevent such things from happening is a lie. Just because the NSA knows an attack is going to happen doesn't mean they will prevent it. Mumbai proved that.
WELT: That makes it very difficult to trust the statements of the NSA ...
Appelbaum: You don't trust them because aren't transparent and they won't just say, "Look, there were times when people's phones were compromised and we didn't want to reveal our technical capabilities, so we made a decision." That would be a level of honesty that the NSA simply cannot muster. If they did, one could understand what their values are and how their decision-making process actually works. Which means that they sometimes let people die in terrorist attacks in order to keep their skills a secret. This is not so different from the British during WWII, who knew that Coventry was going to be bombed. But if they had admitted that they knew, then the Nazis would have known that their cryptosystem, the Enigma system, had been cracked. And so they had to let the city get bombed. That is my understanding of Coventry history. And it's basically the same decision-making basis that you can see in the Mumbai bombing.
WELT: Speaking of capabilities: When the Snowden Leaks came out and I did some research, I was at the Telekom Security Summit in Bonn. Mainly politicians and CEOs attended, and they were very concerned about these technical possibilities of the NSA that they now had earned about. There was concern that they might fall into hands of the wrong people, the criminals or "rogue states." The whole summit revolved around this problem. Do you think these fears were justified?
Appelbaum: I recently heard a story. It's about a book that supposedly offers some kind of guide - everything you need to know to set up your own intelligence service. In one country where it was published, all copies were destroyed. It was written by a person who was the founder of an intelligence agency in a European country. If you have the blueprint for a modern day intelligence service, this is pretty easy to do on the right budget. Dubai, for example, is seen as an incredible spy state these days because it just hired a bunch of former NSA people, a bunch of European academics, and really talented hackers. And they gave them a whole truck full of money and said, "Build everything we need for us." They did that too.
WELT: Is it conceivable that the German government is in possession of Pegasus? Or something like that?
Appelbaum: In contrast to traditional military equipment such as tanks, espionage software is comparatively cheap and also infinitely scalable. That changes the purchasing behavior of states. If I buy a tank, it costs me a lot and I can only use it in one place at a time. If I buy spy software, I can use it everywhere at the same time. So imagine - perhaps for the price of a very small tank - you could compromise any phone across the country with just a few clicks. You gain immense electronic warfare capabilities and control over every single person who enters the country. These countries buy several of these things. There's a whole market for it. For example, I've heard of a Southeast Asian country that made such a calculation: Are we going to buy two tanks and a jet or a tank and software like that? There is nothing to think about.
WELT: And Germany does that too?
Appelbaum: My guess is that Germany buys from German or European companies and works with other secret services. For example, the CIA and the BND have worked together. And a lot of things will be offered on the open market through various channels. That's when German laws and regulations really come into play. Ultimately, the time will come when many governments will have these capabilities even if they don't have the technical knowledge just because they have a dump-truck full of money. It's a growth industry.
WELT: Is the only way to be safe really not to use a smartphone?
Appelbaum: When using off-the-shelf consumer devices like an iPhone or Android phone, keep in mind that they are very easy to compromise and it's extremely difficult to find out if they have been compromised. It's a pretty scary world out there. The real problem, however, is that tools like Pegasus will outgrow smartphones the more devices people have in the house. You know, the same type of malware also exists on laptops. If you look at a modern MacBook, an interesting feature is that the lid electronically turns off the microphone when you fold it down. Even if the computer is infected, it cannot be used as a bug once it is closed. That's what Apple says. It doesn't take a lot of imagination to think about what's possible on smart home assistants like Alexa.
WELT: Is that also possible with telephones?
Appelbaum: You can listen to the microphone or other devices. That's why I usually disassemble the phone and remove the microphones and speakers. And when I want to make a call, I plug in a headset with an external microphone, which is what I've done now. But that can't protect the call we're on if my phone is compromised by some crazy, well-funded secret service or company. Then the fact that I removed the microphones doesn't matter because ultimately they want to listen to the calls. But you can at least withhold the room sounds from them. If you are targeted by people spending millions of dollars on electronic warfare, you are better off using the old John le Carré trick: face-to-face meetings. Don't take a cell phone with you. Be careful with all of your communications. It is possible to live without a cell phone. But it remains tricky. Because if you get rid of your phones, you might be the only one in your village doing that. And then they just bug your house instead.
WELT: It's a real dilemma.
Appelbaum: Everyone has to make an individual assessment of what they are worried about. If you take a look at our bugged planet, there are websites like buggedplanet.info run by a friend of ours, where you can see the surveillance capabilities in different countries. But at some point this surveillance map will show the whole world. Every nation state will have a modern secret service at some point. They will have electronic warfare software and there will be free versions of these tools online. So all you have to do is pay a few computer nerds to join in. At some point, literally every country in the world will have a department that deals with these kinds of things. And if they can get your iPhone number or iCloud ID, they can just target your phone. And with zero technical knowledge - just type in the phone number, press a button, and the phone is a bug! This is something that used to take a lot of technical skill. Not any longer longer.
WELT: We also owe this knowledge to the Pegasus project.
Appelbaum: The people involved seem to have done a really good job. Well, there are a few quibbles such as why the list is not public, what the exact source is, and what the data looks like. But what really matters is that they verified that the data is authentic. That's the most important. And it would be nice if they took such a transparent approach as Wikileaks. I'm really sad that Julian is in jail. He would probably take a similar point of view. You know, giving people access to this data would add a whole different dimension to the problem. But other than that, I think they did and will continue to do a really good job. And I think the Amnesty technical team should continue to be supported in their work. Amnesty should have the best forensic tools on the planet. They should have a program for human rights defenders who are targeted so they can call and analyze their phones. It's important to understand this industry.
Amnesty's technical team has done very important work. Nonetheless, we shouldn't forget that it was Julian Assange who, with the Spyfiles publications, uncovered the surveillance industry and its political use and began this type of research on a large scale.
WELT: Is malware like NSO group distributes illegal everywhere?
Appelbaum: It can be legal in one country and illegal in another to use these tools. But it's not really about legal and illegal. If they target the president of France, it's espionage. It's not a question of terrorism to be prevented. It's just spying. And that means that we as journalists are not obliged to remain silent about it.
WELT: Who can put a stop to the activities of NSO and Co.?
Appelbaum: Apple has a great responsibility here, just like Google. These companies have the resources and the know-how to put a whole team of engineers to work on solving the problem. There is enough budget for that, it would be easy for them. But if they do, it will likely end up with an NSA or other intelligence agent infiltrating their company to build backdoors into their code. This is the game that is being played right now. We know that from the Snowden files: CIA, NSA and other groups send people into companies to do bad things on behalf of these secret services. As I said, it's not just about the NSO group. Apple could just spend a few million dollars in engineering time on this problem. You wouldn't solve all of the problems in the process. But they would make it much more difficult and much more expensive, the whole dynamic of the espionage industry would be affected. But, you know, they're not going to do this because it's not really in their best interest. These companies also rely on the benevolence of governments to sell their products and act accordingly. In China, for example, iCloud is completely visible to the government. So the question is whether the big tech companies everywhere are doing a good job protecting their customers' data, or whether they are making dodgy deals similar to this one with the Chinese government using our data. This is where we really have to watch the public pressure build up. From this point of view, the NSO group is in a way only taking advantage of the market that companies like Apple have created.
[Rendered in English by Google Translate with minor revisions.]