
22 July 2021

Challenging Surveillance as a Service: The NSO Pegasus spyware investigation


Spyware sold by a prominent Israeli surveillance company, called NSO Group, has been implicated in the targeting of world leaders, human rights activists and journalists.

We are actively investigating this with a view to litigation on behalf of a senior MP and a senior human rights lawyer, alongside other individuals who have been potentially affected, including journalists and political activists.

What is The Pegasus Project?

The spyware, called ‘Pegasus’, was purportedly sold for use in law enforcement investigations and counter-terrorism, but it has allegedly been deployed in a far wider range of contexts in a way that may have been unlawful.

Individuals whose phone numbers appear on the leaked client lists have included the Prime Minister of Egypt Mostafa Madbouly, President of France Emmanuel Macron, Princesses Latifa and Haya of the UAE and the family of Jamal Khashoggi. In addition, over 180 journalists appear on the lists and may have been targets.

Amnesty International’s Security Lab and a collaboration of journalists across ten countries, coordinated by the Paris-based non-profit Forbidden Stories (dubbed ‘The Pegasus Project’), investigated a leaked batch of 50,000 telephone numbers. They have reported that potential NSO clients are located in a wide range of jurisdictions including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).

A number of prominent newspapers, including the Washington Post and The Guardian, continue to publish information regarding The Pegasus Project, so the picture is evolving daily.

Cybersecurity aspects

The mechanism of action was either to target the individual with a smishing/phishing attack, tricking them into clicking a malicious link that installed the software, or, alternatively, to exploit a previously unknown vulnerability (a ‘zero day’) in order to carry out an attack that did not require the individual to click on anything at all.

Once the spyware was installed on the phone, it was able to carry out a range of functions, such as activating the camera and microphone and exfiltrating data, including GPS data, emails, calendar items, contacts, photos and videos. It was able to circumvent the encryption of messages in apps such as WhatsApp by accessing them on the device itself. The spyware was capable of compromising the Apple iPhone, which has long been touted for its higher security standards.

Privacy issues

In the UK, individuals targeted by Pegasus spyware have potentially had their privacy rights infringed.

Whilst the jurisdiction in which the organisation deploying the spyware is located may be outside of the UK and/or EEA, the General Data Protection Regulation (GDPR) may nevertheless apply by virtue of Article 3(2)(b), which captures within the extraterritorial scope of the Regulation ‘any monitoring of behaviour’ of data subjects by a controller or processor not established in the UK and/or EEA.

The spyware would infringe a number of the provisions of the GDPR, not least the Data Protection Principles themselves, and would allow the individual to sue for, and potentially claim compensation under, the Regulation and (in the UK) a number of other torts, such as the tort of misuse of private information.

In addition, the matter may engage human rights law, and potentially the criminal law in different jurisdictions. In the UK, the Investigatory Powers Act 2016 sets out a crime of unlawful interception for interceptions which occur without proper authority or consent.

Conclusion

We are actively investigating a potential claim in relation to these issues. Other individuals named by The Pegasus Project or affected by the disclosures may choose to seek recourse in respect of the various privacy and human rights breaches which may have occurred.

In terms of a wider political solution, individuals have long called for export controls on spyware, including the UN special rapporteur on freedom of expression, David Kaye. In addition, Kaye called for a moratorium on the sale of surveillance tools to governments until suitable export controls were in place. Alternatively, a global or regional ban on the production and/or sale of these types of software would be possible, but without coordination by a global body such as the UN, it seems unlikely that this would fully protect individuals anywhere in the world in a global digital era.

If you have been affected by these issues, please contact our Digital Rights team or submit an enquiry.
