- THE NEW YORKER - Ronan Farrow - APR 18, 2022 -
The inside story of the world’s most notorious commercial spyware and the big tech companies waging war against it.
The parliament of Catalonia, the autonomous region in Spain, sits on the edge of Barcelona’s Old City, in the remains of a fortified citadel constructed by King Philip V to monitor the restive local population. The citadel was built with forced labor from hundreds of Catalans, and its remaining structures and gardens are for many a reminder of oppression. Today, a majority of Catalan parliamentarians support independence for the region, which the Spanish government has deemed unconstitutional. In 2017, as Catalonia prepared for a referendum on independence, Spanish police arrested at least twelve separatist politicians. On the day of the referendum, which received the support of ninety per cent of voters despite low turnout, police raids of polling stations injured hundreds of civilians. Leaders of the independence movement, some of whom live in exile across Europe, now meet in private and communicate through encrypted messaging platforms.
One afternoon last month, Jordi Solé, a pro-independence member of the European Parliament, met a digital-security researcher, Elies Campo, in one of the Catalan parliament’s ornate chambers. Solé, who is forty-five and wore a loose-fitting suit, handed over his cell phone, a silver iPhone 8 Plus. He had been getting suspicious texts and wanted to have the device analyzed. Campo, a soft-spoken thirty-eight-year-old with tousled dark hair, was born and raised in Catalonia and supports independence. He spent years working for WhatsApp and Telegram in San Francisco, but recently moved home. “I feel in a way it’s a kind of duty,” Campo told me. He now works as a fellow at the Citizen Lab, a research group based at the University of Toronto that focusses on high-tech human-rights abuses.
Campo collected records of Solé’s phone’s activity, including crashes it had experienced, then ran specialized software to search for spyware designed to operate invisibly. As they waited, Campo looked through the phone for evidence of attacks that take varied forms: some arrive through WhatsApp or as S.M.S. messages that seem to come from known contacts; some require a click on a link, and others operate with no action from the user.
Campo identified an apparent notification from the Spanish government’s social-security agency which used the same format as links to malware that the Citizen Lab had found on other phones. “With this message, we have the proof that at some point you were attacked,” Campo explained. Soon, Solé’s phone vibrated. “This phone tested positive,” the screen read. Campo told Solé, “There’s two confirmed infections,” from June, 2020. “In those days, your device was infected—they took control of it and were on it probably for some hours. Downloading, listening, recording.”
Solé’s phone had been infected with Pegasus, a spyware technology designed by NSO Group, an Israeli firm, which can extract the contents of a phone, giving access to its texts and photographs, or activate its camera and microphone to provide real-time surveillance—exposing, say, confidential meetings. Pegasus is useful for law enforcement seeking criminals, or for authoritarians looking to quash dissent. Solé had been hacked in the weeks before he joined the European Parliament, replacing a colleague who had been imprisoned for pro-independence activities. “There’s been a clear political and judicial persecution of people and elected representatives,” Solé told me, “by using these dirty things, these dirty methodologies.”
In Catalonia, more than sixty phones—owned by Catalan politicians, lawyers, and activists in Spain and across Europe—have been targeted using Pegasus. This is the largest forensically documented cluster of such attacks and infections on record. Among the victims are three members of the European Parliament, including Solé. Catalan politicians believe that the likely perpetrators of the hacking campaign are Spanish officials, and the Citizen Lab’s analysis suggests that the Spanish government has used Pegasus. A former NSO employee confirmed that the company has an account in Spain. (Government agencies did not respond to requests for comment.) The results of the Citizen Lab’s investigation are being disclosed for the first time in this article. I spoke with more than forty of the targeted individuals, and the conversations revealed an atmosphere of paranoia and mistrust. Solé said, “That kind of surveillance in democratic countries and democratic states—I mean, it’s unbelievable.”