A new generation of spywares, similar to the Pegasus hacking software, that can infect gadgets through zero-click operations is the latest in threats to reporters and global press freedom, the Committee to Protect Journalists said in a report published on Thursday.
A zero-click operation does not require any interaction from the phone’s owner for it to succeed. Such operations often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that manufacturer of mobile phone’s does not yet know about and therefore has not been able to fix.
Pegasus infections, which allow operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras, can be achieved through zero-click attacks too.
“Targets need not open a link or download an attachment,” the CPJ report authored by journalist Fred Guterl said on Thursday. “All it takes to pierce the phone’s defenses is an unanswered call or an invisible text message.”
The CPJ said that it found fear of surveillance not only impacts journalists but also their sources, who fear their conversations with reporters could expose them to retribution from authorities.
Several journalists told the non-profit that they are concerned not only about their personal safety but also about their friends and family who may be targeted along with them.
“The awareness that any journalist could be tapped without their knowledge has created profound feelings of powerlessness that could prompt many to leave the profession – or not enter it to begin with,” the CPJ said.
John Scott Railton, a senior researcher at the University of Toronto’s Citizen Lab, told CPJ that besides actual physical violence, threats imparted digitally are also on a rise against journalists.
“The damage by tools like Pegasus is contributing to the rise in violence,” he told the CPJ.
The Pegasus spyware is licensed to governments around the world by the Israeli cyber intelligence company NSO Group. The company insists that it sells its software only to “vetted governments” with good human-rights records and that Pegasus is intended to target criminals.
In July 2021, a story about Pegasus being used by governments around the world to snoop on critics was broken in July by a consortium of international media organisations.
The exposes had shown that the military-grade spyware had been used for unauthorised surveillance of Opposition leaders, activists and journalists. In India, The Wire had reported that 161 Indians were spied on using Pegasus. The Indian government has denied the allegations.
How Pegasus works
It inserts itself into the smartphones and gives the infiltrator access to its microphone and camera, any files or photos stored on the phone, any network connections, contact information, message and browsing histories, passwords, email accounts, recordings and so forth. The purchaser can hear conversations – even ones that take place over encrypted messaging apps like Signal – all without owners knowing that their phones have been turned into instruments of surveillance.
The report stated that the revelations about spyware in India had taken fears of surveillance to new levels.
“We would not talk [about sensitive stories] on the phone,” Ajoy Ashirwad Mahaprashasta, political editor at The Wire, told the CPJ. “Even when we were meeting, we kept our phones in a separate room. Although regular editorial meetings are held through Google Meet, sensitive stories are discussed in person.”
Swati Chaturvedi, an independent journalist whose name appeared in the Pegasus target list, said that her immediate concern following the revelations was protecting her sources.
“In Delhi, everyone I know who is in a position of power no longer talks on normal calls,” Chaturvedi told the CPJ.
‘Governments and global institutions have to step in’
Noting that it is difficult for individuals to defend themselves against spyware, the Committee to Protect Journalists said it was upon governments and global institutions to play a role to mitigate the crisis.
“Surveillance technology – and the demand for it – is unlikely to disappear,” the non-profit organisation said. “The challenge now is for governments and rights advocates to find ways to regulate the industry and prevent their products from being used as a tool to abuse freedom of speech and other rights.
The CPJ also called for a moratorium on the sale, use, and transfer of surveillance tools till regulations that respect human rights are implemented.
It also suggested framing an internationally regulated treaty that sales of spyware only to signatory governments that pledge to obey the rules of spyware use.
“The challenge now is whether legislators and rights advocates can craft an effective global combination of laws, regulations, awareness, and technological solutions to prevent abuse of surveillance technology – and whether they can do it before journalists’ ability to do their jobs is irreparably damaged by the threats to their safety and sources,” it said.