subtitlecat.com

All language subtitles for Surveilled

Afrikaans

Akan

Albanian

Amharic

Arabic

Armenian

Azerbaijani

Basque

Belarusian

Bemba

Bengali

Bihari

Bosnian

Breton

Bulgarian

Cambodian

Catalan

Cebuano

Cherokee

Chichewa

Chinese (Simplified)

Chinese (Traditional)

Corsican

Croatian

Czech

Danish

Dutch

English Download

Esperanto

Estonian

Ewe

Faroese

Filipino

Finnish

French Download

Frisian

Galician

Georgian

German

Greek

Guarani

Gujarati

Haitian Creole

Hausa

Hawaiian

Hebrew

Hindi

Hmong

Hungarian

Icelandic

Igbo

Indonesian

Interlingua

Irish

Italian

Japanese

Javanese

Kannada

Kazakh

Kinyarwanda

Kirundi

Kongo

Korean

Krio (Sierra Leone)

Kurdish

Kurdish (Soranî)

Kyrgyz

Laothian

Latin

Latvian

Lingala

Lithuanian

Lozi

Luganda

Luo

Luxembourgish

Macedonian

Malagasy

Malay

Malayalam

Maltese

Maori

Marathi

Mauritian Creole

Moldavian

Mongolian

Myanmar (Burmese)

Montenegrin

Nepali

Nigerian Pidgin

Northern Sotho

Norwegian

Norwegian (Nynorsk)

Occitan

Oriya

Oromo

Pashto

Persian

Polish

Portuguese (Brazil)

Portuguese (Portugal)

Punjabi

Quechua

Romanian

Romansh

Runyakitara

Russian

Samoan

Scots Gaelic

Serbian

Serbo-Croatian

Sesotho

Setswana

Seychellois Creole

Shona

Sindhi

Sinhalese

Slovak

Slovenian

Somali

Spanish

Spanish (Latin American)

