Saturday, 23 September 2023 07:06

The Spy Inside Your Smartphone

Credit: Omar Marques/SOPA Images/LightRocket via Getty Images

Around the world, governments are spying on journalists with hacking software originally designed to capture criminals.

Around the globe, journalists, human rights activists, scholars and others are facing digital attacks from Pegasus, military-grade spyware originally developed to go after criminals. Some of the people targeted have been killed or are in prison.

In this episode, Reveal partners with the Shoot the Messenger podcast to investigate one of the biggest Pegasus hacks ever uncovered: the targeting of El Faro newspaper in El Salvador.

In the opening story, hosts Rose Reid and Nando Vila speak with El Faro co-founder Carlos Dada and reporter Julia Gavarrete. El Faro has been lauded for its investigations into government corruption and gang violence. The newspaper is no stranger to threats and intimidation, which have increased under the administration of President Nayib Bukele.

Reid and Vila also speak with John Scott-Railton of Citizen Lab, a Toronto-based digital watchdog group. Scott-Railton worked to identify the El Faro breach, and it was one of the most obsessive cases of spying Citizen Lab has ever seen.

Over the course of one year, 22 members of the newspaper’s staff had their phones infected with Pegasus and were surveilled by a remote operator. Researchers suspect Bukele’s government was behind the spying, though officials have denied those allegations. The breach forced El Faro’s journalists to change the way they work and live and take extreme measures to protect sources and themselves.

Then Reid talks with Reveal’s Al Letson about growing efforts to hold the NSO Group, the company behind Pegasus, accountable for the massive digital attacks.

Dig Deeper

Read: El Faro Journalists, Knight Institute Sue NSO Group Over Spyware (Knight First Amendment Institute)

Listen: Shoot the Messenger: Espionage, Murder & Pegasus Spyware


Hosts: Rose Reid and Nando Vila | Editor: Gail Reid | Production assistant: Sabine Jansen | Sound design and mixing: Pachi Quinones | Executive producer: Rose Reid | Special thanks to Carmen Graterol, Daniel Battista and Isaac Lee. Shoot the Messenger is a production of Exile Content Media and distributed by PRX.

Producers for Reveal: Michael Montgomery and Steven Rascón | Engineering for Reveal: Fernando Arruda and Jim Briggs | Editor for Reveal: Michael Montgomery | Interim executive producers for Reveal: Taki Telonidis and Brett Myers | Digital producer for Reveal: Nikki Frick | Host for Reveal: Al Letson

Support for Reveal is provided by the Reva and David Logan Foundation, the John D. and Catherine T. MacArthur Foundation, the Jonathan Logan Family Foundation, the Ford Foundation, the Hellman Foundation, the Robert Wood Johnson Foundation, and the Park Foundation.


Reveal transcripts are produced by a third-party transcription service and may contain errors. Please be aware that the official record for Reveal’s radio stories is the audio.

