American Journalist First To Sue NSO Group Directly For Targeting His Phone
NSO Group is objectively awful. For years - with the assistance of the Israeli government - NSO sold to whoever wanted powerful phone exploits to deploy against targets. Ostensibly sold to investigate violent crimes and acts of terrorism, the less-than-savory customers of NSO flipped the script, deploying zero-click malware that allowed government employees to target journalists, critics, activists, human rights lawyers, and anyone else (INCLUDING EX-WIVES) that made their lives uncomfortable.
NSO has seen its fortunes fall. It has seen VCs, normally immune to public opinion, cut and run. It has been investigated, sanctioned, and pilloried. It lives on somehow, but it's hardly the force it once was.
It has also been sued. And not by entities NSO might feel like blowing off. It tried this quote/endquote tactic" for a bit, but Apple and Meta ain't nothin' to fuck with, to quote the WuTang Clan. It's now facing another lawsuit, as Ronan Farrow reports for the New Yorker. An American journalist targeted by NSO malware wants the company to be held accountable for making his life miserable and interfering with his reporting.
Roman Gressier, an American journalist working for the Salvadoran news outlet El Faro, spent the spring of 2021 in his small, dorm-like apartment outside the capital. He was twenty-six, and had recently moved to San Salvador to pursue his long-standing ambition of working for El Faro, one of Central America's foremost news organizations. Breaking a string of stories documenting corruption and malfeasance in the administration of El Salvador's populist President, Nayib Bukele, El Faro has become a leading source of accountability in Central American media-and a source of frustration to Bukele.
Obviously, this was a problem for the El Salvadoran government. Fortunately, it had access to NSO Group malware. That made this American journalist a target for government oppression, even if Gressier wasn't actually a citizen of the country he reported on.
Gressier is one of at least thirty-five journalists and civil-society members hacked with Pegasus in El Salvador between July, 2020, and November, 2021, according to the analysis by Citizen Lab, which was verified by Amnesty International. The hacking campaign comprised at least two hundred and sixty Pegasus attacks. Because it is more difficult to confirm Pegasus infections on Android phones, which predominate in El Salvador, experts said that the true number was likely far higher.
In El Salvador, targeting of journalists with NSO malware happens all the time.
It's a shitty feeling," Oscar Martinez, El Faro's executive editor, whose phone was infected with Pegasus forty-two times between July, 2020, and October, 2021, told me. Sources, they were very upset with me. And they have the right to be. They just trusted me. And I failed them."
In response, Gressier has sued NSO Group. Assisted by the Knight First Amendment Institute, Gressier is hoping the US court system will allow him to hold NSO Group accountable for violating his rights.
Heading up what could become a class action lawsuit [PDF], Gressier alleges NSO-enabled phone hacking has pretty much destroyed the lives of foreign (and foreign-based) journalists.
The Pegasus attacks have profoundly disrupted Plaintiffs' lives and work. The attacks have compromised Plaintiffs' safety as well as the safety of their colleagues, sources, and family members. The attacks have deterred some sources from sharing information with Plaintiffs. Some Plaintiffs have been diverted from pressing investigative projects by the necessity of assessing which data was stolen, and of taking precautions against the possibility that the stolen data will be exploited. Plaintiffs have also had to expend substantial resources to protect their devices against possible future attacks, to ensure their personal safety, and to address serious physical and mental health issues resulting from the attacks. The attacks have undermined the security that is a precondition for the independent journalism that El Faro strives to provide its readers, as well as the ability of El Faro's readers, including those in the United States, to obtain independent analysis of events in Central America.
For better or worse, the litigation attack vector is the CFAA, an oft-abused law that often allows plaintiffs to silence pesky security researchers or punish people who use their sites and services in ways they didn't expect.
That being said, there's no arguing the threat NSO malware poses to journalists. NSO historically hasn't shown much restraint when it comes to selling licenses, courting a large number of known human rights abusers. Unsurprisingly, the acquisition of malware by these governments has resulted in more human rights violations.
According to the Pegasus Project, a collaboration of more than eighty journalists from seventeen media organizations in ten countries, at least 180 journalists from twenty countries have been the victims of Pegasus attacks directed by authoritarian or rights-abusing governments. For example, Saudi authorities used Pegasus to surveil family members and close associates of journalist Jamal Khashoggi-whom Saudi agents brutally murdered in 2018-as well as other Saudi activists, an Amnesty International researcher, and an American New York Times journalist who has reported extensively on the country. Morocco used Pegasus to spy on journalist Omar Radi. Mexican officials used Pegasus to surveil journalists and lawyers investigating corruption and human rights abuses in the country. Hungarian Prime Minister Viktor Orban also used Pegasus to surveil journalists, lawyers, and social activists.
The lawsuit details multiple targetings of El Faro journalists. As it pertains to the US journalist, Gressier argues this targeting not only violates the CFAA but also violates California's anti-hacking law. Unfortunately, it's going to be difficult to prove targeting that occurred while Gressier was located in El Salvador violates state law (since it likely involved a foreign government entity operating domestically). As for the CFAA, NSO is certain to claim this law does not govern its malware, nor its foreign customers' deployments. And it will no doubt take another pass at getting a court to agree with its sovereign immunity assertions, given that the infections of journalists' phones were performed by government operatives.
Ahead of its filed responses to this lawsuit, NSO has issued yet another nonsensical response to these extremely credible accusations:
In a statement, an NSO spokesperson said that the watchdog groups repeatedly recycle each other's reports and knowingly release speculative, inaccurate and incomplete reports to the media, including to the New Yorker." NSO claims that the groups' analyses rely on probabilities and circumstantial protocols rather than on actual forensics and evidence" and that Citizen Lab and Amnesty are unable to differentiate between NSO's tools and those of other cyber intelligence companies."
Ah, so the investigative work of Citizen Lab is just fake news." OK. This is the verbal sound of flailing by a company that never bothered to care who it sold to until a lengthy negative news cycle forced it to start doing something about the problems it created. And, despite plenty of evidence pointing to misuse of NSO malware, NSO still thinks it can bluster its way past intense investigations by pretending everyone is lying about it and its abhorrent customer base. Good luck with that in court.