New YorkIn June 2019, three Israeli computer engineers arrived at a New Jersey building used by the FBI, unpacked dozens of computer servers and placed them on high shelves in an isolated room. While setting up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters of NSO Group, the world’s most notorious spyware maker. Then, with his team in place, the tests began.

The FBI had bought a version of Pegasus, the main NSO espionage tool. For nearly a decade, the Israeli company had been selling its surveillance software on a subscription basis to law enforcement and intelligence agencies around the world, promising it could do what no one else – not a private company, not even a service – could do. state intelligence. It could do: consistently and reliably decrypt encrypted communications from any iPhone or Android smartphone.

Since NSO introduced Pegasus to the global market in 2011, it has helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as “El Chapo.” European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology to encrypt their communications than the Internet. that the researchers had to decipher them. The criminal world had darkened as it became increasingly global.

But when the company’s engineers walked through the door of the New Jersey facility in 2019, Pegasus’ numerous abuses were also well-documented. Mexico deployed the software not only against criminals, but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist who was jailed by the government. Saudi Arabia used it against women’s rights activists and, according to a lawsuit brought by a Saudi dissident, to eavesdrop on communications with Jamal Khashoggi, a columnist for The Washington Post, who was killed and dismembered by Saudi agents in Istanbul in 2018.

None of this stopped new clients from approaching NSO, including the United States. Details of the FBI’s purchase and testing of Pegasus had never before been made public. Furthermore, the same year Khashoggi was killed, the Central Intelligence Agency arranged and paid for the Djiboutian government to acquire Pegasus to help the US ally fight terrorism, despite longstanding concerns about abuses against terrorists. human rights there, including the persecution of journalists and the torture of government opponents. The DEA, the Secret Service and the US Army Africa Command had been in talks with NSO. The FBI was now taking the next step.

As part of their training, FBI employees bought new smartphones from local stores and set them up with fictitious accounts, using SIM cards from other countries: Pegasus was designed not to be able to hack US numbers. Pegasus engineers then, as they had in previous demos around the world, opened their interface, entered the phone number, and began an attack.

This version of Pegasus was “zero click”; Unlike more common hacking software, it didn’t require users to click on a malicious attachment or link, so Americans monitoring the phones couldn’t see evidence of an ongoing breach. They couldn’t see the Pegasus computers connecting to a network of servers around the world, hacking into the phone, and then connecting back to the computer at the New Jersey facility. What they could see, minutes later, was every piece of data stored on the phone as it unfolded on the large Pegasus computer monitors: every email, every photo, every text thread, every personal contact. They could also see the phone’s location and even take control of its camera and microphone. FBI agents using Pegasus could, in theory, almost instantly transform phones around the world into powerful surveillance tools, everywhere except the United States.

Since the 2013 revelations by Edward Snowden, a former National Security Agency contractor, about US government surveillance of US citizens, few debates in this country have been more tense than those about the proper scope of domestic espionage. Questions about the balance between privacy and security took on a new urgency with the parallel development of smartphones and spyware that could be used to harvest the terabytes of data those phones generate every day. Israel, wary of angering Americans by being complicit in other countries’ efforts to spy on the United States, had required NSO to program Pegasus so that it would be incapable of targeting American numbers. This prevented their foreign clients from spying on the Americans. But it also prevented Americans from spying on Americans.