Pegasus Spyware in Southeast Asia

In this episode, we will talk about The Citizen Lab reports on Pegasus spyware, the lawsuit against NSO and Thai government, the impact of Pegasus on human rights, and the role of civil society.

INTRO

Welcome to New Naratif’s Southeast Asia Dispatches. I’m your host, Bonnibel Rambatan, Editorial Manager for New Naratif. New Naratif is a movement to democratise democracy in Southeast Asia, and this podcast is one of the ways we attempt to do just that.

You are now listening to a special edition of the podcast, the first of six episodes in the Pegasus series that we are co-producing together with KBR. Three episodes will be conducted in English, while three in Bahasa Indonesia, which you can find at Ruang Publik at KBRprime.id.

Israel-based “Cyber Warfare” vendor NSO Group produces and sells a mobile spyware suite called Pegasus. This spyware can access all your messages, calls, camera, microphone, even biometric data – and all it takes is for you to get a message or a call from them that you don’t even need to reply or pick up.

This zero-click military-grade spyware has been used in over 24 countries throughout the world. Initial investigations uncovered a list of 50,000 potential targets. The list included civilians, human rights activists, and political opponents. Clearly, democracy is at stake.

The Citizen Lab’s report found 10 Pegasus operators that appear to be conducting surveillance in multiple countries. In fact, they suggest that cross-border targeting and monitoring is a relatively common practice.  The report also mentions that the company has many customers with active infections in other countries, which would likely violate laws in those countries. This situation raises serious questions about the depth of the NSO’s duty of care and human rights concerns.

In 2022, iLaw, Digital Reach, and The Citizen Lab discovered a large-scale espionage campaign targeting pro-democracy demonstrators and activists calling for monarchy reform in Thailand. At least 30 people were infected with NSO Group’s Pegasus spyware.

Thailand’s parliament has so far failed to introduce regulation or countermeasures against the government’s extensive and evolving surveillance powers, while government accountability mechanisms have weakened and attacks on civil society continue. 

More recently, the investigative team at IndonesiaLeaks discovered that the spyware may have been in use since 2018, and may be increasing in usage in relation to the upcoming 2024 elections. Things are terrifying, to say the least.

SPEAKER INTRODUCTION

My name is Irene Poetranto. I’m a senior researcher for the Citizen Lab. We are a cybersecurity and human rights research lab based at the Munk School of Global Affairs and Public Policy at the University of Toronto, located in Toronto, Canada.

That is Irene Poetranto, a Senior Researcher for the Citizen Lab, an interdisciplinary research lab on digital technology and human rights at the Munk School of Global Affairs & Public Policy, University of Toronto.

(Yingcheep saying hello)

That is Yingcheep Atchanont, Director of iLaw, Internet Law Reform Dialogue, a Thai human rights and legal watchdog NGO popularly known for its efforts to discuss democracy and freedom of expression.

In this episode, we will talk about The Citizen Lab report on Pegasus spyware, the lawsuit against NSO and Thai government, and of course, the impact of Pegasus on human rights and the role of civil society.

INTERVIEW

The Citizen Lab Report

Let’s start with the couple of reports that the Citizen Lab has produced. Per my understanding, in 2018, the Citizen Lab found five Pegasus operators focusing on Asia, Singapore, and Thailand, among them. Then once again, another report in 2022 within discovering an extensive espionage campaign targeting pro-democracy protesters in Thailand. Can you tell us a bit more about those two reports?

Sure. In 2018, we published a report on the widespread use of Pegasus. The report is called, Hide and Seek: Tracking NSO Groups as Pegasus Spyware to Operations in 45 countries, which is available on our website, citizenlab.ca.

For this report, my colleagues scanned the Internet between August 2016 and August 2018 for servers associated with NSO groups as Pegasus Firmware, and found over 1,000 IP addresses that matched the fingerprint that we have for Pegasus servers and over 1,000 domain names that are pointed to them.

From this finding, we identified a total of 45 countries suspected to be using Pegasus at the time to conduct surveillance, including not just Singapore and Thailand, as you mentioned, but also Western liberal democracies like Canada, where the Citizen Lab is based, France, Switzerland, the United Kingdom, and the United States.

While some governments may be using Pegasus as part of lawful, criminal or national security investigations, we are concerned with the fact that Pegasus has been found in countries with a history of human rights violations, including against civil society and political opposition, for example, Thailand.

We then published a report on Thailand in 2022 called GeckoSpy: Pegasus Spyware used against Thailand’s Pro-Democracy Movement, which was a collaborative effort by the CitizenLab, iLaw in Thailand and Digital Reach Southeast Asia, an NGO working in Southeast Asia.

The CitizenLab forensically confirmed that 30 individuals were infected with Pegasus and that these individuals were associated with the movement for democracy and reforms to the monarchy in Thailand.

