The research of Citizen Lab, an interdisciplinary research laboratory at the University of Toronto, has over the years contributed to increasing digital security for citizens. Apple, a global giant, recently introduced important security fixes to 1.65 billion of its devices based on its report. In December, Citizen Lab established that the mobile phones of three critics of the government in Poland, including the active senator Krzysztof Brejza, were under attack by military Pegasus software.
Katarzyna Kozłowska talks to John Scott Railton.
Fact: It seems Poland is in bad company. The institution where you work detected the Pegasus break-ins of the Polish senator’s phone, just as it previously detected the break-ins of the phones of human rights activists in Syria, Mexico and Egypt.
John Scott Railton, Senior Researcher, Citizen Lab: It is true. And it looks like we’ll find out about more cases.
Does it mean that people from Poland come to you with a request to examine the phone?
Citizen Lab does not comment on its findings until they are made public.
You have identified a Pegasus break-in on the phone of Polish senator Krzysztof Brejza. Brejza says directly that Polish secret services spied on him. Are these also the findings of the Citizen Lab or just the assumptions of the senator?
I would say there is a strong circumstantial link between the actions of individuals (and the people they may have upset) and the fact that they have been targeted for attack. However, at the moment we technically do not attribute this to a specific Pegasus client.
Our research essentially consists of two components. The first is the work that we have been doing for years, which is to monitor the entire globe in terms of using Pegasus. It was during this study that in November 2017 we came across the operator of this software in Poland. We published our findings then in the 2018 report. The second component is a more detailed analysis that we undertake in case something alarms us. When in November this year Apple [the maker of iPhones – ed.] started sending messages to users that their devices could be infected with Pegasus, it turned out that the recipient of such a message in Poland is a person who criticizes the authorities.
We began to take a closer look at the case and today we have three confirmed cases that are Pegasus targets. All these people are critics of the current government.
This only underlines the crucial importance of an independent investigation to be undertaken. There are many places where there is evidence of surveillance. For example, telecommunications operators have logs confirming that such and such a device logged into the network communicated with the Pegasus server. Likewise, the logs remain on the Pegasus server and whoever operates it will have access to information about what was hacked and from where.
The Polish services have not yet denied or confirmed that they are using or have used Pegasus for operational activities. What do you think Polish citizens should think about it? What would you think?
I would take it like a wake-up call and think about what it means to me. It would be a red flag for me to say that someone was a political target of a hacker attack, combined with the authorities’ unwillingness to explain the matter. It is worth realizing that Pegasus is a surveillance tool that the Security Service could only dream of. In the times of the People’s Republic of Poland, in order to spy on someone, you had to have a network of informants, you had to install microphones and the entire infrastructure in the walls. Now it takes just one click to get into someone’s bedroom. As a citizen, I would like to know whether the government is using such a tool as intended or if it is abusing it. It is a real test of the rule of law today.
In the case of the breach of Senator Brejza’s phone, you found 33 attacks carried out in 2019. Why only in 2019?
You would have to ask who was the operator of the Pegasus.
But does that mean you haven’t explored other years? Or were these attacks simply absent in other years?
We identified attacks in 2019. They took place around the parliamentary elections in Poland.
Why was Senator Brejza’s phone hacked 33 times? In articles about Pegasus, I read that once this software is installed, the operator gains permanent access to the device of whoever he is targeting. What are these infections, anyway? These 33 infections …
Such advanced spyware as Pegasus usually doesn’t stay on the phone for very long. Its key feature is that it can infect your device multiple times. Pegasus operators usually act by hacking devices, stealing content of interest, such as chat logs or photos, and not keeping this infection on for long. After all, they can always silently and quickly re-infect a phone and “replenish” the database they build. And we can have chats on our phone for a year, two or even more years. It is a treasury for intelligence services. They can also steal account access “tokens” in the cloud, which means they can keep access to your accounts even after the hack has ended.
So whoever controls Pegasus might hijack the phone and get the content, but then want more. We noticed such a pattern in the case of Senator Brejza. Pegasus operators wanted to know not only what he had been doing in the past, but wanted to monitor him almost in real time. What the senator did on Monday, yes … but maybe again what he does on Thursday. And the next week and so on. When we observe this pattern of breaking into someone’s phone, it tells us that the owner is a priority for the services. That he or she is being targeted. This is very similar to real-time surveillance.
Who is funding your research on Pegasus? Is it just part of your work at Citizen Lab or is this research being carried out under a special grant?
We are completely transparent when it comes to financing. We have been receiving support from a wide range of organizations for years [among them are, among others, The Canada Centre for Global Security Studies, John D. and Catherine T. MacArthur Foundation, Donner Canadian Foundation, Ford Foundation, Hewlett Foundation, Oak Foundation, Open Society Foundation; the list of donors is available on the Citizen Lab website – ed.]. Our research on Pegasus is not carried out under a separate grant and financed by a specific donor. We are a research institution based at the University of Toronto. We are researchers and we make our own decisions about what is the subject of our research. We have been independent for 20 years, and, importantly, we do not accept research assignments from governments and large corporations.
Many Poles are seriously concerned about the information about the possible surveillance of the senator with the Pegasus system. There is a great polarization in our country, and Poles also have a strong need to provide the authorities with feedback on their actions. There are many activists who organize protests, whole circles write open letters. If it is true that power has a tool that allows it to literally penetrate someone’s life, it means that many critical or opposition actions can be frustrated. Worse, there may be a temptation in power circles: “Give the man, we’ll find a paragraph”, and this tool will quickly provide an excuse for paragraph-making. What are your three most important pieces of advice to critics of power in Poland?
We once developed a Digital Security Plan at Citizen Lab, which we then passed on to Consumer Reports. I recommend using it for everyone as a first step in planning your digital security.
Get advice on online safety: Security Planner
There are a few questions to be answered in the questionnaire, e.g. what type of technology you are using and what are your concerns. Based on the answers, the system develops personalized advice.
As for the advice itself. First of all, make sure your phone always has updated software. If the case you are dealing with is sensitive [e.g. you are investigating abuses of power – ed.] and you think you may become a target for security surveillance, you should consult an expert about your digital security. In fact, there are very few measures of keeping the determined service away from your phone that you can take on your own. If you are a representative of the opposition or a critic of the authorities in Poland, remember that you must approach your digital security seriously. Because it looks like a threat is lurking there.
Second: remember that infection with software such as Pegasus does not require you, as a target, to take any action. However, I am not encouraging anyone to become a pessimist. Rather, the point is to think about how to make the costs of possible interception of your data rise significantly. Which brings me to another suggestion: use vanishing messages for anything remotely sensitive. This will make it more time consuming for someone to try to monitor you on a regular basis. And if you find out that your data has been intercepted after all, you may be relieved that the hacker only gains a one- or two-week history of your messages, not messages from several years.
Third: If you have received or receive a warning from Apple that your phone may have been the target of Pegasus, don’t ignore it. Contact a trusted agency such as Citizen Lab to help you determine more details about a possible violation.