We’re ex­cited to see the first press re­views go live for the Framework Laptop and the first or­ders land on your doorsteps to­day! With the FTC unan­i­mously vot­ing to en­force the Right to Repair just yes­ter­day, our tim­ing could­n’t be bet­ter for de­liv­er­ing a great, high per­for­mance, easy to re­pair prod­uct. There is a ton of amaz­ing ma­te­r­ial to read and watch, with more com­ing in the next weeks. Some of our fa­vorite quotes so far are:

“A poster child for the right-to-re­pair move­ment, Framework’s mod­u­lar lap­top is one of the smartest de­signs I’ve seen in a long time.”

“It’s the ul­ti­mate Right to Repair lap­top.”

“The Framework Laptop is more than just [a] worth­while ex­per­i­ment in mod­u­lar­ity, it’s also a great lap­top.”

Reviewers loved the free­dom to re­pair and up­grade, the Expansion Card sys­tem, CPU per­for­mance, key­board feel, we­b­cam qual­ity, and more.  Of course, in­side of Framework, we grav­i­tate to­wards the crit­i­cal feed­back that points us to where to do bet­ter.  We take every bit of feed­back se­ri­ously, and we want your thoughts as you start us­ing your Framework Laptop.  This lets us know where to fo­cus for fu­ture im­prove­ments, whether that is for firmware up­dates, mod­ules, or next prod­ucts.  A won­der­ful thing about our prod­uct phi­los­o­phy is that im­prove­ments can go into re­place­ment parts and up­grades that every ex­ist­ing user can pick up and swap to, rather than need­ing to wait around and pay for an en­tirely new prod­uct.

We’re grate­ful to each of you who have or­dered al­ready, and we’re look­ing for­ward to get­ting your Framework Laptop to you.  Batch 1 pre-or­ders for July de­liv­ery con­tinue to ship out from our ware­house each day.  We’ll start Batch 2 ship­ments for August de­liv­ery soon af­ter.  We have a small num­ber of Batch 2 Framework Laptop and Framework Laptop DIY Edition units cur­rently avail­able for sale, with just a fully re­fund­able $100 de­posit due to­day.  If you pre-or­der now, some of you will be able to re­ceive your or­der within 3-4 weeks.

As proud as we are of the Framework Laptop (and we’re ex­tremely proud!), the great­est thing we have cre­ated over the last 18 months is the team that built it.  It takes an in­cred­i­ble team to build an ex­cel­lent prod­uct this com­plex and de­liver it on time.  We’re hir­ing on all fronts to con­tinue de­vel­op­ing the Framework Laptop ecosys­tem and ini­ti­ate our next cat­e­gories.  Let us know if you know any­one who may be in­ter­ested in help­ing us build prod­ucts that are bet­ter for peo­ple and the planet.

New Delhi: The United States’ Department of Justice’s case against Wikileaks founder Julian Assange took a se­ri­ous hit last week af­ter a key wit­ness ad­mit­ted that he fab­ri­cated ac­cu­sa­tions in or­der to get im­mu­nity. Though these rev­e­la­tions were made pub­lic by an Icelandic news­pa­per on June 26, the main­stream me­dia in the US has largely cho­sen to ig­nore them.

According to the bi-weekly Stundin, the wit­ness, Sigurdur Ingi Thordarson, “has a doc­u­mented his­tory with so­ciopa­thy and has re­ceived sev­eral con­vic­tions for sex­ual abuse of mi­nors and wide-rang­ing fi­nan­cial fraud”. He was re­cruited by US au­thor­i­ties in or­der to build a case against Assange, and mis­led them into be­liev­ing he was a close as­so­ci­ate of the Wikileaks founder. In re­al­ity, how­ever, he had only “volunteered on a lim­ited ba­sis to raise money for Wikileaks in 2010 but was found to have used that op­por­tu­nity to em­bez­zle more than $50,000 from the or­gan­i­sa­tion”, the Icelandic news­pa­per re­ports.

The US is cur­rently seek­ing Assange’s ex­tra­di­tion from the UK. If it suc­ceeds, Assange could face up to 175 years in jail be­cause of the charges filed against him. But now, with Thordason ac­cept­ing that he fab­ri­cated his tes­ti­mony, the ve­rac­ity of the in­dict­ment sub­mit­ted by American au­thor­i­ties in the UK has come un­der se­ri­ous ques­tion.

The court doc­u­ments, ac­cord­ing to Stundin, claim that Thordarson (referred to only as ‘Teenager’, be­cause he looks young even though he is 28), was asked by Assange to hack MPs’ com­put­ers in Iceland to ac­cess cer­tain record­ings of them. However, the wit­ness has now said that Assange made no such de­mand, and in­stead Thordarson re­ceived these record­ings from a third party and of­fered them to Assange with­out check­ing them him­self. He has also made clear that his ear­lier al­le­ga­tions, on Assange ask­ing him to hack com­put­ers, was false.

There are also other mis­lead­ing el­e­ments in the court doc­u­ments based on Thordarson’s false tes­ti­mony, Stundin re­ports:

“One is a ref­er­ence to Icelandic bank doc­u­ments. The mag­is­trate court judge­ment reads: “It is al­leged that Mr. Assange and Teenager failed a joint at­tempt to de­crypt a file stolen from a “NATO coun­try 1” bank”.

Thordarson ad­mits to Stundin that this ac­tu­ally refers to a well pub­li­cised event in which an en­crypted file was leaked from an Icelandic bank and as­sumed to con­tain in­for­ma­tion about de­faulted loans pro­vided by the Icelandic Landsbanki. The bank went un­der in the fall of 2008, along with al­most all other fi­nan­cial in­sti­tu­tions in Iceland, and plunged the coun­try into a se­vere eco­nomic cri­sis. The file was at this time, in sum­mer of 2010, shared by many on­line who at­tempted to de­crypt it for the pub­lic in­ter­est pur­pose of re­veal­ing what pre­cip­i­tated the fi­nan­cial cri­sis. Nothing sup­ports the claim that this file was even “stolen” per se, as it was as­sumed to have been dis­trib­uted by whistle­blow­ers from in­side the failed bank.”

Thordarson, Stundin has claimed, con­tin­ued his own crim­i­nal ac­tiv­i­ties even while he was in con­tact with US au­thor­i­ties. “It is as if the of­fer of im­mu­nity, later se­cured and sealed in a meet­ing in DC, had en­cour­aged Thordarson to take bolder steps in crime. He started to fleece in­di­vid­u­als and com­pa­nies on a grander scale than ever; usu­ally by ei­ther ac­quir­ing or form­ing le­gal en­ti­ties he then used to bor­row mer­chan­dise, rent lux­ury cars, even or­der large quan­ti­ties of goods from whole­salers with­out any in­ten­tion to pay for these goods and ser­vices,” the re­port notes.

Also read: Wikileaks Acted in Public Interest, ‘Pentagon Papers’ Whistleblower Says at Assange Hearing

“This is just the lat­est rev­e­la­tion of how prob­lem­atic the United States’ case is against Julian Assange — and, in fact, base­less,” hu­man rights at­tor­ney Jennifer Robinson told Democracy Now on the Stundin in­ves­ti­ga­tion. “The ev­i­dence from Thordarson that was given to the United States and formed the ba­sis of the sec­ond, su­per­sed­ing in­dict­ment, in­clud­ing al­le­ga­tions of hack­ing, has now been, on his own ad­mis­sion, demon­strated to have been fab­ri­cated. Not only did he mis­rep­re­sent his ac­cess to Julian Assange and to WikiLeaks and his as­so­ci­a­tion with Julian Assange, he has now ad­mit­ted that he made up and falsely mis­rep­re­sented to the United States that there was any as­so­ci­a­tion with WikiLeaks and any as­so­ci­a­tion with hack­ing.”

“…the fac­tual ba­sis for this case has com­pletely fallen apart. And we have been call­ing for this case to be dropped for a very long time. And this is just the last form of abuse demon­strated in this case that shows why it ought to be dropped,” Robinson con­tin­ued.

While these rev­e­la­tions should have cre­ated an up­roar, most big, cor­po­rate-owned me­dia houses in the US have ig­nored them FAIR, an American me­dia watch­dog, has pointed out in an ar­ti­cle on its web­site.

“Such a bla­tant and juicy piece of im­por­tant news should have made world­wide head­lines. But, in­stead, as of Friday, July 2, there has been lit­er­ally zero cov­er­age of it in cor­po­rate me­dia; not one word in the New York Times, Washington Post, CNN, NBC News, Fox News or NPR. A search on­line for ei­ther “Assange” or “Thordarson” will elicit zero rel­e­vant ar­ti­cles from es­tab­lish­ment sources, ei­ther US or else­where in the Anglosphere, even in tech-fo­cused plat­forms like the Verge, Wired or Giz­modo,” FAIR says.

“It is not that the cor­po­rate press are com­pletely un­in­ter­ested in Assange. A num­ber of out­lets have cov­ered the news this week that he and his part­ner Stella Morris are plan­ning to get mar­ried (e.g., SBS, 6/27/21; Daily Mail, 6/28/21; Evening Standard, 6/28/21; London Times, 6/29/21). Yet none of these ar­ti­cles men­tioned the far more con­se­quen­tial news about Thordarson and how it un­der­mines the en­tire pros­e­cu­tion of Assange,” FAIR con­tin­ues.

Other in­de­pen­dent jour­nal­ists too have pointed out the one-sided and bi­ased cov­er­age of the Assange case.

This @declassifiedUK story de­tails how as a British judge made rul­ings against Assange, her hus­band was closely in­volved with a right-wing lobby group run­ning a cam­paign against WikiLeaks founder.

It has never been men­tioned in the main­stream me­dia. https://​t.co/​yUakZ1Z­eRk

With its state of the art Fan Simulation Engine (patent pend­ing), FanFan can bring back that sooth­ing sound of com­puter fans to your Apple Silicon Mac.

Download FanFan

This is an April Fools joke.

Health re­search is based on trust. Health pro­fes­sion­als and jour­nal ed­i­tors read­ing the re­sults of a clin­i­cal trial as­sume that the trial hap­pened and that the re­sults were hon­estly re­ported. But about 20% of the time, said Ben Mol, pro­fes­sor of ob­stet­rics and gy­nae­col­ogy at Monash Health, they would be wrong. As I’ve been con­cerned about re­search fraud for 40 years, I was­n’t that sur­prised as many would be by this fig­ure, but it led me to think that the time may have come to stop as­sum­ing that re­search ac­tu­ally hap­pened and is hon­estly re­ported, and as­sume that the re­search is fraud­u­lent un­til there is some ev­i­dence to sup­port it hav­ing hap­pened and been hon­estly re­ported. The Cochrane Collaboration, which pur­veys “trusted in­for­ma­tion,” has now taken a step in that di­rec­tion.

As he de­scribed in a we­bi­nar last week, Ian Roberts, pro­fes­sor of epi­demi­ol­ogy at the London School of Hygiene & Tropical Medicine, be­gan to have doubts about the hon­est re­port­ing of tri­als af­ter a col­league asked if he knew that his sys­tem­atic re­view show­ing the man­ni­tol halved death from head in­jury was based on tri­als that had never hap­pened. He did­n’t, but he set about in­ves­ti­gat­ing the tri­als and con­firmed that they had­n’t ever hap­pened. They all had a lead au­thor who pur­ported to come from an in­sti­tu­tion that did­n’t ex­ist and who killed him­self a few years later. The tri­als were all pub­lished in pres­ti­gious neu­ro­surgery jour­nals and had mul­ti­ple co-au­thors. None of the co-au­thors had con­tributed pa­tients to the tri­als, and some did­n’t know that they were co-au­thors un­til af­ter the tri­als were pub­lished. When Roberts con­tacted one of the jour­nals the ed­i­tor re­sponded that “I would­n’t trust the data.” Why, Roberts won­dered, did he pub­lish the trial? None of the tri­als have been re­tracted.

