Spyware like Pegasus is a warning: Digital authoritarianism can happen in democracies, too

Watch the full event

When Szabolcs Panyi discovered he had been targeted by Pegasus spyware, his reaction was understandable: “Well, I freaked out,” the Hungarian journalist said, as he was in the middle of investigating the powerful, Russian-controlled International Investment Bank. He wondered why he had been targeted and how he had installed the malware. “What’s going to happen to my sources?” 

For Panyi and many other journalists in Hungary, it was the first direct evidence of something they had long suspected: That they were being watched by the Viktor Orbán government in Budapest. And they weren’t alone, as was revealed by an extensive coordinated global investigation by journalists and nonprofits.

Carine Kanimba—a dual US-Belgian citizen working to free her father, Paul Rusesabagina, the imprisoned Rwandan activist who inspired the film Hotel Rwanda—was one of the fifty thousand phone surveillance targets revealed in the investigation. Studying the data, Kanimba and Amnesty International discovered that the software had been active during a meeting she had with the Belgian foreign minister. “From the moment I walked in to the moment I walked out, the software was active—not only spying on me, but spying on the [Belgian] government and the other officials I’m interacting with to free my father.”

Kanimba and Panyi spoke Monday at a panel discussion on “Digital Authoritarianism on the Open Market,” hosted by the Atlantic Council’s Digital Forensic Research Lab at this year’s 360/Open Summit in Brussels. Here are some more key takeaways from the conversation. 

The lay of a land in the shadows

  • It’s not just governments known for privacy abuses that are using digital surveillance tools like Pegasus, warned panel moderator Miranda Patrucic, the deputy editor in chief for regional stories and central Asia for the Organized Crime and Corruption Reporting Project: “These tools are open for misuses, not just by different authoritarian governments, but also by democracies worldwide.”
  • State-sponsored digital surveillance is not a new industry, added Donncha Ó Cearbhaill, acting head of Security Lab at Amnesty International. For example, such surveillance tools were used against civil society during the early days of the Arab Spring, and the National Security Agency carried out an illegal spying program in the United States. 
  • Some spy tech programs have been successfully exposed. Milan-based Area Spa was raided by Italian authorities in 2016 after being accused of working with Syria. Munich-based FinFisher was raided by German authorities in 2020 after its tech was used by the Turkish government and others, and has since shut down. 
  • While the tech changes, the targets often stay the same: “The same individuals the states see as a threat are being targeted again and again, by new companies and new software that is getting more and more sophisticated over time,” Cearbhaill said.

What is being done?

  • Panyi and other Hungarian journalists are taking legal action to discover why they were targeted, as well as suing Israeli government officials for approving the sale of Pegasus to Hungary, given its record for cracking down on the media. While he’s not confident they will succeed, Panyi says the goal is to spread awareness. “If a relatively unknown journalist from a small country can become a target, you can imagine what can happen to others,” Panyi said. 
  • France and Israel opened investigations into the NSO Group after the Pegasus Project was published, while the US Department of Commerce added the NSO Group to its Entity List for trade restrictions. Companies responded, too, with Apple suing the NSO Group and Amazon Web Services shutting down infrastructure and accounts linked to the company. WhatsApp now sends notifications to those who may have been exposed to Pegasus software, which has led to new spyware cases discovered in Jordan and El Salvador. “Activists, journalists, we have power. We were able to make a difference, even with tools like that, and obviously we need more support, and more action,” Patrucic said.
  • Still, direct policy action has been limited, outside of a European Union parliamentary inquiry. “Several states, while they are critical of activists in their own countries getting targeted, they have so far been reluctant to put in meaningful regulation on these tools because they also benefit from an open system where they can apply these tools without much transparency,” Cearbhaill said, adding that better export controls would help states and the public track the use of surveillance tech as it is sold across borders.

Trying to protect against surveillance

  • All of the panel speakers have adjusted their behaviors since discovering the surveillance. Kanimba got rid of her surveilled phone only to find tracking on newer devices, too. That’s led her family to somewhat drastic measures when talking about sensitive topics. “Since everyone is frightened, we put all our phones in the microwave,” she said. “I don’t know that it works, but at least it makes everyone feel safe. But unfortunately, there’s no way until there is more work done by our governments.”
  • Panyi has changed the ways he works with sensitive information, especially as his team prepares legal actions, which could be ruined if Hungarian intelligence hacked their communications and shared them with Israel. Teaming with Forbidden Stories, Amnesty International, and large international outlets like the Guardian and the Washington Post gave smaller newsrooms like his some tech and legal cover, Panyi said: “With the PR firm employed by NSO group, or the legal threats, you can imagine what kind of power and money that involves.”
  • Source protection has taken on even greater importance to journalists. Panyi relies more often on “old-school methods” to schedule meetings and gather information, such as using code words and conducting interviews in public spaces. “I’m pretty sure that as technology develops, there are going to be new Pegasuses, but if you just leave your phone behind… I think, relatively, you should be fine.” 

Nick Fouriezos is an Atlanta-based writer with bylines from every US state and six continents. Follow him on Twitter @nick4iezos.

Watch the panel

Further reading