The report was triggered by a notification sent by Apple to Thai civil society members in November 2021, and we suspected that the infections that we observed took place between October 2020 and November 2021. We now know that countries around the world have purchased sophisticated technologies like Pegasus for surveillance in the name of safeguarding national security and combating terrorism and organised crime.

However, the circumstances surrounding the purchase and use of such tools are often shrouded in secrecy. Again, typically a government state that is for national security reasons. And so it is difficult to determine when exactly Pegasus started operating in Southeast Asia. But we know from the work of the investigative team of Indonesia Leaks that Pegasus has been used in Indonesia since 2018.

Pegasus in Thailand

Okay. You mentioned that it’s difficult to know when and how it started operating in Southeast Asia or in fact, maybe in other countries as well. But was Thailand the first or is it the highest usage in Southeast Asia?

Obviously, because you mentioned those years, those are pretty much in parallel to the Thai protest. The report did mention that it targets pro-democracy, protest, protesters and stuff like that. Do you have any more information on how or hypothesis on how it started operating, how it started entering Southeast Asia?

That’s a great question. I think it’s difficult to tell precisely because how and when exactly countries start using the software is often secretive because countries or governments would say that they’re using this software for national security reasons to combat terrorism, as I mentioned.

However, from our investigations, Thailand is the case where we have confirmed the most infections. However, this does not mean that other infections do not exist, because the way that Pegasus operates is that it is difficult to detect and therefore it is also difficult to confirm infections and we are continuing our investigations into the use of Pegasus in Southeast Asia.

Fingerprints

Okay, I want to go back a little bit into the thing that you mentioned that you found fingerprints and you found… Your whole investigation found these infections, although they are very hard to detect. Can you maybe tell the listeners a little bit about what do you mean when you say you found fingerprints?

So for the fingerprinting of Pegasus, we’ve done multiple research on Pegasus spyware. And so we have indicators that we have developed from six years of tracking Pegasus spyware infections, including samples of Pegasus code that we obtained from infected devices.

And so based on these indicators that we have, we were able to assess with high confidence that the phones belonging to these Thai pro-democracy protesters and activists were hacked by Pegasus spyware.

Attack Patterns

I see. Do you find any attack patterns or do you find any patterns in those discoveries?

Yes. We know that many countries today use Pegasus and other sophisticated spyware or surveillance tools manufactured by other companies operating in this space. In general, though, in terms of attack patterns, we have noticed that these tools are increasingly used against those who advocate for change.

So, for example, we have found the use of Pegasus against reform minded bishops and priests in Togo. It has been used against a scientist, an activist working on obesity and soda consumption in Mexico. We found Pegasus being used against journalists, lawyers, activists and their family members.

So, for example, a slain Mexican journalist’s widow was targeted by spyware, as well as Jamal Khashoggi’s widow, Hanan Elatr. As you may know, Jamal Khashogghi was murdered inside the Saudi Consulate in Istanbul in 2018. Furthermore, we have found that a child of a Mexican journalist who was a minor at the time was also targeted by spyware.

Recent media reports have also found that senior Indonesian government and military officials were targeted with spyware. The secretive nature of the use of spyware, again, supposedly to protect national security and the lack of comprehensive regulation both at the national and global level regarding its use, make this technology prone to abuse.

Pushback Efforts

Yeah, and it’s obviously very terrifying, right? Especially because it’s difficult to detect, zero-click, no interactions needed, and also targeting of family members and minors. That’s very harmful to say the least.

In your research or per your knowledge, what are the efforts to fight back against those who use the spyware or maybe against NSO themselves? I also understand that it is widely used by the government, but also it’s been used by the Mexican cartels, it’s been used by others and you can purchase it as a private entity and all those things which makes it even scarier.

What are your thoughts on this and what are your thoughts on people who are trying to fight back?

Great question. NSO group claims that they only sell their spyware to governments, so law enforcement and intelligence agencies. However, a research by the Citizen Lab and others have found that these tools have been used against civil society, as you pointed out.

In terms of pushback efforts, so David Kaye, the former Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression at the United Nations, had argued that an immediate moratorium on the global sale and transfer of surveillance tools like Pegasus is needed until there are rigorous human rights safeguards that are put in place.

However, despite this call for a moratorium or a ban on the sale of sophisticated surveillance tools like Pegasus, we know that states have continued to use these tools again for national security purposes, as they claim, and therefore we are unlikely to see a moratorium be put in place, especially by a multilateral organisation like the UN, anytime soon, right? Because states have continued to use these tools.

In the meantime, however, we have seen lawsuits being launched by my colleague, Yingcheep, and his colleague in Thailand, as well as by journalists and Meta’s WhatsApp against NSO Group and Khashoggi’s widow, Hanan Elatr is also suing NSO group.