Later Roberts, who headed one of the Cochrane groups, did a sys­tem­atic re­view of col­loids ver­sus crys­tal­loids only to dis­cover again that many of the tri­als that were in­cluded in the re­view could not be trusted. He is now scep­ti­cal about all sys­tem­atic re­views, par­tic­u­larly those that are mostly re­views of mul­ti­ple small tri­als. He com­pared the orig­i­nal idea of sys­tem­atic re­views as search­ing for di­a­monds, knowl­edge that was avail­able if brought to­gether in sys­tem­atic re­views; now he thinks of sys­tem­atic re­view­ing as search­ing through rub­bish. He pro­posed that small, sin­gle cen­tre tri­als should be dis­carded, not com­bined in sys­tem­atic re­views.

Mol, like Roberts, has con­ducted sys­tem­atic re­views only to re­alise that most of the tri­als in­cluded ei­ther were zom­bie tri­als that were fa­tally flawed or were un­trust­wor­thy. What, he asked, is the scale of the prob­lem? Although re­trac­tions are in­creas­ing, only about 0.04% of bio­med­ical stud­ies have been re­tracted, sug­gest­ing the prob­lem is small. But the anaes­thetist John Carlisle analysed 526 tri­als sub­mit­ted to Anaesthesia and found that 73 (14%) had false data, and 43 (8%) he cat­e­gorised as zom­bie. When he was able to ex­am­ine in­di­vid­ual pa­tient data in 153 stud­ies, 67 (44%) had un­trust­wor­thy data and 40 (26%) were zom­bie tri­als. Many of the tri­als came from the same coun­tries (Egypt, China, India, Iran, Japan, South Korea, and Turkey), and when John Ioannidis, a pro­fes­sor at Stanford University, ex­am­ined in­di­vid­ual pa­tient data from tri­als sub­mit­ted from those coun­tries to Anaesthesia dur­ing a year he found that many were false: 100% (7/7) in Egypt; 75% (3/ 4) in Iran; 54% (7/13) in India; 46% (22/48) in China; 40% (2/5) in Turkey; 25% (5/20) in South Korea; and 18% (2/11) in Japan. Most of the tri­als were zom­bies. Ioannidis con­cluded that there are hun­dreds of thou­sands of zom­bie tri­als pub­lished from those coun­tries alone.

Others have found sim­i­lar re­sults, and Mol’s best guess is that about 20% of tri­als are false. Very few of these pa­pers are re­tracted.

We have long known that peer re­view is in­ef­fec­tive at de­tect­ing fraud, es­pe­cially if the re­view­ers start, as most have un­til now, by as­sum­ing that the re­search is hon­estly re­ported. I re­mem­ber be­ing part of a panel in the 1990s in­ves­ti­gat­ing one of Britain’s most out­ra­geous cases of fraud, when the sta­tis­ti­cal re­viewer of the study told us that he had found mul­ti­ple prob­lems with the study and only hoped that it was bet­ter done than it was re­ported. We asked if had ever con­sid­ered that the study might be fraud­u­lent, and he told us that he had­n’t.

We have now reached a point where those do­ing sys­tem­atic re­views must start by as­sum­ing that a study is fraud­u­lent un­til they can have some ev­i­dence to the con­trary. Some sup­port­ing ev­i­dence comes from the trial hav­ing been reg­is­tered and hav­ing ethics com­mit­tee ap­proval. Andrew Grey, an as­so­ci­ate pro­fes­sor of med­i­cine at the University of Auckland, and oth­ers have de­vel­oped a check­list with around 40 items that can be used as a screen­ing tool for fraud (you can view the check­list here). The REAPPRAISED check­list (Research gov­er­nance, Ethics, Authorship, Plagiarism, Research con­duct, Analyses and meth­ods, Image ma­nip­u­la­tion, Statistics, Errors, Data ma­nip­u­la­tion and re­port­ing) cov­ers is­sues like “ethical over­sight and fund­ing, re­search pro­duc­tiv­ity and in­ves­ti­ga­tor work­load, va­lid­ity of ran­domi­sa­tion, plau­si­bil­ity of re­sults and du­pli­cate data re­port­ing.” The check­list has been used to de­tect stud­ies that have sub­se­quently been re­tracted but has­n’t been through the full eval­u­a­tion that you would ex­pect for a clin­i­cal screen­ing tool. (But I must con­grat­u­late the au­thors on a clever acronym: some say that dream­ing up the acronym for a study is the most dif­fi­cult part of the whole process.)

Roberts and oth­ers wrote about the prob­lem of the many un­trust­wor­thy and zom­bie tri­als in The BMJ six years ago with the provoca­tive ti­tle: “The knowl­edge sys­tem un­der­pin­ning health­care is not fit for pur­pose and must change.” They wanted the Cochrane Collaboration and any­body con­duct­ing sys­tem­atic re­views to take very se­ri­ously the prob­lem of fraud. It was per­haps co­in­ci­dence, but a few weeks be­fore the we­bi­nar the Cochrane Collaboration pro­duced guide­lines on re­view­ing stud­ies where there has been a re­trac­tion, an ex­pres­sion of con­cern, or the re­view­ers are wor­ried about the trust­wor­thi­ness of the data.

Retractions are the eas­i­est to deal with, but they are, as Mol said, only a tiny frac­tion of un­trust­wor­thy or zom­bie stud­ies. An ed­i­to­r­ial in the Cochrane Library ac­com­pa­ny­ing the new guide­lines recog­nises that there is no agree­ment on what con­sti­tutes an un­trust­wor­thy study, screen­ing tools are not re­li­able, and “Misclassification could also lead to rep­u­ta­tional dam­age to au­thors, le­gal con­se­quences, and eth­i­cal is­sues as­so­ci­ated with par­tic­i­pants hav­ing taken part in re­search, only for it to be dis­counted.” The Collaboration is be­ing cau­tious but does stand to lose cred­i­bil­ity—and in­come—if the world ceases to trust Cochrane Reviews be­cause they are thought to be based on un­trust­wor­thy tri­als.

Research fraud is of­ten viewed as a prob­lem of “bad ap­ples,” but Barbara K Redman, who spoke at the we­bi­nar in­sists that it is not a prob­lem of bad ap­ples but bad bar­rels if not, she said, of rot­ten forests or or­chards. In her book Research Misconduct Policy in Biomedicine: Beyond the Bad-Apple Approach she ar­gues that re­search mis­con­duct is a sys­tems prob­lem—the sys­tem pro­vides in­cen­tives to pub­lish fraud­u­lent re­search and does not have ad­e­quate reg­u­la­tory processes. Researchers progress by pub­lish­ing re­search, and be­cause the pub­li­ca­tion sys­tem is built on trust and peer re­view is not de­signed to de­tect fraud it is easy to pub­lish fraud­u­lent re­search. The busi­ness model of jour­nals and pub­lish­ers de­pends on pub­lish­ing, prefer­ably lots of stud­ies as cheaply as pos­si­ble. They have lit­tle in­cen­tive to check for fraud and a pos­i­tive dis­in­cen­tive to ex­pe­ri­ence rep­u­ta­tional dam­age—and pos­si­bly le­gal risk—from re­tract­ing stud­ies. Funders, uni­ver­si­ties, and other re­search in­sti­tu­tions sim­i­larly have in­cen­tives to fund and pub­lish stud­ies and dis­in­cen­tives to make a fuss about fraud­u­lent re­search they may have funded or had un­der­taken in their in­sti­tu­tion—per­haps by one of their star re­searchers. Regulators of­ten lack the le­gal stand­ing and the re­sources to re­spond to what is clearly ex­ten­sive fraud, recog­nis­ing that prov­ing a study to be fraud­u­lent (as op­posed to sus­pect­ing it of be­ing fraud­u­lent) is a skilled, com­plex, and time con­sum­ing process. Another prob­lem is that re­search is in­creas­ingly in­ter­na­tional with par­tic­i­pants from many in­sti­tu­tions in many coun­tries: who then takes on the un­en­vi­able task of in­ves­ti­gat­ing fraud? Science re­ally needs global gov­er­nance.

Everybody gains from the pub­li­ca­tion game, con­cluded Roberts, apart from the pa­tients who suf­fer from be­ing given treat­ments based on fraud­u­lent data.

Stephen Lock, my pre­de­ces­sor as ed­i­tor of The BMJ, be­came wor­ried about re­search fraud in the 1980s, but peo­ple thought his con­cerns ec­cen­tric. Research au­thor­i­ties in­sisted that fraud was rare, did­n’t mat­ter be­cause sci­ence was self-cor­rect­ing, and that no pa­tients had suf­fered be­cause of sci­en­tific fraud. All those rea­sons for not tak­ing re­search fraud se­ri­ously have proved to be false, and, 40 years on from Lock’s con­cerns, we are re­al­is­ing that the prob­lem is huge, the sys­tem en­cour­ages fraud, and we have no ad­e­quate way to re­spond. It may be time to move from as­sum­ing that re­search has been hon­estly con­ducted and re­ported to as­sum­ing it to be un­trust­wor­thy un­til there is some ev­i­dence to the con­trary.

Competing in­ter­est: RS was a co­founder of the Committee on Medical Ethics (COPE), for many years the chair of the Cochrane Library Oversight Committee, and a mem­ber of the board of the UK Research Integrity Office.

Looking Glass is tar­geted at ex­tremely low la­tency use re­quire­ments on the lo­cal com­puter, it is not de­signed to stream over a net­work or pipe but rather through a block of shared mem­ory. In cur­rent test­ing at a re­fresh rate of 60Hz it is pos­si­ble to ob­tain equal or bet­ter then 16 mil­lisec­onds of la­tency with the guest. If the user does­n’t care for VSYNC this can be fur­ther re­duced to un­der a few mil­lisec­onds on av­er­age.

Unlike net­work based stream­ing ap­pli­ca­tions, Looking Glass does not use any form of com­pres­sion or color space con­ver­sion, all frames are trans­ferred to the viewer (client ap­pli­ca­tion) in 32-bit RGBA with­out any trans­for­ma­tions or mod­i­fi­ca­tions. This is pos­si­ble through the use of a shared mem­ory seg­ment which en­ables ex­tremely high through­put low la­tency guest to host com­mu­ni­ca­tion.