Al Letson: From the Center for Investigative Reporting at PRX, this is Reveal. I’m Al Letson.
This past decade has been brutal for journalists. Around the globe, more than 500 reporters and media workers have been killed in the line of duty. According to the Committee to Protect Journalists, one of the most notorious cases was Jamal Khashoggi.
News reports: An explosive new report this morning.
Al Letson: Columnists for the Washington Post.
News reports: Turkish officials have audio and video recordings of the gruesome murder of journalists Jamal Khashoggi inside the Saudi Arabian Consulate in Istanbul.
Al Letson: After Khashoggi’s murder came another disturbing revelation.
News reports: A joint investigation has revealed evidence suggesting spyware was used to monitor those in his inner circle before and even after his death.
Al Letson: Researchers believe the cell phones of Khashoggi’s wife and friends were infected with Pegasus, a military grade surveillance software. It can copy your messages, harvest your photos, and even record you by controlling your phone’s own camera and microphone.
News reports: Pegasus is probably the most advanced piece of spyware ever developed. It is effectively the most invasive form of surveillance imaginable.
Al Letson: This summer, Khashoggi’s widow filed a lawsuit against the Israeli company that makes Pegasus, the NSO Group. NSO has denied its software was used to target Khashoggi. They say Pegasus is only sold to governments for tracking and capturing criminals and terrorists. But over the years, many confirmed targets of Pegasus have not been criminals or terrorists. They’re human rights activists, scholars, journalists.
Today, we’re partnering with the podcast series, Shoot the Messenger, produced by Exile Content studio. Hosts Rose Reid and Nando Vila investigate how Pegasus was weaponized to go after an entire newsroom, reporters, editors, photographers, accountants, all working in one of the most dangerous countries in the Western hemisphere, El Salvador.
Rose Reid: Carlos Dada is an award-winning journalist who for more than two decades has run the newsroom of El Faro, based in the Capitol, San Salvador.
Carlos Dada: It’s an online media that turns 25 years old this year, which means we were born before Google. We were born in a country where not many people had access to the internet in 1998. We started it just as an experiment. Here we are.
Nando Vila: El Faro is a special newsroom because it was the first exclusively digital newspaper in Latin America. In English, El Faro means the lighthouse.
Rose Reid: Known for its investigative reporting, El Faro has been referred to as “a breakthrough digital newspaper blazing an independent and ethical trail in Central America”.
Carlos Dada: I think that we were able to attract a very talented generation of Salvadorian journalists, all children of the post-war.
Nando Vila: When Carlos references the war, he’s talking about El Salvador’s civil war in the 1980s and early nineties. The 12-year conflict pitted a leftist gorilla coalition backed by Cuba against the government and far right paramilitary groups, which received more than a billion dollars in military support from the US.
News reports: The Reagan administration in Washington is backing the government drive with arms, money and advisors.
Rose Reid: It’s estimated that more than 75,000 civilians were killed. Nearly a quarter of the Salvadorian population moved to the US. The devastating effects of the conflict lasted for decades. El Faro has reported on all of that, including government corruption and gang violence.
Carlos Dada: We do long feature stories that deal with violence, with organized crime, with corruption, with human rights violations and with politics.
Nando Vila: Carlos and his colleagues are no stranger to threats. Over the years, police have made unofficial visits to the newsroom. Unidentified people in unmarked cars, showing up unannounced to the El Faro offices to intimidate its journalists.
Carlos Dada: We’ve received messages from organized crime. We received veiled threats from public officers. Gangs publicly said that if it was up to them, we should not exist.
We have been harassed in the form of physical harassment, of having strange people standing out of our homes. We have received drones standing by our windows.
Rose Reid: It wasn’t just outside his windows. Carlos says one time a drone actually flew into his apartment. It hovered for about a minute in his living room and then darted away.
Because they’ve been operating in such a dangerous environment for so long, Carlos’s team takes extra precautions when they’re working with their sources. They’re careful with how they communicate with each other. They pay attention when something seems a little off.
In 2021, reporter Julia Gavarrete noticed something was off with her brand new iPhone.
Julia Gavarrete: I start having a lot of problems. For example, the battery was very, very low in a short time.
Rose Reid: An app that she relied on to make encrypted calls with her sources wouldn’t open.
Carlos Dada: The phone was overheating and the screen started turning off or opening apps that she was not opening.
Julia Gavarrete: We were just having this sensation of that someone was reading or someone was in our phones, but we never thought about Pegasus.
Rose Reid: Julia’s phone was eventually sent to Citizen Lab. It’s a digital watchdog group that essentially tracks human rights violations on the internet.
John Scott-Rail…: The lab had been aware that something was up in El Salvador. There was something going on with Pegasus there.
Rose Reid: John Scott-Railton is a senior researcher was Citizen Lab, which is based at the University of Toronto’s Monk School. A lot of their work focuses on tracking mercenary spyware like Pegasus.
John Scott-Rail…: It’s not uncommon for us as researchers to know that Pegasus spyware might be being used in a country, but to have really no idea of who those victims are. The problem is, if you just go hunting for those people, you’re looking for needles in a stack of needles.
