The Israeli spyware scandal Pegasus has brought to light a very discreet department of the human rights NGO Amnesty International: Amnesty Tech. Created five years ago, this laboratory now brings together ten people: lawyers, communication officers and above all four technicians. Almost all of these computer security specialists have gone through industry, such as antivirus vendors or computer security companies.

Amnesty Tech offers assistance to human rights activists, NGOs and journalists who are threatened in the course of their work and who may be subject to surveillance. “States have developed more and more monitoring tools, explains Etienne Maynier, one of the security experts. a. You can’t tell if someone is being wiretapped, but spyware leaves traces. So we can help activists detect and protect themselves. “

In the Pegasus case, two technical elements made it possible to attribute the attacks to States

On July 18, a consortium of investigative journalists, Forbidden Stories, and seventeen associated international media, revealed a new case of mass surveillance through spyware Pegasus, from the Israeli company NSO. The use of this very sophisticated software had already been pointed out, in particular in the execution of the Saudi opponent Jamal Khashoggi. But the revelation of a list of 50,000 telephone numbers of potential targets shows for the first time the extent of these very intrusive methods by States with little regard for human rights and public freedoms to monitor their opponents or political leaders. The phones of President Macron and 14 ministers are included. Several states are implicated: Saudi Arabia, India, Mexico, Indonesia, United Arab Emirates, Kazakhstan, Azerbaijan, Togo, Rwanda, Hungary and Morocco. In a statement, NSO defends itself and refers to “information which has no factual basis and is far from reality”.

At the heart of the controversy is the attribution to states of the implantation of Pegasus in a smartphone. Because everyone has a good time saying: “I am not the one behind the use of spyware.” “The attribution of the computer attack is never only technical, explains Etienne Maynier. It is also contextual: who is targeted, who has an interest in this surveillance, how the attack took place …” Staff Amnesty are therefore also responsible for investigating the profile of the person concerned.





In the Pegasus case, two technical elements made it possible to attribute the attacks to States. “The first relates specifically to Morocco and the use of Pegasus against the Moroccan journalist Omar Radi who is currently imprisoned, details Etienne Maynier. The attack targeting him was carried out by injection of network traffic.” In short, the user is browsing a website from his phone. And suddenly it is redirected to another site for a few seconds. The spyware is then installed in the phone using an internet browser loophole. “However, between the telephone and the website, there is the Moroccan telephone network and internet. Access to this network was therefore necessary to implement the software. And the government was necessarily aware and had given access to the service responsible for ‘install Pegasus. “

Amnesty hopes for debate on securing laptops

Another method to infect phones has sometimes been used: sending a trick email. “We noticed during our investigations that people relating to the same client were targeted by the same email address, explains Etienne Maynier. There was clearly an email address for people linked to Morocco, another for those linked India or Kazakhstan. This little mistake helped us a lot in attributing the attacks. “

Beyond the Pegasus scandal, Amnesty International hopes that these revelations will bring the issue of the security and integrity of mobile phones into the public debate. The NGO is calling for a moratorium on these monitoring tools while waiting for an international legal framework to prevent abuse.