It has been revealed that UK government officials have been infected with the NSO Group's Pegasus spyware, which can activate a phone’s camera or microphone and harvest its data.
This includes both the Prime Minister’s Office and the Foreign and Commonwealth Office, involving personnel in many countries, and devices located abroad and using foreign SIM cards, according to Amnesty International’s latest investigation.
At the same time, the Citizen Lab has found evidence, corroborated by Amnesty’s Tech Lab, of the extensive use of Pegasus and Candiru spyware against Catalans.
In this case, the targets include members of the European Parliament, Catalan presidents, legislators, jurists and members of civil society organisations.
The latest scandal comes as the European Parliament has voted to investigate abuses of Pegasus by European member states.
“The Pegasus revelations laid bare how the surveillance industry is out of control, unaccountable and unconstrained,” said Likhita Banerji, technology and human rights researcher at Amnesty International.
Publicising these abuses is part of an international collaboration between Amnesty and media organisations in 10 countries to highlight how phones are being weaponised against individuals.
Amnesty believes that the unlawful use of targeted surveillance technologies against journalists and other members of civil society has caused a digital surveillance crisis.
“It has exposed how current regulatory tools are not fit for purpose and stronger spyware regulation and urgent accountability are needed,” Banerji told Information Age.
Spyware delivered with ease
The most recent discoveries provide more evidence of the rise in spyware that’s delivered through zero-click attacks.
While WhatsApp has been found to be used, it’s not the only means.
Zero-click attacks don’t require any action by the user and can be delivered through messaging apps, while the target is viewing a PDF or email, or through Wi-Fi vulnerabilities.
These attacks can exploit zero-day vulnerabilities, known exploits that remain unpatched, or attack vectors discovered and exploited before the developer can address them.
The rise in zero-click attacks driven by the growing use of surveillance software and the range of people targeted — company executives, investigative journalists, activists, politicians and world leaders — has heightened the concern among human rights groups.
It’s prompted Amnesty International, alongside UN experts and civil society partners, to call for a global moratorium on surveillance technology and demand a proper regulatory framework.
“States need to implement a regulatory framework that at its core protects human rights,” Banerji told Information Age.
The groups want to limit the export of spyware where there’s a high risk it will be used to violate human rights, or to countries with inadequate safeguards to prevent this.
“States need to scrutinise human rights risks prior to transfer as part of the licensing assessment for surveillance technologies,” Banerji said.
Amnesty and its partner organisations also want to see far more scrutiny around this kind of software, believing it’s operating without adequate scrutiny.
As Banerji explained: “We need to see transparency regarding the volume, nature, value, destination and end-user countries of surveillance transfers; for example, by publishing annual reports on imports and exports of surveillance technologies.”
“For too long, the surveillance industry has been able to operate in the shadows, avoiding accountability and perpetuating human rights violations,” she added.