Sundanese

Swahili

Swedish

Tajik

Tamil

Tatar

Telugu

Thai

Tigrinya

Tonga

Tshiluba

Tumbuka

Turkish

Turkmen

Twi

Uighur

Ukrainian

Urdu

Uzbek

Vietnamese

Welsh

Wolof

Xhosa

Yiddish

Yoruba

Zulu

Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:32,323 --> 00:00:36,452 So, you have agreed to talk, but you want to make sure 2 00:00:36,453 --> 00:00:37,828 your face isn't shown 3 00:00:37,829 --> 00:00:39,371 and your voice isn't identifiable. 4 00:00:39,372 --> 00:00:42,334 We'll make sure that you're protected in those ways. 5 00:00:43,376 --> 00:00:45,210 So you're hacking these phones. 6 00:00:45,211 --> 00:00:46,920 What kinds of reactions did you get? 7 00:00:50,633 --> 00:00:54,220 What was the pitch that you were offering these governments? 8 00:01:08,735 --> 00:01:12,029 What should the average citizen, in any country in the world, 9 00:01:12,030 --> 00:01:14,657 know about this company and this technology? 10 00:01:17,869 --> 00:01:19,371 Should people be concerned? 11 00:01:37,347 --> 00:01:38,639 The software Pegasus 12 00:01:38,640 --> 00:01:41,392 is perhaps the most notorious spyware 13 00:01:41,393 --> 00:01:42,851 in the world. 14 00:01:42,852 --> 00:01:44,269 It allows law enforcement officials 15 00:01:44,270 --> 00:01:45,979 or government authorities 16 00:01:45,980 --> 00:01:49,400 to secretly hack into a target's smartphone. 17 00:01:49,401 --> 00:01:53,153 And that gains you access to photos, videos, messages... 18 00:01:53,154 --> 00:01:55,114 Pegasus can also remotely control 19 00:01:55,115 --> 00:01:57,241 a phone's microphone and camera, 20 00:01:57,242 --> 00:01:59,868 all without any indication at all 21 00:01:59,869 --> 00:02:01,537 that a hack has occurred. 22 00:02:01,538 --> 00:02:04,540 New Yorker contributor Ronan Farrow has a new piece out 23 00:02:04,541 --> 00:02:06,792 about Pegasus and the company that makes it. 24 00:02:06,793 --> 00:02:09,420 So, Ronan, let's just begin from the beginning. 25 00:02:09,421 --> 00:02:12,381 What drew you to this story above all other stories? 26 00:02:12,382 --> 00:02:16,552 Well, as you know, I tangled with some old-school 27 00:02:16,553 --> 00:02:20,597 private investigation tactics, uh, and surveillance. 28 00:02:20,598 --> 00:02:23,517 And we reported on that in the magazine. 29 00:02:23,518 --> 00:02:26,603 I had worked on a series of investigative stories 30 00:02:26,604 --> 00:02:29,941 that pissed off people with a lot of resources. 31 00:02:30,358 --> 00:02:33,193 Some of what they threw at me was traditional: 32 00:02:33,194 --> 00:02:35,946 on-the-ground spies following me around. 33 00:02:35,947 --> 00:02:40,743 But there was also this digital surveillance I ran into, like, 34 00:02:40,744 --> 00:02:44,956 those spies used my phone's GPS data to track me. 35 00:02:45,290 --> 00:02:50,377 I realized that the bleeding edge of surveillance 36 00:02:50,378 --> 00:02:52,421 is these digital tools, 37 00:02:52,422 --> 00:02:55,966 and that they are getting way more powerful. 38 00:02:58,928 --> 00:03:02,222 The most advanced spyware can turn your smartphone 39 00:03:02,223 --> 00:03:04,433 into a spy in your pocket. 40 00:03:04,434 --> 00:03:05,684 It can copy everything, 41 00:03:05,685 --> 00:03:08,729 your photos, your texts, your emails, 42 00:03:08,730 --> 00:03:10,689 even if you're using encrypted apps. 43 00:03:10,690 --> 00:03:13,609 It can turn on your camera, your microphone, 44 00:03:13,610 --> 00:03:16,988 it can record you without you ever knowing... 45 00:03:17,405 --> 00:03:20,742 And then just... disappear without a trace. 46 00:03:23,661 --> 00:03:26,288 Private commercial spyware companies 47 00:03:26,289 --> 00:03:29,625 are selling these tools mostly to governments. 48 00:03:29,626 --> 00:03:33,045 It's a booming, multi-billion-dollar industry. 49 00:03:33,046 --> 00:03:35,464 And a war is being waged 50 00:03:35,465 --> 00:03:37,926 over the future of this technology. 51 00:03:39,469 --> 00:03:41,345 See, to infect your phone, 52 00:03:41,346 --> 00:03:43,931 spyware has to go through the apps on it. 53 00:03:43,932 --> 00:03:47,518 So the Silicon Valley companies that control those apps, 54 00:03:47,519 --> 00:03:49,978 they're in this battle to defend themselves 55 00:03:49,979 --> 00:03:52,816 against incoming digital fire. 56 00:03:54,859 --> 00:03:56,360 In May of 2019, 57 00:03:56,361 --> 00:03:59,613 engineers at WhatsApp discovered suspicious code 58 00:03:59,614 --> 00:04:03,409 hidden within the instructions that get sent to their servers 59 00:04:03,410 --> 00:04:04,952 to initiate calls. 60 00:04:04,953 --> 00:04:07,329 At the time, Claudiu Gheorghe 61 00:04:07,330 --> 00:04:09,164 was the lead engineer responsible 62 00:04:09,165 --> 00:04:12,085 for WhatsApp voice and video calling. 63 00:04:12,711 --> 00:04:15,546 You were really on the front lines of this hack. 64 00:04:15,547 --> 00:04:17,673 What was on the line for you 65 00:04:17,674 --> 00:04:21,844 as you launched into this crisis? 66 00:04:21,845 --> 00:04:24,346 I felt directly responsible, um, 67 00:04:24,347 --> 00:04:27,850 because it's a product that I built from scratch. 68 00:04:27,851 --> 00:04:29,351 Someone had found a hole 69 00:04:29,352 --> 00:04:31,478 in, essentially, your work, right? 70 00:04:31,479 --> 00:04:33,939 Yeah, and that was really personal. 71 00:04:33,940 --> 00:04:36,191 I was really motivated to fix it. 72 00:04:36,192 --> 00:04:40,446 And not just to fix it. I think what was really important to me, 73 00:04:40,447 --> 00:04:44,533 um, starting that day, was understanding the attack. 74 00:04:44,534 --> 00:04:48,162 So, when you're setting up WhatsApp calls, 75 00:04:48,163 --> 00:04:51,457 there's routine messages that go back and forth 76 00:04:51,458 --> 00:04:54,794 between the user and your servers, 77 00:04:55,211 --> 00:04:57,963 and in one of these messages... 78 00:04:57,964 --> 00:04:59,506 there was something weird. 79 00:04:59,507 --> 00:05:02,426 At that point, it wasn't clear that this is 80 00:05:02,427 --> 00:05:04,470 something intentional. 81 00:05:04,471 --> 00:05:07,264 However, what we ended up finding 82 00:05:07,265 --> 00:05:09,391 was actually the tip of the iceberg. 83 00:05:09,392 --> 00:05:11,727 At what point was there, kind of, a first, 84 00:05:11,728 --> 00:05:14,855 all-hands-on-deck, emergency meeting about this? 85 00:05:14,856 --> 00:05:18,317 The first meeting that I had was maybe around 10:00 a.m. 86 00:05:18,318 --> 00:05:19,818 with the security team. 87 00:05:19,819 --> 00:05:21,904 Everything was on fire at that point, 88 00:05:21,905 --> 00:05:23,907 and on high alert status. 89 00:05:27,035 --> 00:05:28,744 It took just over a week 90 00:05:28,745 --> 00:05:30,871 for WhatsApp to patch its servers 91 00:05:30,872 --> 00:05:33,999 and release an update for the app, blocking the attacks. 92 00:05:34,000 --> 00:05:35,417 Then they went public, 93 00:05:35,418 --> 00:05:38,921 announcing that at least 1,400 WhatsApp users 94 00:05:38,922 --> 00:05:41,256 had been targeted with commercial spyware 95 00:05:41,257 --> 00:05:44,636 made by the Israeli company NSO Group. 96 00:05:45,136 --> 00:05:49,473 WhatsApp is urging its one and a half billion users 97 00:05:49,474 --> 00:05:52,434 to update the app right now. 98 00:05:52,435 --> 00:05:54,353 NSO Group has been accused 99 00:05:54,354 --> 00:05:56,146 of being responsible for the hack. 100 00:05:56,147 --> 00:05:57,315 They deny it. 101 00:05:57,691 --> 00:06:00,984 NSO is the most infamous vendor 102 00:06:00,985 --> 00:06:02,736 in the growing spyware market. 103 00:06:02,737 --> 00:06:05,906 The company says it developed its Pegasus spyware 104 00:06:05,907 --> 00:06:08,867 to help governments fight crime and terrorism. 105 00:06:08,868 --> 00:06:11,870 Famously, it's been reported that it was used to capture 106 00:06:11,871 --> 00:06:15,749 Mexican drug lord, Joaquin "El Chapo" Guzmán. 107 00:06:15,750 --> 00:06:18,669 But there have also been years of allegations 108 00:06:18,670 --> 00:06:22,131 that Pegasus has been used to target journalists, 109 00:06:22,132 --> 00:06:25,844 human rights activists, and political dissidents. 110 00:06:26,177 --> 00:06:28,387 Royalty and heads of state are some 111 00:06:28,388 --> 00:06:30,514 of the 50,000 people around the world 112 00:06:30,515 --> 00:06:32,766 who may have had their smartphones hacked. 113 00:06:32,767 --> 00:06:34,351 That's according to a new report 114 00:06:34,352 --> 00:06:36,855 by 17 media organizations. 115 00:06:37,188 --> 00:06:40,524 An investigation published Sunday in the Washington Post 116 00:06:40,525 --> 00:06:42,818 says the spyware at play is called Pegasus 117 00:06:42,819 --> 00:06:46,488 and was licensed to governments by a private Israeli tech firm. 118 00:06:46,489 --> 00:06:48,824 It was used to track and target 119 00:06:48,825 --> 00:06:51,035 Saudi journalist Jamal Khashoggi, 120 00:06:51,036 --> 00:06:52,327 who was critical 121 00:06:52,328 --> 00:06:54,580 of Crown Prince Mohammed bin Salman. 122 00:06:54,581 --> 00:06:57,291 It was at the Saudi consulate in Istanbul 123 00:06:57,292 --> 00:06:59,960 that Jamal Khashoggi met his brutal end. 124 00:06:59,961 --> 00:07:02,212 He was strangled as soon as he entered the building 125 00:07:02,213 --> 00:07:04,506 by a team of Saudi assassins, 126 00:07:04,507 --> 00:07:06,508 who then dismembered his body. 127 00:07:06,509 --> 00:07:08,218 I can guarantee to you, 128 00:07:08,219 --> 00:07:10,554 our technology was not used 129 00:07:10,555 --> 00:07:13,349 on Jamal Khashoggi or his relatives. 130 00:07:13,350 --> 00:07:15,559 In November 2021, 131 00:07:15,560 --> 00:07:17,353 I was reporting on all of this 132 00:07:17,354 --> 00:07:19,563 and trying to get answers out of NSO 133 00:07:19,564 --> 00:07:22,733 and its chief executive, Shalev Hulio. 134 00:07:22,734 --> 00:07:25,861 That's when the Biden administration placed NSO 135 00:07:25,862 --> 00:07:29,031 on a Commerce Department blacklist. 136 00:07:29,032 --> 00:07:31,784 NSO's inclusion on the U.S. blacklist 137 00:07:31,785 --> 00:07:33,786 does make business a lot harder, 138 00:07:33,787 --> 00:07:36,455 with other firms now maybe needing to think twice 139 00:07:36,456 --> 00:07:37,873 before doing business with them 140 00:07:37,874 --> 00:07:40,669 for fear of violating regulations. 141 00:07:41,670 --> 00:07:44,838 The next day, NSO's spokesperson called me 142 00:07:44,839 --> 00:07:47,592 and asked me to meet with Shalev in New York. 143 00:07:54,808 --> 00:07:57,101 Will you have your phone on in the meeting? 144 00:07:57,102 --> 00:07:59,479 - I'll try. I'll ask. - Okay. 145 00:08:04,776 --> 00:08:06,068 - This is my colleague, Unjin. - Hi. 146 00:08:06,069 --> 00:08:08,571 - Nice to meet you. - Hi, nice to meet you. 147 00:08:20,166 --> 00:08:21,667 Hello there. 148 00:08:21,668 --> 00:08:23,127 I'm in a bar, Ronan. 149 00:08:23,128 --> 00:08:25,796 I thought you were closing the magazine or something. 150 00:08:25,797 --> 00:08:28,549 I was just meeting with a Justice Department official. 151 00:08:28,550 --> 00:08:31,969 But I cut the interview off early, so... 152 00:08:31,970 --> 00:08:35,180 So that you could hear from one of your wayward reporters 153 00:08:35,181 --> 00:08:37,058 about what he's up to? 154 00:08:38,184 --> 00:08:40,769 So I talked to, uh, Shalev 155 00:08:40,770 --> 00:08:43,105 for two and a half hours. 156 00:08:43,106 --> 00:08:44,606 Wow. 157 00:08:44,607 --> 00:08:46,484 Tell me about the conversation. 158 00:08:46,860 --> 00:08:50,988 They're still reeling from this announcement yesterday 159 00:08:50,989 --> 00:08:54,283 that they're on this export blacklist. 