The Pegasus scandal is the tip of the iceberg. "If the supervision has failed here, it almost certainly failed in other places"

GAZETA.PL, ŁUKASZ ROGOJSZ: Let's start with the basics. What is Pegasus, how does it work, and what is it used for?

JOHN SCOTT-RAILTON: We live in a time when everyone has a mobile phone. Even our grandparents have them. These devices store a huge part of our lives. Things we worry about when searching the Internet at two in the morning, messages that we send to our children and partners, things that we think about our work and that we say privately about our bosses. This whole world is extremely attractive to special services. Pegasus is a tool that allows someone to take over your digital life on your phone. It turns the phone into a spy device, taking over its camera and microphone. It also allows the operator to impersonate the phone's owner and edit all the content on it and from it. Pegasus can also take over your photos, messages, contacts, chats. All key aspects of digital life.


But this is not the end. Pegasus can also be used to pull out the digital keys that your phone uses to connect to cloud services. This, in turn, means that Pegasus operators can use your accounts and data even after their control of your phone has ended. This is an extremely powerful spy tool, extremely invasive. It has gained its notoriety because dictators around the world have been using this software for years to commit various kinds of abuse.

Is there a specific procedure for using Pegasus, or does each client do it at their own discretion?

Governments assure us that they use Pegasus only to fight organized crime and terrorists, but today we know, thanks to investigations carried out by Citizen Lab or Amnesty International, that Pegasus is used for four purposes. The first two are actually combating crime and terrorism. But the other two are attacking civil society and large-scale international espionage. This powerful tool is sold to governments, which later use it at their own discretion and for their own purposes. The problem is that if your government does not have an effective supervision and pull system, it will almost certainly allow this software to be abused. For politicians and other important figures, it is extremely tempting to know what their opponents say, think and do. Especially in the face of an election struggle, when you are afraid not only of the other side, but even of some allies. Why not use such a tool then, why not get into their phones and lives? This is what is happening in Poland at the moment.


It is an irony of fate that governments use, to fight one another, software that is controlled by another government: specifically, the government of Israel.

This is a very interesting thread. The NSO Group, which is the manufacturer of Pegasus, maintains that there is a whole series of restrictions that Pegasus clients must follow. This applies in particular to attacking phones in the United States and Israel. Interestingly, in the last two weeks a huge spy scandal has broken out in Israel, precisely over abuse in the use of the Pegasus system. The targets of the attack were critics of the government of Benjamin Netanyahu, who in turn is one of the world's largest Pegasus system in the world. This shows that if you light a fire, you have no guarantee that it will not burn your home too.

It is fascinating how Israel believed for years that maybe Pegasus is a problem, but a problem elsewhere. Now we have a gigantic espionage scandal in Israel, people feel the same as in other countries and ask the same questions: were all politicians monitored, were all activists monitored? There are stories of people whose sex lives or internet dates came to light, became the subject of surveillance. These are very disturbing things. The irony of fate is that these are all things that have been happening in other countries for half a decade and about which I and other analysts have been reporting.


Exactly: how long has Citizen Lab been working on Pegasus?

We became interested in Pegasus around 2016. We dealt with the case of a human rights defender from the United Arab Emirates, Ahmed Mansoor. This is probably the most underlying person with whom I have ever worked. His government attacked him with spy software from Germany and Italy, probably also with software designed by former American spies. In the end, they also got to him with Pegasus. Today, Mansoor is in prison, but throughout this period he showed us a number of very suspicious messages he received. We looked at these messages and it turned out that these were attempts to attack with Pegasus. Once we borrowed the iPhone of our friend's girlfriend, of course with her knowledge and consent, and we opened the links sent in those messages. Thanks to this, Pegasus became a goldfish in our own aquarium. We could study this program at will. This gave us evidence that we have pieced together over the years to track the NSO Group's spy software, as well as to study the infrastructure they use to infect devices and extract sensitive data from them.

Where does the Polish thread of the story come into all this? Why did you become interested in Poland in the context of Pegasus?