These legal efforts are very important and they need to go hand in hand with demands for our governments to increase accountability over the use of surveillance tools. And there needs to be better regulation globally over the sale and use of spyware.

iLaw Report

Right, in this whole context of the Thai protests and so on, it’s been years. Maybe let’s just start there in the report that you titled “Parasite that Smiles: Pegasus Spyware Targeting Dissidents in Thailand.” Can you maybe tell us a bit more about that report?

Yeah, okay. First, I am a victim of Pegasus spyware. Myself and my phone, the phone that I’m using right now to talk to you guys is actually infected by Pegasus spyware. Yeah, they are listening, they are listening. But this is going to be live, so they know what we are talking about.

My background is a lawyer. I’m quite bad at technology. I don’t know what Pegasus was. I don’t know what spyware is before, but I work for human rights, so I was against the government. In November 2021, I got a warning email from Apple titled that state-sponsored attackers may be targeting your iPhone. At the same time, on the same day, many of my friends are in the circle who are working against the government. They got the same email.

First, when I read the email, I didn’t believe that this was actually happening. I don’t think they are looking for something from me because I didn’t do anything. I felt that I didn’t do anything. Then I don’t believe some instructions tell me what to do if I want to know more. Then I contact a lot of people.

Then I contacted people from Citizen Labs, the organisation in Canada, and they told me that if I want to know more about what happened to my phone, I have to follow the instructions to do forensic on my phone. I did. It’s quite complicated.

I didn’t exactly do it myself because I don’t understand the process, the computer process, and I follow the instructions and ask someone to support me. Then we sent the files to Canada to do forensic and they found that I was infected by a Pegasus spyware for 10 times, which is almost the highest number.

I was shocked at that time, but because I work a lot in law and when I know that this is happening to me, I felt that I have to sue someone back.

Then after I knew that I was infected, I spent months trying to find out what Pegasus spyware is, and there were so many, many reports, official reports on the internet, but in English, not in Thai at all. There is zero article in my language. Then I have to read a lot of English reports and articles and try to get to know this thing.

I know a bit, but not really an expert. But I have to prepare to find someone who did this to me and try to find a case to ask for compensation to find some accountability in the country. Then I have to study more.

I need to know how many people are exactly affected by the Pegasus spyware, how much exactly the Thai government is using this thing. I asked hundreds of Thai citizens who we think are at risk to inspect their phones and send the data to Canada for computer forensic. Then we found in the report that at least we found 35 iPhone users of Thai citizens that are infected by Texas.

Let’s say all of them are working against the current government. Not this one, but the previous one. That’s it. Then we released the report on the fact that we have filed. This will be evidence that I will submit to the court to seek some accountability from our government.

Lawsuit Against NSO and Thai Government

You did, right? I law filed a lawsuit, as far as we know, because you filed a lawsuit against NSO in 2022 and then you filed another lawsuit earlier this year against the Thai government. How are they doing?

The first case, I filed a civil case against NSO Group, which is an Israeli company that produces Pegasus spyware. We believe that they sell to the Thai government and they are actually behind all operations against my privacy and my phones and my colleagues’ phones.

Eight people filed the case together in Thai Civil Court and they said that the eight persons, our rights were not violated at the same time, at the same incident, so we cannot file the case together. And the court, let’s say they gave back the case to us. If we want to file a case against NSO group, we have to file individually, not eight people in one case.

And we also filed a case in the administrative court against the Thai government, Thai police, Thai army. And the court said, This is not going to be an administrative case. If our rights are violated, it will be a crime. So we have to go to criminal court.

There is no progress in the court process at all. I can understand that the court, the judges, they are like me. They are lawyers, they don’t know technology and they don’t know what to do with this.

We have evidence that we submit. We have computer forensic report from the Citizen Lab that indicate that we are infected by Pegasus spyware and what dates, which should be enough to prove that we are infected and enough to prove that we are actually behind what is happening because no one else can use this technology except the producer, the manufacturer, the NSO, and also the Thai government who can buy.

The court feels reluctant if they accept the case and if they consider the case, they will be faced with a lot of computer evidence, a lot of computer language and we and both sides will fight on technology matters and the court doesn’t know how to deal with this. They try their best to not accept the case at all, which is quite disappointing for me.

NSO Bankrupt Strategy

How do you mitigate that? If there’s enough pressure to actually process this with the court, if enough people. Are you trying to get more people on board and give pressure to the court to accept the case? Or what is your approach?

Some parts we haven’t decided yet, but in the case, we have already submitted a new case individually, like one person as a plaintiff and the court already accepted the case. But the case is going to take years.

The civil case is not that much hope because we filed the case against NSO. And NSO, the company, was sued in many countries in the world. Then they decide technically that they will be bankrupt and they already get bankrupt.