160 00:08:54,284 --> 00:08:55,534 - And... - Were they worried? 161 00:08:55,535 --> 00:08:57,286 They weren't worried in the substance 162 00:08:57,287 --> 00:08:59,663 of their answers so much as... 163 00:08:59,664 --> 00:09:01,957 There was a lot of reference to, you know, 164 00:09:01,958 --> 00:09:03,959 "Better schedule that trip to Tel Aviv quick. 165 00:09:03,960 --> 00:09:06,045 We might not exist as a company." 166 00:09:06,046 --> 00:09:07,004 Which I think is a joke. 167 00:09:07,005 --> 00:09:08,505 I don't know that their bottom line 168 00:09:08,506 --> 00:09:09,923 is that vulnerable, but I do think 169 00:09:09,924 --> 00:09:12,843 that it's a serious moment of-of worry for them. 170 00:09:12,844 --> 00:09:16,347 So the kind of, the high-level philosophical picture 171 00:09:16,348 --> 00:09:18,557 that he paints is, 172 00:09:18,558 --> 00:09:21,185 "This is a technology that's blossoming 173 00:09:21,186 --> 00:09:23,645 around the world anyway. 174 00:09:23,646 --> 00:09:25,647 If we're not doing it, someone else is gonna be." 175 00:09:25,648 --> 00:09:26,899 So his case is kind of like, 176 00:09:26,900 --> 00:09:29,777 "Hey, there's all these people doing this. 177 00:09:29,778 --> 00:09:31,236 This is the new reality." 178 00:09:31,237 --> 00:09:32,654 The digital Wild West. 179 00:09:32,655 --> 00:09:33,864 Yeah, and he acknowledges 180 00:09:33,865 --> 00:09:35,324 there's a potential for abuse, 181 00:09:35,325 --> 00:09:39,078 but he says, "We are, relative to the competition, 182 00:09:39,079 --> 00:09:41,663 the ones willing to subject ourselves to more scrutiny 183 00:09:41,664 --> 00:09:44,875 and answer more questions in the press and be regulated." 184 00:09:44,876 --> 00:09:47,628 They, as of now, are saying that they'll go fully on the record 185 00:09:47,629 --> 00:09:51,507 and actually allow me to bring cameras in, in Tel Aviv. 186 00:09:51,508 --> 00:09:53,258 That's great. It sounds like a great meeting. 187 00:09:53,259 --> 00:09:54,677 It's great you made it happen. 188 00:09:54,678 --> 00:09:56,887 - I-I have to go... - Oh, you have to run, right. 189 00:09:56,888 --> 00:09:59,181 Go, go, go. Thank you for making time. 190 00:09:59,182 --> 00:10:00,809 Thank you. Bye. 191 00:10:01,434 --> 00:10:06,314 Israel is at the center of surveillance innovation. 192 00:10:07,524 --> 00:10:09,191 There's a pipeline of expertise 193 00:10:09,192 --> 00:10:12,611 from the country's military and intelligence services 194 00:10:12,612 --> 00:10:14,780 into tech start-ups. 195 00:10:14,781 --> 00:10:18,117 And the Israeli state uses some of that tech, 196 00:10:18,118 --> 00:10:22,247 including in the conflict over the Palestinian territories. 197 00:10:22,789 --> 00:10:24,999 According to an Amnesty International report 198 00:10:25,000 --> 00:10:27,084 released in the fall of 2021, 199 00:10:27,085 --> 00:10:29,878 six Palestinian human rights activists 200 00:10:29,879 --> 00:10:33,091 had their phones hacked using Pegasus. 201 00:10:33,550 --> 00:10:35,843 Knesset member Sami Abu Shehadeh 202 00:10:35,844 --> 00:10:39,138 says that's part of a long history of surveillance 203 00:10:39,139 --> 00:10:41,056 of Palestinian citizens. 204 00:10:41,057 --> 00:10:43,350 So, it was reported a few months ago 205 00:10:43,351 --> 00:10:46,562 that Pegasus, from NSO Group, was found on the phones 206 00:10:46,563 --> 00:10:50,649 of six Palestinian human rights activists. 207 00:10:50,650 --> 00:10:53,736 The defense minister claimed... 208 00:10:53,737 --> 00:10:56,697 these were, uh, subjects of terrorism investigation. 209 00:10:56,698 --> 00:10:59,284 Yeah, yeah, yeah. So Israel... 210 00:11:01,036 --> 00:11:02,745 unfortunately, 211 00:11:02,746 --> 00:11:05,080 has been doing this for its citizens. 212 00:11:05,081 --> 00:11:07,041 Mainly for the Arab Palestinians. 213 00:11:07,042 --> 00:11:13,042 I think what-what-what-what is making Israel so... important 214 00:11:13,214 --> 00:11:16,759 in this destruction industry 215 00:11:16,760 --> 00:11:20,763 is that they have a huge laboratory to work in, 216 00:11:20,764 --> 00:11:23,975 and they are using the Palestinian people 217 00:11:24,476 --> 00:11:26,769 to do their, uh, tests. 218 00:11:26,770 --> 00:11:29,230 Then they sell it to the rest of the world. 219 00:11:29,689 --> 00:11:31,690 Israel says it uses surveillance 220 00:11:31,691 --> 00:11:34,777 for self-defense and national security. 221 00:11:39,783 --> 00:11:43,328 I started talking to NSO in 2019. 222 00:11:44,662 --> 00:11:46,622 It wasn't until 2022 223 00:11:46,623 --> 00:11:48,957 that they agreed to let me do some reporting 224 00:11:48,958 --> 00:11:51,753 inside their headquarters in Tel Aviv. 225 00:11:55,173 --> 00:11:59,593 Most companies that do this work are pretty secretive. 226 00:11:59,594 --> 00:12:03,055 But NSO has always courted the press... 227 00:12:03,056 --> 00:12:05,016 up to a point. 228 00:12:05,517 --> 00:12:06,600 Hi there. 229 00:12:06,601 --> 00:12:07,726 Ronan Farrow. 230 00:12:07,727 --> 00:12:09,395 Uh, you have an appointment? 231 00:12:09,396 --> 00:12:11,523 Yes. With NSO. 232 00:12:12,107 --> 00:12:14,191 They were opening their doors to me 233 00:12:14,192 --> 00:12:17,277 but also trying to keep a tight leash. 234 00:12:17,278 --> 00:12:20,364 I'd be talking to everyone from software engineers 235 00:12:20,365 --> 00:12:21,782 to salespeople, 236 00:12:21,783 --> 00:12:23,158 and I realized quickly, 237 00:12:23,159 --> 00:12:27,455 NSO's PR team was gonna be hovering. 238 00:12:27,789 --> 00:12:28,914 Hey. Ronan. 239 00:12:28,915 --> 00:12:31,917 Come, let's, uh, take some coffee, tea. 240 00:12:31,918 --> 00:12:33,961 I may take pictures as I go, if that's okay. 241 00:12:33,962 --> 00:12:35,546 - Yeah. - So I can write about it, 242 00:12:35,547 --> 00:12:36,923 you know, for color. 243 00:12:37,465 --> 00:12:39,008 Want to get a sense of the digs. 244 00:12:39,009 --> 00:12:41,051 It's a swanky office space. 245 00:12:41,052 --> 00:12:43,512 It's very American tech start-up vibes. 246 00:12:43,513 --> 00:12:45,223 - Fancy cafeteria. - Thank you! 247 00:12:45,598 --> 00:12:47,141 You want some coffee? Tea? 248 00:12:47,142 --> 00:12:50,395 - What do you want to drink? - Coffee sounds great. Thank you. 249 00:12:53,815 --> 00:12:57,151 I just wanted to start with introducing our team. 250 00:12:57,152 --> 00:13:00,195 Yes! I'm very much looking forward to talking to all of you 251 00:13:00,196 --> 00:13:02,281 and hear about the working level experiences you have. 252 00:13:02,282 --> 00:13:04,909 So this is great. Should we get started? 253 00:13:06,578 --> 00:13:07,786 What made you want this job? 254 00:13:16,713 --> 00:13:19,506 What specifically do you think people have gotten wrong? 255 00:13:36,358 --> 00:13:38,275 You have been involved in relationships 256 00:13:38,276 --> 00:13:40,319 where there's been some kind of a finding, 257 00:13:40,320 --> 00:13:41,820 or at least a suspicion, 258 00:13:41,821 --> 00:13:43,739 that there was inappropriate targeting. 259 00:13:43,740 --> 00:13:46,742 What would you say to the targets 260 00:13:46,743 --> 00:13:50,538 of that kind of misuse of your technologies? 261 00:14:18,775 --> 00:14:21,443 How-How have you navigated 262 00:14:21,444 --> 00:14:23,445 the sort of moral questions 263 00:14:23,446 --> 00:14:27,116 being raised about your work in such a public way? 264 00:14:44,175 --> 00:14:46,385 You know, what happens in a case 265 00:14:46,386 --> 00:14:48,470 where maybe the government thinks these are criminals, 266 00:14:48,471 --> 00:14:50,556 but outside observers say, "Hey, those are activists"? 267 00:14:50,557 --> 00:14:52,891 I'm a tech guy and I'm an intelligence guy, okay? 268 00:14:52,892 --> 00:14:54,810 I know how to create investigation systems 269 00:14:54,811 --> 00:14:56,895 and now I can know how to make it technically 270 00:14:56,896 --> 00:14:58,480 the best way possible. Okay? 271 00:14:58,481 --> 00:15:01,233 The question you're asking now, this is for the big guys. 272 00:15:01,234 --> 00:15:02,651 Big questions. 273 00:15:02,652 --> 00:15:05,446 NSO claims that potential customers 274 00:15:05,447 --> 00:15:06,989 are thoroughly vetted, 275 00:15:06,990 --> 00:15:10,075 and it emphasizes that each sale needs to be approved 276 00:15:10,076 --> 00:15:12,870 by the Israeli Department of Defense. 277 00:15:12,871 --> 00:15:14,830 General Counsel Shmuel Sunray 278 00:15:14,831 --> 00:15:17,249 is in charge of that compliance process 279 00:15:17,250 --> 00:15:19,835 and of the internal investigations 280 00:15:19,836 --> 00:15:21,920 the company says it conducts 281 00:15:21,921 --> 00:15:24,298 when there's an allegation of abuse. 282 00:15:24,299 --> 00:15:25,632 - Hello. - Hi. 283 00:15:25,633 --> 00:15:28,260 - Pleasure to have you here. - Yes, it's good to be here. 284 00:15:28,261 --> 00:15:29,845 It's an interesting time to be here. 285 00:15:29,846 --> 00:15:33,682 You're up against a pretty widespread perception 286 00:15:33,683 --> 00:15:37,770 that this talk of compliance efforts 287 00:15:37,771 --> 00:15:39,229 and internal investigations 288 00:15:39,230 --> 00:15:41,482 is-is viewed as being non-substantive. 289 00:15:41,483 --> 00:15:43,609 First of all, the efforts are truly substantive. 290 00:15:43,610 --> 00:15:46,904 Unfortunately, I think one of the main problems we have 291 00:15:46,905 --> 00:15:48,822 on the perception side 292 00:15:48,823 --> 00:15:51,784 is that all the good work that we do, 293 00:15:51,785 --> 00:15:54,203 um, cannot be published in its details. 294 00:15:54,204 --> 00:15:56,747 I mean, it cannot be... we cannot share, like, 295 00:15:56,748 --> 00:15:58,916 when we disqualify a certain customer 296 00:15:58,917 --> 00:16:00,376 for a due diligence reason, 297 00:16:00,377 --> 00:16:02,670 or we shut down a system for a misuse. 298 00:16:02,671 --> 00:16:06,423 Even if we would have wanted to, we are prohibited from doing so. 299 00:16:06,424 --> 00:16:09,009 As you might imagine in the course of this reporting, 300 00:16:09,010 --> 00:16:11,679 I'm gonna be talking to quite a few targets 301 00:16:11,680 --> 00:16:13,222 of NSO's technology, 302 00:16:13,223 --> 00:16:15,265 some of whom, you know, really feel 303 00:16:15,266 --> 00:16:17,893 that this was destructive in their life. 304 00:16:17,894 --> 00:16:21,021 What would you say to targets of Pegasus 305 00:16:21,022 --> 00:16:22,272 and other NSO software? 306 00:16:22,273 --> 00:16:24,066 Anyone who feels he's a target, 307 00:16:24,067 --> 00:16:27,069 I would really appeal for them to go 308 00:16:27,070 --> 00:16:29,405 and go through our process. 309 00:16:29,406 --> 00:16:32,241 I think that our record has proved itself. 310 00:16:32,242 --> 00:16:34,243 We, you know, don't want our technology 311 00:16:34,244 --> 00:16:35,953 to go and be used in such a way. 312 00:16:35,954 --> 00:16:39,581 And if it was our technology that was used, 313 00:16:39,582 --> 00:16:41,166 we feel very bad about it 314 00:16:41,167 --> 00:16:43,252 and we'll make our utmost to make sure 315 00:16:43,253 --> 00:16:46,381 that no other targets will be in that situation. 316 00:16:46,965 --> 00:16:48,632 I asked Sunray repeatedly 317 00:16:48,633 --> 00:16:51,510 to give me specifics about these investigations 318 00:16:51,511 --> 00:16:55,681 or proof that contracts had been canceled as a result. 319 00:16:55,682 --> 00:16:57,308 He declined. 320 00:16:58,309 --> 00:17:00,645 - Should we break for lunch? - Yeah, yeah... 321 00:17:09,779 --> 00:17:10,946 Okay, great. 