The Polish thread of this story began one morning when I got a few messages telling me that something worth noting was happening in Poland. Namely, a Polish prosecutor reported that she had received a notification from Apple about a spy attack on her phone. It really caught our attention. A few years ago we conducted a global study in which we searched for all the networks in which Pegasus-infected devices could be operating. It gave us a world map of Pegasus attacks. Thanks to this, we first learned where the attacks occurred, and then on this basis we began to group the individual active customers using Pegasus. Some customers have made attacks around the world in many different countries. It can be assumed with a high degree. However, there were also customers who made attacks almost exclusively in one country. Poland is one such example. We found one Pegasus client that was active only in Poland. We considered it interesting and began to watch it more closely. Then we came across the case of Ewa Wrzosek and assumed that these two matters could be related to each other. It was the beginning of our investigation into the use of Pegasus in Poland.


You also contacted Ewa Wrzosek.

We contacted many different people, trying to find out if we could check their phones for a Pegasus attack. Until now, most of our investigations concerned dictatorships. This case had very similar features. It was inconceivable to us how one could attack a prosecutor critical of those in power with a spy system. When we confirmed the attacks on Prosecutor Wrzosek, we found that we should delve into the subject even more, because once the first case of surveillance had appeared, there would probably be another.

And you were right. The next ones concerned Roman Giertych, a prominent lawyer linked to the opposition, and Krzysztof Brejza, a sitting senator from the largest opposition party. How did you determine that they too had fallen victim to a Pegasus attack?

We learned that their devices had also been hacked in exactly the same way as in the case of Ewa Wrzosek. We looked at the results of forensic analyses of their devices, and we made our decision guided by the digital fingerprints which, in our opinion, were left by the Pegasus system.

Did you contact Giertych and Brejza as well?

In all these cases, the most difficult moment is when you have to make a phone call and explain to a person that she has been attacked and inspired. In the case of Pegasus, I have gone through it hundreds of times in my life. This is a terrible experience, because you are not really telling someone that he has a problem with a computer and maybe a virus has been uploaded. You are really telling that person: it's a government. Moreover, a government that probably doesn't wish you well. This government used its power and influence to delve into your digital life and put your whole private world on a great digital table. All this to find, in what is on that table, things that will allow them to hurt you. Learning about something like this is an extremely traumatic experience. We cannot underestimate the psychological violence that is inherent in this type of surveillance.

In recent days we have learned two more names on the list of public figures put under surveillance with Pegasus in Poland. This list keeps getting longer. How long might it be in the end?

I noted that recently one of the prominent Polish politicians from the ruling camp said, probably wanting to minimize the importance of the whole scandal, that it concerns at most a few hundred people.


That was MP Marek Suski, one of the closest associates of Law and Justice chairman Jarosław Kaczyński.

Exactly. For now, we have several cases here that already look really bad. I can only imagine what will happen when we examine the structure of each of these cases. I can say one thing from my many years of experience in conducting such investigations: if so many cases have already appeared so quickly, then there will be many, many more.

Many more?

It is very difficult to give any estimates here. We can certainly say, however, that in the case of Poland there is an actor who has been active in the country for years, attacking further people from public life. We know of, among others, a lawyer, the author of a book critical of a minister, a politician, a prosecutor and a social movement leader. This type of system fits perfectly with what we usually observe in the case of dictatorships: attacks on civil society, attacks on the opposition. For me personally, it was very difficult when we examined the cases from Poland. Because, on the one hand, it is a very familiar pattern. But on the other hand, this is a pattern that does not appear in a democracy.

How many people were under Pegasus surveillance in the other countries you have dealt with?

When we talk about other countries, we are really talking about other investigations that we, journalists or NGOs have conducted. The answer is: it depends. There were cases in which an entire organization was under surveillance in a given country, with each member a target of the attack. For example, twenty people. Different countries, different governments have different styles of using Pegasus. In some investigations we find one, two or three cases of surveillance. This does not mean that there are no more; it means that this kind of investigation is simply a piece of hard work. When people think about numbers in the case of surveillance, it is terribly important to remember what an enormous amount of work is needed to reach these numbers and show them to the public. This requires a forensic examination, cross-checking with other data, and finally the analysis of the collected material. Once we have an idea of how much work it takes to identify each single case of surveillance, you can see that there will definitely be more of these cases. It's just a matter of time.

