Above Photo: Electronic Frontier Foundation’s Cindy Cohn
CounterSpin interview with Cindy Cohn on Pegasus spyware
Janine Jackson: If you don’t know the story of how a consortium of journalists revealed how countries around the world have bought spyware from an Israeli surveillance firm, supposedly to track terrorists and other criminals, well, that’s understandable. Though it is a journalist-driven effort, and is leading to calls for the resignation of officials in Hungary, for example, the Pegasus Project hasn’t really gotten the pay-attention-to-this treatment from US news media. But that emphatically does not mean that the story doesn’t concern you and your right to know.
Cindy Cohn: Thank you.
JJ: We’re talking about the Pegasus Project because of a leak of tens of thousands of phone numbers, believed selected as candidates for possible surveillance by clients of this company, NSO Group. The technology in question doesn’t just allow access to conversations and photos, but can also turn your cell phone into a listening device. But for those who really haven’t heard anything, what is the story here? What’s going on?
CC: There has been a dark business that has existed for quite a while now, developing what we call malware—which is software, but designed to hurt you—and selling it to governments to use against people that governments want to secretly track.
What happened here was that a list of 50,000 phone numbers that had been targeted by NSO Group’s client leaked, and got to a bunch of journalists. And they started analyzing it, and figuring out who some of these people were. And it turns out a tremendous number of them are journalists, all around the world. Kind of reveals how deeply governments are engaged in spying on the people who bring us the news.
JJ: My sense is that this is being treated as suggesting a threat of potential misuse, rather than constituting a harm in its own right. And it seems to be kind of running up against the “Well, it doesn’t have to bother me because I have nothing to hide” phenomenon. I’m not asking you to scare people, but can you just illustrate the seriousness of the findings here? What are the implications?
CC: The NSO Group is reportedly—and this leak confirms it—deeply involved in Saudi Arabia’s spying and ultimately killing of reporter Jamal Khashoggi, as well as a Mexican journalist. This isn’t just about spying; this is about murder, at the end of the day.
And we all rely on journalists’ ability to find out what’s going on, especially in ways that governments don’t like, to be an informed populace. I think it’s not an overstatement to say the question of self-governance turns on whether the current people in power can hide from us the truth about what’s going on in the world.
How do we elect the right people if the people in power right now are making sure we don’t find out the whole story? So I think it’s tremendously important for, fundamentally, are we governing ourselves?
JJ: To be clear: This Israeli company, NSO Group, they’re not the only source of concern here, right?
CC: No, no, no. They’re one of the more notorious and, of course, they were the subject of this leak, and the list of countries is pretty bad here. But, yeah, they’re not the only one.
As I said, this is a business, and it’s a dark business that I think some people—including the UN special rapporteur for freedom of expression—ultimately, we reached the point where we’re calling for a moratorium on governmental use of these malware technologies, because it’s clear that governments can’t use them responsibly. And we don’t have real mechanisms for accountability when they misuse it, either. And so, whether it’s stopping governments from getting this in the first place, or making sure that when governments misuse this information, we have real remedies—we aren’t doing any of that right now.
JJ: I’m going to bring you back to what accountability might look like. But if I can just take a question on media: I’m thinking back to the show 24 that suggested that there might be a time when you need to torture someone, you know, because they have information that would prevent the deaths of many people. We get into a lot of trolley problems and, “Don’t you think the state should be allowed to surveil cell phones in case terrorists something something something?”
The Justice minister in Hungary says, “Every country needs such tools.” How do you talk about what’s being lost here? How do we bring folks back to valuing privacy, in this moment where people—some people, anyway—just seem to have given up, and the idea that, “Well, if I’m not committing a crime, I shouldn’t care about my privacy”?
CC: I think there’s a few things. The first thing I would say is that we shouldn’t take policy advice from a fictional TV show. The reality is, the US Senate did a big report on this, the torture done under the Bush administration. The times in which we need Kiefer Sutherland to torture people, it’s a fiction most of the time; 99.99% of the time, it’s a fiction. And I think if we’re not grounded in that, and if we’re stuck in TV, we’re not going to be able to look at this fairly. So that’s the first thing I would do, is I would push back on this TV show as a basis for us deciding our laws.