Rose Reid: John texted Julia. They had found Pegasus on her iPhone.
Julia Gavarrete: It was overwhelming. I start thinking about, “Okay, I’m the target right now.” But the thing was, it’s obvious that it’s not only me. There are more people here that are targeted as well.
Rose Reid: They then started to put the pieces together of what was happening, not just with Julia, but with her colleagues too.
John Scott-Rail…: There is a pattern to Pegasus cases, which is if you find one in a given country, you’re probably going to find a lot more.
Carlos Dada: Well, since they kept asking for more phones, we sent all the phones.
Rose Reid: When researchers took a closer look, John says there was something different about how Pegasus was being used on El Faro.
John Scott-Rail…: I was just like, “Can that be right? I’ve never seen anything like that.” It was that they were really targeted, just in a radical manner. It’s not something that we’d seen before in anything like this volume or this number of cases.
Carlos Dada: Citizen Lab were so impressed by our case. We thought, “Well, maybe this is really big. This is something extraordinary.” That’s what it was.
John Scott-Rail…: Since the initial discovery of Pegasus, we’ve been on this journey to try to understand where it is, how it’s evolving, who the customers are, where the targets may be.
Nando Vila: John has worked with Citizen Lab for the past decade and has been tracking Pegasus since 2016. That’s when they made their first discovery of a Pegasus infection on the phone of a human rights activist from the United Arab Emirates named Ahmed Mansour. He’s been in prison since 2017.
John Scott-Rail…: That journey has continued unbroken since those first findings around Ahmed Mansour. That approach gave us a trail of digital breadcrumbs that we continue to follow to this day.
Nando Vila: Pegasus is the most sophisticated spyware made to date. It can bypass any encryption because it uses a loophole in a phone software to be a hidden but active parasite. The NSO group, the company behind Pegasus, has said Mexican authorities use their product to help capture the drug lord, Joaquin Guzman, better known as El Chapo, by tapping the phones of people in his inner circle, but Citizen Lab has confirmed journalists have also been targeted.
John Scott-Rail…: One of the components of our work, of course, is this constant effort to try to understand where Pegasus is located in cyberspace. Where is the data that’s being taken from phones going?
In some cases, our research has been able to determine clusters of servers that belong to, we could say a single deployment, and then try to understand where in the world the infections are that are talking to that cluster.
Nando Vila: Pegasus allows an operator in one country to steal information from phones in multiple countries. In El Faro’s case, the hacker seemed to be close to their target.
John Scott-Rail…: Back in 2020, we observed an operator that appeared to be involved in El Salvador. This means there’s a Pegasus operation going on in El Salvador. By the next year, we were investigating these cases.
Rose Reid: When the El Faro journalists learned that Julia Gavarrete’s iPhone was infected with Pegasus, they suspected the Salvadorian government was behind the attack. The government has denied the use of Pegasus, but as we’ve heard, harassment of the media by the government is hardly new.
Carlos has covered the terms of six different Salvadorian presidents. Some of those administrations have tried to intimidate or silence independent press in El Salvador, or just make their business difficult.
Carlos Dada: In the form of legal harassment, we are the subject of four different tax audits. Harassment has intensified during this administration of President Nayib Bukele.
Nando Vila: Nayib Bukele. Bukele was elected president in 2019 at the age of 37. He has a beard, wears skinny jeans, leather jackets, and backwards baseball caps. He once described himself on Twitter as the world’s coolest dictator. Fluent and prolific on social media, he has said that Instagram posts can be more important than assembly floor speeches. Bukele has led a brutal campaign to crack down on gangs, which, since El Salvador’s Civil War, have been a powerful force.
Nayib Bukele: [inaudible 00:11:42].
Nando Vila: This is Bukele describing his war on gangs and corruption in a speech to the nation in June. He boasted about opening a mega prison, possibly the world’s largest. During his tenure, more than 65,000 people have been arrested for being suspected gang members. Before becoming president, he was a city mayor. El Faro was one of the few Salvador and outlets to cover his unconventional race for president, as Bukele ran outside the two main political parties.
Carlos Dada: Mainstream media in El Salvador will not cover his political messages or his political conferences. We did. By that time, he was only talking to us because we were the only ones willing to talk to him. As soon as he became president, we started reporting on his government.
Rose Reid: In Bukele’s first year in office, he began to work on consolidating his power. In February of 2020, he was trying to push through a loan of $109 million for military equipment and was meeting resistance from Parliament.
News reports: After speaking for half an hour, the president went into the legislative assembly. He said he would give the members of the parliament another week to approve this loan. He said if they didn’t do that, he would return to the assembly.
Rose Reid: A few weeks later, lawmakers were in session. Heavily armed police and soldiers arrived to occupy El Salvador’s parliament building.
News reports: Soldiers entered El Salvador’s parliament as the president demanded lawmakers approve a $109 million loan to equip the military and police to fight against violent gangs.
Carlos Dada: He entered Congress, followed by soldiers armed for conflict to threaten the congressmen that he was going to sack them that day. He didn’t in the end. He prayed to God sitting in the chair of the President of Congress and he left the place and he talked to the crowd outside Congress. He told the crowd, “God asked me for patience.”