Huge data leak shat­ters the lie that the in­no­cent need not fear sur­veil­lance Companies such as NSO op­er­ate in a mar­ket that is al­most en­tirely un­reg­u­lated. Illustration: Guardian DesignCompanies such as NSO op­er­ate in a mar­ket that is al­most en­tirely un­reg­u­lated. Illustration: Guardian DesignOur in­ves­ti­ga­tion shows how re­pres­sive regimes can buy and use the kind of spy­ing tools Edward Snowden warned us about­Bil­lions of peo­ple are in­sep­a­ra­ble from their phones. Their de­vices are within reach — and earshot — for al­most every daily ex­pe­ri­ence, from the most mun­dane to the most in­ti­mate. Few pause to think that their phones can be trans­formed into sur­veil­lance de­vices, with some­one thou­sands of miles away silently ex­tract­ing their mes­sages, pho­tos and lo­ca­tion, ac­ti­vat­ing their mi­cro­phone to record them in real time.Such are the ca­pa­bil­i­ties of Pegasus, the spy­ware man­u­fac­tured by NSO Group, the Israeli pur­veyor of weapons of mass sur­veil­lance.NSO re­jects this la­bel. It in­sists only care­fully vet­ted gov­ern­ment in­tel­li­gence and law en­force­ment agen­cies can use Pegasus, and only to pen­e­trate the phones of “legitimate crim­i­nal or ter­ror group tar­gets”.Yet in the com­ing days the Guardian will be re­veal­ing the iden­ti­ties of many in­no­cent peo­ple who have been iden­ti­fied as can­di­dates for pos­si­ble sur­veil­lance by NSO clients in a mas­sive leak of data.With­out foren­sics on their de­vices, we can­not know whether gov­ern­ments suc­cess­fully tar­geted these peo­ple. But the pres­ence of their names on this list in­di­cates the lengths to which gov­ern­ments may go to spy on crit­ics, ri­vals and op­po­nents.What is in the Pegasus pro­ject data? What is in the data leak?The data leak is a list of more than 50,000 phone num­bers that, since 2016, are be­lieved to have been se­lected as those of peo­ple of in­ter­est by gov­ern­ment clients of NSO Group, which sells sur­veil­lance soft­ware. The data also con­tains the time and date that num­bers were se­lected, or en­tered on to a sys­tem. Forbidden Stories, a Paris-based non­profit jour­nal­ism or­gan­i­sa­tion, and Amnesty International ini­tially had ac­cess to the list and shared ac­cess with 16 me­dia or­gan­i­sa­tions in­clud­ing the Guardian. More than 80 jour­nal­ists have worked to­gether over sev­eral months as part of the Pegasus pro­ject. Amnesty’s Security Lab, a tech­ni­cal part­ner on the pro­ject, did the foren­sic analy­ses.What does the leak in­di­cate?The con­sor­tium be­lieves the data in­di­cates the po­ten­tial tar­gets NSO’s gov­ern­ment clients iden­ti­fied in ad­vance of pos­si­ble sur­veil­lance. While the data is an in­di­ca­tion of in­tent, the pres­ence of a num­ber in the data does not re­veal whether there was an at­tempt to in­fect the phone with spy­ware such as Pegasus, the com­pa­ny’s sig­na­ture sur­veil­lance tool, or whether any at­tempt suc­ceeded. The pres­ence in the data of a very small num­ber of land­lines and US num­bers, which NSO says are “technically im­pos­si­ble” to ac­cess with its tools, re­veals some tar­gets were se­lected by NSO clients even though they could not be in­fected with Pegasus. However, foren­sic ex­am­i­na­tions of a small sam­ple of mo­bile phones with num­bers on the list found tight cor­re­la­tions be­tween the time and date of a num­ber in the data and the start of Pegasus ac­tiv­ity — in some cases as lit­tle as a few sec­onds.Amnesty ex­am­ined 67 smart­phones where at­tacks were sus­pected. Of those, 23 were suc­cess­fully in­fected and 14 showed signs of at­tempted pen­e­tra­tion. For the re­main­ing 30, the tests were in­con­clu­sive, in sev­eral cases be­cause the hand­sets had been re­placed. Fifteen of the phones were Android de­vices, none of which showed ev­i­dence of suc­cess­ful in­fec­tion. However, un­like iPhones, phones that use Android do not log the kinds of in­for­ma­tion re­quired for Amnesty’s de­tec­tive work. Three Android phones showed signs of tar­get­ing, such as Pegasus-linked SMS mes­sages.Amnesty shared “backup copies” of four iPhones with Citizen Lab, a re­search group at the University of Toronto that spe­cialises in study­ing Pegasus, which con­firmed that they showed signs of Pegasus in­fec­tion. Citizen Lab also con­ducted a peer re­view of Amnesty’s foren­sic meth­ods, and found them to be sound.While the data is or­gan­ised into clus­ters, in­dica­tive of in­di­vid­ual NSO clients, it does not say which NSO client was re­spon­si­ble for se­lect­ing any given num­ber. NSO claims to sell its tools to 60 clients in 40 coun­tries, but re­fuses to iden­tify them. By closely ex­am­in­ing the pat­tern of tar­get­ing by in­di­vid­ual clients in the leaked data, me­dia part­ners were able to iden­tify 10 gov­ern­ments be­lieved to be re­spon­si­ble for se­lect­ing the tar­gets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found ev­i­dence of all 10 be­ing clients of NSO.What does NSO Group say?You can read NSO Group’s full state­ment here. The com­pany has al­ways said it does not have ac­cess to the data of its cus­tomers’ tar­gets. Through its lawyers, NSO said the con­sor­tium had made “incorrect as­sump­tions” about which clients use the com­pa­ny’s tech­nol­ogy. It said the 50,000 num­ber was “exaggerated” and that the list could not be a list of num­bers “targeted by gov­ern­ments us­ing Pegasus”. The lawyers said NSO had rea­son to be­lieve the list ac­cessed by the con­sor­tium “is not a list of num­bers tar­geted by gov­ern­ments us­ing Pegasus, but in­stead, may be part of a larger list of num­bers that might have been used by NSO Group cus­tomers for other pur­poses”. They said it was a list of num­bers that any­one could search on an open source sys­tem. After fur­ther ques­tions, the lawyers said the con­sor­tium was bas­ing its find­ings “on mis­lead­ing in­ter­pre­ta­tion of leaked data from ac­ces­si­ble and overt ba­sic in­for­ma­tion, such as HLR Lookup ser­vices, which have no bear­ing on the list of the cus­tomers’ tar­gets of Pegasus or any other NSO prod­ucts … we still do not see any cor­re­la­tion of these lists to any­thing re­lated to use of NSO Group tech­nolo­gies”. Fol­low­ing pub­li­ca­tion, they ex­plained that they con­sid­ered a “target” to be a phone that was the sub­ject of a suc­cess­ful or at­tempted (but failed) in­fec­tion by Pegasus, and re­it­er­ated that the list of 50,000 phones was too large for it to rep­re­sent “targets” of Pegasus. They said that the fact that a num­ber ap­peared on the list was in no way in­dica­tive of whether it had been se­lected for sur­veil­lance us­ing Pegasus. The term HLR, or home lo­ca­tion reg­is­ter, refers to a data­base that is es­sen­tial to op­er­at­ing mo­bile phone net­works. Such reg­is­ters keep records on the net­works of phone users and their gen­eral lo­ca­tions, along with other iden­ti­fy­ing in­for­ma­tion that is used rou­tinely in rout­ing calls and texts. Telecoms and sur­veil­lance ex­perts say HLR data can some­times be used in the early phase of a sur­veil­lance at­tempt, when iden­ti­fy­ing whether it is pos­si­ble to con­nect to a phone. The con­sor­tium un­der­stands NSO clients have the ca­pa­bil­ity through an in­ter­face on the Pegasus sys­tem to con­duct HLR lookup in­quiries. It is un­clear whether Pegasus op­er­a­tors are re­quired to con­duct HRL lookup in­quiries via its in­ter­face to use its soft­ware; an NSO source stressed its clients may have dif­fer­ent rea­sons — un­re­lated to Pegasus — for con­duct­ing HLR lookups via an NSO sys­tem.Thank you for your feed­back.First we re­veal how jour­nal­ists across the world were se­lected as po­ten­tial tar­gets by these clients prior to a pos­si­ble hack us­ing NSO sur­veil­lance tools.Over the com­ing week we will be re­veal­ing the iden­ti­ties of more peo­ple whose phone num­bers ap­pear in the leak. They in­clude lawyers, hu­man rights de­fend­ers, re­li­gious fig­ures, aca­d­e­mics, busi­ness­peo­ple, diplo­mats, se­nior gov­ern­ment of­fi­cials and heads of state.Our re­port­ing is rooted in the pub­lic in­ter­est. We be­lieve the pub­lic should know that NSO’s tech­nol­ogy is be­ing abused by the gov­ern­ments who li­cense and op­er­ate its spy­ware. But we also be­lieve it is in the pub­lic in­ter­est to re­veal how gov­ern­ments look to spy on their cit­i­zens and how seem­ingly be­nign processes such as HLR lookups can be ex­ploited in this en­vi­ron­ment.The Pegasus pro­ject is a col­lab­o­ra­tive re­port­ing pro­ject led by the French non­profit or­gan­i­sa­tion Forbidden Stories, in­clud­ing the Guardian and 16 other me­dia out­lets. For months, our jour­nal­ists have been work­ing with re­porters across the world to es­tab­lish the iden­ti­ties of peo­ple in the leaked data and see if and how this links to NSO’s soft­ware.It is not pos­si­ble to know with­out foren­sic analy­sis whether the phone of some­one whose num­ber ap­pears in the data was ac­tu­ally tar­geted by a gov­ern­ment or whether it was suc­cess­fully hacked with NSO’s spy­ware. But when our tech­ni­cal part­ner, Amnesty International’s Security Lab, con­ducted foren­sic analy­sis on dozens of iPhones that be­longed to po­ten­tial tar­gets at the time they were se­lected, they found ev­i­dence of Pegasus ac­tiv­ity in more than half.One phone that has con­tained signs of Pegasus ac­tiv­ity be­longed to our es­teemed Mexican col­league Carmen Aristegui, whose num­ber was in the data leak and who was tar­geted fol­low­ing her ex­posé of a cor­rup­tion scan­dal in­volv­ing her coun­try’s for­mer pres­i­dent Enrique Peña Nieto.The data leak sug­gests that Mexican au­thor­i­ties did not stop at Aristegui. The phone num­bers of at least four of her jour­nal­ist col­leagues ap­pear in the leak, as well as her as­sis­tant, her sis­ter and her son, who was 16 at the time.In­ves­ti­gat­ing soft­ware pro­duced and sold by a com­pany as se­cre­tive as NSO is not easy. Its busi­ness is sur­veil­lance, af­ter all. It meant a rad­i­cal over­haul of our work­ing meth­ods, in­clud­ing a ban on dis­cussing our work with sources, ed­i­tors or lawyers in the pres­ence of our phones.The last time the Guardian adopted such ex­treme counter-es­pi­onage mea­sures was in 2013, when re­port­ing on doc­u­ments leaked by the whistle­blower Edward Snowden. Those dis­clo­sures pulled back the cur­tains on the vast ap­pa­ra­tus of mass sur­veil­lance cre­ated af­ter 9/11 by west­ern in­tel­li­gence agen­cies such as the National Security Agency (NSA) and its British part­ner, GCHQ.In do­ing so, they in­sti­gated a global de­bate about west­ern state sur­veil­lance ca­pa­bil­i­ties and led to coun­tries, in­clud­ing the UK, ad­mit­ting their reg­u­la­tory regime was out of date and open to po­ten­tial abuse.The Pegasus pro­ject may do the same for the pri­va­tised gov­ern­ment sur­veil­lance in­dus­try that has turned NSO into a bil­lion-dol­lar com­pany.Com­pa­nies such as NSO op­er­ate in a mar­ket that is al­most en­tirely un­reg­u­lated, en­abling tools that can be used as in­stru­ments of re­pres­sion for au­thor­i­tar­ian regimes such as those in Saudi Arabia, Kazakhstan and Azerbaijan.The mar­ket for NSO-style sur­veil­lance-on-de­mand ser­vices has boomed post-Snow­den, whose rev­e­la­tions prompted the mass adop­tion of en­cryp­tion across the in­ter­net. As a re­sult the in­ter­net be­came far more se­cure, and mass har­vest­ing of com­mu­ni­ca­tions much more dif­fi­cult.But that in turn spurred the pro­lif­er­a­tion of com­pa­nies such as NSO of­fer­ing so­lu­tions to gov­ern­ments strug­gling to in­ter­cept mes­sages, emails and calls in tran­sit. The NSO an­swer was to by­pass en­cryp­tion by hack­ing de­vices.Two years ago the then UN spe­cial rap­por­teur on free­dom of ex­pres­sion, David Kaye, called for a mora­to­rium on the sale of NSO-style spy­ware to gov­ern­ments un­til vi­able ex­port con­trols could be put in place. He warned of an in­dus­try that seemed “out of con­trol, un­ac­count­able and un­con­strained in pro­vid­ing gov­ern­ments with rel­a­tively low-cost ac­cess to the sorts of spy­ing tools that only the most ad­vanced state in­tel­li­gence ser­vices were pre­vi­ously able to use”.His warn­ings were ig­nored. The sale of sur­veil­lance con­tin­ued un­abated. That GCHQ-like sur­veil­lance tools are now avail­able for pur­chase by re­pres­sive gov­ern­ments may give some of Snowden’s crit­ics pause for thought.In the UK, the whistle­blow­er’s de­trac­tors ar­gued breezily that spy­ing was what in­tel­li­gence agen­cies were sup­posed to do. We were as­sured that in­no­cent cit­i­zens in the Five Eyes al­liance of in­tel­li­gence pow­ers, com­pris­ing Australia, Canada, New Zealand, the UK and US, were safe from abuse. Some in­voked the dic­tum: “If you have done noth­ing wrong, you have noth­ing to fear.”The Pegasus pro­ject is likely to put an end to any such wish­ful think­ing. Law-abiding peo­ple — in­clud­ing cit­i­zens and res­i­dents of democ­ra­cies such as the UK, such as ed­i­tors-in-chief of lead­ing news­pa­pers — are not im­mune from un­war­ranted sur­veil­lance. And west­ern coun­tries do not have a mo­nop­oly on the most in­va­sive sur­veil­lance tech­nolo­gies. We’re en­ter­ing a new sur­veil­lance era, and un­less pro­tec­tions are put in place, none of us are safe.On Tuesday 27 July, at 8pm BST, join The Guardian’s head of in­ves­ti­ga­tions, Paul Lewis, for a livestreamed Guardian Live event on the im­pli­ca­tions of the Pegasus pro­ject. Book your ticket here.

