Academics are among the alleged targets of Pegasus spy software

More than a dozen academics from five countries are on lists of approximately 50,000 phone numbers that were mostly targeted by some 11 governments allegedly using Israeli company NSO Group’s powerful Pegasus software to spy.

The countries believed to be customers of NSO are Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo and the United Arab Emirates.

The data were released on 18 July by a consortium of 17 news outlets coordinated by the Forbidden Stories platform, in collaboration with Amnesty International’s Security Lab.

NSO has indicated that the software is intended for use against criminals and terrorists and is made available only to military, law enforcement and intelligence agencies from countries with good human rights records.

While the governments of Rwanda, Morocco, India and Hungary denied having used Pegasus to hack the phones of the individuals named in the list, the remaining countries did not respond.

Known as Pegasus, the malware infects both iPhones and Android devices, and allows operators to surreptitiously siphon off locations, messages, photos, and even unannounced calls or visual recordings via secretly activated microphones and cameras.

Academics on the list

Besides journalists, politicians and activists, the potential target list of Pegasus software includes 13 academics from Azerbaijan (one), India (six), Hungary (two), Mexico (two) and Saudi Arabia (two).

Examples are Hany Babu, an associate professor of linguistics at Delhi University, Madawi Al-Rasheed, a Saudi Arabian visiting professor in the Middle East Centre of the London School of Economics and Political Science, Attila Chikán, a Hungarian economist, former minister of the economy of Hungary and professor at Corvinus University of Budapest, and John Mill Ackerman Rose, a United States-born, naturalised Mexican professor of constitutional law in the law school of the National Autonomous University of Mexico.

Also on the list is Azzam Tamimi, a Palestinian-British academic and political activist who was one of the last people to see his friend Jamal Khashoggi in London before his murder.

Another is Gagandeep Kang, a professor of microbiology at the Christian Medical College in Vellore and, for four years until 2020, executive director of the Indian government’s Translational Health Science Technology Institute in Faridabad.

After her name appeared on the list, Kang reportedly told India Today: “I have no clue why anyone would be interested in anything I do. I study diarrhoea, which I think is important, but few other people even in healthcare are interested in it.”

African list

Among the detected 50,000 phone numbers, 13,000 phone numbers were targeted using Pegasus software by three African countries, namely Morocco, Rwanda and Togo.

The African list includes more than 3,500 Rwandan phone numbers, around 10,000 Moroccan phone numbers and more than 300 Togolese phone numbers.

Some of the phone numbers belong to academics.

Examples include David Ekoué Dosseh, a professor of surgery at a Togolese university, Etienne Mutabazi, a Rwandan lawyer and researcher, and Aboubakr Jamai, a Moroccan journalist and academic who is now dean of the School of Business and International Relations at the Institut Américain Universitaire in the south of France.

Academic freedom

Dr Birgit Schreiber, a member of the Africa Centre for Transregional Research at Freiburg University in Germany, told University World News: “This Pegasus threat to the academic community is so new that – perhaps – we have not yet thought about what it means when we as researchers and academics are potentially always observed.

“If we don’t have safe spaces to think and explore with impunity, then this might negatively affect our academic and research work,” added Schreiber, who is also vice president of the International Association of Student Affairs and Services.

“Part of innovation is doing and thinking and exploring with impunity, that is, within the safety of private and personal spaces – when this is no longer possible, it has an impact on the kinds of ideas generated by free thought.”

Professor Goski Alabi, president of the Laweh Open University College in Ghana’s capital, Accra, told University World News: “Irrespective of the original intended purposes of Pegasus, it is an affront and attack on academic freedom and an infringement of the basic human right to privacy.

“This software can be considered a weapon against freedom of thought and speech and an invasion of privacy,” Alabi said. “It is a criminal weapon and needs global action against it in no uncertain terms.

“On the other hand, those who have been affected can bring a class action against the company that developed the software and those who installed it on the various communication devices of the individuals affected,” she pointed out.

Protecting the academic community

Natalia Krapiva is tech legal counsel at Access Now, an NGO that “defends and extends the digital rights of users at risk around the world”. It was born out of the 2009 Iranian election, when technologists stepped in to help millions of protesting Iranians after the government blocked internet access, censored content and undermined online security.

She told University World News: “Pegasus, like other ‘zero-click’ spyware, is extremely difficult to protect yourself from because it does not require a user to perform any action or click on any link for it to be installed.”

For example, it could be installed simply by placing a call to the target device, even if the call is not answered. “So, this is something that is, unfortunately, hard to prevent,” Krapiva said.

“However, there are good digital security practices that academics and anyone else can follow to try to protect their sensitive information as much as possible, even if 100% security can never be guaranteed.”

One precaution, for example, is not to store all data and communication on only one device and to separate work data from personal data.

“Using encrypted communication, two-factor authentication and strong passwords is also very important and, while it may not protect against Pegasus, it may protect users from other types of attacks,” Krapiva indicated.

Many digital security guides exist for surveillance defence, such as ‘Surveillance Self-Defense’ by EFF or ‘Security Planner’ by Consumer Reports.

“Members of civil society can also contact Access Now’s Digital Security Helpline to get direct digital security assistance,” said Krapiva.

“Universities must also invest in digital security specialists and robust digital security infrastructure to protect their staff from being targeted by Pegasus software or similar software.”

Staff members in university IT departments are not always equipped to handle advanced digital security threats.

“Not all universities may be at risk of being targeted by state actors but, depending on the country, the profile of the university and their staff and students, universities should consider investing in appropriate digital security prevention and response,” she said.

Krapiva concluded: “To prevent countries using Pegasus software against academics, among others, Access Now and a coalition of human rights organisations published on 27 July a call for a moratorium on the sale, transfer and use of surveillance technologies such as Pegasus and outlined a set of recommendations for states.”