With few exceptions, spying on the data on cell phones remains a scandal that demands urgent consequences — from us individually, the Pegasus manufacturer NSO, and the EU, says Martin Muno.
Hacking into electronic devices and spying on data is nothing new but the Pegasus cyber attack has taken it to the next level
It sounds like something out of a science fiction dystopia: In many countries, intelligence agencies and police authorities are using the Pegasus spy program to monitor journalists, lawyers and opposition activists.
"Pegasus" is a Trojan that turns cellphones into data zombies — emails, encrypted messenger messages and calendar entries can be read; the microphone and camera can be switched on unnoticed.
The attack does not even have to come via an infected email or website but can also be triggered via manipulated cell towers. This means that even prudent users have no chance of protecting their data. Pegasus is thus an effective and cruel cyberweapon that, according to current findings, was also used in connection with the murder of Saudi journalist Jamal Khashoggi in the fall of 2018.
The manufacturer of the software, the Israeli cyber intelligence NSO Group, claims to sell it only to verified government agencies and exclusively for the purpose of fighting terrorism and crime. But we know from painful experience that it is not only in dictatorships where the line to illegal surveillance becomes blurred.
The whole thing is scandalous— but doesn't really come as a surprise. Since the revelations by Edward Snowden, we have known how great the hunger for data is even among democratically legitimized intelligence services — for example, when the US intelligence service NSA spied on the cell phone of German Chancellor Angela Merkel for years without being detected.
Pegasus attacks on iPhones are also nothing new. As early as five years ago, the iOS operating systems of Apple phones had security vulnerabilities that allowed Pegasus to tap into data. Apple needed several updates to close the gap — which permanently damaged the company's security reputation.
Nothing new, then, but scary nonetheless because this is apparently also about murder, imprisonment and intimidation. There should be three consequences from the Pegasus revelations — one for each and every one of us, one for NSO Group, and one for the European Union.
The first is simple: We should all be aware that our data stored on mobile devicesare only partially secure, even when encrypted. What is meant for our eyes only does not belong on a cell phone — from intimate videos to confidential information. And we should be skeptical when our governments justify the need for more and more state Trojans with the fight against crime, as it recently happened in Germany.
The second consequence concerns the Pegasus manufacturer NSO, which — as is unfortunately common practice in such cases — washes its hands of the matter. Anyone who provides spy software to authoritarian governments such as those in Belarus or Saudi Arabia is complicit in human rights violations up to and including murder. This would then also be a case for the Israeli prosecution. Or the government, which would regulate the export of the software more rigorously.
Finally, the EU must step up. Viktor Orban's Hungarian government initially waited 24 hours without addressing the allegations of using Pegasus against reporters. Then Foreign Minister Peter Szijjarto merely ruled out the possibility that the civilian intelligence service he oversees — one of five Hungarian intelligence agencies — had used the software.
A real denial looks different. If it transpires that Hungary is bullying the press in this way, then the country has no place in the EU. Then action is needed, not just words of warning. Because then — finally — sanctions must be imposed to wipe the smile off Orban's face as he pockets EU funds while trampling all over democratic values at the same time. It's time for Commission President Ursula von der Leyen to act decisively.
This piece has been translated from German.