Apple and its se­cu­rity con­trac­tor Security Industry Specialists (SIS) were sued on Friday in Massachusetts as part of a mul­ti­juris­dic­tional defama­tion and ma­li­cious pros­e­cu­tion com­plaint brought on be­half of Ousmane Bah, a New York res­i­dent misiden­ti­fied as a shoplifter mul­ti­ple times in 2018 and 2019.

The law­suit con­tends that Apple and SIS ex­hib­ited reck­less dis­re­gard for the truth by misiden­ti­fy­ing Bah as the per­pe­tra­tor of mul­ti­ple shoplift­ing crimes at iS­tores, lead­ing to his un­jus­ti­fied ar­rest and to his defama­tion.

The fil­ing [PDF] in US District Court in Massachusetts aims to re­vive charges rel­e­vant to events in Boston that were ex­cluded from re­lated on­go­ing lit­i­ga­tion in New York. A third re­lated case is be­ing heard in New Jersey.

Apple and SIS have a qual­i­fied law en­force­ment priv­i­lege that al­lows them to err in store se­cu­rity-re­lated ac­cu­sa­tions and not be sued for it. However, if they ex­hibit “reckless dis­re­gard for the truth” [PDF] — ig­nor­ing ob­vi­ous facts, for ex­am­ple, they lose that priv­i­lege.

Among the more star­tling al­le­ga­tions in the case is that an SIS VP falsely claimed that no SIS em­ployee ever iden­ti­fied Bah to the NYPD or to Apple. The com­plaint points to an ex­hibit that’s been sub­mit­ted as ev­i­dence, an email from an SIS em­ployee to an NYPD de­tec­tive does in fact iden­tify Bah as a shoplifter.

The law­suit also claims that Apple and SIS se­lec­tively deleted video ev­i­dence that would have ex­posed them to po­ten­tial crim­i­nal and civil li­a­bil­ity for fil­ing false com­plaints with the po­lice.

In ad­di­tion, it as­serts Bah’s ap­pre­hen­sion was in part due to the ap­pli­ca­tion of un­re­li­able fa­cial-recog­ni­tion tech­nol­ogy in the shoplift­ing in­ci­dents in New York.

Bah, who is Black, ob­tained a New York State tem­po­rary learner dri­ver’s per­mit in March 2018 at the age of 17, when he was an hon­ors stu­dent at Bronx Latin Academy, a New York City high school. The doc­u­ment in­cluded his height, weight, date of birth, and eye color, but no pho­to­graph.

According to the Massachusetts court fil­ing, he had lost the tem­po­rary per­mit by May that year, but had ob­tained a per­ma­nent lam­i­nated copy that in­cluded his pic­ture.

In Greenwich, Connecticut in April 2018, Apple al­legedly de­tained an in­di­vid­ual for steal­ing store mer­chan­dise and iden­ti­fied the in­di­vid­ual as Ousmane Bah based on the ex­am­i­na­tion of the tem­po­rary learn­er’s per­mit he is said to have had on him — this de­spite the fact that the ID says, “This tem­po­rary doc­u­ment is not to be used for iden­ti­fi­ca­tion pur­poses.”

The com­plaint states that the per­son de­tained was not Bah, who is 5′7″ but a 6′1″ im­pos­tor us­ing the lost tem­po­rary learn­er’s per­mit. Nonetheless, Apple per­son­nel are said to have re­tained some video sur­veil­lance ev­i­dence and pub­lished the record with the name “Ousmane Bah” through an on­line sys­tem to make it avail­able to SIS and Apple Stores in the Northeastern US.

On May 24, 2018, SIS, act­ing in a se­cu­rity ca­pac­ity for Apple, ap­pre­hended and hand­cuffed the im­pos­tor for al­legedly steal­ing mer­chan­dise from a Paramus, New Jersey Apple Store. Again, it’s claimed the im­pos­tor was car­ry­ing Bah’s lost learn­er’s per­mit and iden­ti­fied him­self as such to au­thor­i­ties or tried to do so — the de­tained in­di­vid­ual is said to have mis­spelled his stolen name as “Ousama Bah” be­fore cor­rect­ing the spelling.

Yet the Paramus Police Department ap­par­ently did not make any fur­ther ef­fort to ver­ify the sus­pec­t’s iden­tity, con­tent to ac­cept the iden­ti­fi­ca­tion pro­vided by the SIS em­ployee who ap­pre­hended the shoplifter. It’s also claimed SIS told au­thor­i­ties it had video ev­i­dence.

“Without prob­a­ble cause, SIS be­gan link­ing prior thefts in the re­gion in­volv­ing the im­pos­tor to the Plaintiff,” the com­plaint says, with SIS rep­re­sent­ing to po­lice that video of these other thefts, such as one at the Short Hills Apple Store near Millburn, NJ on May 5, 2018.

At this point, it’s al­leged that SIS, on be­half of Apple, dis­trib­uted a “Be on the Lookout” (BOLO) no­tice with the im­pos­tor’s im­age but the name “Ousmane Bah” as a “known shoplifter.” This is said to have been sent not only to Apple Stores but to po­lice de­part­ments in the re­gion.

Then there was the May 31, 2018 theft of a dozen Apple Pencils from an Apple Store in Boston. It’s claimed that an SIS em­ployee in his po­lice re­port ac­cused Ousmane Bah — who was not in Massachusetts at the time — of the thefts and said there was video to back that up.

According to the com­plaint, the video de­picted the im­pos­tor, not Bah, and Apple and SIS had in­for­ma­tion at the time that their iden­ti­fi­ca­tion of Bah was un­re­li­able and there­fore were reck­less in their ac­cu­sa­tion.

In June 2018, Bah ap­peared in Boston Municipal Court to an­swer the charges and his at­tor­ney asked Apple and SIS to pre­sent the video ev­i­dence of the thefts to prove his clien­t’s in­no­cence. Apple then told the Suffolk County pros­e­cu­tor “that the video ev­i­dence of the im­pos­tor, which would have com­pletely ex­cul­pated Ousmane Bah, had been rou­tinely deleted.”

The video from an October 2018 theft mis­at­trib­uted to Bah in Rockaway, New Jersey, was also deleted. Apple and SIS are said to have told the New York court that nei­ther firm has any writ­ten pol­icy on video re­ten­tion.

And as it turned out, the video of the Boston in­ci­dent turned up even­tu­ally — Bah’s at­tor­neys found it dur­ing the dis­cov­ery process. It showed the im­pos­tor, not Bah.

On September 18, 2018, the im­pos­tor is said to have struck at an Apple Store in Freehold, New Jersey, and es­caped. An SIS em­ployee act­ing on Apple’s be­half again filed a po­lice com­plaint. The com­plaint charges that both Apple and SIS knew that iden­ti­fi­ca­tion was un­re­li­able but ac­cused Bah any­way.

The iden­tity of the im­pos­tor would be re­vealed in the fol­low­ing months, the com­plaint says, when the im­pos­tor twice tried to pass him­self off as Bah in New York and twice was ar­rested and booked.

“The ar­rest­ing of­fi­cer was able to iden­tify the im­pos­tor as Mamadou Barrie, a friend of the Plaintiff, who ap­par­ently stole the learn­er’s per­mit from the Plaintiff,” the com­plaint says. “These ar­rests specif­i­cally [noted] that Barrie had pre­tended to be Ousmane Bah.”

There were more Apple Store thefts in October 2018, the pre­vi­ously men­tioned one in Rockaway, New Jersey, and an­other in­ci­dent in Trumbull, Connecticut. Apple and SIS again told au­thor­i­ties that Bah was to blame.

Also that month, the im­pos­tor is said to have hit an Apple Store in Staten Island, New York. A New York po­lice de­tec­tive, it’s claimed, pub­lished de­tails of the crime and a store video screen­shot to a re­port­ing ser­vice used by the NYPD called MetrORCA.

The de­tec­tive sub­se­quently sub­mit­ted an in­for­ma­tion re­quest “to the NYPD’s Facial Identification Section (FIS), which iden­ti­fied the pho­to­graph as po­ten­tially de­pict­ing two peo­ple, one of whom was pur­port­edly Ousmane Bah — and the other was the ac­tual thief, Mamadou Barrie.”

The com­plaint fur­ther notes that FIS pol­icy is that au­to­mated iden­ti­fi­ca­tion is not suf­fi­cient to pro­vide the prob­a­ble cause nec­es­sary to make an ar­rest. Shortly there­after, an SIS em­ployee saw the MetrORCA bul­letin and emailed the NYPD de­tec­tive to tell him that Apple and SIS had iden­ti­fied Bah as the Staten Island thief.

Around 0400 ET, on November 29, 2018, Paramus Police Department, un­der a war­rant ob­tained by NYPD, ar­rested Bah for the New York thefts.

“The war­rant is­sued for Bah’s ar­rest con­tained the photo of the im­pos­tor (now known to be Mamadou Barrie),” the com­plaint says, adding that “Barrie in no way phys­i­cally re­sem­bles the Plaintiff, other than be­ing Black.”

Despite the in­con­sis­tency noted at the time of the ar­rest, po­lice took him into cus­tody. This was while Bah was still be­ing wrong­fully pros­e­cuted in Boston.

At the New York precinct, po­lice rec­og­nized that Bah was not the in­di­vid­ual in Apple’s im­ages and charges were dropped.

Two days later, on December 1, 2018, SIS em­ploy­ees ap­pre­hended the im­pos­tor try­ing to steal mer­chan­dise from an Apple Store in Holyoke, Massachusetts. Holyoke po­lice for­warded the sus­pects fin­ger­prints to the FBI’s National Criminal Identification Center and they were iden­ti­fied as be­long­ing to Mamadou Barrie.

Yet two weeks later, Bah re­ceived a mailed no­tice of a war­rant from the Freehold County District Court for his ar­rest for the Freehold theft based on the in­for­ma­tion pro­vided by Apple and SIS.

Around that time, with an SIS em­ployee ap­pear­ing in a New Jersey court to press charges against the Cherry Hill, New Jersey thefts, a dif­fer­ent in­di­vid­ual with the same name “Ousmane Bah,” this one a res­i­dent of Willingboro, New Jersey, showed up for the sum­mons. He was not the thief, the com­plaint says, and the charges against Ousmane Bah from New York were dropped.

Nonetheless, pros­e­cu­tion against Bah con­tin­ued in mul­ti­ple states through June 2019.

Presently, the at­tor­neys rep­re­sent­ing Bah, Daniel Malis and Subhan Tariq, are pur­su­ing law­suits against Apple and SIS in New York, New Jersey, and now Massachusetts.

Neither Apple nor SIS re­sponded to re­quests for com­ment. ®

The Stockfish pro­ject strongly be­lieves in free and open-source soft­ware and data. Collaboration is what made this en­gine the strongest chess en­gine in the world. We li­cense our soft­ware us­ing the GNU General Public License, Version 3 (GPL) with the in­tent to guar­an­tee all chess en­thu­si­asts the free­dom to use, share and change all ver­sions of the pro­gram.

Unfortunately, not every­body shares this vi­sion of open­ness. We have come to re­al­ize that ChessBase con­cealed from their cus­tomers Stockfish as the true ori­gin of key parts of their prod­ucts (see also ear­lier blog posts by us and the joint Lichess, Leela Chess Zero, and Stockfish teams). Indeed, few cus­tomers know they ob­tained a mod­i­fied ver­sion of Stockfish when they paid for Fat Fritz 2 or Houdini 6 - both Stockfish de­riv­a­tives - and they thus have good rea­son to be up­set. ChessBase re­peat­edly vi­o­lated cen­tral oblig­a­tions of the GPL, which en­sures that the user of the soft­ware is in­formed of their rights. These rights are ex­plicit in the li­cense and in­clude ac­cess to the cor­re­spond­ing sources, and the right to re­pro­duce, mod­ify and dis­trib­ute GPLed pro­grams roy­alty-free.

