In late 2021, the United States government sanctioned NSO Group over its selling of Pegasus spyware to authoritarian regimes around the world. Earlier that year, the FBI had privately been making a push to deploy it in domestic criminal investigations.
A Freedom of Information Act (FOIA) request filed by the New York Times has led to the release of documents that show officials making a push to use Pegasus spyware from late 2020 into mid-2021. The department purchased the tool in 2018, but director Christopher A. Wray had testified in December 2021 that it was only for the purposes of testing its capabilities and figuring out how “the bad guys” might use it.
The documents indicate that the department gave up on its plans to use it in criminal investigations due to the swirl of negative press surrounding it, but still has its mind on using similar spyware tools at some point in the future.
FBI interested in Pegasus spyware use despite eventual sanctions on its manufacturer
In December 2021, Wray testified in a recently declassified closed-door session that the agency had purchased Pegasus spyware but was only interested in it for “research and development.” This was shortly after the Commerce Department had sanctioned NSO Group, placing it on a federal blacklist preventing it from receiving technology from American firms. Although the FOIA documents are not specific about exactly how the agency wanted to use the tool, they make clear that officials were interested in using it in criminal investigations.
The media storm generated by the Pegasus Project reporting in mid-2021 appears to be what derailed these plans, as the FBI worried about public backlash once it was revealed that these tools were being used for criminal investigations. Prior to that, however, the plans for deployment were in “advanced” stages, with briefings prepared for bureau leaders and guidelines written up to advise federal prosecutors in disclosing the use of the spyware during criminal proceedings.
The documents do not spell out the agency’s exact plans for using Pegasus spyware. However, the documents do specify that the agency tested out the “Phantom” variant of the spyware, which is designed to hack devices with US phone numbers. While the FBI does participate in international terrorism and trafficking investigations and has training offices overseas, it is primarily a domestic law enforcement organization. The documents are partially redacted, making it impossible to discern the agency’s full plans for using the tool in criminal investigations.
Senator Ron Wyden, who questioned Wray in December 2021, called the director’s testimony “misleading” and said that it was “totally unacceptable” for the agency to draw up plans to use spyware in criminal investigations and wait until months after the fact to notify Congress.
Pegasus shelved, but FBI not ruling out other forms of spyware in future criminal investigations
The Pegasus spyware has been available since 2016, and from its initial release has made use of various “zero day” exploits to penetrate Apple iOS and Android devices. For most of its history, the tool involved baiting a target into clicking on a malicious link or file in a text message (as is done by hackers and ransomware gangs looking to deploy malware). One of the developments that prompted all of the bad press last year was the discovery that Pegasus had been using a “zero click” attack that leveraged an oversight in Apple’s iMessage code to provide essentially full access to target devices when they simply received a malicious message (without even needing to open it).
The other development was the leaks included in the Pegasus Papers reporting, which showed that NSO Group had not been overly discriminating in which governments it was providing Pegasus spyware to (or in how its clients made use of it). Some authoritarian governments were found to have used it to track and spy on journalists, human rights activists and political opposition, in contrast to NSO’s claims that it was only sold and used for legitimate criminal investigations.
The use of Pegasus spyware has not been banned in the US, but there is a bill in the draft stage in Congress that seeks to do so. The FBI appears to have given up on it voluntarily as a result of the Pegasus Papers revelations, but a legal brief filed by the agency last month clearly states that it is willing to “test, evaluate and possibly deploy” similar tools in the future.
The issue is a particularly sensitive one due to the agency’s checkered history of domestic spying, dating back to the extensive COINTELPRO program. The National Security Branch Analysis Center (NSAC) has been repeatedly criticized by privacy advocates for indiscriminately sweeping up data, and in the late 1990s the agency developed its own keystroke-logging malware (called Magic Lantern) designed to be deployed via email attachment.