It is worth mentioning that Pegasus is not a tool of mass surveillance. On the contrary, it is very precise. Besides, putting each person under surveillance is a considerable expense, reaching as much as 100 thousand dollars.

From what we already know, when a customer acquires Pegasus, he also acquires the possibility of making a specific number of durable attacks. When you buy Microsoft software, you can buy, for example, five licenses for five computers. At any time, any five computers can use the purchased software. Pegasus works in the same way, but it is about victims that you can put under surveillance without their consent. Let's say that the Polish government has bought ten licenses. This means that they can monitor ten people with Pegasus every day. If they want to follow an eleventh person, they must close one of the ten already open accounts. But there is a way that some intelligence agencies use: a kind of surveillance carousel on which you observe ten people in the morning and ten people in the evening. Suddenly, out of ten licenses, at the same price, you can put twenty people under surveillance. Such a strategy assumes that each of the targets is under surveillance every third or fourth day. Targets that have the highest priority can of course be an exception to the rule and be under observation more often. There are also governments that choose a more long-term approach and focus on carefully selected people whom they surveil day after day, without a break.

I think it is too early to indicate the standard model of the authorities in the case of Poland. However, in those cases we have already learned about, it is clear that there were time windows in which these people were attacked by Pegasus extremely often. This, in turn, means that the licenses used for this purpose could not be used in the same time window to surveil anyone else. In this way, public funds were used for a long time to control a person, and not, for example, to fight organized crime. When we talk about where Pegasus is in the world of cyber-surveillance, I always think about an inverted pyramid.

In recent weeks a growing number of leading Polish politicians, above all from the opposition, which is no surprise, have said that they asked Citizen Lab to examine their phones and verify whether they too were under surveillance. How many such requests have you received so far?

I cannot say. We have a clear policy in this matter, according to which we do not comment on investigations before their results are made public.


In January you were in Poland at a sitting of the extraordinary Senate committee that is working to clarify the matter of surveillance using Pegasus. Do you think the committee will clarify this matter?

That this kind of hearing in parliament can take place is one of the best things in a democracy. There were too many cases that we examined and in which nothing happened at all. To a large extent because the governments that commit abuse are also controlled by courts and parliament, thus effectively preventing any serious investigation. That is why I am very pleased with what happened in Poland, with this investigation by the committee in the Senate. This is inspiring, because at first glance you can see that by taking testimony from witnesses and examining the whole situation, the committee wants to do everything to reach the heart of this matter. We all hope that it will be able to discover many more facts about this matter. There is no doubt that Poles deserve to know the whole truth on this topic.

Are you aware of a similar committee or other body clarifying Pegasus abuses in the other countries you have dealt with?

A number of criminal investigations regarding the abuse of the Pegasus system were initiated in several countries, complaints about various institutions were lodged, a lot of noise arose around the matter. Nevertheless, I believe that Poland is leading the world when it comes to establishing a Senate committee, gathering testimony and conducting an investigation into Pegasus. It is inspiring for me and gives me a lot of faith in the future of Polish democracy.

In one of the previous questions, you mentioned that Pegasus is a very precise tool of surveillance, not a mass one. However, we must remember that most governments do not have Pegasus. Pegasus is just the tip of the spear. Maybe it is not used against a wide range of people, but it is extremely invasive. But there are other surveillance techniques, such as eavesdropping on telephone calls, deciphering text messages, tracking internet activity. In addition, there is also a global problem with the abuse of digital marketing data for spying purposes. Most governments, and I imagine the Polish government too, have a full set of capabilities. The thing is that most of these tools do not leave digital fingerprints on infected devices. For me, finding evidence of the abuse of the Pegasus system is a very strong indication that there were other abuses involving other technologies and espionage tools. Pegasus is the most powerful of such tools, and if the supervision has failed in this case, it almost certainly failed in other places, but we do not know about it yet. This is a very visible symptom; others are not that clear.