In the past four months, we, sup­ported by a cer­ti­fied copy­right and me­dia law at­tor­ney in Germany, went through a long process to en­force our li­cense. Even though we had our first suc­cesses, lead­ing to a re­call of the Fat Fritz 2 DVD and the ter­mi­na­tion of the sales of Houdini 6, we were un­able to fi­nal­ize our dis­pute out of court. Due to Chessbase’s re­peated li­cense vi­o­la­tions, lead­ing de­vel­op­ers of Stockfish have ter­mi­nated their GPL li­cense with ChessBase per­ma­nently. However, ChessBase is ig­nor­ing the fact that they no longer have the right to dis­trib­ute Stockfish, mod­i­fied or un­mod­i­fied, as part of their prod­ucts.

Thus, to en­force the con­se­quences of the li­cense ter­mi­na­tion, we have filed a law­suit. This law­suit is broadly sup­ported by the team of main­tain­ers and de­vel­op­ers of Stockfish. We be­lieve we have the ev­i­dence, the fi­nan­cial means and the de­ter­mi­na­tion to bring this law­suit to a suc­cess­ful end. We will pro­vide an up­date to this state­ment once sig­nif­i­cant progress has been made.

We would like to thank our fans for their sup­port, and en­cour­age them to down­load and use the of­fi­cial ver­sion of Stockfish that we en­joy de­vel­op­ing and shar­ing freely.

Claiming that “right-wing voices are be­ing cen­sored,” Republican-led leg­is­la­tures in Florida and Texas have in­tro­duced leg­is­la­tion to “end Big Tech cen­sor­ship.” They say that the dom­i­nant tech plat­forms block le­git­i­mate speech with­out ever ar­tic­u­lat­ing their mod­er­a­tion poli­cies, that they are slow to ad­mit their mis­takes, and that there is no mean­ing­ful due process for peo­ple who think the plat­forms got it wrong.

But it’s not just con­ser­v­a­tives who have their po­lit­i­cal speech blocked by so­cial me­dia gi­ants. It’s Palestinians and other crit­ics of Israel, in­clud­ing many Israelis. And it’s queer peo­ple, of course. We have a whole pro­ject track­ing peo­ple who’ve been cen­sored, blocked, down­ranked, sus­pended and ter­mi­nated for their le­git­i­mate speech, from punk mu­si­cians to peanuts fans, his­to­ri­ans to war crimes in­ves­ti­ga­tors, sex ed­u­ca­tors to Christian min­istries.

Content mod­er­a­tion is hard at any scale, but even so, the cat­a­log of big plat­forms’ un­forced er­rors makes for sorry read­ing. Experts who care about po­lit­i­cal di­ver­sity, ha­rass­ment and in­clu­sion came to­gether in 2018 to draft the Santa Clara Principles on Transparency and Accountability in Content Moderation but the biggest plat­forms are still just wing­ing it for the most part.

The sit­u­a­tion is es­pe­cially grim when it comes to po­lit­i­cal speech, par­tic­u­larly when plat­forms are told they have a duty to re­move “extremism.”

The Florida and Texas so­cial me­dia laws are deeply mis­guided and nakedly un­con­sti­tu­tional, but we get why peo­ple are fed up with Big Tech’s on­go­ing goat-rodeo of con­tent mod­er­a­tion gaffes.

Let’s start with talk­ing about why plat­form cen­sor­ship mat­ters. In the­ory, if you don’t like the mod­er­a­tion poli­cies at Facebook, you can quit and go to a ri­val, or start your own. In prac­tice, it’s not that sim­ple.

First of all, the in­ter­net’s “marketplace of ideas” is se­verely lop­sided at the plat­form level, con­sist­ing of a sin­gle gar­gan­tuan ser­vice (Facebook), a hand­ful of mas­sive ser­vices (YouTube, Twitter, Reddit, TikTok, etc) and a con­stel­la­tion of plucky, strug­gling, en­dan­gered in­dieweb al­ter­na­tives.

If none of the big plat­forms want you, you can try to strike out on your own. Setting up your own ri­val plat­form re­quires that you get cloud ser­vices, anti-DDoS, do­main reg­is­tra­tion and DNS, pay­ment pro­cess­ing and other es­sen­tial in­fra­struc­ture. Unfortunately, every one of these sec­tors has grown in­creas­ingly con­cen­trated, and with just a hand­ful of com­pa­nies dom­i­nat­ing every layer of the stack, there are plenty of weak links in the chain and if just one breaks, your ser­vice is at risk.

But even if you can set up your own ser­vice, you’ve still got a prob­lem: every­one you want to talk about your dis­fa­vored ideas with is stuck in one of the Big Tech si­los. Economists call this the “network ef­fect,” when a ser­vice gets more valu­able as more users join it. You join Facebook be­cause your friends are there, and once you’re there, more of your friends join so they can talk to you.

Setting up your own ser­vice might get you a more nu­anced and wel­com­ing mod­er­a­tion en­vi­ron­ment, but it’s not go­ing to do you much good if your peo­ple aren’t will­ing to give up ac­cess to all their friends, cus­tomers and com­mu­ni­ties by quit­ting Facebook and join­ing your nascent al­ter­na­tive, not least be­cause there’s a limit to how many ser­vices you can be ac­tive on.

If all you think about is net­work ef­fects, then you might be tempted to think that we’ve ar­rived at the end of his­tory, and that the in­ter­net was doomed to be a  win­ner-take-all world of five gi­ant web­sites filled with screen­shots of text from the other four.

But net­work ef­fects aren’t the only idea from eco­nom­ics we need to pay at­ten­tion to when it comes to the in­ter­net and free speech. Just as im­por­tant is the idea of “switching costs,” the things you have to give up when you switch away from one of the big ser­vices - if you re­sign from Facebook, you lose ac­cess to every­one who is­n’t will­ing to fol­low you to a bet­ter place.

Switching costs aren’t an in­evitable fea­ture of large com­mu­ni­ca­tions sys­tems. You can switch email providers and still con­nect with your friends; you can change cel­lu­lar car­ri­ers with­out even hav­ing to tell your friends be­cause you get to keep your phone num­ber.

The high switch­ing costs of Big Tech are there by de­sign. Social me­dia may make sign­ing up as easy as a greased slide, but leav­ing is an­other story. It’s like a roach mo­tel: users check in but they’re not sup­posed to check out.

Enter in­ter­op­er­abil­ity, the prac­tice of de­sign­ing new tech­nolo­gies that con­nect to ex­ist­ing ones. Interoperability is why you can ac­cess any web­site with any browser, and read Microsoft Office files us­ing free/​open soft­ware like LibreOffice, cloud soft­ware like Google Office, or desk­top soft­ware like Apple iWorks.

An in­ter­op­er­a­ble so­cial me­dia gi­ant - one that al­lowed new ser­vices to con­nect to it - would bust open that roach mo­tel. If you could leave Facebook but con­tinue to con­nect with the friends, com­mu­ni­ties and cus­tomers who stayed be­hind, the de­ci­sion to leave would be much sim­pler. If you don’t like Facebook’s rules (and who does?) you could go some­where else and still reach the peo­ple that mat­ter to you, with­out hav­ing to con­vince them that it’s time to make a move.

That’s where laws like the pro­posed ACCESS Act come in. While not per­fect, this pro­posal to force the Big Tech plat­forms to open up their walled gar­dens to pri­vacy-re­spect­ing, con­sent-seek­ing third par­ties is a way for­ward for any­one who chafes against Big Tech’s mod­er­a­tion poli­cies and their un­even, high-handed ap­pli­ca­tion.

Some tech plat­forms are al­ready mov­ing in that di­rec­tion. Twitter says it wants to cre­ate an “app store for mod­er­a­tion,” with mul­ti­ple ser­vices con­nect­ing to it, each of­fer­ing dif­fer­ent mod­er­a­tion op­tions. We wish it well! Twitter is well-po­si­tioned to do this - it’s one tenth the size of Facebook and needs to find ways to grow.

But the biggest tech com­pa­nies show no sign of vol­un­tar­ily re­duc­ing their switch­ing costs.  The ACCESS Act is the most im­por­tant in­ter­op­er­abil­ity pro­posal in the world, and it could be a game-changer for all in­ter­net users.

Unfortunately for all of us, many of the peo­ple who don’t like Big Tech’s mod­er­a­tion think the way to fix it is to elim­i­nate Section 230, a law that pro­motes users’ free speech. Section 230 is a rule that says you sue the per­son who caused the harm while or­ga­ni­za­tions that host ex­pres­sive speech are free to re­move of­fen­sive, ha­rass­ing or oth­er­wise ob­jec­tion­able con­tent.

That means that con­ser­v­a­tive Twitter al­ter­na­tives can delete floods of porno­graphic memes with­out be­ing sued by their users. It means that on­line fo­rums can al­low sur­vivors of work­place ha­rass­ment to name their abusers with­out wor­ry­ing about li­bel suits.

If host­ing speech makes you li­able for what your users say, then only the very biggest plat­forms can af­ford to op­er­ate, and then only by re­sort­ing to shoot-first/​ask-ques­tions-later au­to­mated take­down sys­tems.

There’s not much that the po­lit­i­cal left and right agree on these days, but there’s one sub­ject that re­li­ably crosses the po­lit­i­cal di­vide: frus­tra­tion with mo­nop­o­lists’ clumsy han­dling of on­line speech.

For the first time, there’s a law be­fore Congress that could make Big Tech more ac­count­able and give in­ter­net users more con­trol over speech and mod­er­a­tion poli­cies. The promise of the ACCESS Act is an in­ter­net where if you don’t like a big plat­for­m’s mod­er­a­tion poli­cies, if you think they’re too tol­er­ant of abusers or too quick to kick some­one off for get­ting too pas­sion­ate dur­ing a de­bate, you can leave, and still stay con­nected to the peo­ple who mat­ter to you.

Killing CDA 230 won’t fix Big Tech (if that was the case, Mark Zuckerberg would­n’t be call­ing for CDA 230 re­form). The ACCESS Act won’t ei­ther, by it­self — but by mak­ing Big Tech open up to new ser­vices that are ac­count­able to their users, the ACCESS Act takes sev­eral steps in the right di­rec­tion.