Nayib Bukele: [inaudible 00:13:52].
Rose Reid: The president was pushing Congress, which he didn’t get control, to approve the loan.
Carlos Dada: Congress was asking for more information about it. What he did was to threaten Congress that he was going to stage a [inaudible 00:14:14] against Congress.
Rose Reid: Not long after Bukele threatened a coup, El Salvador held parliamentary elections.
Nayib Bukele: [inaudible 00:14:27].
Carlos Dada: He won the majority. On the first session of the new Congress that he controlled, Congress dismissed some Supreme Court justices, or judges, which is of course unconstitutional. That’s how Bukele got in control of all the institutions of the state.
Rose Reid: El Faro pressed on with their coverage of Bukele’s power grab and the harassment intensified. In November of 2020, the President criticized El Faro on Twitter saying, “They say they do independent and truthful journalism. At least the pamphlets are good for ripening avocados or cleaning up after pets.” And this tweet, “El Faro and friends have become a website with opposition content. If there was any journalism left there, it’s gone.”
Carlos Dada: Bukele is not only the president, he’s the most popular president in the whole Western hemisphere. He has around 85% of popular support. When a president with that traction, with that huge percentage of followers, which that divisive speech declares you a public enemy, that means that a lot of that 85% of the people will believe him, will believe that we are not publishing the truth because the truth is what the government says.
Rose Reid: All of this raises some questions. If Bukele’s propaganda machine is so powerful and if he enjoys genuine popular support, why bother spying on journalists? Is there any way to figure out if Bukele’s government really was behind the Pegasus attack?
Al Letson: One of the reasons Pegasus is so powerful is because it’s very hard to trace an attack back to the source, but in this case, the hacker left behind some important clues. That’s up next on Reveal.
From the Center for Investigative Reporting in PRX, this is Reveal. I’m Al Letson. We’re following the spread of a virus, a human made information virus. Pegasus is spyware developed to help governments crack into smartphones, to target drug traffickers and terrorists, but Pegasus has also been used against journalists, activists and scholars, and in the case of the El Faro newspaper in El Salvador, an entire newsroom. Rose Reid and Nando Vila from the podcast series Shoot the Messenger are tracking the efforts to figure out who was behind the attack.
Nando Vila: In the months after Citizen Lab found Pegasus on the phone of El Faro reporter, Julia Gavarrete, the newspaper was facing direct and public attacks from President Nayib Bukele. In trying to connect Bukele’s government to the phone hack, there was some unique evidence. Once again, this is Citizen Lab’s senior researcher, John Scott-Railton.
John Scott-Rail…: Sometimes we get lucky and we get a device that’s just been infected and we’re able to say, “Okay, well, we can connect this infection to a cluster of servers that we were monitoring.” What’s interesting about the El Salvador case is we did have one case where we were able to connect one of the infections to an operator.
Rose Reid: That case involved an El Faro reporter named Carlos Martinez. Researchers caught a spyware attack on Carlos’s phone. The technical term is intermission. They caught it as it was happening, in real time.
John Scott-Rail…: We were able to discover that there was a failed exploit attempt on his device. We connected that failed exploit attempt to the operator that we called Torogoz, which had been pretty much exclusively targeting within El Salvador.
Carlos Dada: They saw the operator live into Carlos Martinez’s phone that allowed them to geo-locate the operator. To no surprise, it’s based in El Salvador. That’s who was operating Pegasus in our phones.
John Scott-Rail…: Which further adds to the suggestive evidence pointing at the likelihood that the El Salvadorian government may be the operator in this case.
With each infection you can kind of hear a cha-ching in the background, as you imagine the process of analyzing the data, the process of targeting the person. All of these other pieces that would’ve had to go into it, I imagine just reams and reams and reams of paper and documents authorizing and requesting infections again and again and again and again, and then reports generated based on that material.
Nando Vila: The NSO group, the Israeli company behind Pegasus, insists it only sells to government agencies like security and intelligence services. Since Pegasus is classified by Israel as a cyber weapon, the NSO group is required to get government approval for every sale. It works like a subscription service. Countries use a portal. Depending on the package, are allotted a specific number of targets. The idea is the more you pay, the more targets you get, but NSO is very protective about the intricacies of their deals. Carlos Dada says that makes it all the more difficult to figure out who was spying on his newspaper.
Carlos Dada: Since NSO keeps such a secrecy over who they sell Pegasus to, the government of El Salvador has been able to say it’s not us.
Nando Vila: Most of the time hacks with Pegasus are a single hit, largely because of how expensive it is to use. The person operating it will break into a phone, take a copy of everything and get out, but that was not the case with the El Faro hack.
John Scott-Rail…: I’m pretty accustomed to looking at the readouts and the number of infections that we show when we do an analysis. Again and again, the results from the El Faro journalists would literally fill my screen with cases, with numbers of infections. It was that they were really targeted 10, 20, 30, 40 times the same individual. This was obsessive every day, constantly hacking and re-hacking every time this person would restart his phone. That’s really intense.