Meanwhile, the Polish authorities are trying to convince both the media and the public that it is completely normal for a government to acquire this kind of device and that it is absolutely essential for effectively fighting organized crime and terrorism.

The government can say that it is normal to have an army. The government may say that it is normal to have police forces that have the power to arrest and even shoot someone if human life is threatened. But this does not justify using the army to terrorize society or using the police for their own purposes. The same applies to Pegasus. It is a tool that carries an enormous potential for abuse. Using it for actions that the government describes as justified does not rule out that there has been abuse, and even less does it justify that abuse.

In November last year the "Times of Israel" reported that Poland's licence to use Pegasus had not been renewed. Nor was it renewed for Hungary and Saudi Arabia. Do you know why that happened?

To be honest, we can't confirm it. The Israeli government has issued confusing and even contradictory messages about supervision over Pegasus. It recently issued a statement announcing that the number of countries in which Pegasus can be used will be limited. However, when we look closer, most Israeli journalists are skeptical about it. After all, you can't trade Pegasus without government authorization. The whole business with the use of Pegasus depends on the authorization of the Israeli government, so neither this nor any other statement amounts to any significant obstacle to the use of Pegasus, nor does it protect us against the use of Pegasus by dictatorships. That is why I would very much like to make our readers wary of all kinds of assurances about who uses what and when. Everything seems to indicate that what occurred here was not only abuse of the Pegasus software itself, but also a violation of the arrangements between the buyer and the seller, i.e. NSO Group.

Do I understand correctly: the Israeli government knew how the Polish authorities were using Pegasus?

We don't know what the NSO Group knew or what the Israeli government knew. NSO Group has publicly stated that it provides this technology to its clients, and they use it at their discretion. It's like saying: we produced a car, but how someone drives it is not our problem. The truth, however, is that what they do is much more like the sale of a specific service. They sell and maintain all the technological infrastructure necessary to operate Pegasus. This means that the servers they maintain probably receive and process data from the individual spy attacks made by their clients. We can only guess, but if it really is so, they knew not only who their clients' targets were, but also what data was stolen from these clients. For now, we do not know it for sure and we cannot prove it, but the very fact that this is a likely scenario shows something unusual: special services and intelligence agencies from around the world are not able to guarantee that the NSO Group does not see what they do. This is an incredible violation of national security, because the services and agencies reveal their priorities and activities to another government. It would be an amazing scandal. A violation of the basic principles of national security protection when you use such a powerful tool as Pegasus.

On the other hand, by making such technology available to governments that used it improperly, the Israeli government in a way lost control over it. By withdrawing Poland's licence, was it trying to regain that control?

We still don't know all the details. We only know what has seen the light of day. In this matter, my knowledge is as great as yours. The one thing is that whoever conducted surveillance with Pegasus certainly abused this technology. If Israel or NSO Group learned that the Polish authorities were doing it, it could have been the reason for terminating the previously concluded contract. In this context, what is interesting is not only the abuse of Pegasus, but the fact that someone who used Pegasus did not quite understand how it really works, because he thought that all actions would remain secret, although it was known that they would not. What's more, these abuses could be highly likely.

Do you think that the wide echo with which the Pegasus affair in Poland has resonated around the world will be a warning to other governments abusing this technology? Now they can see that their actions are not anonymous, that someone is watching their hands after all and may catch them red-handed.

I hope that Polish democracy and legislators will not only be able to investigate this matter, but also draw from it the lesson that such great power requires strong and efficient supervision. Generally, in a democracy, people deserve to know how those in power use the special services and the police. They may not know the details, but they need to know what, in principle, it looks like. If there is evidence that the authorities have committed abuse, citizens and legislators are required to limit this authority in its activities according to the principles of the rule of law and democratic values.