The second thing I would argue is that the American Constitution is all about limits on what the government can do, right? It’s not the case that the founders of this country… and for good reason, of course, because we wouldn’t have gotten independence if the founders of this country hadn’t decided that letting the cops just randomly break into people’s houses to find out whether people were paying their taxes or not—remember, the Boston Tea Party was about taxes, and the Fourth Amendment was written because the colonists didn’t think it was OK for the cops to just break into anybody’s house because they might be breaking the law—and that’s what the Fourth Amendment is based on.
And that’s not the only thing. Certainly there’s international law, something called the necessary and proportionate principle that’s built into international law, that reflects some of the same values of the Fourth Amendment. They’re not exactly the same, but both of them recognize that you can’t just “never say no” to government because they might be able to dream up a scenario in which they need power. The whole idea of a society that’s governed by laws and not by men is based upon limiting what the government can do.
So I guess, sure, if we want to just go back to a feudal society where rulers have all the power, we’re certainly capable of doing that. But I would argue that that really undoes hundreds of years of trying to find the balance between governmental power and the rest of us.
I’m sorry, I don’t mean to get historical about it. But I really do think this idea that, you know, because the government can dream up some reason why it might need a power, we should give it to them, really flies in the face of the whole history of this country, and I would argue even longer. So that’s the second thing.
The third thing is, you can’t always predict who’s going to be in power in the future. We just came out of four years of an administration that felt very differently about who its enemies were than the administration before that. And whether you’re a fan of the previous administration or the one before that, you have to recognize that who’s in charge of those levers of power can change, and can change in very dramatic ways.
And again, if you look at the list of people who are on the 50,000 phone numbers that were leaked here, you see the kinds of people who, really, the rest of us rely on. And central to that is journalists; there were over 180 journalists on the list that they were able to confirm, but I suspect there are many be more. Human rights defenders, political activists, opposition parties, even President Macron of France was on the list. So even currently powerful political people were on the list, because they’re being watched by others.
So I think that it’s not realistic to think that we always and forever will have governmental powers who will only use these powers for good and never use them for evil. Instead, we have to put systems and structures in place to cabin those situations, so that we limit the times in which they happen, and we have accountability when they do. To be able to sue if these malware companies are pretending to be them; they have deep pockets, they can do this.
But also the people who are harmed should be able to, and EFF brought a case a few years ago, on behalf of an American guy who was spied on by the government of Ethiopia; he was an immigrant. And we were unable to get a remedy for this guy, because of the doctrine of sovereign immunity. We need those doctrines to get out of the way so that people can have real accountability.
And then the companies that actually built this software need to be accountable when that software is used to hurt somebody. If you have a tool that is designed to hurt people and then it hurts people, you should be held accountable for those harms, and you shouldn’t be able to basically wash your hands of it.
And then, finally, NSO Group claimed that it had a set of rules about who it sold to, and wouldn’t sell to repressive governments. But it seems that they were completely toothless. And we need to hold companies to those kinds of standards. And we need to make them accountable when they violate them.
JJ: And make them transparent, so that folks know what’s going on, because it’s often being told that it’s in our name.
CC: Yeah, totally. That’s the stepping stone, right? Without transparency, you can’t have accountability. We have lived for 200 years in the United States with the idea of warrant, where the government has to go to a judge and make its case, and then it gets a warrant to be able to turn on surveillance against you. The country has not fallen because we have basic accountability in this area. Now, I would argue we probably need more accountability in the context of domestic warrants, but we at least have some. In these international situations right now, we have almost none, and we really need to bring the level up, so that we can stop these kinds of travesties.
JJ: We’ve been speaking with Cindy Cohn; she’s executive director of Electronic Frontier Foundation. You can find their work online at EFF.org. Cindy Cohn, thank you so much for joining us this week on CounterSpin.
CC: Thank you so much for giving us some attention.