Carlos Dada: In my case, out of a year and a half, Citizen Lab says the intermission might have lasted 167 days. That’s not only getting into your phone, sucking the information. That’s living with you. Basically, I had someone living in my phone next to me, turning on the microphone, turning on the camera, knowing where I was going and who I was meeting with.
It was more surprising that even people from the accounting department, from the managing part of El Faro was also… I don’t know the exact word, contaminated with Pegasus, which lets you know the scope of this intermission and the amount of money they spent to find out everything about our operation and about every single one of us.
John Scott-Rail…: It wasn’t just one or two people at this news organization. It was like somebody had done a core sample through the entire organization. It was monitoring people left and right, journalists, editors, publishers, the works.
Rose Reid: Citizen Lab uncovered a total of 226 infections detected on 22 members of El Faro over the course of a year.
John Scott-Rail…: We try to get people informed very quickly. There are times when I will go to sleep knowing that the next day I’ll have to talk to some people and give them some tricky news. People often want to know. People are relieved to learn that they have been hacked. For a lot of people, it is also clarity and truth in a scenario where those things are hard to come by.
Rose Reid: After the hack was discovered, Carlos met with his newsroom to talk about what this meant for them personally and for their sources.
Carlos Dada: Our lifestyle was already different. Everybody knew what was going on inside El Faro. We have a very solid team in that sense. I felt that my first obligation was letting everybody know that the healthiest decision would be to leave, to quit El Faro, and that I didn’t want anyone to stay because they felt some kind of obligation. I have been very insistent about that. Some people left. We all let them know they were entitled to that and that that was a normal thing, but if you wanted to stay, you should know that silence is not an option. We are not going to let these things silence us while we are working here.
Rose Reid: You had said that, people who work at El Faro, that our lives were already different. What does that mean? How are your lives different working at El Faro?
Carlos Dada: I think our public life, meaning going out to parties, to public places, have already diminished a lot. Let me give you a good example. One day after a tough night in, health-wise, in the morning of a Saturday, I went to the pharmacy, I think it was 8:00 AM, to get medicine and buy a couple of Gatorades. 15 minutes later, the press secretary was Tweeting a photo of the drugstore where I went saying, “Carlos Dada was just here buying five Gatorades. That’s the size of his hangover. Let’s hope he didn’t rape any women yesterday night.” That’s the kind of things that were happening.
Rose Reid: The most important thing to the reporters at El Faro was what this would mean for their sources. The people who risked their jobs, their careers, and even their safety, to share with them critical pieces of information and evidence about Bukele’s administration and possible corruption.
Carlos Dada: We talk to a lot of sources every week, so it’s impossible to talk back to all the sources that we have dealt with during all the time that turned out that we were being tagged with Pegasus.
We asked Citizen Lab for the dates of the intermissions into everybody’s phones. We crossed this information with our news cycles.
Nando Vila: When they looked at the points in time when their phones were being targeted, they noticed something startling, that the hacks often coincided with their stories on corruption and Bukele’s deals with gangs.
John Scott-Rail…: There was this nexus of timing between reporting on corruption and reporting on negotiations with murderous gangs like MS 13 and some of that targeting.
Carlos Dada: That was a huge story. MS 13 is a gang, the biggest gang in El Salvador. I don’t know how to describe how powerful they are because it has to do not only with a number of members, but also with the businesses they have or the things they move.
A few weeks after that, we published a news story that said that it was not the only gang that Bukele was negotiating with. He was also negotiating with the 18th Street gang, which is the other big gang. Those were two big red dots when we crossed the data. What we had were videos, photographies, and official paperwork from the prisons where the leaders were taking out or where government offices would visit to talk to them. That proved that Bukele had been negotiating with them. That’s what explained the reduction of the homicide rate in the country.
Rose Reid: El Faro published their article about President Bukele’s negotiations with MS 13 on September 3rd, 2020. The article outlined how Bukele was making an alliance and brokering deals with the leaders of MS 13 to reduce violence in exchange for favors, better prison conditions, and the release of high ranking gang leaders from prison.
Nando Vila: A few weeks later, Bukele struck back. He announced El Faro was being investigated for money laundering.
Nayib Bukele: [inaudible 00:27:37]
Rose Reid: During the month the article was published, at least one El Faro employee was surveilled with Pegasus every single day. The data indicated a strong link between Pegasus infections and the newspaper’s corruption investigations. Carlos says many of El Faro’s findings were substantiated earlier this year in US Court as part of an investigation into MS 13’s transnational operations.
Carlos Dada: The United States Justice Department presented an indictment in New York in a federal court against 13 members of the MS 13 gang where they detailed the negotiations between the gang and President Bukele’s administration. According to this indictment, they were negotiating in exchange for economic benefits for territorial control and for the refusal of the Bukele administration to extradition requests from the United States.
