Spying in the digital age: The use of spyware against journalists

Spyware and freedom of expression

Encryption is a valuable tool for freedom of expression online. It allows journalists, lawyers, human rights activists, and citizens to communicate securely. In recent years however, journalists around the world have experienced increasing digital surveillance, despite encryption becoming more accessible. In particular, investigative journalists uncovering corruption, abuse of power, and human rights violations are victims of rampant surveillance and often illegal collection and abuse of personal data. Governments and private actors are using software – or more accurately: spyware or cyberweapons – to penetrate encrypted, confidential information. This puts journalists, along with their sources, and even their families and friends, at great risk.

Sophisticated spyware like Pegasus, designed by the Israeli surveillance film NSO Group, is marketed to governments as a digital tool that enables security forces to fight crime. Some governments have introduced legislation expressly authorising the use of spyware under the guise of protecting national security and public safety. This means that laws providing for the protection of sources could be trumped by national security legislation. Other governments have also adopted compulsory data retention laws that require third party intermediaries such as telecommunications companies and internet service providers to keep hold of data and metadata for inspection and analysis.

The spyware

Pegasus is the most discussed spyware tool, but it is one of many. The numbers of similar cyber-surveillance tools are growing in an area that is unregulated. Spyware companies such as Hacking Team, FinFisher, NSO Group, and Cyberbit Solutions, among others, have designed products that monitor the activity of a device, such as a phone or laptop, without its user’s knowledge. Each spyware product has varying functions. Generally, once it permeates a device, the spyware has access to passwords, accounts, calls, emails, geolocation data, and even encrypted communications. Some spyware can also activate the device’s camera and microphone. The spyware is usually installed onto a device by tricking the user into clicking on a link or attachment of a message or email. Pegasus can also be installed remotely, for example by simply calling a target device, without any action from the user.

In 2021, it was revealed that thousands of journalists, politicians, and activists around the world were targeted with Pegasus. The Pegasus Project, a special investigation into the NSO Group, has shown that a lack of oversight and safeguards has meant that governments were able to abuse spyware to monitor journalists. The recent UNESCO World Trends in Freedom of Expression and Media Development: Global Report 2021/2022 highlights how hacking and surveillance targets journalists for doing their work.

What rights are being violated?

The use of spyware against journalists has the potential to violate a wide array of human rights, and it impacts journalists in a very personal way. Spyware most obviously violates the right to privacy. It also affects the right to freedom of expression, and even freedom of thought. Surveillance also impairs journalists’, activists’ and politicians’ right to freedom of association.

Importantly, the use of spyware has a deleterious impact on the protection of journalistic sources. Journalists who have been targeted by spyware are being forced to take drastic measures to keep their sources anonymous. For example, when speaking on the phone they might do so in coded language. Journalists don’t mention people’s names and are wary to save people’s numbers on their phones. They might avoid writing emails or text messages about where or what time they will meet their sources. Some journalists have also reported that they no longer go to the places they used to visit before they were victims of spyware. Others have said they are losing contact with their sources altogether, as the sources are unwilling to come forward for fear of their identity being revealed. In such cases, journalists no longer have access to crucial public interest information.

Additionally, journalists have a right to data protection; a right that is arguably heightened for journalists engaged in public interest work. They should be informed about the collection and use of their personal data. Governments and regional bodies have developed data protection laws over the last decade, but these are inadequate in some cases to protect people’s data. With the rapid growth in data harvesting, governments are facing challenges with resource constraints and delayed implementation. In some states, legislators are behind in fully protecting and promoting data privacy and data protection.

Furthermore, governments have a duty not to carry out intrusive surveillance. They also have a positive obligation to provide a remedy for those who have been targeted by spyware. Governments have a positive obligation to provide a favourable environment for the press to operate in. Currently, law enforcement agencies are often unequipped or unwilling to carry out investigations into allegations of government surveillance. The lack of investigation and accountability can thus violate journalists’ rights to access justice, as well as their rights to an effective remedy.

Recent cases: journalists targeted by spyware

Greece:

In April 2022, it was revealed that Thanasis Koukakis had his phone hacked by the spyware Predator. Koukakis is a financial editor for CNN Greece, as well as a contributor to other international media outlets.  The hacking took place between July and September 2021, when Koukakis was investigating topics including money laundering and corruption. The Greek government has denied any involvement in the surveillance. Instead, the government suggested that a private actor was to blame.

It has also become apparent that the Greek National Intelligence Service (EYP) itself carried out surveillance on Koukakis in 2020, purportedly for national security reasons. Koukakis asked the Greek Authority Ensuring the Confidentiality of Communications (ADAE) to confirm that his phone had indeed been hacked. He did not receive a response until a year later. In the meantime, the Greek government passed an amendment preventing the ADAE from informing citizens in cases where they are being monitored for national security purposes. The response that Koukakis did receive was inconclusive. Several press freedom organisations have called on the Greek government to provide clarity on the issue, and to strictly regulate the use of Predator and similar spyware technologies.

Jordan:

Suhair Jaradat is a freelance columnist for several media outlets, and serves on the Executive Committee of the International Federation of Journalists (IFJ). Additionally, she is a trainer specialised in investigative reporting. She was also one of four Jordanian human rights defenders targeted by Pegasus spyware in 2021. Jaradat writes commentary about Jordanian politics, and is at times critical of the authorities in her writing. Front Line Defenders and Citizen Lab informed Jaradat that her devices had been targeted by spyware. They also informed her that agencies affiliated with the Jordanian government were likely behind the surveillance. The Jordanian National Cyber Security Center has denied any government involvement.

This case is part of a wider trend in the rise of surveillance technologies in the Middle East, where some governments are taking advantage of the legal gap and the fragile rule of law. Journalists are unable to rely on a regional mechanism to hold their government to account for surveillance-related abuses in circumstances where the domestic legal framework offers them inadequate protection.

