Last year in Hungary, six people discovered their phones had been hacked by NSO group’s Pegasus, after they were tipped off by the Pegasus Project, an investigation by 17 media outlets in different countries. There is no direct evidence the Hungarian government deployed this spyware against local journalists and activists, says Ádám Remport, legal officer for the Hungarian Civil Liberties Union, which is representing hacking victims in a legal case against the state. Instead it’s a case of connecting the dots. “We know that Hungary bought Pegasus. We know these people were in fields that are uncomfortable for the government,” he says, adding the people targeted were journalists and activists who uncovered corruption and Hungary’s connections with Russia. “I think there are no other possible suspects who could have carried out these acts.”
Following revelations about the use of NSO spyware in Hungary and Poland, members of the European Parliament launched a rare inquiry in April, whose focus on Pegasus was so marked that it was called the PEGA committee.
Some in Israel believe the focus on the NSO Group is disproportionate. “There’s a feeling in Israel that a fair part of this is just Israel-bashing, and if it were any other country, there wouldn’t have been nearly as much noise about it,” says Chuck Freilich, a former deputy national security adviser in Israel. “There are companies and other countries that do the exact same or almost exact same thing. They just don’t do it as well.”
The NSO group doesn’t deserve less scrutiny, but other spyware companies do deserve more, says Lookout’s Albrecht. Although victims of other spyware firms are not as well known as Jamal Khashoggi, the Washington Post columnist who was murdered after his phone was hacked with Pegasus, there are signs that other companies enable hacking that would be considered controversial. “We’ve seen indications that RCS Lab spyware is being used within Syria, specifically in what’s known as the Rojava region, the area where the Kurdish minority population primarily is,” he says.
For some, the situation in Greece reinforces the argument that there needs to be industry-wide regulation. “Even if NSO Group closes tomorrow because of all the problems they face today, the situation will be the same if there is no change in the regulation,” says Etienne Maynier, a technologist at Amnesty International’s Security Lab. “The problem is not one bad company. It’s really the legal structure that makes these companies take these decisions.”
Sophie in’t Veld, a Dutch MEP who is the rapporteur in charge of the PEGA committee, is hoping to change that once the EU inquiry is complete next year. “This whole sector should be heavily regulated,” she says, adding she wants to force the sector to be more transparent. “If you try to find out who these companies are, who the people are behind them, and where they are based, it’s impossible.”
What annoys her the most is that Intellexa—the company that sells Cytrox—says on its website that it’s EU regulated. “What the hell does that mean that you are EU regulated?” she says. “Regulated by whom and by what rules?”