We, in the end, also knew and published that some Bukele administration officers personally took out of prison MS 13 leaders and drove them to the border with Guatemala. These are the kind of stories we were publishing during this cycle.
Rose Reid: What do you think that the people behind the attack were looking for?
Carlos Dada: My first impression is that they want to know who we’re talking to. They want to know who our sources are, who we meet with, because we’ve been publishing inside information in the last years, and that’s how we found out about Bukele’s deals with gangs. That’s how we found out about some corruption scandals. You can imagine the risk for those people.
That’s my first impression, that they wanted to go after that. But as we’ve seen, that happened to journalists in other autocratic ruled countries, they are looking for intimate images that they can blackmail the reporters with or discredit them by handing them to the public.
Julia Gavarrete: We knew that in El Salvador it is hard to be a journalist, but now you have to be stronger if you want to make the type of work that we are doing.
Nando Vila: When it comes to the Pegasus infections at El Faro, reporter, Julio Gavarrete was patience zero. She says it got under her skin. It affected her mental health. She felt paranoid. She had to change the way she lived and worked.
Julia Gavarrete: You have to take care of your sources or you have to take care of the information that someone shared with you. You have to take care of your own family. We keep analyzing our devices just to check if we are still victims of Pegasus, but there are more. Pegasus is not the only program that they can use.
Nando Vila: For John Scott-Railton from Citizen Lab, he’s seen Pegasus used in all sorts of ways by governments trying to stop the press or to attack human rights defenders.
John Scott-Rail…: Maybe it’s used purely strategically. They don’t want to do anything that would show that they have it. Instead they try to use it to frustrate the designs or plans or activities of an organization. Maybe in other cases it’s going to be used to blackmail people, or maybe it’ll be used to try to discredit people. Think about all the things that you do on your phone and then imagine what would happen if all of those things were dumped out on the table. Think about what they might do in your personal life and your work life. That kind of creativity, unfortunately, is the stock and trade of security services in authoritarian and repressive regimes.
Nando Vila: We saw in the killing of Saudi journalists, Jamal Khashoggi, that Pegasus has been connected to murder investigations. Carlos Dada knows this firsthand.
In 2017, his good friend, Mexican investigative reporter, Javier Valdez, was shot dead in his hometown of Culiacán. Javier Valdez investigated corruption and drug cartels, the same kind of work El Faro does. Police investigations have revealed he was killed for his reporting.
Citizen Lab discovered something more, that his widow was targeted with Pegasus within weeks of his murder.
Carlos Dada: Javier Valdez was a character. He was not a Mexican journalist. He was Javier Valdez. There’s no one like him. What a marvelous man to describe in a very literary way the horrors of drug trafficking and its consequences in a place like Sinaloa in Mexico.
He was exceptional as a journalist, but his ultimate fate was not exceptional among Mexican journalists. But again, also Mexico is not an exceptional place. It may be the worst, if not one of the worst places to do journalism, but not the only one where journalists are being killed. The commonality in these countries is a level of impunity, which allows criminals to think we can kill a journalist and we won’t pay the consequences.
Rose Reid: In January, 2022, Carlos, Julia and their colleagues prepared to publish an article about how El Faro’s newsroom was targeted by Pegasus. They wanted to share with the world the scale and intensity of the attack and warn their sources.
Carlos Dada: I told my family. I told my girlfriend. I told some of my friends, “This is what happened. You should know from me before you know from our publication at El Faro.”
Julia Gavarrete: I was alone in my house just waiting for the moment everything was going to be released. Yeah, I was scared a little bit. We were telling our own stories. It was the first time that I worked on something like that. We don’t use to talk and we don’t like to talk of ourselves.
Speaker 9: [inaudible 00:34:08]
Carlos Dada: We became the story, which is very uncomfortable for journalists. We tell other people’s stories.
When we published the story that we have been infected with Pegasus, we felt the obligation to run an editorial, which was titled to our sources, basically telling our sources we have done anything in our hands to protect you. Take your own measures, just know what is happening. Of course, what happened the day after is that no one else wanted to talk to us anymore. It has taken a long time to construct systems of communication with sources that are safe.
Rose Reid: Carlos says that it was only after they published the article about the Pegasus attack that he had the time to think about all the personal consequences.
Carlos Dada: I felt so invaded, that the only thing that I felt that I needed to do was get into the shower and open it. I needed to clean myself from something very dirty. They have all my photos, they have all my videos. They have the photos of my dear ones. They have been listening to my conversations in my apartment with my girlfriend, with my friends, with my not so friendly friends. They have been living with me for many, many days.
Rose Reid: Today, the staff at El Faro remain dedicated. They found new ways to communicate safely. It makes their work more difficult, more tedious. They often have to travel within El Salvador and outside the country to work effectively and be safe.
Carlos Dada: We are going back and forth, going out and going back in. Some of them have spent months out of the country and then they go back. We are trying to measure the risks week by week.
