Last week, the first legal challenge by journalists against the NSO Group in United States courts was filed over allegations that they were targeted by the company’s Pegasus spyware.
The iPhones of at least 22 El Faro journalists—one of El Salvador’s leading independent investigative journalism media houses—were targeted by 226 Pegasus attacks between June 2020 and November 2021, the petition filed against Pegasus-developer NSO Group alleges. The journalists did not know the attacks were taking place during this time.
“The total losses stemming from the Pegasus attacks—including costs incurred by Plaintiffs as well as those incurred by El Faro—exceeded $5,000 in aggregate during a one-year period,” the petition adds.
Not only was Pegasus’ deployment against the team unlawful, it also violated various provisions of California privacy law, contend the journalists, who seek injunctive and declaratory relief from the court, and compensatory and punitive damages too. NSO Group should also identify, return, and delete the allegedly stolen information, be prohibited from using the spyware against the journalists again, and be required to identify the client ordering their surveillance, add the petitioners.
Why it matters: The El Faro Pegasus attacks are one among many targeting journalists and media organisations across the world, observes the petition. The spyware has allegedly been used by governments against at least 180 journalists from 20 countries. This can impact the quality of hard-hitting investigations on corruption and government inaction, which are often reported thanks to carefully cultivated and protected sources. For example, as data was surreptitiously extracted from these devices, sources communicating with the journalists also grew reticent about sharing information, impacting El Faro’s independent journalism, the petition observes. Human rights activists and political opponents have also been cited in the petition, including the example of “at least three human rights activists in India [who] were surveilled with Pegasus while they were advocating for the release of other imprisoned activists”. The Indian government’s investigations into these allegations are currently ongoing, if at a slow pace.
While the affected journalists are largely based in El Salvador, the case has been filed at the San José division of the Northern District of California court, as the company has “purposefully directed their tortious activities at the State of California” and “have also purposefully availed themselves of the United States, and the State of California in particular”. “For example, for most of the past decade, NSO Group has been principally funded and controlled by California-based companies, including Francisco Partners and Berkeley Research Group,” explains the petition.
Two other lawsuits against the Israel-based NSO Group have already been filed by WhatsApp and Apple at this district court. In the WhatsApp case in 2021, an appeals court rejected the NSO Group’s claim that it is protected under sovereign immunity laws over allegations of hacking 1,400 WhatsApp users. The United States Supreme Court is set to decide on whether to approve the NSO Group’s petition to review this verdict.
Who are the people behind El Faro and how were they allegedly targeted?
What’s El Faro?: El Faro is an El Salvador-based independent digital newspaper. The petition claims that the paper’s investigations on violence, corruption, inequality, and human rights violations have earned it a wide readership in Central America and the United States.
Who are the plaintiffs?: The plaintiffs include El Faro’s Co-founder and Director, Carlos Dada, and 14 of El Faro’s journalists and members.
When was Pegasus used against the Plaintiffs?: The NSO Group and its clients repeatedly attacked the devices of at least 22 of El Faro’s 35-member staff, the petition alleges. Subsequent technical analyses identified 226 such attacks between June 2020 and November 2021 on these devices. At least one of the employees’ devices was infected for each day of October 2020. The devices of four employees were infected for at least twenty days in the same month.
While Citizen Lab was able to confirm data exfiltration from at least 11 of the targeted El Faro devices, the petitioners believe that data (including data stored on the cloud) was exfiltrated from all the targeted devices.
Many attacks took place when the employees were reporting on the Salvadoran government’s abuses, or when communicating with sources including American embassy officials. These attacks intensified when El Faro published major stories, adds the petition.
On a larger scale, the petition alleges that Pegasus was surreptitiously installed on the phones of at least 35 people working in or around El Salvador between June 2020 and November 2021. Individuals attacked included independent journalists, media organisations, and prominent civil society leaders.
How did the alleged attacks impact them?: “The Pegasus attacks have profoundly disrupted Plaintiffs’ lives and work,” observes the petition.
The attacks damaged the devices of El Faro’s employees, while also transmitting sensitive data to the NSO Group and its clients, allege the petitioners. Some reporters have been unable to pursue investigations as they first have to assess which data was stolen, and the subsequent likelihood of the stolen data being exploited.
The attacks also compromised the safety of the employees, their colleagues, sources, and family members. The fallout is that some sources were averse to sharing information with the reporters. This undermines “the security that is a precondition for the independent journalism that El Faro strives to provide its readers, as well as the ability of El Faro’s readers, including those in the United States to obtain independent analysis of events in Central America,” adds the petition.
The plaintiffs also had to spend substantially on protecting their devices from future attacks, ensuring personal safety, and addressing the attacks’ mental and physical health consequences.
How were the devices attacked?: The NSO Group and its clients first created Apple ID accounts to identify vulnerabilities in Apple’s software that could be used to infect the targeted iPhones with Pegasus. “Ordinarily, Apple ID accounts are used by Apple to authenticate its customers when they use Apple services,” the petition drily observes.