Private Israeli spy­ware used to hack cell­phones of jour­nal­ists, ac­tivists world­wideNSO Group’s Pegasus spy­ware, li­censed to gov­ern­ments around the globe, can in­fect phones with­out a click­Warn­ing: This graphic re­quires JavaScript. Please en­able JavaScript for the best ex­pe­ri­ence. Military-grade spy­ware li­censed by an Israeli firm to gov­ern­ments for track­ing ter­ror­ists and crim­i­nals was used in at­tempted and suc­cess­ful hacks of 37 smart­phones be­long­ing to jour­nal­ists, hu­man rights ac­tivists, busi­ness ex­ec­u­tives and two women close to mur­dered Saudi jour­nal­ist Jamal Khashoggi, ac­cord­ing to an in­ves­ti­ga­tion by The Washington Post and 16 me­dia part­ners.The phones ap­peared on a list of more than 50,000 num­bers that are con­cen­trated in coun­tries known to en­gage in sur­veil­lance of their cit­i­zens and also known to have been clients of the Israeli firm, NSO Group, a world­wide leader in the grow­ing and largely un­reg­u­lated pri­vate spy­ware in­dus­try, the in­ves­ti­ga­tion found.The list does not iden­tify who put the num­bers on it, or why, and it is un­known how many of the phones were tar­geted or sur­veilled. But foren­sic analy­sis of the 37 smart­phones shows that many dis­play a tight cor­re­la­tion be­tween time stamps as­so­ci­ated with a num­ber on the list and the ini­ti­a­tion of sur­veil­lance, in some cases as brief as a few sec­onds.For­bid­den Stories, a Paris-based jour­nal­ism non­profit, and Amnesty International, a hu­man rights group, had ac­cess to the list and shared it with the news or­ga­ni­za­tions, which did fur­ther re­search and analy­sis. Amnesty’s Security Lab did the foren­sic analy­ses on the smart­phones.The num­bers on the list are un­at­trib­uted, but re­porters were able to iden­tify more than 1,000 peo­ple span­ning more than 50 coun­tries through re­search and in­ter­views on four con­ti­nents: sev­eral Arab royal fam­ily mem­bers, at least 65 busi­ness ex­ec­u­tives, 85 hu­man rights ac­tivists, 189 jour­nal­ists, and more than 600 politi­cians and gov­ern­ment of­fi­cials — in­clud­ing cab­i­net min­is­ters, diplo­mats, and mil­i­tary and se­cu­rity of­fi­cers. The num­bers of sev­eral heads of state and prime min­is­ters also ap­peared on the list.Among the jour­nal­ists whose num­bers ap­pear on the list, which dates to 2016, are re­porters work­ing over­seas for sev­eral lead­ing news or­ga­ni­za­tions, in­clud­ing a small num­ber from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.The tar­get­ing of the 37 smart­phones would ap­pear to con­flict with the stated pur­pose of NSO’s li­cens­ing of the Pegasus spy­ware, which the com­pany says is in­tended only for use in sur­veilling ter­ror­ists and ma­jor crim­i­nals. The ev­i­dence ex­tracted from these smart­phones, re­vealed here for the first time, calls into ques­tion pledges by the Israeli com­pany to po­lice its clients for hu­man rights abuses.The me­dia con­sor­tium, ti­tled the Pegasus Project, an­a­lyzed the list through in­ter­views and foren­sic analy­sis of the phones, and by com­par­ing de­tails with pre­vi­ously re­ported in­for­ma­tion about NSO. Amnesty’s Security Lab ex­am­ined 67 smart­phones where at­tacks were sus­pected. Of those, 23 were suc­cess­fully in­fected and 14 showed signs of at­tempted pen­e­tra­tion.For the re­main­ing 30, the tests were in­con­clu­sive, in sev­eral cases be­cause the phones had been re­placed. Fifteen of the phones were Android de­vices, none of which showed ev­i­dence of suc­cess­ful in­fec­tion. However, un­like iPhones, Androids do not log the kinds of in­for­ma­tion re­quired for Amnesty’s de­tec­tive work. Three Android phones showed signs of tar­get­ing, such as Pegasus-linked SMS mes­sages.Amnesty shared backup copies of data on four iPhones with Citizen Lab, which con­firmed that they showed signs of Pegasus in­fec­tion. Citizen Lab, a re­search group at the University of Toronto that spe­cial­izes in study­ing Pegasus, also con­ducted a peer re­view of Amnesty’s foren­sic meth­ods and found them to be sound.In lengthy re­sponses be­fore pub­li­ca­tion, NSO called the in­ves­ti­ga­tion’s find­ings ex­ag­ger­ated and base­less. It also said it does not op­er­ate the spy­ware li­censed to its clients and “has no in­sight” into their spe­cific in­tel­li­gence ac­tiv­i­ties.Af­ter pub­li­ca­tion, NSO chief ex­ec­u­tive Shalev Hulio ex­pressed con­cern in a phone in­ter­view with The Post about some of the de­tails he had read in Pegasus Project sto­ries Sunday, while con­tin­u­ing to dis­pute that the list of more than 50,000 phone num­bers had any­thing to do with NSO or Pegasus.“The com­pany cares about jour­nal­ists and ac­tivists and civil so­ci­ety in gen­eral,” Hulio said. “We un­der­stand that in some cir­cum­stances our cus­tomers might mis­use the sys­tem and, in some cases like we re­ported in [NSO’s] Transparency and Responsibility Report, we have shut down sys­tems for cus­tomers who have mis­used the sys­tem.”He said that in the past 12 months NSO had ter­mi­nated two con­tracts over al­le­ga­tions of hu­man rights abuses, but he de­clined to name the coun­tries in­volved.“Every al­le­ga­tion about mis­use of the sys­tem is con­cern­ing me,” he said. “It vi­o­lates the trust that we give cus­tomers. We are in­ves­ti­gat­ing every al­le­ga­tion.”NSO de­scribes its cus­tomers as 60 in­tel­li­gence, mil­i­tary and law en­force­ment agen­cies in 40 coun­tries, al­though it will not con­firm the iden­ti­ties of any of them, cit­ing client con­fi­den­tial­ity oblig­a­tions. The con­sor­tium found many of the phone num­bers in at least 10 coun­try clus­ters, which were sub­jected to deeper analy­sis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found ev­i­dence that all 10 have been clients of NSO, ac­cord­ing to Bill Marczak, a se­nior re­search fel­low.For­bid­den Stories or­ga­nized the me­dia con­sor­tium’s in­ves­ti­ga­tion, and Amnesty pro­vided analy­sis and tech­ni­cal sup­port but had no ed­i­to­r­ial in­put. Amnesty has openly crit­i­cized NSO’s spy­ware busi­ness and sup­ported an un­suc­cess­ful law­suit against the com­pany in an Israeli court seek­ing to have its ex­port li­cense re­voked. After the in­ves­ti­ga­tion be­gan, sev­eral re­porters in the con­sor­tium learned that they or their fam­ily mem­bers had been suc­cess­fully at­tacked with Pegasus spy­ware.Be­yond the per­sonal in­tru­sions made pos­si­ble by smart­phone sur­veil­lance, the wide­spread use of spy­ware has emerged as a lead­ing threat to democ­ra­cies world­wide, crit­ics say. Journalists un­der sur­veil­lance can­not safely gather sen­si­tive news with­out en­dan­ger­ing them­selves and their sources. Opposition politi­cians can­not plot their cam­paign strate­gies with­out those in power an­tic­i­pat­ing their moves. Human rights work­ers can­not work with vul­ner­a­ble peo­ple — some of whom are vic­tims of their own gov­ern­ments — with­out ex­pos­ing them to re­newed abuse.For ex­am­ple, Amnesty’s foren­sics found ev­i­dence that Pegasus was tar­geted at the two women clos­est to Saudi colum­nist Khashoggi, who wrote for The Post’s Opinions sec­tion. The phone of his fi­ancee, Hatice Cengiz, was suc­cess­fully in­fected dur­ing the days af­ter his mur­der in Turkey on Oct. 2, 2018, ac­cord­ing to a foren­sic analy­sis by Amnesty’s Security Lab. Also on the list were the num­bers of two Turkish of­fi­cials in­volved in in­ves­ti­gat­ing his dis­mem­ber­ment by a Saudi hit team. Khashoggi also had a wife, Hanan Elatr, whose phone was tar­geted by some­one us­ing Pegasus in the months be­fore his killing. Amnesty was un­able to de­ter­mine whether the hack was suc­cess­ful.“This is nasty soft­ware — like elo­quently nasty,” said Timothy Summers, a for­mer cy­ber­se­cu­rity en­gi­neer at a U.S. in­tel­li­gence agency and now di­rec­tor of IT at Arizona State University. With it “one could spy on al­most the en­tire world pop­u­la­tion. … There’s not any­thing wrong with build­ing tech­nolo­gies that al­lows you to col­lect data; it’s nec­es­sary some­times. But hu­man­ity is not in a place where we can have that much power just ac­ces­si­ble to any­body.”In re­sponse to de­tailed ques­tions from the con­sor­tium be­fore pub­li­ca­tion, NSO said in a state­ment that it did not op­er­ate the spy­ware it li­censed to clients and did not have reg­u­lar ac­cess to the data they gather. The com­pany also said its tech­nolo­gies have helped pre­vent at­tacks and bomb­ings and bro­ken up rings that traf­ficked in drugs, sex and chil­dren. “Simply put, NSO Group is on a life-sav­ing mis­sion, and the com­pany will faith­fully ex­e­cute this mis­sion un­de­terred, de­spite any and all con­tin­ued at­tempts to dis­credit it on false grounds,” NSO said. “Your sources have sup­plied you with in­for­ma­tion that has no fac­tual ba­sis, as ev­i­denced by the lack of sup­port­ing doc­u­men­ta­tion for many of the claims.”The com­pany de­nied that its tech­nol­ogy was used against Khashoggi, or his rel­a­tives or as­so­ci­ates.“As NSO has pre­vi­ously stated, our tech­nol­ogy was not as­so­ci­ated in any way with the heinous mur­der of Jamal Khashoggi. This in­cludes lis­ten­ing, mon­i­tor­ing, track­ing, or col­lect­ing in­for­ma­tion. We pre­vi­ously in­ves­ti­gated this claim, im­me­di­ately af­ter the heinous mur­der, which again, is be­ing made with­out val­i­da­tion.”Thomas Clare, a li­bel at­tor­ney hired by NSO, said that the con­sor­tium had “apparently mis­in­ter­preted and mis­char­ac­ter­ized cru­cial source data on which it re­lied” and that its re­port­ing con­tained flawed as­sump­tions and fac­tual er­rors.“NSO Group has good rea­son to be­lieve that this list of ‘thousands of phone num­bers’ is not a list of num­bers tar­geted by gov­ern­ments us­ing Pegasus, but in­stead, may be part of a larger list of num­bers that might have been used by NSO Group cus­tomers for other pur­poses,” Clare wrote.In re­sponse to fol­low-up ques­tions, NSO called the 50,000 num­ber “exaggerated” and said it was far too large to rep­re­sent num­bers tar­geted by its clients. Based on the ques­tions it was be­ing asked, NSO said, it had rea­son to be­lieve that the con­sor­tium was bas­ing its find­ings “on mis­lead­ing in­ter­pre­ta­tion of leaked data from ac­ces­si­ble and overt ba­sic in­for­ma­tion, such as HLR Lookup ser­vices, which have no bear­ing on the list of the cus­tomers tar­gets of Pegasus or any other NSO prod­ucts … we still do not see any cor­re­la­tion of these lists to any­thing re­lated to use of NSO Group tech­nolo­gies.”The term HLR, or Home Location Register, refers to a data­base that is es­sen­tial to op­er­at­ing cel­lu­lar phone net­works. Such reg­is­ters keep records on the net­works of cell­phone users and their gen­eral lo­ca­tions, along with other iden­ti­fy­ing in­for­ma­tion that is used rou­tinely in rout­ing calls and texts. HLR lookup ser­vices op­er­ate on the SS7 sys­tem that cel­lu­lar car­ri­ers use to com­mu­ni­cate with each other. The ser­vices can be used as a step to­ward spy­ing on tar­gets.Telecom­mu­ni­ca­tions se­cu­rity ex­pert Karsten Nohl, chief sci­en­tist for Security Research Labs in Berlin, said that he does not have di­rect knowl­edge of NSO’s sys­tems but that HLR lookups and other SS7 queries are widely and in­ex­pen­sively used by the sur­veil­lance in­dus­try — of­ten for just tens of thou­sands of dol­lars a year.“It’s not dif­fi­cult to get that ac­cess. Given the re­sources of NSO, it’d be crazy to as­sume that they don’t have SS7 ac­cess from at least a dozen coun­tries,” Nohl said. “From a dozen coun­tries, you can spy on the rest of the world.”Pe­ga­sus was en­gi­neered a decade ago by Israeli ex-cy­ber­spies with gov­ern­ment-honed skills. The Israeli Defense Ministry must ap­prove any li­cense to a gov­ern­ment that wants to buy it, ac­cord­ing to pre­vi­ous NSO state­ments.