John Scott-Rail…: These people are at such risk. Clearly, even though they knew that they were at risk at the time, there were risks that they didn’t fully understand, these digital risks. That made me angry. It made me angry because I thought that the work that they were doing was critically important so that the world would understand what was going on in El Salvador, and yet there was this digital subversion going on on their devices trying to make it really dangerous for them to do truth telling and to talk to sources.
Carlos Dada: Pegasus is just one element of the harassment and attacks against independent President El Salvador. They passed a law criminalizing publication about gangs that can bring a reporter or a publisher or an editor up to 15 years in prison for publishing a story about gangs, with the clear intention of silencing us who were publishing Bukele’s secret negotiations with gangs. Since we decided that silence is not an option, when we publish a story about gangs, we have faced the need to take those reporters out of the country for some time. Pegasus is just another means that this government has to attack and harass independent press, but far from the only one.
Al Letson: Coming up, what the Pegasus hack of El Faro means for the free press around the world.
John Scott-Rail…: Think about what happened to El Faro as a canary in the coal mine. It is highlighting what happens when an unaccountable government gets his hand on a powerful surveillance tool. It will be abused.
Al Letson: You’re listening to Reveal.
From the Center for Investigative Reporting in PRX, this is Reveal. I’m Al Letson. When Pegasus was developed, it was marketed secretly to intelligence agencies as a tool for tracking terrorists and drug traffickers. Its creators have said that sometimes that necessitates spying on innocent people.
This is the NSO group’s former CEO, Shalev Hulio, on 60 Minutes, talking about how Pegasus helped authorities in Mexico capture Joaquin Guzman, AKA El Chapo.
Shalev Hulio : They had to intercept a journalist, an actress, and a lawyer. Now, by themself, they’re not criminals, but if they are in touch with a drug lord, and in order to catch them, you need to intercept them.
Al Letson: Okay, so let’s assume that in the right hands, Pegasus can help catch the bad guys, but in the wrong hands… Well, we’ve seen what happened at El Faro and around the globe. Traces of Pegasus have been discovered on the phones of journalists, human rights activists, and politicians. Some of the people spied on were either killed or put in prison, but to this day, no one knows the full story of Pegasus. With me to talk about all of this is Shoot the Messenger cohost, Rose Reid. Hey, Rose.
Rose Reid: Hey Al. It’s great to be here.
Al Letson: I gather that one of the many frustrations for El Faro and other media outlets goes beyond the extensive spying and the damage it’s caused.
Rose Reid: Yeah, it’s really about the total lack of accountability for all of this. As we mentioned, El Salvador has denied using Pegasus. Since NSO groups contracts protect the identity of its customers, we can assume it’s the government of Nayib Bukele, but we don’t have exact confirmation, although we did learn that Citizen Lab saw in real time an operator in El Salvador targeting a journalist at El Faro.
Al Letson: No one has been held accountable in El Salvador for these hacks. What else can a media organization like El Faro do?
Rose Reid: Well, there’s one thing El Faro has done. They’ve teamed up with the Knight First Amendment Institute at Columbia University. They’re actually suing the NSO group. Their case says the attacks violated the Computer Fraud and Abuse Act, which is an anti-hacking statute that dates back to the eighties. The Act itself does say that it can extend beyond US soil. What’s really interesting about this case is that if Carlos Dada and the 17 other folks from the newsroom who have sued the NSO group, if they win, the client of the NSO group who targeted them will be revealed.
Al Letson: With such intrusive spyware like this, they can’t be the only ones suing the NSO group.
Rose Reid: That’s right. The legal cases against the NSO group are mounting. We mentioned at the top of the show that the widow of Jamal Khashoggi has filed legal action. There’s another lawsuit on behalf of Meta, and specifically WhatsApp. They alleged that Pegasus was used to exploit a bug in WhatsApp and target more than 1400 people. That also included activists and journalists. Most importantly, Apple is suing the NSO group. Apple is saying that the NSO group violated their infrastructure to target these people. That’s actually how Pegasus works. The whole idea about Pegasus is that it finds an exploit in either your iPhone or your Android.
NSO has asked the courts to dismiss these cases. The courts have not ruled in their favor, so it’s possible that these cases will proceed.
Al Letson: Why is that important?
Rose Reid: NSOs business model relies on secrecy. That means keeping all of their clients, AKA governments, countries, hidden. If the case proceeds and moves to court, something called the discovery phase begins. Discovery could bring a lot of problems for the NSO group because their contracts, documents, emails, phone calls, text messages, could all be subpoenaed.
If Carlos Dada and El Faro win their lawsuit against the NSO group and the client is revealed, it would create a strong deterrent for countries around the world from using Pegasus and spyware like it because they couldn’t assume protection and secrecy.
Al Letson: I hear all these stories and see all the research that’s been compiled. It’s really hard for me to accept the NSOs claims that Pegasus isn’t involved in these attacks.
Rose Reid: Yeah. This is something I wonder a lot about too. I think a lot of people have given this a lot of thought. There’s evidence that Citizen Lab and other research groups have collected that’s really compelling that Pegasus is involved.