322 00:17:10,947 --> 00:17:12,823 Oh, so this is the Shalev suite. 323 00:17:12,824 --> 00:17:14,491 Okay. 324 00:17:14,492 --> 00:17:17,077 I convinced Shalev Hulio, the CEO, 325 00:17:17,078 --> 00:17:19,455 to go on the record for my New Yorker article, 326 00:17:19,456 --> 00:17:23,208 but he refused to appear on camera. 327 00:17:23,209 --> 00:17:26,003 When I pressed him about the allegations of abuse, 328 00:17:26,004 --> 00:17:28,297 he also wouldn't provide specifics 329 00:17:28,298 --> 00:17:30,924 about the company's internal investigations, 330 00:17:30,925 --> 00:17:33,886 citing the privacy of NSO's clients. 331 00:17:33,887 --> 00:17:35,929 Both he and Sunray 332 00:17:35,930 --> 00:17:38,724 compared their company to an arms dealer, 333 00:17:38,725 --> 00:17:42,061 just in a field that doesn't yet have regulations 334 00:17:42,062 --> 00:17:44,481 like the Geneva Conventions. 335 00:17:47,317 --> 00:17:49,777 I needed to find unvarnished takes 336 00:17:49,778 --> 00:17:52,613 on how NSO really operates. 337 00:17:52,614 --> 00:17:54,114 One of the calls I made 338 00:17:54,115 --> 00:17:57,660 was to Israeli journalist, Chaim Levinson. 339 00:17:58,328 --> 00:18:00,662 What has the experience of reporting on NSO 340 00:18:00,663 --> 00:18:01,830 been like for you? 341 00:18:02,999 --> 00:18:05,209 At the beginning they were very closed, 342 00:18:05,210 --> 00:18:07,753 didn't talk to journalists, "You all are against us, 343 00:18:07,754 --> 00:18:08,962 you don't understand, 344 00:18:08,963 --> 00:18:10,673 it's a security issue," et cetera. 345 00:18:10,674 --> 00:18:14,094 But lately, in the last year, they've become very friendly. 346 00:18:14,469 --> 00:18:17,429 Do you buy what NSO is selling 347 00:18:17,430 --> 00:18:19,973 to journalists and governments around the world 348 00:18:19,974 --> 00:18:23,352 when they say, you know, "Yes, there have been some missteps, 349 00:18:23,353 --> 00:18:27,439 but we want to be, and we are now, the good guys"? 350 00:18:27,440 --> 00:18:31,235 I think they understand they are in a very, very bad PR situation 351 00:18:31,236 --> 00:18:33,862 and the previous policy didn't work. 352 00:18:33,863 --> 00:18:36,448 And now they're thinking if they explain to the people 353 00:18:36,449 --> 00:18:38,534 what exactly they are doing, it will help them. 354 00:18:38,535 --> 00:18:40,911 If you ask me, the head of the problem is not the PR. 355 00:18:40,912 --> 00:18:42,371 The problem is the issue. 356 00:18:42,372 --> 00:18:44,832 NSO can hack your phone with zero-click technology. 357 00:18:44,833 --> 00:18:47,501 And this is a tool that, until NSO, 358 00:18:47,502 --> 00:18:49,712 only very industrial countries had... 359 00:18:49,713 --> 00:18:52,965 United States, security services of Israel. 360 00:18:52,966 --> 00:18:56,343 But for countries like Angola, 361 00:18:56,344 --> 00:18:58,512 it's impossible to develop such a technology. 362 00:18:58,513 --> 00:19:00,764 They don't have the human resources to breach 363 00:19:00,765 --> 00:19:03,058 Apple and Google engineers. 364 00:19:03,059 --> 00:19:05,185 What makes NSO special? 365 00:19:05,186 --> 00:19:07,229 They are willing to sell to countries 366 00:19:07,230 --> 00:19:09,898 with huge democracy and human rights problems. 367 00:19:09,899 --> 00:19:15,154 Other companies are not willing to sell, and NSO are. 368 00:19:15,155 --> 00:19:17,740 Chaim introduced me to something rare... 369 00:19:17,741 --> 00:19:20,492 a former employee who had firsthand knowledge 370 00:19:20,493 --> 00:19:23,537 of NSO's sales efforts and was willing to speak 371 00:19:23,538 --> 00:19:25,581 without the company's permission... 372 00:19:25,582 --> 00:19:28,877 if I promised to conceal their identity. 373 00:19:29,627 --> 00:19:33,881 Is there anything specific that makes you fearful 374 00:19:33,882 --> 00:19:35,591 of how they would react 375 00:19:35,592 --> 00:19:38,218 if they did see your face and your identity? 376 00:19:41,639 --> 00:19:44,641 So tell me from your standpoint why you think 377 00:19:44,642 --> 00:19:47,729 it's important to have this conversation. 378 00:19:55,904 --> 00:19:59,114 What's the most objectionable thing that you saw 379 00:19:59,115 --> 00:20:00,909 in your time at the company? 380 00:20:25,392 --> 00:20:29,646 So you sold Pegasus to these different governments? 381 00:20:31,106 --> 00:20:32,523 Pre-sold. 382 00:20:32,524 --> 00:20:36,151 You pitched Pegasus to governments around the world? 383 00:20:36,152 --> 00:20:39,405 What were the-the main customers 384 00:20:39,406 --> 00:20:41,824 that you saw the company deal with? 385 00:20:41,825 --> 00:20:43,242 Um, they claim 386 00:20:43,243 --> 00:20:46,245 most Western European countries use them. 387 00:20:46,246 --> 00:20:47,747 Is that true? 388 00:20:48,039 --> 00:20:49,624 Um... 389 00:20:50,709 --> 00:20:51,876 Some examples? 390 00:20:55,505 --> 00:20:57,214 And beyond Europe. Any examples 391 00:20:57,215 --> 00:20:59,425 that were sort of significant in your mind 392 00:20:59,426 --> 00:21:01,011 or that gave you pause? 393 00:21:02,887 --> 00:21:04,014 Mm-hmm. 394 00:21:07,767 --> 00:21:10,353 Any African? Oman. 395 00:21:13,231 --> 00:21:14,649 Yeah, yeah, yeah. 396 00:21:15,233 --> 00:21:16,608 What was the price tag on this? 397 00:21:16,609 --> 00:21:19,029 What was NSO charging for Pegasus? 398 00:22:11,623 --> 00:22:13,666 Does NSO know 399 00:22:13,667 --> 00:22:16,377 that some of its customers that it's selling to 400 00:22:16,378 --> 00:22:18,504 for those big-ticket prices you mentioned 401 00:22:18,505 --> 00:22:20,632 are abusing this technology? 402 00:22:31,935 --> 00:22:33,185 Hi, Oded. 403 00:22:34,604 --> 00:22:36,271 More importantly, how are you? 404 00:22:49,536 --> 00:22:51,620 Yeah. As you can imagine, uh, 405 00:22:51,621 --> 00:22:54,957 I'm-I'm gonna call everyone around the story. 406 00:22:54,958 --> 00:22:58,919 Um, I think it's been a fairly short list of formers. 407 00:22:58,920 --> 00:23:02,131 But, you know, if there's anyone you suggest I add to that list, 408 00:23:02,132 --> 00:23:03,758 I welcome it. 409 00:23:12,934 --> 00:23:14,436 Mm-hmm. 410 00:23:33,830 --> 00:23:37,666 Yeah. Oded, you know, I'm always an open book on this stuff. 411 00:23:37,667 --> 00:23:39,168 We've talked about this at length. 412 00:23:39,169 --> 00:23:42,588 I have been very glad to see that I think you're savvy 413 00:23:42,589 --> 00:23:44,840 about knowing that more transparency 414 00:23:44,841 --> 00:23:47,843 is a good thing for NSO at this point. 415 00:23:47,844 --> 00:23:50,054 I know it's been a, kind of, a hard time 416 00:23:50,055 --> 00:23:51,513 with a lot of controversy. 417 00:23:51,514 --> 00:23:54,183 Any time you have a concern, you know, raise it. 418 00:23:54,184 --> 00:23:56,185 And I'll answer honestly. 419 00:23:56,186 --> 00:23:57,604 Okay. 420 00:23:58,271 --> 00:23:59,271 Okay. 421 00:24:01,274 --> 00:24:02,524 - Bye. - Bye. 422 00:24:04,569 --> 00:24:06,695 Though NSO was wary of me speaking 423 00:24:06,696 --> 00:24:09,031 to its former employees, 424 00:24:09,032 --> 00:24:11,033 the company was willing to let me speak 425 00:24:11,034 --> 00:24:14,996 to one of its current Western European clients. 426 00:24:16,873 --> 00:24:18,374 Hello. 427 00:24:18,375 --> 00:24:20,209 He's going to be ten minutes late. 428 00:24:20,210 --> 00:24:23,046 He's on his way to his laptop right now. 429 00:24:23,505 --> 00:24:25,631 How many other outlets, uh, 430 00:24:25,632 --> 00:24:28,133 has, uh, our friend who's about to come on, 431 00:24:28,134 --> 00:24:30,427 uh, spoken to in this way? 432 00:24:30,428 --> 00:24:32,764 - No one. - No one? 433 00:24:33,390 --> 00:24:34,848 I was assuming that he was the source 434 00:24:34,849 --> 00:24:36,600 of the Wall Street Journal article. 435 00:24:36,601 --> 00:24:39,812 I think that was also a Western European law enforcement. 436 00:24:39,813 --> 00:24:42,940 We have several customers from Western Europe, 437 00:24:42,941 --> 00:24:45,901 but we don't have a lot of customers 438 00:24:45,902 --> 00:24:48,570 that are willing to speak with journalists. 439 00:24:48,571 --> 00:24:50,739 I will need to know his-his full name 440 00:24:50,740 --> 00:24:52,074 and identity and everything. 441 00:24:52,075 --> 00:24:54,743 Only for your... But only for your knowledge. 442 00:24:54,744 --> 00:24:56,245 Yes. You don't have to worry. 443 00:24:56,246 --> 00:24:57,746 If I verbally agree 444 00:24:57,747 --> 00:25:00,249 that a source is an unidentified background source, 445 00:25:00,250 --> 00:25:03,127 uh, you know, described as a European intelligence official 446 00:25:03,128 --> 00:25:06,089 then-then that is, uh, that's the ground rule. 447 00:25:06,673 --> 00:25:08,090 Yes, you can even say, you know, 448 00:25:08,091 --> 00:25:10,384 West European law enforcement agency, 449 00:25:10,385 --> 00:25:12,928 I mean, whatever that will not... 450 00:25:12,929 --> 00:25:15,597 will not expose the name of the country, the agency, 451 00:25:15,598 --> 00:25:17,142 or, of course, his name. 452 00:25:17,475 --> 00:25:19,144 Tal, is he joining? 453 00:25:19,519 --> 00:25:21,020 He's connecting right now. 454 00:25:21,021 --> 00:25:22,021 Okay, great. 455 00:25:23,940 --> 00:25:25,024 Hello! 456 00:25:25,025 --> 00:25:26,233 Thank you for doing this. 457 00:25:26,234 --> 00:25:28,068 I appreciate your taking the time. 458 00:25:29,612 --> 00:25:34,575 So when did your, uh, agency first become a customer of NSO? 459 00:25:53,470 --> 00:25:56,014 How much did you pay for the software? 460 00:26:05,774 --> 00:26:07,399 Tens of millions of euros? 461 00:26:07,400 --> 00:26:08,985 What's the... what's the... 462 00:26:11,237 --> 00:26:12,988 Okay. Understood. 463 00:26:12,989 --> 00:26:16,241 And what type of product did you purchase? 464 00:26:16,242 --> 00:26:18,286 Is this Pegasus, primarily? 465 00:26:20,830 --> 00:26:24,000 And what is the software being used for? 466 00:26:30,715 --> 00:26:32,466 Do you think it would be a scandal 467 00:26:32,467 --> 00:26:34,718 if it was known widely 468 00:26:34,719 --> 00:26:37,639 that you were using Pegasus? 469 00:26:57,117 --> 00:26:59,786 Do you have to get a warrant to use Pegasus? 470 00:27:09,838 --> 00:27:13,215 And how many people have you targeted, uh, 471 00:27:13,216 --> 00:27:16,219 since 2015, with, uh, Pegasus? 472 00:27:20,515 --> 00:27:22,267 Roughly. Roughly. 473 00:27:26,604 --> 00:27:27,981 Mm-hmm. 474 00:27:28,773 --> 00:27:30,692 Okay. So, um... 475 00:27:33,111 --> 00:27:34,612 Very helpful. 476 00:27:34,988 --> 00:27:36,781 - All right. Take care. - Thank you. 477 00:27:37,532 --> 00:27:38,782 Okay. 478 00:27:38,783 --> 00:27:41,536 Are we all, uh, dispersing now? 479 00:27:42,120 --> 00:27:44,747 - And sorry for the mistake. - Oh yeah, I saw. 480 00:27:44,748 --> 00:27:46,665 So it's two-two journalists he talked to. 481 00:27:46,666 --> 00:27:47,916 Do you remember which ones? 482 00:27:47,917 --> 00:27:49,501 He was the Wall Street Journal source? 483 00:27:49,502 --> 00:27:52,421 It was... it was one of the Wall Street Journal 484 00:27:52,422 --> 00:27:53,589 and one is Israeli TV. 485 00:27:53,590 --> 00:27:55,591 An Israeli one. Okay. Got it. 486 00:27:55,592 --> 00:27:58,260 Okay. Um, this is very helpful to know. 487 00:27:58,261 --> 00:27:59,720 Thank you again, everyone. 488 00:27:59,721 --> 00:28:01,597 - Enjoy. - Okay. Take care. 489 00:28:02,932 --> 00:28:05,809 I don't doubt these law enforcement officials 490 00:28:05,810 --> 00:28:08,103 when they tell me they love having 491 00:28:08,104 --> 00:28:10,648 such a powerful surveillance tool... 492 00:28:11,274 --> 00:28:15,111 and that they sincerely want to use it to ensnare criminals. 