“As a mat­ter of pol­icy, the State of Israel ap­proves the ex­port of cy­ber prod­ucts ex­clu­sively to gov­ern­men­tal en­ti­ties, for law­ful use, and only for the pur­pose of pre­vent­ing and in­ves­ti­gat­ing crime and coun­tert­er­ror­ism, un­der end-use/​end user cer­tifi­cates pro­vided by the ac­quir­ing gov­ern­ment,” a spokesper­son for the Israeli de­fense es­tab­lish­ment said Sunday. “In cases where ex­ported items are used in vi­o­la­tion of ex­port li­censes or end-use cer­tifi­cates, ap­pro­pri­ate mea­sures are taken.”The num­bers of about a dozen Americans work­ing over­seas were dis­cov­ered on the list, in all but one case while us­ing phones reg­is­tered to for­eign cel­lu­lar net­works. The con­sor­tium could not per­form foren­sic analy­sis on most of these phones. NSO has said for years that its prod­uct can­not be used to sur­veil American phones. The con­sor­tium did not find ev­i­dence of suc­cess­ful spy­ware pen­e­tra­tion on phones with the U.S. coun­try code.“We also stand by our pre­vi­ous state­ments that our prod­ucts, sold to vet­ted for­eign gov­ern­ments, can­not be used to con­duct cy­ber­sur­veil­lance within the United States, and no cus­tomer has ever been granted tech­nol­ogy that would en­able them to ac­cess phones with U.S. num­bers,” the com­pany said in its state­ment. “It is tech­no­log­i­cally im­pos­si­ble and reaf­firms the fact your sources’ claims have no merit.”Tar­get: Someone sends what’s known as a trap link to a smart­phone that per­suades the vic­tim to tap and ac­ti­vate — or ac­ti­vates it­self with­out any in­put, as in the most so­phis­ti­cated “zero-click” hacks.In­fect: The spy­ware cap­tures and copies the phone’s most ba­sic func­tions, NSO mar­ket­ing ma­te­ri­als show, record­ing from the cam­eras and mi­cro­phone and col­lect­ing lo­ca­tion data, call logs and con­tacts.Track: The im­plant se­cretly re­ports that in­for­ma­tion to an op­er­a­tive who can use it to map out sen­si­tive de­tails of the vic­tim’s life.Read more about why it’s hard to pro­tect your­self from hacks.Ap­ple and other smart­phone man­u­fac­tur­ers are years into a cat-and-mouse game with NSO and other spy­ware mak­ers.“Ap­ple un­equiv­o­cally con­demns cy­ber­at­tacks against jour­nal­ists, hu­man rights ac­tivists and oth­ers seek­ing to make the world a bet­ter place,” said Ivan Krstić, head of Apple Security Engineering and Architecture. “For over a decade, Apple has led the in­dus­try in se­cu­rity in­no­va­tion and, as a re­sult, se­cu­rity re­searchers agree iPhone is the safest, most se­cure con­sumer mo­bile de­vice on the mar­ket. Attacks like the ones de­scribed are highly so­phis­ti­cated, cost mil­lions of dol­lars to de­velop, of­ten have a short shelf life and are used to tar­get spe­cific in­di­vid­u­als. While that means they are not a threat to the over­whelm­ing ma­jor­ity of our users, we con­tinue to work tire­lessly to de­fend all our cus­tomers, and we are con­stantly adding new pro­tec­tions for their de­vices and data.”Some Pegasus in­tru­sion tech­niques de­tailed in a 2016 re­port were changed in a mat­ter of hours af­ter they were made pub­lic, un­der­scor­ing NSO’s abil­ity to adapt to coun­ter­mea­sures.Pe­ga­sus is en­gi­neered to evade de­fenses on iPhones and Android de­vices and to leave few traces of its at­tack. Familiar pri­vacy mea­sures like strong pass­words and en­cryp­tion of­fer lit­tle help against Pegasus, which can at­tack phones with­out any warn­ing to users. It can read any­thing on a de­vice that a user can, while also steal­ing pho­tos, record­ings, lo­ca­tion records, com­mu­ni­ca­tions, pass­words, call logs and so­cial me­dia posts. Spyware also can ac­ti­vate cam­eras and mi­cro­phones for real-time sur­veil­lance.“There is just noth­ing from an en­cryp­tion stand­point to pro­tect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian re­searcher who de­vel­oped and per­formed the dig­i­tal foren­sics on 37 smart­phones that showed ev­i­dence of Pegasus at­tacks.That sense of help­less­ness makes Guarnieri, who of­ten dresses head-to-toe in black, feel as use­less as a 14th-century doc­tor con­fronting the Black Plague with­out any use­ful med­ica­tion. “Primarily I’m here just to keep the death count,” he said.The at­tack can be­gin in dif­fer­ent ways. It can come from a ma­li­cious link in an SMS text mes­sage or an iMes­sage. In some cases, a user must click on the link to start the in­fec­tion. In re­cent years, spy­ware com­pa­nies have de­vel­oped what they call “zero-click” at­tacks, which de­liver spy­ware sim­ply by send­ing a mes­sage to a user’s phone that pro­duces no no­ti­fi­ca­tion. Users do not even need to touch their phones for in­fec­tions to be­gin.Many coun­tries have laws per­tain­ing to tra­di­tional wire­tap­ping and in­ter­cep­tion of com­mu­ni­ca­tions, but few have ef­fec­tive safe­guards against deeper in­tru­sions made pos­si­ble by hack­ing into smart­phones. “This is more de­vi­ous in a sense be­cause it re­ally is no longer about in­ter­cept­ing com­mu­ni­ca­tions and over­hear­ing con­ver­sa­tion. … This cov­ers all of them and goes way be­yond that,” Guarnieri said. “It has raised a lot of ques­tions from not only hu­man rights, but even na­tional con­sti­tu­tional laws as to is this even le­gal?”Clare, NSO’s at­tor­ney, at­tacked the foren­sic ex­am­i­na­tions as “a com­pi­la­tion of spec­u­la­tive and base­less as­sump­tions” built on as­sump­tions based on ear­lier re­ports. He also said, “NSO does not have in­sight into the spe­cific in­tel­li­gence ac­tiv­i­ties of its cus­tomers.”The Pegasus Project’s find­ings are sim­i­lar to pre­vi­ous dis­cov­er­ies by Amnesty, Citizen Lab and news or­ga­ni­za­tions world­wide, but the new re­port­ing of­fers a de­tailed view of the per­sonal con­se­quences and scale of sur­veil­lance and its abuses.The con­sor­tium an­a­lyzed the list and found clus­ters of num­bers with sim­i­lar coun­try codes and ge­o­graph­i­cal fo­cus that align with pre­vi­ous re­port­ing and ad­di­tional re­search about NSO clients over­seas. For ex­am­ple, Mexico has been pre­vi­ously iden­ti­fied in pub­lished re­ports and doc­u­ments as an NSO client, and en­tries on the list are clus­tered by Mexican coun­try code, area code and ge­og­ra­phy. In sev­eral cases, clus­ters also con­tained num­bers from other coun­tries.In re­sponse to ques­tions from re­porters, spokes­peo­ple for the coun­tries with clus­ters ei­ther de­nied Pegasus was used or de­nied that their coun­try had abused their pow­ers of sur­veil­lance.Hun­gar­ian Prime Minister Viktor Orban’s of­fice said any sur­veil­lance car­ried out by that na­tion is done in ac­cor­dance with the law.“In Hungary, state bod­ies au­tho­rized to use covert in­stru­ments are reg­u­larly mon­i­tored by gov­ern­men­tal and non-gov­ern­men­tal in­sti­tu­tions,” the of­fice said. “Have you asked the same ques­tions of the gov­ern­ments of the United States of America, the United Kingdom, Germany or France?”Moroccan au­thor­i­ties re­sponded: “It should be re­called that the un­founded al­le­ga­tions pre­vi­ously pub­lished by Amnesty International and con­veyed by Forbidden Stories have al­ready been the sub­ject of an of­fi­cial re­sponse from the Moroccan au­thor­i­ties, who have cat­e­gor­i­cally re­jected these al­le­ga­tions.”Vin­cent Biruta, Rwanda’s for­eign af­fairs min­is­ter, also de­nied the use of Pegasus.“Rwanda does not use this soft­ware sys­tem, as pre­vi­ously con­firmed in November 2019, and does not pos­sess this tech­ni­cal ca­pa­bil­ity in any form,” Biruta said. “These false ac­cu­sa­tions are part of an on­go­ing cam­paign to cause ten­sions be­tween Rwanda and other coun­tries, and to sow dis­in­for­ma­tion about Rwanda do­mes­ti­cally and in­ter­na­tion­ally.”Car­men Aristegui, one of the most promi­nent in­ves­tiga­tive jour­nal­ists in Mexico, is rou­tinely threat­ened for ex­pos­ing the cor­rup­tion of the na­tion’s politi­cians and car­tels. She was pre­vi­ously re­vealed as a Pegasus tar­get in sev­eral me­dia re­ports. (Bernardo Montoya/AFP/Getty Images) Some ex­pressed out­rage even at the sug­ges­tion of spy­ing on jour­nal­ists.A re­porter for the French daily Le Monde work­ing on the Pegasus Project re­cently posed such a ques­tion to Hungarian Justice Minister Judit Varga dur­ing an in­ter­view about the le­gal re­quire­ments for eaves­drop­ping:“If some­one asked you to tape a jour­nal­ist or an op­po­nent, you would­n’t ac­cept this?”“What a ques­tion!” Varga re­sponded. “This is a provo­ca­tion in it­self!” A day later, her of­fice re­quested that this ques­tion and her an­swer to it “be erased” from the in­ter­view.In the past, NSO has blamed its client coun­tries for any al­leged abuses. NSO re­leased its first “Transparency and Responsibility Report” last month, ar­gu­ing that its ser­vices are es­sen­tial to law en­force­ment and in­tel­li­gence agen­cies try­ing to keep up with the 21st cen­tury.“Ter­ror or­ga­ni­za­tions, drug car­tels, hu­man traf­fick­ers, pe­dophile rings and other crim­i­nal syn­di­cates to­day ex­ploit off-the-shelf en­cryp­tion ca­pa­bil­i­ties of­fered by mo­bile mes­sag­ing and com­mu­ni­ca­tions ap­pli­ca­tions.“These tech­nolo­gies pro­vide crim­i­nals and their net­works a safe haven, al­low­ing them to ‘go dark’ and avoid de­tec­tion, com­mu­ni­cat­ing through im­pen­e­tra­ble mo­bile mes­sag­ing sys­tems. Law en­force­ment and coun­tert­er­ror­ism state agen­cies around the world have strug­gled to keep up.”NSO also said it con­ducts rig­or­ous re­views of po­ten­tial cus­tomers’ hu­man rights records be­fore con­tract­ing with them and in­ves­ti­gates re­ports of abuses, al­though it did not cite any spe­cific cases. It as­serted that it has dis­con­tin­ued con­tracts with five clients for doc­u­mented vi­o­la­tions and that the com­pa­ny’s due dili­gence has cost it $100 mil­lion in lost rev­enue. A per­son fa­mil­iar with NSO op­er­a­tions who spoke on the con­di­tion of anonymity to dis­cuss in­ter­nal com­pany mat­ters noted that in the last year alone NSO had ter­mi­nated con­tracts with Saudi Arabia and Dubai in the United Arab Emirates over hu­man rights con­cerns.“Pe­ga­sus is very use­ful for fight­ing or­ga­nized crime,” said Guillermo Valdes Castellanos, head of Mexico’s do­mes­tic in­tel­li­gence agency CISEN from 2006 to 2011. “But the to­tal lack of checks and bal­ances [in Mexican agen­cies] means it eas­ily ends up in pri­vate hands and is used for po­lit­i­cal and per­sonal gain.”Mex­ico was NSO’s first over­seas client in 2011, less than a year af­ter the firm was founded in Israel’s Silicon Valley, in north­ern Tel Aviv.In 2016 and 2017, more than 15,000 Mexicans ap­peared on the list ex­am­ined by the me­dia con­sor­tium, among them at least 25 re­porters work­ing for the coun­try’s ma­jor me­dia out­lets, ac­cord­ing to the records and in­ter­views.One of them was Carmen Aristegui, one of the most promi­nent in­ves­tiga­tive jour­nal­ists in the coun­try and a reg­u­lar con­trib­u­tor to CNN. Aristegui, who is rou­tinely threat­ened for ex­pos­ing the cor­rup­tion of Mexican politi­cians and car­tels, was pre­vi­ously re­vealed as a Pegasus tar­get in sev­eral me­dia re­ports. At the time, she said in a re­cent in­ter­view, her pro­ducer was also tar­geted. The new records and foren­sics show that Pegasus links were de­tected on the phone of her per­sonal as­sis­tant.