El Salvador:

El Faro is an independent media organisation in El Salvador. It is also one of several media outlets targeted by Pegasus spyware. Forensic researchers identified “the strong country-specific focus of the infections”, which suggests it is very likely that the hacks came from El Salvador’s government. The government has denied any association with Pegasus. Nayib Bukele, who is the president of El Salvador, has had an increasingly hostile attitude towards independent media in the country. Media workers have suffered physical threats and violent language. At El Faro alone, researchers found spyware infections on the mobile phones of 22 employees. Editor-in-Chief Oscar Martinez’ phone was infiltrated at least 42 times over a period of 17 months between 2020 and 2021. During this period, El Faro reporters wrote extensively about sensitive issues involving Nayib Bukele’s administration, including a scandal involving the government’s negotiation of an agreement with organised crime syndicates.

Since March 2022 – following a wave of killings attributed to criminal gangs – El Salvador has been in a state of emergency. The authorities have used this state of emergency to approve an increased budget to intercept communications. A new law created ‘covert digital agents’. As a result, journalists are losing sources to tell stories about the recent increases in human rights violations, including arbitrary detentions.

Hungary:

The deterioration of Hungary’s media landscape has been well documented by human rights organisations in recent years. Prime Minister Viktor Orban has gained control of the country’s media in a manner unprecedented in EU countries. Hungary’s laws around surveillance are extremely broad: they enable the state to spy on almost anyone on grounds of national security.

Several Hungarian journalists were targeted by Pegasus. Journalist Panyi, who works for the non-profit investigative journalism centre Direkt36, was one of the victims. He states that he is particularly worried about the infringement of his source protection rights. Representing numerous journalists, the Hungarian Civil Liberties Union (HCLU) is in the process of launching legal action against Hungary before the European Court of Human Rights. It is also pressing for an investigation of the NSO Group – Pegasus’ developer – in Israel.

The law and current standards governing surveillance

Given the lack of regulation and oversight of spyware, strategic litigation is an effective means to protect journalists’ rights in this area. Litigating cases involving surveillance can present challenges, but legal standards have been developed in international law over the past couple of years. International courts such as the European Court of Human Rights and the Inter-American Court of Human Rights have set legal precedents that impose safeguards and limits to surveillance.

In Zakharov v. Russia (2015) the European Court of Human Rights ruled that Russia’s laws governing surveillance did not provide adequate safeguards against abuse by state agents and others. The judgment held that citizens should be made aware of surveillance legislation that can be used against them. It also reiterated that the scope and duration of surveillance should be targeted and necessary in a democratic society, and it must not be excessive. The Court additionally considered that to carry out surveillance, law enforcement should receive judicial authorisation. Moreover, the Court criticised the data retention regime in Russia, finding that automatically storing irrelevant data for six months could not be considered justified under Article 8: the right to privacy. Lastly, it stated that there is a need for an independent body to oversee the implementation of such surveillance.

More recently, the European Court of Human Rights defined 8 key criteria relevant to surveillance in Big Brother Watch v. UK (2021). Namely, it considered that the following issues should be evaluated when determining the legality of surveillance: the grounds and circumstances of the surveillance; the authorisation and data handling procedure; the duration of the spying; the supervision by an independent authority; and procedures for independent review in hindsight.

Similarly, in AmaBhungane Centre for Investigative Journalism v. South Africa (2021), South Africa’s Constitutional Court ruled that South Africa’s regulations around surveillance did not provide sufficient safeguards to protect privacy. The Court also accepted the argument that journalists and lawyers fall into a special category for which additional safeguards are necessary.

Our role

Media Defence has been following Pegasus and other spyware cases closely. We are working with a number of other civil society organisations and media lawyers to compile evidence to support journalists who have become victims of spyware in Europe, Africa, and the Americas. Currently, we are working on cases before domestic courts. Our aim is to bring those cases to interregional bodies such as the ECtHR and the IACHR, so that further precedent can be set to protect the rights of journalists who are victims of these intrusive cyberweapons.

Our resources on surveillance

Media Defence has put together an extensive Training Resource Hub containing a series of summary modules on the right to Privacy, Security and Data Protection in the African context. The modules provide an overview of the right to privacy, how data protection has evolved as a concept in recent years, and ways to protect privacy and freedom of expression in an increasingly digital world. Laws around cybercrimes and national security – frequently cited as justifications for infringing privacy and limiting freedom of expression by journalists – are also included in the modules.

For our factsheet on spyware and digital surveillance, see here. It includes a summary of the ten widely recognised principles to limit the harm that surveillance regimes may cause. These principles provide a framework aiming uphold fundamental rights and, ideally, are to be read together with domestic legislation that would sufficiently restrict digital interception.

In May 2022 Media Defence hosted a UNESCO World Press Freedom Day panel about litigation and accountability for Pegasus surveillance against journalists. Journalists affected by Pegasus and experts on the topic took part in the discussion. A video of the panel is available to watch here.

Conclusion

Spyware is a tool of transnational oppression. Targeting journalists across the world with the use of cyberweapons creates fear. It silences journalists and diminishes public trust in digital communications platforms – undermining the right to freedom of expression. Governments need to work together to put regulations in place, ensuring that spyware technologies comply with international human rights standards. They need to develop legal frameworks that require surveillance technology companies to conduct effective human rights due diligence. Moreover, judicial accountability mechanisms need to be put in place to provide justice and reparation to victims of these intrusive cyberweapons and their negative human rights impacts. Unless states introduce such regulations, cyberweapons will continue to have a chilling effect on freedom of expression – and other rights – globally.

If you are a journalist in need of support as a result of your reporting, please click here.