493 00:28:15,487 --> 00:28:18,572 But there's evidence that Pegasus is being used 494 00:28:18,573 --> 00:28:20,824 in at least 45 countries. 495 00:28:20,825 --> 00:28:22,785 And it's mostly happening 496 00:28:22,786 --> 00:28:24,870 under a veil of secrecy, 497 00:28:24,871 --> 00:28:27,791 without public input or oversight. 498 00:28:28,416 --> 00:28:30,751 Pegasus might have lived up to the promise 499 00:28:30,752 --> 00:28:32,587 that it's undetectable... 500 00:28:33,254 --> 00:28:37,049 if it weren't for a group of researchers in Canada. 501 00:28:39,969 --> 00:28:42,721 The vast majority of what we know about NSO abuse 502 00:28:42,722 --> 00:28:44,014 comes from researchers 503 00:28:44,015 --> 00:28:46,266 at the University of Toronto's Citizen Lab. 504 00:28:46,267 --> 00:28:48,769 They have found examples of the spyware being used 505 00:28:48,770 --> 00:28:50,062 to conduct surveillance 506 00:28:50,063 --> 00:28:51,980 on dissidents, human rights activists, 507 00:28:51,981 --> 00:28:54,025 and journalists around the world. 508 00:28:54,859 --> 00:28:56,235 - Hey! - Ronan, how you doing? 509 00:28:56,236 --> 00:28:58,320 - It's great to finally meet you. - Great to meet you too. 510 00:28:58,321 --> 00:29:00,489 Thanks for letting us into the inner sanctum. 511 00:29:00,490 --> 00:29:01,532 Of course. 512 00:29:01,533 --> 00:29:03,033 For more than a decade, 513 00:29:03,034 --> 00:29:05,285 Ron Deibert and the team at Citizen Lab 514 00:29:05,286 --> 00:29:08,455 have been studying the pieces of malicious code, 515 00:29:08,456 --> 00:29:09,915 known as exploits, 516 00:29:09,916 --> 00:29:12,793 that target vulnerabilities in your phone's apps 517 00:29:12,794 --> 00:29:16,172 or operating system to install spyware. 518 00:29:16,715 --> 00:29:18,674 We're really lucky to have this space. 519 00:29:18,675 --> 00:29:21,136 This is, uh, the lab. 520 00:29:23,054 --> 00:29:26,098 These are the spaces where most of the work gets done. 521 00:29:26,099 --> 00:29:27,016 Got it. 522 00:29:27,017 --> 00:29:28,934 So what are they doing in there? 523 00:29:28,935 --> 00:29:31,812 We have a person who suspects 524 00:29:31,813 --> 00:29:33,397 that they've been targeted with spyware. 525 00:29:33,398 --> 00:29:36,859 And so what they will be doing is walking them through 526 00:29:36,860 --> 00:29:38,777 how to gather the data that we need 527 00:29:38,778 --> 00:29:40,905 to do forensic analysis of a phone. 528 00:29:41,239 --> 00:29:44,199 How difficult has it been to catch these exploits? 529 00:29:44,200 --> 00:29:46,035 'Cause many of them, including Pegasus, 530 00:29:46,036 --> 00:29:48,747 are designed to clean up after themselves. 531 00:29:49,080 --> 00:29:51,457 We've been fortunate now, uh, to capture 532 00:29:51,458 --> 00:29:55,544 several different vendors' spyware in the wild, 533 00:29:55,545 --> 00:29:57,212 usually from targets. 534 00:29:57,213 --> 00:29:59,882 Um, the one that really stands out for me 535 00:29:59,883 --> 00:30:03,719 is the case of the Saudi women's rights activist, 536 00:30:03,720 --> 00:30:06,513 whose phone was hacked with Pegasus. 537 00:30:06,514 --> 00:30:11,226 Which is why that excuse that NSO Group and others use 538 00:30:11,227 --> 00:30:12,770 is so specious. 539 00:30:12,771 --> 00:30:14,605 You know, "Don't worry. Nothing to see here, 540 00:30:14,606 --> 00:30:16,106 because we only sell it to governments 541 00:30:16,107 --> 00:30:17,983 to be used for crime or terrorism." 542 00:30:17,984 --> 00:30:21,236 It's not a-a good way to think 543 00:30:21,237 --> 00:30:24,031 about the limits of this type of technology. 544 00:30:24,032 --> 00:30:26,575 How do you see the industry evolving from here? 545 00:30:26,576 --> 00:30:28,327 If we succeed, you could imagine 546 00:30:28,328 --> 00:30:30,788 a much different environment ten years from now, 547 00:30:30,789 --> 00:30:33,749 where there is robust oversight mechanisms, 548 00:30:33,750 --> 00:30:35,042 and much more transparency. 549 00:30:35,043 --> 00:30:36,585 That would be my ideal world. 550 00:30:36,586 --> 00:30:38,754 The way things are going, though, 551 00:30:38,755 --> 00:30:40,172 frankly, frightens me 552 00:30:40,173 --> 00:30:44,051 because we live in a time where there is obvious, 553 00:30:44,052 --> 00:30:47,054 well-documented democratic backsliding. 554 00:30:47,055 --> 00:30:49,973 Authoritarian practices are spreading worldwide. 555 00:30:49,974 --> 00:30:53,352 I firmly believe the surveillance industry, 556 00:30:53,353 --> 00:30:54,603 unchecked as it is, 557 00:30:54,604 --> 00:30:58,190 is one of the major contributing factors to those trends. 558 00:30:58,191 --> 00:31:01,902 A lot of the coverage of the dangers of spyware 559 00:31:01,903 --> 00:31:05,239 has focused on the way autocrats and dictators 560 00:31:05,240 --> 00:31:08,159 outside the Western world use it. 561 00:31:08,660 --> 00:31:10,285 But Citizen Lab's work shows 562 00:31:10,286 --> 00:31:14,666 that Western democracies are abusing spyware too. 563 00:31:15,250 --> 00:31:17,001 They tipped me off to an investigation 564 00:31:17,002 --> 00:31:19,545 they were conducting in Catalonia, 565 00:31:19,546 --> 00:31:20,963 a region of Spain, 566 00:31:20,964 --> 00:31:23,799 where they suspected Pegasus was being used 567 00:31:23,800 --> 00:31:27,428 to surveil local politicians and activists 568 00:31:27,429 --> 00:31:29,431 on a massive scale. 569 00:31:34,686 --> 00:31:35,811 - Hey! - Hi. 570 00:31:35,812 --> 00:31:37,104 - How are you? - Thank you for coming. 571 00:31:37,105 --> 00:31:38,522 Yeah! I'm looking forward to it. 572 00:31:38,523 --> 00:31:39,857 It's also stunning here. 573 00:31:39,858 --> 00:31:41,817 I was not fully expecting that. 574 00:31:41,818 --> 00:31:44,194 Elies Campo was born here. 575 00:31:44,195 --> 00:31:48,115 He's worked in Silicon Valley for WhatsApp and for Telegram. 576 00:31:48,116 --> 00:31:50,659 And now, he's Citizen Lab's investigator 577 00:31:50,660 --> 00:31:52,619 on the ground in Catalonia. 578 00:31:52,620 --> 00:31:56,999 A few people from Catalonia messaged me and said, 579 00:31:57,000 --> 00:32:00,210 "Hey, I just received this message on WhatsApp 580 00:32:00,211 --> 00:32:04,006 about being, uh, targeted or being hacked at some point, 581 00:32:04,007 --> 00:32:07,719 um, and I don't know if it's, um, it's real or not." 582 00:32:08,303 --> 00:32:10,679 I contacted my ex-colleagues at WhatsApp. 583 00:32:10,680 --> 00:32:14,183 They told me that they couldn't communicate anything with me 584 00:32:14,184 --> 00:32:16,727 because of privacy issues but I should contact Citizen Lab 585 00:32:16,728 --> 00:32:19,688 and see if they could help. So I reached out to Citizen Lab. 586 00:32:19,689 --> 00:32:23,108 The conversation went that these cases from WhatsApp 587 00:32:23,109 --> 00:32:26,070 were probably just the tip of the iceberg, um, 588 00:32:26,071 --> 00:32:29,990 and that we... if we organized a little bit 589 00:32:29,991 --> 00:32:32,827 and had some kind of strategy, we'd probably find more. 590 00:32:33,203 --> 00:32:35,204 Why should people around the world care 591 00:32:35,205 --> 00:32:38,374 about the hacking that you're documenting 592 00:32:38,375 --> 00:32:39,917 here in Catalonia? 593 00:32:39,918 --> 00:32:42,336 This is gonna be one of the first cases 594 00:32:42,337 --> 00:32:47,132 where there's such a large and vast number of affected people 595 00:32:47,133 --> 00:32:51,720 and from a vast and different type of categories 596 00:32:51,721 --> 00:32:53,389 of, um, of society. 597 00:32:53,390 --> 00:32:57,101 So we've had the Parliament of Catalonia targeted. 598 00:32:57,102 --> 00:32:59,228 We've had the government of Catalonia targeted. 599 00:32:59,229 --> 00:33:01,063 We've had lawyers targeted. 600 00:33:01,064 --> 00:33:03,440 We've had, uh, civil leaders 601 00:33:03,441 --> 00:33:06,944 of org... cultural organizations of Catalonia targeted. 602 00:33:06,945 --> 00:33:09,822 This is not some future Orwellian scenario. 603 00:33:09,823 --> 00:33:11,240 It really... It happened here. 604 00:33:11,241 --> 00:33:13,409 - It's happening here. - It's happening here. 605 00:33:15,578 --> 00:33:18,580 Citizen Lab suspects that people in Catalonia 606 00:33:18,581 --> 00:33:21,584 are being targeted for political reasons. 607 00:33:22,210 --> 00:33:25,337 Catalonia is a semi-autonomous region in Spain, 608 00:33:25,338 --> 00:33:27,256 with Barcelona as its capital. 609 00:33:27,257 --> 00:33:30,217 There's a significant segment of the population there 610 00:33:30,218 --> 00:33:33,804 that wants Catalonia to be an independent country. 611 00:33:36,433 --> 00:33:40,811 In 2017, Catalan leaders organized a referendum 612 00:33:40,812 --> 00:33:42,396 where they asked voters to decide 613 00:33:42,397 --> 00:33:45,108 if the region should be independent. 614 00:33:46,026 --> 00:33:47,317 The Spanish government in Madrid 615 00:33:47,318 --> 00:33:49,738 declared the referendum illegal 616 00:33:50,447 --> 00:33:54,200 and even raided polling sites on Election Day. 617 00:33:56,661 --> 00:33:59,288 Tensions are still pretty high today 618 00:33:59,289 --> 00:34:01,290 between Catalonia and Madrid. 619 00:34:01,291 --> 00:34:03,625 And there's a lot of Catalan politicians 620 00:34:03,626 --> 00:34:06,338 that still favor independence. 621 00:34:08,506 --> 00:34:11,300 I joined Elies in the Parliament of Catalonia, 622 00:34:11,301 --> 00:34:14,554 where he was testing politicians' phones. 623 00:34:17,223 --> 00:34:18,974 Walk me through what you've been doing 624 00:34:18,975 --> 00:34:20,559 and what you're finding with these ones. 625 00:34:20,560 --> 00:34:23,937 - Yeah, so we analyze the device. - Yeah. 626 00:34:23,938 --> 00:34:26,148 And we try to find traces 627 00:34:26,149 --> 00:34:28,108 that there was the malware 628 00:34:28,109 --> 00:34:29,818 at some point in that... in that device. 629 00:34:29,819 --> 00:34:33,322 And how we do that is through some analysis on the device. 630 00:34:33,323 --> 00:34:37,117 We extract the file, and uploading it to the cloud, 631 00:34:37,118 --> 00:34:39,495 and the cloud is doing the analysis 632 00:34:39,496 --> 00:34:41,330 of, uh, of trying to find traces. 633 00:34:41,331 --> 00:34:43,415 What's next? You have members of Parliament coming in, right? 634 00:34:43,416 --> 00:34:45,668 Yeah, a European member of the Parliament 635 00:34:45,669 --> 00:34:47,002 that's currently in Barcelona, 636 00:34:47,003 --> 00:34:49,171 and, uh, his name is Jordi Sole, 637 00:34:49,172 --> 00:34:51,382 and, uh, we're gonna talk to him 638 00:34:51,383 --> 00:34:53,258 and look at his device now. 639 00:34:53,259 --> 00:34:56,721 Great. 640 00:35:03,186 --> 00:35:04,812 Hola, que tal? 641 00:35:04,813 --> 00:35:06,564 Hola. Laura. 642 00:35:38,638 --> 00:35:39,764 Uh-huh. 643 00:35:43,143 --> 00:35:44,436 Mm-hmm. 644 00:35:50,608 --> 00:35:53,319 When does it look like you were infected? 645 00:35:54,404 --> 00:35:56,363 I have to check, uh, the date. 646 00:35:56,364 --> 00:36:00,242 But around that day, I was appointed, um, 647 00:36:00,243 --> 00:36:02,454 member of the European Parliament. 648 00:36:02,996 --> 00:36:04,663 How do you feel knowing 649 00:36:04,664 --> 00:36:07,625 that you may have been compromised in this way? 650 00:36:08,501 --> 00:36:13,798 Well, I feel surprised and angry at the same... at the same time. 651 00:36:14,424 --> 00:36:17,384 Uh, and it's, uh, somehow it's ironic 652 00:36:17,385 --> 00:36:20,512 because next week, in the European Parliament, 653 00:36:20,513 --> 00:36:25,935 we are gonna vote to set up an inquiry committee on Pegasus. 