Second, the NSO Group and its clients exploited the identified vulnerabilities by infecting the targeted iPhones. They confirmed whether the target was using an iPhone by using the target’s “Apple ID or other information”. Malicious data was then sent to the targeted phone using these specially created IDs, explain the petitioners, adding that this was done by “leveraging the communications between Apple’s services and the targeted iPhone”. The targeted device subsequently retrieved the Pegasus infection through a network of servers operated and/or maintained by the NSO Group and its clients. The infection was caused by “zero-click exploits” called KISMET and FORCEDENTRY—these exploits are designed to work even without user interaction, by making use of existing system vulnerabilities. “In the case of at least FORCEDENTRY, the Pegasus file was stored temporarily, in encrypted form, on one of Apple’s iCloud servers before delivery to a target’s iPhone,” claim the petitioners.
Finally, NSO Group and its clients used command-and-control servers to exploit the infection and control the targeted iPhone, the petitioners allege. Commands include exfiltrating data, enabling location tracking, recording audio, or taking photographs. “If a Pegasus operator extracted authentication keys from an infected iPhone, the operator could use those keys to access and extract data from the targeted individual’s cloud-based accounts,” add the petitioners.
An additional investigation by Amnesty International in July 2021 concluded that the NSO Group and its clients used the above processes—or similar ones—to covertly and remotely compromise all recent versions of Apple’s mobile operating system and iPhone models.
Attacks knowingly violated the Computer Fraud and Abuse Act
The first legal count against the NSO Group alleges that the surreptitious Pegasus attacks knowingly violated provisions of the Computer Fraud and Abuse Act, namely:
- Section 1030(e)(2)(B), as the attacks were carried out against private devices, or “protected computers” that are “used in or affecting interstate or foreign commerce or communication”;
- Section 1030(a)(2)(C) for intentionally accessing a protected computer without authorisation to access information;
- Section 1030(a)(5)(A) for knowingly transmitting a program, information, code, or command that intentionally causes unauthorised damage to a protected computer;
- Section 1030(a)(5)(B) for causing reckless damage by intentionally accessing a protected computer without authorisation;
- Section 1030(a)(5)(C) for causing damages and loss by these actions;
- Section 1030(b) for conspiring to commit these offences.
Attacks knowingly violated the California Comprehensive Computer Data Access and Fraud Act
The second legal count against the NSO Group alleges that the surreptitious Pegasus attacks knowingly violated provisions of the California Comprehensive Computer Data Access and Fraud Act, namely:
- Section 502(c)(1) for knowingly and without permission accessing the iPhones and damaging, altering, or using the devices to wrongfully control and extract data from them;
- Section 502(c)(2) for knowingly taking, copying, and using the extracted data of the journalists without permission;
- Section 502(c)(3) for knowingly accessing and unauthorisedly using, or causing to be used, the journalists’ computer services;
- Section 502(c)(4) for knowingly and unauthorisedly accessing, adding, and altering software and computer programs on the devices;
- Section 502(c)(6) for knowingly providing a means of accessing the journalists’ devices and cloud-based accounts in violation of the Act;
- Section 502(c)(7) for knowingly and unauthorisedly accessing and causing to be accessed the journalists’ devices and accounts;
- Section 502(c)(8) for knowingly introducing a “computer contaminant” on the devices.
Attack trespasses on journalists’ property
The third legal count against the NSO Group alleges that its actions amount to a “trespass to chattels”—this is a type of harm where the defendant intentionally interferes with the petitioner’s chattel, or property. The petitioners argue that:
- The journalists had “a possessory interest in and exclusive right” to use their iPhones as part of their work with El Faro;
- The NSO Group’s actions intentionally and unauthorisedly interfered with this possessory interest, and with the information stored on the iPhones;
- These actions intentionally and unauthorisedly damaged the iPhones themselves. They disabled certain iOS features, infected the phones, and enabled the operators to issue commands to extract data without the journalists’ consent, argue the petitioners. This also made the devices less valuable “as tools for private communication and computing”;
- The journalists suffered substantial harms as a result of these actions. The devices’ value deteriorated, they incurred costs in investigating and remediating the attacks, lost professional goodwill, and incurred medical expenses and emotional distress.
Attack intrudes upon reasonable privacy expectations
The final legal count against the NSO Group alleges that its actions amount to an “intrusion upon seclusion”—or when someone intentionally intrudes on another’s solitude or seclusion through physical or electronic surveillance. To prove such a claim, the petitioners must be able to prove that the intrusion is intentional and without authorisation, is offensive to a reasonable person, intruded on a private matter, and caused mental anguish or suffering. The El Faro journalists make their case by stating:
- The journalists had a reasonable expectation of privacy—their iPhones were password-protected and contained private information;
- The NSO Group’s actions of surreptitious surveillance are “highly offensive” to a reasonable person;
- These actions caused substantial harm to the journalists, as described above.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.