“Pe­ga­sus is some­thing that comes to your of­fice, your home, your bed, every cor­ner of your ex­is­tence,” Aristegui said. “It is a tool that de­stroys the es­sen­tial codes of civ­i­liza­tion.”Un­like Aristegui, free­lance re­porter Cecilio Pineda was un­known out­side his vi­o­lence-wracked south­ern state of Guerrero. His num­ber ap­pears twice on the list of 50,000. A month af­ter the sec­ond list­ing, he was gunned down while ly­ing in a ham­mock at a car­wash while wait­ing for his car. It is un­clear what role, if any, Pegasus’s abil­ity to ge­olo­cate its tar­gets in real time con­tributed to his mur­der. Mexico is among the dead­liest coun­tries for jour­nal­ists; 11 were killed in 2017, ac­cord­ing to Reporters Without Borders.“Even if Forbidden Stories were cor­rect that an NSO Group client in Mexico tar­geted the jour­nal­ist’s phone num­ber in February 2017, that does not mean that the NSO Group client or data col­lected by NSO Group soft­ware were in any way con­nected to the jour­nal­ist’s mur­der the fol­low­ing month,” Clare, NSO’s lawyer, wrote in his let­ter to Forbidden Stories. “Correlation does not equal cau­sa­tion, and the gun­men who mur­dered the jour­nal­ist could have learned of his lo­ca­tion at a pub­lic car­wash through any num­ber of means not re­lated to NSO Group, its tech­nolo­gies, or its clients.”Mex­i­co’s Public Security Ministry ac­knowl­edged last year that the do­mes­tic in­tel­li­gence agency, CISEN, and the at­tor­ney gen­er­al’s of­fice ac­quired Pegasus in 2014 and dis­con­tin­ued its use in 2017 when the li­cense ex­pired. Mexican me­dia have also re­ported that the Defense Ministry used the spy­ware.Ed­ward Snowden’s 2013 dis­clo­sure of highly clas­si­fied National Security Agency doc­u­ments re­vealed the agen­cy’s abil­ity to tap the elec­tronic com­mu­ni­ca­tions of al­most any­one and trig­gered an in­ter­na­tional boom in spy­ware de­vel­op­ment and de­ploy­ment. (The Guardian/Getty Images) Today’s thriv­ing in­ter­na­tional spy­ware in­dus­try dates back decades but got a boost af­ter the un­prece­dented 2013 dis­clo­sure of highly clas­si­fied National Security Agency doc­u­ments by con­trac­tor Edward Snowden. They re­vealed that the NSA could ob­tain the elec­tronic com­mu­ni­ca­tions of al­most any­one be­cause it had se­cret ac­cess to the transna­tional ca­bles car­ry­ing Internet traf­fic world­wide and data from Internet com­pa­nies such as Google and gi­ant telecom­mu­ni­ca­tions com­pa­nies such as AT&T.Even U.S. al­lies in Europe were shocked by the com­pre­hen­sive scale of the American dig­i­tal spy­ing, and many na­tional in­tel­li­gence agen­cies set out to im­prove their own sur­veil­lance abil­i­ties. For-profit firms staffed with mid­ca­reer re­tirees from in­tel­li­gence agen­cies saw a lu­cra­tive mar­ket-in-wait­ing free from the gov­ern­ment reg­u­la­tions and over­sight im­posed on other in­dus­tries.The dra­matic ex­pan­sion of end-to-end en­cryp­tion by Google, Microsoft, Facebook, Apple and other ma­jor tech­nol­ogy firms also prompted law en­force­ment and in­tel­li­gence of­fi­cials to com­plain they had lost ac­cess to the com­mu­ni­ca­tions of le­git­i­mate crim­i­nal tar­gets. That in turn sparked more in­vest­ment in tech­nolo­gies, such as Pegasus, that worked by tar­get­ing in­di­vid­ual de­vices.“When you build a build­ing, you want to make sure the build­ing holds up, so we fol­low cer­tain pro­to­cols,” said Ido Sivan-Sevilla, an ex­pert on cy­ber gov­er­nance at the University of Maryland. By pro­mot­ing the sale of un­reg­u­lated pri­vate sur­veil­lance tools, “we en­cour­age build­ing build­ings that can be bro­ken into. We are build­ing a mon­ster. We need an in­ter­na­tional norms treaty that says cer­tain things are not okay.”With­out in­ter­na­tional stan­dards and rules, there are se­cret deals be­tween com­pa­nies like NSO and the coun­tries they ser­vice.The un­fet­tered use of a mil­i­tary-grade spy­ware such as Pegasus can help gov­ern­ments to sup­press civic ac­tivism at a time when au­thor­i­tar­i­an­ism is on the rise world­wide. It also gives coun­tries with­out the tech­ni­cal so­phis­ti­ca­tion of such lead­ing na­tions as the United States, Israel and China the abil­ity to con­duct far deeper dig­i­tal cy­beres­pi­onage than ever be­fore.The regime in Azerbaijan has worked for a decade to si­lence in­ves­tiga­tive jour­nal­ist Khadija Ismayilova. Forensics by Security Lab de­ter­mined that Pegasus at­tacked and pen­e­trated her smart­phone nu­mer­ous times from March 2019 to as late as May of this year. (Aziz Karimov/Pacific Press/LightRocket/Getty Images) Azerbaijan, a long­time ally of Israel, has been iden­ti­fied as an NSO client by Citizen Lab and oth­ers. The coun­try is a fam­ily-run klep­toc­racy with no free elec­tions, no im­par­tial court sys­tem and no in­de­pen­dent news me­dia. The for­mer Soviet ter­ri­tory has been ruled since the Soviet Union col­lapsed 30 years ago by the Aliyev fam­ily, whose theft of the coun­try’s wealth and money-laun­der­ing schemes abroad have re­sulted in for­eign em­bar­goes, in­ter­na­tional sanc­tions and crim­i­nal in­dict­ments.De­spite the dif­fi­cul­ties, roughly three dozen Azerbaijani re­porters con­tinue to doc­u­ment the fam­i­ly’s cor­rup­tion. Some are hid­ing in­side the coun­try, but most were forced into ex­ile where they are not so easy to cap­ture. Some work for the Prague-based, U.S.-funded Radio Free Europe/Radio Liberty, which was kicked out of the coun­try in 2015 for its re­port­ing. The oth­ers work for an in­ves­tiga­tive re­port­ing non­profit called the Organized Crime and Corruption Reporting Project, which is based in Sarajevo, the Bosnian cap­i­tal, and is one of the part­ners in the Pegasus Project.The fore­most in­ves­tiga­tive re­porter in the re­gion is Khadija Ismayilova, whom the regime has worked for a decade to si­lence: It planted a se­cret cam­era in her apart­ment wall, took videos of her hav­ing sex with her boyfriend and then posted them on the Internet in 2012; she was ar­rested in 2014, tried and con­victed on trumped-up tax-eva­sion and other charges, and held in prison cells with hard­ened crim­i­nals. After global out­rage and the high-pro­file in­ter­ven­tion of hu­man rights at­tor­ney Amal Clooney, she was re­leased in 2016 and put un­der a travel ban.“It is im­por­tant that peo­ple see ex­am­ples of jour­nal­ists who do not stop be­cause they were threat­ened,” Ismayilova said in a re­cent in­ter­view. “It’s like a war. You leave your trench, then the at­tacker comes in. … You have to keep your po­si­tion, oth­er­wise it will be taken and then you will have less space, less space, the space will be shrink­ing and then you will find it hard to breathe.”Last month, her health fail­ing, she was al­lowed to leave the coun­try. Colleagues arranged to test her smart­phone im­me­di­ately. Forensics by Security Lab de­ter­mined that Pegasus had at­tacked and pen­e­trated her de­vice nu­mer­ous times from March 2019 to as late as May of this year.She had as­sumed some kind of sur­veil­lance, Ismayilova said, but was still sur­prised at the num­ber of at­tacks. “When you think maybe there’s a cam­era in the toi­let, your body stops func­tion­ing,” she said. “I went through this, and for eight or nine days I could not use the toi­let, any­where, not even in pub­lic places. My body stopped func­tion­ing.”She stopped com­mu­ni­cat­ing with peo­ple be­cause who­ever she spoke with ended up ha­rassed by se­cu­rity ser­vices. “You don’t trust any­one, and then you try not to have any long-term plans with your own life be­cause you don’t want any per­son to have prob­lems be­cause of you.”Con­fir­ma­tion of the Pegasus pen­e­tra­tion galled her. “My fam­ily mem­bers are also vic­tim­ized. The sources are vic­tim­ized. People I’ve been work­ing with, peo­ple who told me their pri­vate se­crets are vic­tim­ized,” she said. “It’s de­spi­ca­ble. … I don’t know who else has been ex­posed be­cause of me, who else is in dan­ger be­cause of me.”Is the min­is­ter para­noid or sen­si­ble?When Siddharth Varadarajan, co-founder of India’s in­de­pen­dent on­line news out­let the Wire, learned his phone had been pen­e­trated by Pegasus, his mind im­me­di­ately ran through his sen­si­tive sources. (Raj K Raj/Hindustan Times/Getty Images) The fear of wide­spread sur­veil­lance im­pedes the al­ready dif­fi­cult me­chan­ics of civic ac­tivism.“Some­times, that fear is the point,” said John Scott-Railton, a se­nior re­searcher at Citizen Lab, who has re­searched Pegasus ex­ten­sively. “The psy­cho­log­i­cal hard­ship and the self-cen­sor­ship it causes are key tools of mod­ern-day dic­ta­tors and au­thor­i­tar­i­ans.”When Siddharth Varadarajan, co-founder of the Wire, an in­de­pen­dent on­line out­let in India, learned that Security Lab’s analy­sis showed that his phone had been tar­geted and pen­e­trated by Pegasus, his mind im­me­di­ately ran through his sen­si­tive sources. He thought about a min­is­ter in Prime Minister Narendra Modi’s gov­ern­ment who had dis­played an un­usual con­cern about sur­veil­lance when they met.The min­is­ter first moved the meet­ing from one lo­ca­tion to an­other at the last mo­ment, then switched off his phone and told Varadarajan to do the same.Then “the two phones were put in a room and mu­sic was put on in that room … and I thought: ’Boy, this guy is re­ally para­noid. But maybe he was be­ing sen­si­ble,’” Varadarajan said in a re­cent in­ter­view.When foren­sics showed his phone had been pen­e­trated, he knew the feel­ing him­self. “You feel vi­o­lated, there’s no doubt about it,” he said. “This is an in­cred­i­ble in­tru­sion, and jour­nal­ists should not have to deal with this. Nobody should have to deal with this.”Priest re­ported from Ankara, Istanbul and Washington, Timberg from Washington and Mekhennet from Berlin. Michael Birnbaum in Budapest, Mary Beth Sheridan in Mexico City, Joanna Slater in New Delhi, Drew Harwell and Julie Tate in Washington, and Miranda Patrucic from the Organized Crime and Corruption Reporting Project in Sarajevo con­tributed to this re­port.For­bid­den Stories, a Paris-based jour­nal­ism non­profit, and Amnesty International had ac­cess to a list of phone num­bers con­cen­trated in coun­tries known to sur­veil their cit­i­zens and also known to have been clients of NSO Group. The two non­prof­its shared the in­for­ma­tion with The Washington Post and 15 other news or­ga­ni­za­tions world­wide that have worked col­lab­o­ra­tively to con­duct fur­ther analy­sis and re­port­ing over sev­eral months. Forbidden Stories over­saw the Pegasus Project, and Amnesty International pro­vided foren­sic analy­sis but had no ed­i­to­r­ial in­put.More than 80 jour­nal­ists from Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, the Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, the Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS Frontline joined the ef­fort.Pri­vate Israeli spy­ware used to hack cell­phones of jour­nal­ists, ac­tivists world­wid­eDespite the hype, iPhone se­cu­rity no match for NSO spy­wareKey ques­tion for Americans over­seas: Can their phones be hacked?Ja­mal Khashoggi’s wife tar­geted with spy­ware be­fore his death­Dana Priest, a re­porter at The Washington Post for 30 years, cov­ers na­tional se­cu­rity is­sues. Recently, she has in­ves­ti­gated Russian dis­in­for­ma­tion op­er­a­tions, cen­sor­ship around the world, the mas­sive na­tional se­cu­rity state, CIA op­er­a­tions and vet­er­ans is­sues. She is the Knight Chair in Public Affairs Journalism at the University of Maryland.Craig Timberg is a na­tional tech­nol­ogy re­porter for The Washington Post. Since join­ing The Post in 1998, he has been a re­porter, ed­i­tor and for­eign cor­re­spon­dent, and he con­tributed to The Post’s Pulitzer Prize-winning cov­er­age of the National Security Agency.Souad Mekhennet is a cor­re­spon­dent on the na­tional se­cu­rity desk. She is the au­thor of “I Was Told to Come Alone: My Journey Behind the Lines of Jihad,” and she has re­ported on ter­ror­ism for the New York Times, the International Herald Tribune and NPR.