654 00:36:26,644 --> 00:36:28,145 Um, so it's... 655 00:36:28,146 --> 00:36:30,522 it's-it's only... it's only ironic 656 00:36:30,523 --> 00:36:32,691 that just a few days before, I learn, 657 00:36:32,692 --> 00:36:34,485 as member of the European Parliament, 658 00:36:34,486 --> 00:36:37,279 that I've been infected by Pegasus. 659 00:36:37,280 --> 00:36:38,697 What about you, Elies? 660 00:36:38,698 --> 00:36:40,949 What goes through your mind each time you see 661 00:36:40,950 --> 00:36:42,785 a positive result pop up on that screen? 662 00:36:42,786 --> 00:36:45,037 I think about the gravity of the situation. 663 00:36:45,038 --> 00:36:46,622 Especially these cases where 664 00:36:46,623 --> 00:36:48,624 there are members of the European Parliament 665 00:36:48,625 --> 00:36:51,460 'cause it affects, uh, 450 million people, 666 00:36:51,461 --> 00:36:54,296 citizens, and the violation of their rights. 667 00:36:54,297 --> 00:36:56,924 Um... Yeah, each time we discover one 668 00:36:56,925 --> 00:36:59,093 is-is, um, similarly intense 669 00:36:59,094 --> 00:37:02,805 in terms of realizing, uh, 670 00:37:02,806 --> 00:37:05,432 the importance of it and the gravity of it. 671 00:37:05,433 --> 00:37:07,768 Why do you think you were hacked? 672 00:37:07,769 --> 00:37:11,271 Well, I've been hacked for sure because I am, uh, 673 00:37:11,272 --> 00:37:12,523 pro-independence. 674 00:37:12,524 --> 00:37:15,234 So I'm sure that there is the will here 675 00:37:15,235 --> 00:37:17,319 to keep under control 676 00:37:17,320 --> 00:37:21,949 politicians representing, uh, the will for independence 677 00:37:21,950 --> 00:37:23,992 in Catalonia in several institutions. 678 00:37:23,993 --> 00:37:25,869 Are you looking at any legal remedies? 679 00:37:25,870 --> 00:37:28,580 Do you think that you'll bring suit in some way? 680 00:37:28,581 --> 00:37:31,376 I'll defend my rights until the end. 681 00:37:34,170 --> 00:37:36,714 Jordi wasn't alone. 682 00:37:36,715 --> 00:37:40,968 Elies was steadily uncovering more and more infections 683 00:37:40,969 --> 00:37:45,723 on the phones of activists and lawyers and politicians. 684 00:37:45,724 --> 00:37:48,600 And it also wasn't just Pegasus. 685 00:37:48,601 --> 00:37:50,644 These tests were turning up evidence 686 00:37:50,645 --> 00:37:53,147 that the Catalans were also being targeted 687 00:37:53,148 --> 00:37:56,942 with other forms of spyware from competing companies. 688 00:37:56,943 --> 00:38:01,281 One day, Citizen Lab found evidence of something rare. 689 00:38:01,698 --> 00:38:04,158 A local activist had a spyware infection 690 00:38:04,159 --> 00:38:05,951 on his personal laptop 691 00:38:05,952 --> 00:38:07,536 that was still live 692 00:38:07,537 --> 00:38:09,831 and in the middle of its attack. 693 00:38:11,583 --> 00:38:13,167 - Hello, Joan. - Hello. Hi. 694 00:38:13,168 --> 00:38:14,918 It's great to finally meet in person. 695 00:38:14,919 --> 00:38:16,296 Thank you for doing this. 696 00:38:16,713 --> 00:38:18,630 Joan Matamala is an activist 697 00:38:18,631 --> 00:38:21,383 connected to separatist politicians. 698 00:38:21,384 --> 00:38:23,886 His laptop was infected by spyware 699 00:38:23,887 --> 00:38:27,891 made by another Israeli company called Candiru. 700 00:38:28,391 --> 00:38:30,851 Elies worked to try to exfiltrate the software 701 00:38:30,852 --> 00:38:33,896 and study it before it self-destructed. 702 00:38:35,398 --> 00:38:37,483 This is where you were, uh, sitting 703 00:38:37,484 --> 00:38:40,361 when the, uh... when you learned about the hack? 704 00:38:44,783 --> 00:38:46,909 He was working over there when he received the call 705 00:38:46,910 --> 00:38:49,244 that he currently had a live infection. 706 00:38:49,245 --> 00:38:50,954 And what date and time was this? 707 00:38:52,791 --> 00:38:54,668 February 2021. 708 00:39:00,423 --> 00:39:03,175 Tell me what you did from there. 709 00:39:05,929 --> 00:39:10,265 Yeah. So he took some time to get that aluminum foil. 710 00:39:10,266 --> 00:39:12,727 He wrapped two computers. 711 00:39:14,604 --> 00:39:16,438 What's the goal of the tin foil wrapping? 712 00:39:16,439 --> 00:39:18,941 You're creating what's called a Faraday cage, right? 713 00:39:18,942 --> 00:39:22,361 By wrapping it and-and creating a Faraday cage, 714 00:39:22,362 --> 00:39:25,197 uh, we're actually protecting the device 715 00:39:25,198 --> 00:39:26,949 from receiving outside instructions 716 00:39:26,950 --> 00:39:30,369 to have the software delete itself or self-destruct 717 00:39:30,370 --> 00:39:33,414 in order to, uh, remove or potentially remove 718 00:39:33,415 --> 00:39:35,874 the evidence of... that software was there. 719 00:39:35,875 --> 00:39:38,877 It's particularly important to be able to capture 720 00:39:38,878 --> 00:39:41,714 the software live or active in the computer 721 00:39:41,715 --> 00:39:44,800 so we can understand how it works, uh, 722 00:39:44,801 --> 00:39:47,177 how it compromises the operating system. 723 00:39:47,178 --> 00:39:52,141 So he was really doing something that's a service to researchers 724 00:39:52,142 --> 00:39:53,934 on these kinds of technologies. 725 00:39:53,935 --> 00:39:57,312 Yeah, his action actually helped Microsoft 726 00:39:57,313 --> 00:39:59,815 understand how this particular software, 727 00:39:59,816 --> 00:40:02,985 Candiru, was affecting this operating system. 728 00:40:02,986 --> 00:40:04,570 And a few months later, 729 00:40:04,571 --> 00:40:06,739 Microsoft actually developed a patch 730 00:40:06,740 --> 00:40:09,324 that, uh, resolved the vulnerability 731 00:40:09,325 --> 00:40:11,952 that this, uh, software was actually exploiting. 732 00:40:11,953 --> 00:40:14,496 It's surprising that just tin foil can work. 733 00:40:14,497 --> 00:40:17,041 - Yeah, it's physics. - Yeah, yeah. It makes sense. 734 00:40:17,042 --> 00:40:19,251 A little tinfoil went a long way. 735 00:40:24,924 --> 00:40:27,634 The proliferation of spyware around the world 736 00:40:27,635 --> 00:40:30,429 has left governments scrambling to respond. 737 00:40:30,430 --> 00:40:32,806 And that includes the United States. 738 00:40:32,807 --> 00:40:35,893 Even though NSO claims that it blocks its spyware 739 00:40:35,894 --> 00:40:38,395 from targeting American phone numbers, 740 00:40:38,396 --> 00:40:40,898 U.S. government employees working overseas 741 00:40:40,899 --> 00:40:44,903 have had their foreign phones hacked using Pegasus. 742 00:40:45,195 --> 00:40:48,781 Apple is warning at least 11 United States diplomats 743 00:40:48,782 --> 00:40:51,867 that their iPhones were hacked in the last several months. 744 00:40:51,868 --> 00:40:54,787 The hackers reportedly used the spyware technology 745 00:40:54,788 --> 00:40:55,829 called Pegasus. 746 00:40:55,830 --> 00:40:57,831 But the U.S. government 747 00:40:57,832 --> 00:41:01,293 is also a buyer of commercial spyware, 748 00:41:01,294 --> 00:41:04,838 including Pegasus. 749 00:41:04,839 --> 00:41:07,716 Internal documents obtained by the New York Times reveal 750 00:41:07,717 --> 00:41:10,803 some FBI officials made a push to deploy 751 00:41:10,804 --> 00:41:13,389 Israel's Pegasus hacking tool. 752 00:41:13,390 --> 00:41:15,599 So I understand that you did purchase a program 753 00:41:15,600 --> 00:41:17,726 and you tested it. Is that accurate? 754 00:41:17,727 --> 00:41:20,104 We had a limited license for testing and evaluation. 755 00:41:20,105 --> 00:41:22,606 We've tested and evaluated, and that's... that's over. 756 00:41:22,607 --> 00:41:25,151 It hasn't been used in any investigation of anyone. 757 00:41:26,653 --> 00:41:29,196 It's been reported that NSO also pitched 758 00:41:29,197 --> 00:41:30,656 American police departments 759 00:41:30,657 --> 00:41:33,409 on a Pegasus-like software 760 00:41:33,410 --> 00:41:35,995 designed to be used on U.S. soil. 761 00:41:36,663 --> 00:41:39,790 Lawmakers are grappling with both sides of this... 762 00:41:39,791 --> 00:41:42,710 how to protect Americans against these attacks 763 00:41:42,711 --> 00:41:46,840 and how to control America's use of this technology. 764 00:41:47,257 --> 00:41:48,716 Jim Himes is the ranking member 765 00:41:48,717 --> 00:41:50,551 of the House Intelligence Committee, 766 00:41:50,552 --> 00:41:52,845 which oversees U.S. intelligence agencies, 767 00:41:52,846 --> 00:41:55,556 including the FBI and the CIA. 768 00:41:55,557 --> 00:41:56,890 - Hey, Ronan. - Hey. 769 00:41:56,891 --> 00:41:58,767 - How are ya? - Thanks so much for doing this. 770 00:41:58,768 --> 00:42:01,603 Yeah. Good to see you in person. I know we talked on the phone, 771 00:42:01,604 --> 00:42:03,815 but I don't think we've ever met in person. 772 00:42:04,524 --> 00:42:07,151 What is your feeling on how much ability 773 00:42:07,152 --> 00:42:10,696 the U.S. government should have to purchase this kind of tech? 774 00:42:10,697 --> 00:42:13,490 First of all, it would be a very serious mistake 775 00:42:13,491 --> 00:42:15,826 to simply prohibit the purchase of the technology. 776 00:42:15,827 --> 00:42:18,787 We need our experts to know what is out there. 777 00:42:18,788 --> 00:42:20,497 I have no objection to the FBI 778 00:42:20,498 --> 00:42:22,875 purchasing the technology to understand it. 779 00:42:22,876 --> 00:42:24,918 Then comes the more complicated question of, 780 00:42:24,919 --> 00:42:27,964 "Do we want the FBI to be able to use it?" 781 00:42:28,423 --> 00:42:31,300 Do you think the answer is 782 00:42:31,301 --> 00:42:33,635 a ban on the operational use 783 00:42:33,636 --> 00:42:38,140 of foreign commercial spyware by the U.S. government? 784 00:42:38,141 --> 00:42:39,475 No. 785 00:42:39,476 --> 00:42:41,226 No, abs-absolutely not. 786 00:42:41,227 --> 00:42:43,270 The answer is, 787 00:42:43,271 --> 00:42:46,148 do the hard work of assuring 788 00:42:46,149 --> 00:42:47,983 that law enforcement uses it 789 00:42:47,984 --> 00:42:50,819 consistent with our civil liberties. 790 00:42:50,820 --> 00:42:53,782 We're using a lot of abstractions here right now. 791 00:42:54,324 --> 00:42:55,574 I have two daughters. 792 00:42:55,575 --> 00:42:58,370 What if one of my daughters were kidnapped? 793 00:42:58,745 --> 00:43:01,080 I want that tool. I want that tool. 794 00:43:01,081 --> 00:43:03,832 And it would be profoundly irresponsible of me to say, 795 00:43:03,833 --> 00:43:06,001 "There's this amazing tool out there 796 00:43:06,002 --> 00:43:08,295 that could fall into the hands of the Iranians, 797 00:43:08,296 --> 00:43:09,838 the North Koreans, the Chinese... 798 00:43:09,839 --> 00:43:12,383 and we're not gonna let the FBI use it." 799 00:43:12,384 --> 00:43:14,051 We're going to let the FBI use it. 800 00:43:14,052 --> 00:43:17,012 We're going to make sure that they use it in the context 801 00:43:17,013 --> 00:43:19,890 of our civil liberties, and, well, will it be perfect? 802 00:43:19,891 --> 00:43:21,016 No, it will not. 803 00:43:21,017 --> 00:43:23,185 It will, from time to time, be abused. 804 00:43:23,186 --> 00:43:25,396 But the notion that, for the first time in our history, 805 00:43:25,397 --> 00:43:29,024 we're gonna say we're gonna let all the bad guys have technology 806 00:43:29,025 --> 00:43:33,195 that we're not going to use, um, that's a novel concept. 807 00:43:33,196 --> 00:43:35,948 And-And when you really think it through, uh, 808 00:43:35,949 --> 00:43:37,825 a little bit of a scary concept. 