Digital Violence: How the NSO Group Enables State Terror

NSO Group Technologies Ltd. was founded in Israel in 2010 by Niv Carmi, Shalev Hulio and Omri Lavie. Part of an ecosystem of Israeli cyber-weapons companies—developed in the context of its ongoing occupation and settler-colonial surveillance of Palestinians—NSO’s Pegasus malware has reportedly been used since at least 2015 in at least 45 countries worldwide to infect the phones of activists, journalists and human rights defenders.

Forensic Architecture’s interest in the NSO Group dates back to 2017, when reporting by The Citizen Lab revealed that members of Centro Prodh, our collaborators in investigating the disappearance of 43 students from Ayotzinapa, Mexico, had been hacked using Pegasus.

The investigation into NSO Group began two years later, when Forensic Architecture learnt that our close associates, members of the legal team leading a suit against NSO on behalf of a number of human rights defenders, were informed by WhatsApp in 2019 that their phones had also been infected.

While reporting on this issue incrementally exposed new cases of infection, we undertook this project in order to provide the public, researchers and the legal team with a general tool to explore relations among different types of NSO-related activities worldwide.

NSO has yet to confirm a single state or corporate client, and continues to receive security export licences from Israel’s Ministry of Defence for the sale of Pegasus—despite being challenged in Israeli and international courts.

The investigation consists of:

1. A navigable digital platform,
2. Video investigations to tell the stories of human rights defenders from around the world reportedly targeted by Pegasus, and
3. An interactive diagram and video presenting new research into the web of corporate affiliations within which the NSO Group is nested.

With this, Forensic Architecture has for the first time mapped the global landscape of NSO-related activities to demonstrate new connections and patterns between ‘digital violence’ using Pegasus and real-world violence directed at lawyers, activists, and other civil society figures.

The data for the project is based on fifteen months of open source research that extracted data from hundreds of pages of documents as well as interviews. The Platform offers the most comprehensive database to date (containing over a thousand data points) of the reported infections of the phones using Pegasus.

Forensic Architecture developed bespoke open-source software to present this data as an interactive 3D platform, which will be updated as our investigation continues.

The infections enabled by NSO’s Pegasus malware that have thus far been publicly exposed likely form only a part of a more expansive deployment against civil society actors across the world. However, the data collected does already suggest possible patterns in the ways that digital targeting using Pegasus operates:

1. Digital infections do not target civil society actors as individuals, but rather as networks of collaboration. Our platform shows that in Mexico, Saudi Arabia and India digital targeting (blue dots) starts with one person, before their professional networks are targeted within a similar time period. In each of these examples, the use of Pegasus occurs after or during periods where these civil society networks expose or confront controversial or criminal state policy.

2. Digital infections of civil society groups occur alongside other forms of violence experienced in the physical world. Cyber-surveillance is consistently entangled with a spectrum of physical violations, including break-ins, intimidation, assaults, arrests, lawsuits and smear campaigns, and murder, in the case of prominent Saudi journalist Jamal Khashoggi, whose friends and colleagues were targeted by Pegasus.

3. Digital targeting extends the reach of state power to include human rights dissenters in exile, while also physically targeting their colleagues and families in their home country.

Using data from the platform and first-hand interviews (conducted with Laura Poitras) with reported targets and investigators of NSO’s spyware, Forensic Architecture’s video series, The Pegasus Stories, reveals how digital infections are part of a toolkit of actions targeting the work of civil society around the world.

Narrated by Edward Snowden, the NSA whistleblower and President of Freedom of the Press Foundation, these short films are the first to tell the stories of civil society actors targeted by Pegasus, describing in detail the experience of being surveilled as a personalised terror that exacts a psychological toll within networks of collaboration and friendship as well as their resistance and perseverance in the face of this terror.

Consulting Amnesty International’s report tracking investment in NSO and its corporate structure, along with news sources and leaked financial documents and reports, Forensic Architecture has reconstructed the corporate network within which the NSO Group is nested.

This video investigation reveals how affiliates of NSO Group based in other countries likely enabled the contracting of licences on NSO’s behalf for its spyware, so as to facilitate its access to state markets in Saudi Arabia, the United Arab Emirates and the United States—countries to which NSO otherwise would not have access.

These sales appear to be precursors to the normalization of relations with Israel, leading to the proliferation of digital targeting and a rise in human rights violations.

This is consistent with Forensic Architecture’s previous investigation into datasets used to demonstrate NSO Group’s contact-tracing software, Fleming, which also pointed out that the exposed data included location information from Rwanda, Israel, Saudi Arabia, the United Arab Emirates, and Bahrain—all countries in which NSO’s Pegasus spyware was reportedly used, and most of which Israel had no diplomatic ties with at the time.