New evidence indicates NYPD held internal demo on Pegasus spyware

Beyond My Ken | Wikimedia Commons

Judah Duke, Business Editor

An email retrieved by Motherboard indicated the New York Police Department was given a demonstration of a controversial spyware product from the Israeli cybersecurity firm, NSO Group Technologies, in 2015.

The spyware, known as Pegasus, was sanctioned by the U.S. government last year.

Based on a brochure attached to the email, the capabilities of the complex hacking system include obtaining access to a user’s social media accounts, location, camera, microphone, screen capture, texts, emails and more.

But Pegasus is not like other hacking tools — while others require user interaction to clear a mobile device’s security protocols, this spyware does not need the user to click a questionable link, but instead takes advantage of hidden cracks in the Android or iOS operating systems.

Programs that initiate these “zero-click” exploits are harder to trace, eluding even the most advanced users. Pegasus was created as a response to the increasing use of data encryption by criminals and terrorists, letting customers secretly monitor a target’s private information.

NSO Group marketed the system as an emerging necessity for any government wishing to effectively combat terrorism in an age of exponential technological growth. The broad international campaign shot the cybersecurity entity onto the world stage of defense.

So, what business did the NYPD, a municipal police force, get involved in that led to courting a highly sophisticated, transnational spyware service?

The answer to that question lies somewhere within the NSO Group’s methodical operation. Over the past few years, it has sought to position itself among a plethora of intelligence agencies around the world as the one seemingly integral safeguard of law and order.

Motherboard, Vice’s tech division, found evidence last year that indicated the company tried to sell its hacking technology to both the San Diego and Los Angeles Police Departments. The FBI confirmed that it had obtained a license for Pegasus in a statement to The Guardian last month.

These developments were especially shocking since the U.S. Department of Commerce added NSO Group to a blacklist in November 2021. This blocked the company from receiving any services from companies based in the United States.

The list contained four other foreign companies involved in “malicious cyber activities” that, as the department put it, “threaten the rules-based international order.”

The New York Times reported that the FBI procured Pegasus in 2019, for reasons the bureau has since described as “product testing and evaluation only.” The FBI also claimed the technology was never used to aid in any investigation.

The blacklist was established after these presentations to the NYPD and other American police departments and agencies, possibly as a result of this surreptitious investigation into the ins-and- outs of the system.

The damage the technology experienced before the government became wise to its repressive possibilities, however, may have made all the difference.

Not only does soliciting this tech from private firms increase potential violations to people’s right to privacy, but the consequences of Pegasus falling into the hands of rogue antagonists may ironically give the intended targets of this tool the upper hand.

The infamously ambitious sophistication of the technology has been met with a flurry of criticisms, ranging from violations of terms of service to what the U.S. government referred to as “malicious targeting” of journalists, government officials, activists and more.

Condemnation for the software was not only received from the government; criticisms have been voiced from within the private sector as well.

WhatsApp and Apple Inc. have both brought allegations against the NSO Group to court, citing breaches of licensee agreements through the surveillance and targeting of users.

Press releases were packed with demands for effective accountability of state-sponsored spyware and the strengthening of privacy protections for everyone involved.

The Pegasus demo referred to in the 2015 email was likely presented to the NYPD Intelligence Bureau, the Urban Areas Security Initiative task force. This initiative was charged by the Department of Homeland Security to address terrorist threats, and is composed of law enforcement agencies, fire departments as well as public health and other localities.

These days, safe and reliable cyberspace infrastructure can mean the difference between keeping people safe from hostile influences and societal collapse.

The Motherboard report about the Pegasus demo has been followed by growing concerns of the threat of cyberterrorism on city systems.

On Feb. 22, Mayor Eric Adams and Gov. Kathy Hochul announced the new Joint Security Operations Center, a co-operated state and city program that aims to be a bulwark against future cyber attacks.