809 00:43:37,826 --> 00:43:41,495 A lot would have to change for it to be transparent 810 00:43:41,496 --> 00:43:45,874 and have an approvals process that-that meets that threshold. 811 00:43:45,875 --> 00:43:47,876 That's not the space we're operating in now 812 00:43:47,877 --> 00:43:50,379 when this technology is used by the U.S. government. 813 00:43:50,380 --> 00:43:53,048 That's correct. And this is why I say 814 00:43:53,049 --> 00:43:55,217 one of the urgent things we would need... we should do, 815 00:43:55,218 --> 00:43:58,721 we should be doing, is building the protections 816 00:43:58,722 --> 00:44:02,434 around how U.S. law enforcement might use this technology. 817 00:44:02,809 --> 00:44:06,395 In terms of the hacking of American officials, 818 00:44:06,396 --> 00:44:11,400 are American officials abroad, and maybe in general, 819 00:44:11,401 --> 00:44:15,738 subject to more attacks using this kind of technology 820 00:44:15,739 --> 00:44:17,406 than the public is aware of? 821 00:44:17,407 --> 00:44:18,867 Yes. 822 00:44:19,284 --> 00:44:20,576 - And... - Significantly more. 823 00:44:20,577 --> 00:44:22,119 Significantly more. 824 00:44:22,120 --> 00:44:26,707 And are you aware of infections of this type 825 00:44:26,708 --> 00:44:29,043 that have played out on U.S. soil? 826 00:44:29,044 --> 00:44:32,171 Maybe the best way to answer that is that this technology 827 00:44:32,172 --> 00:44:33,630 knows no borders. 828 00:44:33,631 --> 00:44:38,552 I don't happen to know of the deliberate targeting 829 00:44:38,553 --> 00:44:41,472 of Americans on U.S. soil. 830 00:44:41,473 --> 00:44:43,557 I'm also... 831 00:44:43,558 --> 00:44:46,478 I have no confidence that it hasn't happened. 832 00:44:51,274 --> 00:44:54,151 The White House told me they were still investigating 833 00:44:54,152 --> 00:44:56,780 how spyware affects national security. 834 00:44:57,155 --> 00:44:59,656 And then they told me something I'd be making public 835 00:44:59,657 --> 00:45:01,033 for the first time... 836 00:45:01,034 --> 00:45:02,743 that the Biden administration was planning 837 00:45:02,744 --> 00:45:05,788 an executive order banning government agencies 838 00:45:05,789 --> 00:45:07,122 from buying or using 839 00:45:07,123 --> 00:45:10,460 at least some types of foreign spyware. 840 00:45:12,796 --> 00:45:15,089 I'd been reporting on this for a few years, 841 00:45:15,090 --> 00:45:17,716 and I really hadn't found any governments 842 00:45:17,717 --> 00:45:20,010 that provide meaningful transparency 843 00:45:20,011 --> 00:45:22,346 about how they use these tools. 844 00:45:34,025 --> 00:45:36,819 Uh, this is... this is Ariella, 845 00:45:36,820 --> 00:45:38,278 the comms person at NSO, 846 00:45:38,279 --> 00:45:41,449 sending me a thumbs up that she is going to get me a... 847 00:45:44,035 --> 00:45:45,661 I'm gonna say, "Much appreciated." 848 00:45:45,662 --> 00:45:48,248 She's gonna get me a last statement that they have. 849 00:45:48,998 --> 00:45:52,001 There's a dozen countries that are mentioned in this piece 850 00:45:52,002 --> 00:45:54,003 and each of them had to be approached for comment. 851 00:45:54,004 --> 00:45:55,754 Some of them wanted to comment, some didn't. 852 00:45:55,755 --> 00:45:57,381 Some wanted to only comment in secret, 853 00:45:57,382 --> 00:45:58,674 but not on the record. 854 00:45:58,675 --> 00:46:00,342 There's just a lot to juggle with this one, 855 00:46:00,343 --> 00:46:04,264 and I've got to hustle and redline the rest of this piece. 856 00:46:11,062 --> 00:46:12,521 Avey, are we in here? 857 00:46:12,522 --> 00:46:14,356 - We're in here. - We're in here. Okay. 858 00:46:14,357 --> 00:46:15,441 Yeah. 859 00:46:15,442 --> 00:46:17,152 - Good to see you. - You too. 860 00:46:17,527 --> 00:46:18,694 - Hello. - We're ready? Okay, good. 861 00:46:18,695 --> 00:46:20,779 - Yes. - All right. 862 00:46:20,780 --> 00:46:22,573 Avey. Great. 863 00:46:22,574 --> 00:46:24,409 Um... 864 00:46:26,286 --> 00:46:27,412 All right. 865 00:46:28,788 --> 00:46:30,497 - Thanks a lot. - Thank you. 866 00:46:30,498 --> 00:46:31,958 Okay. 867 00:46:34,753 --> 00:46:37,171 - Are you all closed up? - Mmm... 868 00:46:37,172 --> 00:46:41,342 Yes, but, like, checkers still laying in odds and ends. 869 00:46:41,343 --> 00:46:44,011 It's Thursday, and the magazine closes today. 870 00:46:44,012 --> 00:46:46,388 - Yeah. - Like completement. 871 00:46:46,389 --> 00:46:47,431 Yeah. 872 00:46:47,432 --> 00:46:48,599 - That's it. - Yeah. 873 00:46:48,600 --> 00:46:50,185 - That's it. - Okay. 874 00:46:51,061 --> 00:46:53,103 I think it's... it reads really well. 875 00:46:53,104 --> 00:46:56,190 Okay, so we're just gonna power through this pretty standard. 876 00:46:56,191 --> 00:46:57,775 You know what you're doing. Here we go. 877 00:46:57,776 --> 00:46:59,401 In your reporting, you've narrowed in 878 00:46:59,402 --> 00:47:02,863 on a series of Pegasus attacks on people involved 879 00:47:02,864 --> 00:47:07,117 in the Catalan independence movement in Spain. 880 00:47:07,118 --> 00:47:09,578 Were you able to confirm these hacks with NSO 881 00:47:09,579 --> 00:47:10,829 or the Spanish government? 882 00:47:10,830 --> 00:47:12,956 NSO Group CEO, Shalev Hulio, 883 00:47:12,957 --> 00:47:16,418 did very clearly talk about some of the countries 884 00:47:16,419 --> 00:47:20,297 that we now know use his technology, including Spain. 885 00:47:20,298 --> 00:47:22,758 And in that case, he said, you know, 886 00:47:22,759 --> 00:47:25,219 Spain is a democracy. 887 00:47:25,220 --> 00:47:29,598 Uh, if they decide to use these tools... 888 00:47:29,599 --> 00:47:32,059 - That's on them. - That's on them! 889 00:47:32,060 --> 00:47:34,103 And the Spanish government, for their part, 890 00:47:34,104 --> 00:47:37,439 didn't respond to our requests for comment about it. 891 00:47:37,440 --> 00:47:39,483 Do you think it's possible to have a world 892 00:47:39,484 --> 00:47:44,864 where such a thing exists and it's used responsibly? 893 00:47:45,323 --> 00:47:47,908 Well, we're watching the fights 894 00:47:47,909 --> 00:47:49,952 that will dictate the answer to that question 895 00:47:49,953 --> 00:47:51,161 play out right now. 896 00:47:51,162 --> 00:47:52,705 And one of the things that we break 897 00:47:52,706 --> 00:47:56,083 for the first time in this story is-is that the White House 898 00:47:56,084 --> 00:48:00,129 is actively pursuing a U.S.-government-wide ban 899 00:48:00,130 --> 00:48:02,798 on purchasing this kind of commercial spyware. 900 00:48:02,799 --> 00:48:04,299 Because they have their own? 901 00:48:04,300 --> 00:48:07,553 Well, certainly certain U.S. agencies have their own. 902 00:48:07,554 --> 00:48:09,805 But, you know, in the past, 903 00:48:09,806 --> 00:48:11,765 other U.S. government offices 904 00:48:11,766 --> 00:48:14,601 have also purchased these kinds of tools. 905 00:48:14,602 --> 00:48:16,979 And I think there's an increasing understanding 906 00:48:16,980 --> 00:48:20,274 that this is both, uh, technology that has 907 00:48:20,275 --> 00:48:23,110 an incredibly destructive footprint in the world, 908 00:48:23,111 --> 00:48:25,237 and we've just got to hope 909 00:48:25,238 --> 00:48:27,990 that some of these regulatory efforts 910 00:48:27,991 --> 00:48:32,203 can rein in the most destructive effects of it. 911 00:48:33,288 --> 00:48:36,915 In his latest investigation, the journalist Ronan Farrow 912 00:48:36,916 --> 00:48:39,501 has dug into the spyware industry. 913 00:48:39,502 --> 00:48:42,296 In explosive new reporting in The New Yorker, Ronan Farrow 914 00:48:42,297 --> 00:48:44,631 details the two years he spent digging 915 00:48:44,632 --> 00:48:46,300 into the vast spyware industry. 916 00:48:46,301 --> 00:48:48,427 Ronan, my friend, this is scary stuff! Um, 917 00:48:48,428 --> 00:48:51,013 first of all, just break down, for those who are unaware 918 00:48:51,014 --> 00:48:53,515 of what it is, what is Pegasus and who makes it? 919 00:48:53,516 --> 00:48:56,435 The fundamental is, it can crack a phone. 920 00:48:56,436 --> 00:48:59,021 It feels like the cat's out of the bag, isn't it? 921 00:48:59,022 --> 00:49:00,522 How do you control this? 922 00:49:00,523 --> 00:49:03,984 To your point, once data has been exfiltrated, 923 00:49:03,985 --> 00:49:06,528 the damage has, in a sense, been done. 924 00:49:06,529 --> 00:49:08,697 The article is called "How Democracies Spy 925 00:49:08,698 --> 00:49:10,407 on Their Citizens" by Ronan Farrow. 926 00:49:10,408 --> 00:49:12,201 Ronan, thanks so much for joining us. 927 00:49:14,704 --> 00:49:17,373 The article in The New Yorker and the results 928 00:49:17,374 --> 00:49:20,459 of the Citizen Lab investigation led by Elies 929 00:49:20,460 --> 00:49:23,712 had enormous repercussions in Spain 930 00:49:23,713 --> 00:49:28,175 and finally helped shed light on who was behind all this. 931 00:49:28,176 --> 00:49:30,010 After initially denying the report, 932 00:49:30,011 --> 00:49:31,595 the Spanish government in Madrid 933 00:49:31,596 --> 00:49:34,933 acknowledged spying on some of the Catalans. 934 00:49:35,433 --> 00:49:37,726 The head of Spain's intelligence agency 935 00:49:37,727 --> 00:49:39,978 was fired amidst the controversy. 936 00:49:46,403 --> 00:49:48,529 The scandal became known 937 00:49:48,530 --> 00:49:50,448 as "CatalanGate." 938 00:50:03,628 --> 00:50:06,255 On the list of targeted individuals 939 00:50:06,256 --> 00:50:08,590 was Elies's own family. 940 00:50:08,591 --> 00:50:10,384 Is your family okay? 941 00:50:10,385 --> 00:50:13,012 Yeah, my family is okay. They were surprised. 942 00:50:13,013 --> 00:50:15,431 Surprised that they got hacked too? 943 00:50:15,432 --> 00:50:17,599 Yeah. So I was having a dinner with my parents, 944 00:50:17,600 --> 00:50:19,643 uh, just a few weeks before publication. 945 00:50:19,644 --> 00:50:22,980 I told my father, "We're gonna publish this report. 946 00:50:22,981 --> 00:50:24,815 It's probably gonna have some impact 947 00:50:24,816 --> 00:50:26,275 in Spain because it's pretty serious." 948 00:50:26,276 --> 00:50:28,360 And so we checked his phone, 949 00:50:28,361 --> 00:50:31,822 and, a few hours later, we got the results back 950 00:50:31,823 --> 00:50:34,284 and, um, we got a confirmation. 951 00:50:34,826 --> 00:50:36,452 The next day, we tested my mom 952 00:50:36,453 --> 00:50:39,413 and, uh, we found that she had also been targeted. 953 00:50:39,414 --> 00:50:42,624 So they were following you and trying 954 00:50:42,625 --> 00:50:46,086 to get your communications through your parents. 955 00:50:46,087 --> 00:50:48,297 Presumably they failed in targeting my device, 956 00:50:48,298 --> 00:50:50,716 because I have an American, uh, phone number, 957 00:50:50,717 --> 00:50:52,301 and they targeted my family 958 00:50:52,302 --> 00:50:55,721 in-in order to try to get to the information 959 00:50:55,722 --> 00:50:57,097 that they were looking for. 960 00:50:57,098 --> 00:50:58,891 What do your parents do for a living? 961 00:50:58,892 --> 00:51:02,603 They specialized in, uh, in pathology 962 00:51:02,604 --> 00:51:05,105 and, uh, vascular diseases, 963 00:51:05,106 --> 00:51:07,691 and they work at the University of Barcelona 964 00:51:07,692 --> 00:51:10,903 and the hospitals of Barcelona, the research centers. 965 00:51:10,904 --> 00:51:14,948 So, whoever had access to those devices, 966 00:51:14,949 --> 00:51:17,493 they actually had access to, uh, potentially, 967 00:51:17,494 --> 00:51:19,995 hundreds of conversations or hundreds of data points 968 00:51:19,996 --> 00:51:22,873 of emails, messages, photographs, 969 00:51:22,874 --> 00:51:24,876 of patients all around the world. 