Now, the executives at the NSO group have declined to speak with us, but in their defense, they’ve said that Pegasus is classified as a cyber weapon. Every sale has to be approved by the Israeli government. Its contracts with other governments and intelligence agencies have all kinds of restrictions. NSO also says if a government abuses their software and targets illegitimate targets, that they’re cut off as clients.
This is Omri Lavie, one of NSOs co-founders, speaking in an interview that was posted on YouTube.
Omri Lavie: We do everything within our power to prevent and make sure that this technology is not misused. We’re taking the regulation that is put on our shoulders and taking it even further by having our own regulatory leaps and bounds of committees and people involved that try and prevent, as much as possible, misuse of this technology. But I just want to add that nothing will ever be a hundred percent.
Al Letson: He says nothing will ever be 100%, but that’s quite a caveat when you’re talking about spyware this powerful. It makes me wonder, how would the NSO know if a government is violating terms of their contract? Does the NSO require its clients to reveal the identity of a potential target, or are these just rogue operations?
Rose Reid: Yeah, I think this is where the NSO group has really tripped up because they basically have said conflicting messages. On one hand, they say, “We do a lot of due diligence. We really investigate our clients before we sign them onto a contract.” They’ve also said, “We don’t know exactly who our clients are targeting. We give them a portal. They’re the ones who are operating it.” And they don’t have control over what their clients are doing.
Basically you could sum up their business model as, trust us, we’ll investigate, but they don’t want to give a definitive statement on how involved they are with the targeting and infections with their customers. What’s really important for us to remember is that the abuses are still proliferating.
Al Letson: The NSO group has become so controversial. It’s been blacklisted by the Biden administration, but it’s also hugely profitable.
Rose Reid: That’s right. When the co-founders, Shalev Hulio and Omri Lavie, when they started out in the mid two thousands, cybersecurity was a budding industry, measured in the millions. Today, the cyber warfare industry and the mercenary companies that support it, represent more than $43 billion. Those are just the reported numbers. Bloomberg projects that there are more than 200 companies in this space. The NSO group is just one of the most famous, or infamous.
Al Letson: Okay, so let’s say the lawsuits are successful and Pegasus is eventually shut down, given how much money is at stake, could this kind of technology just find a new life in some other form?
Rose Reid: People who have thought deeply about this say that Pegasus is just a first iteration. Like so much of how technology evolves, so does something like Pegasus. We’ve even seen it go from one click to zero clicks. I think that we’re already seeing this kind of evolution happen. I think a lot about what John Scott-Railton from Citizen Lab had to say about how the NSO group was trying to market Pegasus.
John Scott-Rail…: Think about what happened to El Faro as a canary in the coal mine. It is highlighting what happens when an unaccountable government or an unaccountable security service gets its hand on a powerful surveillance tool. It will be abused. We are seeing early cases, high risk places, places with maybe security services that are not as good at hiding their tracks, but that’s not where this ends. It ends in a police department near you. That should concern all of us.
Rose Reid: The key word is vigilance, for all of us. We need to be vigilant about the nexus, the close connections between private industry and the government, especially in the area of technology. We can’t simply trust what any government tells us because we’ve seen how some of this advancing technology can pose direct threats to democracy, in places where democracy is struggling or where it’s under threat, to keep it that way.
Al Letson: Rose, thanks so much for talking to me.
Rose Reid: It’s a pleasure, Al. Thank you for having me.
Al Letson: Rose Reid is a co-host and executive producer of Shoot the Messenger, a podcast from Exile Content Studio and PRX.
We just heard about how spyware like Pegasus continues to evolve. As we’re finishing this show, as if on queue, there was some news. Citizen Lab reported that Pegasus found a new way to take over an iPhone through its messaging app. No clicks. Pegasus just took control.
The reported target of the hack was a person working at an international NGO based in Washington, DC. Apple quickly responded with an emergency software update.
We know the El Faro newspaper is just the tip of the iceberg when it comes to Pegasus. For a deeper dive, you can binge the entire 10 episode series, espionage, murder, and Pegasus Spyware. That’s on, Shoot the Messenger. Find it anywhere you get your podcasts.
This week’s show was produced by Michael Montgomery and Steven Rascón. Michael also edited the show. Special thanks to Nando Vila, Sabine Janssen, Gail Reed, Carmen Graterol, Isaac Lee, and the entire team at Exile Content Studio. Thanks also to the Committee to Protect journalists.
Nikki Frick is our fact-checker. Victoria Baranetsky is our general counsel. Our production manager is Zulema Cobb. Score and Sound design this week by [inaudible 00:49:56], with help from Jay Breezy, Mr. Jim Briggs, and Fernando, my man, Arruda. Our CEO is Robert Rosenthal. Our COO is Maria Feldman. Our interim executive producers are Taki Telonidis and Brett Myers. Our theme music is by Comarado, Lightning. Support for Reveal is provided by the Revan David Logan Foundation. The Ford Foundation, the John D and Catherine T MacArthur Foundation, the Jonathan Logan Family Foundation, the Robert Wood Johnson Foundation, the Part Foundation, and the Helman Foundation.
Reveal is a co-production of the Center for Investigative Reporting in PRX. I’m Al Letson. Remember, there is always more to the story.