970 00:51:25,335 --> 00:51:27,044 Not only did they have access 971 00:51:27,045 --> 00:51:29,338 to his parents' patients' records, 972 00:51:29,339 --> 00:51:32,091 they also potentially had the ability to record 973 00:51:32,092 --> 00:51:33,884 audio or video of Elies 974 00:51:33,885 --> 00:51:36,845 whenever he was in the room with his parents' phones. 975 00:51:36,846 --> 00:51:38,972 So, Elies started testing 976 00:51:38,973 --> 00:51:41,016 the rest of his family members' phones, 977 00:51:41,017 --> 00:51:43,060 including his sister's. 978 00:52:54,674 --> 00:52:56,925 Including Elies's family, 979 00:52:56,926 --> 00:53:00,763 Citizen Lab found that around 70 people in Catalonia 980 00:53:00,764 --> 00:53:02,432 were targeted with spyware. 981 00:53:02,974 --> 00:53:05,809 Since the publication of those findings in Spain, 982 00:53:05,810 --> 00:53:08,312 Citizen Lab has documented Pegasus being used 983 00:53:08,313 --> 00:53:11,357 against government officials in the United Kingdom, 984 00:53:11,358 --> 00:53:13,817 activists in Armenia, 985 00:53:13,818 --> 00:53:15,486 journalists in Mexico, 986 00:53:15,487 --> 00:53:19,782 and pro-democracy demonstrators in Thailand. 987 00:53:19,783 --> 00:53:21,408 In the summer of 2022, 988 00:53:21,409 --> 00:53:23,243 Shalev Hulio stepped down 989 00:53:23,244 --> 00:53:25,287 as CEO of NSO Group. 990 00:53:25,288 --> 00:53:27,039 He went on to establish a new start-up 991 00:53:27,040 --> 00:53:28,917 in the cybersecurity space. 992 00:53:29,459 --> 00:53:31,460 Meanwhile, in March of 2023, 993 00:53:31,461 --> 00:53:33,379 the White House followed through 994 00:53:33,380 --> 00:53:36,966 on the plans they'd revealed in my New Yorker article. 995 00:53:37,467 --> 00:53:39,301 Just a few hours ago, 996 00:53:39,302 --> 00:53:41,470 President Biden issued an executive order 997 00:53:41,471 --> 00:53:43,138 that, for the first time, 998 00:53:43,139 --> 00:53:44,973 will prohibit our government's use 999 00:53:44,974 --> 00:53:49,561 of commercial spyware that poses a risk to our national security 1000 00:53:49,562 --> 00:53:52,231 or that's been misused by foreign actors 1001 00:53:52,232 --> 00:53:54,858 to enable human rights abuses overseas. 1002 00:53:54,859 --> 00:53:58,529 The executive order banned federal agencies 1003 00:53:58,530 --> 00:54:02,199 from buying spyware that's been abused by other governments, 1004 00:54:02,200 --> 00:54:04,159 used to target Americans, 1005 00:54:04,160 --> 00:54:07,329 or otherwise threatened national security. 1006 00:54:07,330 --> 00:54:09,498 But it's not a blanket ban 1007 00:54:09,499 --> 00:54:12,251 on the purchase of all spyware. 1008 00:54:12,252 --> 00:54:14,586 And in fact, just days later, 1009 00:54:14,587 --> 00:54:17,715 the United States and 36 other countries, 1010 00:54:17,716 --> 00:54:19,174 including Spain, 1011 00:54:19,175 --> 00:54:20,718 released a statement outlining 1012 00:54:20,719 --> 00:54:24,013 how they believe governments can use commercial spyware 1013 00:54:24,014 --> 00:54:26,725 and still respect human rights. 1014 00:54:27,809 --> 00:54:31,562 I went back to DC to press Biden administration officials 1015 00:54:31,563 --> 00:54:32,646 about this. 1016 00:54:32,647 --> 00:54:35,024 Nathaniel Fick is the first Ambassador 1017 00:54:35,025 --> 00:54:36,358 for the newly created 1018 00:54:36,359 --> 00:54:38,944 Bureau of Cyberspace and Digital Policy. 1019 00:54:38,945 --> 00:54:40,320 What do you wish 1020 00:54:40,321 --> 00:54:42,614 this executive order contained that it doesn't? 1021 00:54:42,615 --> 00:54:45,409 What do you think the soft point is in it? 1022 00:54:45,410 --> 00:54:48,537 I think part of the reality is we don't know that yet. Right? 1023 00:54:48,538 --> 00:54:50,414 You-You-You craft something 1024 00:54:50,415 --> 00:54:52,291 and you throw it out in the world. 1025 00:54:52,292 --> 00:54:54,043 And the world is a dynamic place. 1026 00:54:54,044 --> 00:54:58,922 Our adversaries are innovative and smart and well-resourced. 1027 00:54:58,923 --> 00:55:00,508 So we'll adjust as required. 1028 00:55:00,925 --> 00:55:04,094 I'm struck by the fact that it contains so little 1029 00:55:04,095 --> 00:55:07,806 about what we do do with spyware. 1030 00:55:07,807 --> 00:55:10,392 There's no suggestion of, 1031 00:55:10,393 --> 00:55:13,062 once a spyware vendor passes muster 1032 00:55:13,063 --> 00:55:15,815 through the lens of this executive order, 1033 00:55:16,274 --> 00:55:17,691 what does that look like? 1034 00:55:17,692 --> 00:55:20,944 What can we then do with that technology? 1035 00:55:20,945 --> 00:55:22,280 Why? 1036 00:55:22,655 --> 00:55:26,992 The United States uses every tool of national power 1037 00:55:26,993 --> 00:55:29,953 in pursuit of our interests, 1038 00:55:29,954 --> 00:55:32,247 uh, grounded in our values. 1039 00:55:32,248 --> 00:55:35,459 And so, we do believe, and openly acknowledge, 1040 00:55:35,460 --> 00:55:38,587 that there are legitimate law enforcement 1041 00:55:38,588 --> 00:55:42,758 and national security uses of these technologies. 1042 00:55:42,759 --> 00:55:45,594 There were a number of joint statements circulating around... 1043 00:55:45,595 --> 00:55:48,639 Spain signed on to one of these statements. 1044 00:55:48,640 --> 00:55:53,352 Obviously, the administration in Madrid has been implicated 1045 00:55:53,353 --> 00:55:56,647 in one of the largest spying operations domestically 1046 00:55:56,648 --> 00:55:58,607 in their country, in the world. 1047 00:55:58,608 --> 00:56:02,486 Uh, how do you feel about them being a signatory? 1048 00:56:02,487 --> 00:56:04,697 I think that getting countries 1049 00:56:04,698 --> 00:56:08,117 to publicly align with the principles 1050 00:56:08,118 --> 00:56:09,368 is always a good thing. 1051 00:56:09,369 --> 00:56:10,619 Even if it's hypocritical? 1052 00:56:10,620 --> 00:56:13,497 And then we have to continue to hold 1053 00:56:13,498 --> 00:56:15,958 their feet to the fire, just as we do ourselves, 1054 00:56:15,959 --> 00:56:19,170 to make sure that we're living up to the implementation. 1055 00:56:19,546 --> 00:56:21,880 I've had conversations with foreign officials who say, 1056 00:56:21,881 --> 00:56:24,800 "Well, you want us to have more transparency about this. 1057 00:56:24,801 --> 00:56:28,262 You want us to have clearer routes for judicial oversight 1058 00:56:28,263 --> 00:56:30,347 for-for these-these kinds of tools. 1059 00:56:30,348 --> 00:56:32,641 Uh, where is that from the United States?" 1060 00:56:32,642 --> 00:56:35,394 I think the Executive Order is a statement that 1061 00:56:35,395 --> 00:56:37,771 everything that came before was not adequate. 1062 00:56:37,772 --> 00:56:40,482 And-And this is a very strong attempt 1063 00:56:40,483 --> 00:56:42,651 to put those guardrails in place. 1064 00:56:42,652 --> 00:56:45,529 My perception, digging into this issue, has been that 1065 00:56:45,530 --> 00:56:48,365 inevitably we're gonna have the first big scandal 1066 00:56:48,366 --> 00:56:51,703 where this is used to scale on American soil. 1067 00:56:52,203 --> 00:56:57,082 Do you think it's headed down a path of more domestic impact? 1068 00:56:57,083 --> 00:56:58,959 I think we can't put 1069 00:56:58,960 --> 00:57:01,170 the technology genie back in the bottle. 1070 00:57:01,171 --> 00:57:03,839 That's kind of an unfortunate reality of these things. 1071 00:57:03,840 --> 00:57:07,843 So once they're out there in the world, um, 1072 00:57:07,844 --> 00:57:11,180 any nefarious use that we can imagine, 1073 00:57:11,181 --> 00:57:13,265 we're probably going to see. 1074 00:57:13,266 --> 00:57:16,643 And so we would be well-served 1075 00:57:16,644 --> 00:57:18,854 to think forward in time, 1076 00:57:18,855 --> 00:57:20,939 um, and anticipate that kind of thing. 1077 00:57:23,568 --> 00:57:26,195 Spyware is here to stay. 1078 00:57:26,196 --> 00:57:28,781 The industry is still growing. 1079 00:57:28,782 --> 00:57:32,076 It's gonna keep getting more sophisticated, 1080 00:57:32,077 --> 00:57:34,119 more intrusive, 1081 00:57:34,120 --> 00:57:35,746 and easier to hide, 1082 00:57:35,747 --> 00:57:39,208 especially as we witness the dawning of a new era 1083 00:57:39,209 --> 00:57:40,752 of artificial intelligence. 1084 00:57:41,211 --> 00:57:44,380 This is still a largely unregulated category 1085 00:57:44,381 --> 00:57:45,714 of technology, 1086 00:57:45,715 --> 00:57:49,009 one that will always be seductively useful 1087 00:57:49,010 --> 00:57:50,552 for law enforcement 1088 00:57:50,553 --> 00:57:53,222 and always pose a threat to democracy 1089 00:57:53,223 --> 00:57:55,225 and human rights. 1090 00:57:56,893 --> 00:57:59,895 Technology is reorganizing the life of the world. 1091 00:57:59,896 --> 00:58:02,106 President Biden likes to say that, in many ways, 1092 00:58:02,107 --> 00:58:03,565 we're at an inflection point, 1093 00:58:03,566 --> 00:58:05,484 where the decisions that we're making now 1094 00:58:05,485 --> 00:58:06,860 and in the next few years 1095 00:58:06,861 --> 00:58:09,405 are likely to shape the next decades. 1096 00:58:12,033 --> 00:58:14,785 Commercial spyware is going to continue 1097 00:58:14,786 --> 00:58:17,539 to shape conflicts around the world. 1098 00:58:18,832 --> 00:58:21,875 Questions remain about the role these surveillance tools 1099 00:58:21,876 --> 00:58:24,337 have played in the Israel-Gaza war. 1100 00:58:25,130 --> 00:58:28,590 Since Hamas's attack on October 7th, 2023, 1101 00:58:28,591 --> 00:58:30,968 sources close to NSO have claimed 1102 00:58:30,969 --> 00:58:33,470 the Israeli government is using Pegasus 1103 00:58:33,471 --> 00:58:35,974 to try and track down hostages. 1104 00:58:36,891 --> 00:58:40,854 And additional investigations have been opened in Poland 1105 00:58:41,271 --> 00:58:43,105 and in Jordan. 1106 00:58:43,106 --> 00:58:44,606 Governments and legislators 1107 00:58:44,607 --> 00:58:48,319 will be struggling to catch up to this technology. 1108 00:58:50,572 --> 00:58:53,490 Tech companies are gonna have to fight harder 1109 00:58:53,491 --> 00:58:54,825 to defend themselves 1110 00:58:54,826 --> 00:58:57,995 against a teeming international landscape 1111 00:58:57,996 --> 00:59:00,373 of unseen adversaries. 1112 00:59:00,707 --> 00:59:03,751 The message is that unchecked spyware 1113 00:59:03,752 --> 00:59:06,337 is a national security risk 1114 00:59:06,338 --> 00:59:08,255 for free societies. 1115 00:59:08,256 --> 00:59:12,217 More ordinary civilians are being ensnared, 1116 00:59:12,218 --> 00:59:14,470 their most private data stolen 1117 00:59:14,471 --> 00:59:16,430 and potentially exploited. 1118 00:59:21,311 --> 00:59:24,438 There will be more families and communities 1119 00:59:24,439 --> 00:59:25,814 upended by this. 1120 00:59:25,815 --> 00:59:27,816 There will be more urgent need 1121 00:59:27,817 --> 00:59:30,944 for the work of activists and researchers 1122 00:59:30,945 --> 00:59:33,281 bringing this out of the shadows. 1123 00:59:33,740 --> 00:59:35,240 This is an important issue. 1124 00:59:35,241 --> 00:59:37,910 I think things are gonna get worse before they get better. 1125 00:59:37,911 --> 00:59:40,621 In spite of the measures that have been taken, 1126 00:59:40,622 --> 00:59:43,833 the industry is only going to continue to grow. 1127 00:59:45,335 --> 00:59:49,004 Otherwise, the only path towards privacy 1128 00:59:49,005 --> 00:59:52,966 might be living without our phones. 90411