If we win the case, we’re not going to get any compensation because we cannot enforce from their properties. This is difficult. For the administrative case against the government, this is going to be much more serious and we’re going to appeal the recent order from the court.

Lawsuit Target

But what do you hope for? Obviously, again, there’s all of these challenges and then NSO is also declaring bankruptcy.

From the civil case against NSO, I expect to see that I win. I just want the ruling from the court to say that is actually violating our rights and this is illegal, then someone needs to pay compensation. If we have those legal sentences, I think I will be satisfied.

Even though we cannot really enforce to get any money, money is not the main purpose of filing cases, but we need legal precedents. But also from the administrative court,

I just want to see some official mechanisms saying that the government is doing something wrong, very wrong against us. Just something to confirm that this should not keep going at all.

Thai Protests

Aside from the legal case itself, are there any solidarity movements or other pressures, other protests as part of the democracy protests in Thailand? What is the situation?

Not much, let’s say the 35 people, actually many of them are very young. They are young people who organised protests in 2020 against the current regime. They were spied on by the government because the government wanted to know where they would organise the movement.

There are 35 people including five politicians, the opposition politicians, three academics and three NGO workers, which include me. We have to admit that the students, the young people, maybe most of them are not that ready for court cases and for some official movement. And someone they don’t give consent to move on because they want to end it there.

We picked eight people who are ready, two academics, two NGO workers and some of the political activists who are, let’s say they know what is going to happen. They are aware of what is going to happen if they really fight the case against our opponents. We picked only eight people, but the rest, I know that they want to join, they want compensation, but maybe joining as a plaintiff against the government is not that easy for them.

The protest is going on, but not only on Pegasus. Pegasus can draw a lot of attraction in society just for some time. People in Thailand are now aware that Pegasus exists. They are aware that the government is watching by something, by some technology, and we don’t have that privacy. But there are much more issues that we are angry with the government, the previous one and the current one. 

People are protesting, but Pegasus is just only one part of the movement.

Being Pegasus Victim

How do you personally feel about that? Because you did mention that you are right now recording on the iPhone, which has Pegasus in it. Do you feel threatened? Do you feel that it might jeopardise your safety or your life?

The first two days when I first found out were weird. I don’t know how to do it with my phone. I don’t really want to take it beside myself. The first two months were awkward and I don’t exactly know how to do them.

I know that Pegasus is unavoidable. We cannot protect ourselves. When it comes into the phone, we cannot kick it out by ourselves. There’s nothing I can do at all. But after that, it’s a new kind of awareness. The phone must be with me, nearby me almost all the time, like other people. But we have to know that they are listening.

Whenever we talk, if we talk about dinner tonight, if we talk about what we are going to do on holidays, we just keep talking and let them listen. We have to be aware that they are listening. But whenever we want to talk about something that we don’t want the government to know, then we have to leave the phone outside, that’s it. And even though on my bed, before I sleep every night, when I use my phone on my bed, I have to be aware that they know what I was doing.

Maybe I watch the video clips on TikTok and I have to be aware that they also know that I am watching this thing.

Yeah, how does that make you feel? And also the others, and do you talk amongst with the other people who are also, whose phones are also infected by Pegasus? Is there a discussion there? Because it must feel, aside from just the severe breach of privacy and the dangers, it must also feel super awkward to just know that people are listening and it’s like you can prove it, right?

I don’t know if this is good or not, but the technology we have so far, we don’t know exactly what they do. We don’t know if they are listening now or they will listen again later. We don’t know which photos or video clips that they took from our phones or if they took them all. We don’t know. We know they just attack us. And once they can take control of our phones.

But we don’t know when they took control of what they did. So when we don’t know, we don’t know how to feel. I think it’s going to be more awkward if we know how many minutes they are listening and how many times they access, which photo, is going to be more awkward. But when we don’t know, we imagine that maybe they don’t know.

What can We Do?

I think in that context, it’s easy to feel defeated. It’s easy to be very pessimistic, to be very defeatist. How can we fight against those feelings? If we’re just citizens, what do we do? How can we demand the government to actually do that moratorium or do that investigation? Or how do we properly form lawsuits against these parties that’ve been using Pegasus?

I think there are a couple of things that we can do. The first is I think

we need more advocacy or awareness-raising regarding the harms that these spyware pose to individuals and societies, including their chilling effect on political engagement and free expression, which is harmful to the quality of our democracy.

We also know that NSO Group is only one among many companies that operate in the secretive surveillance industry. Therefore, we need to bring these companies out of the shadows, so to speak. And to do so, we need more research and collaboration regarding sophisticated surveillance tools like Pegasus. So we need more cooperation among researchers, journalists and activists to determine which spy work companies are operating in the world or in Southeast Asia specifically, what tools and capabilities they offer and who is using them.

In terms of legislation, we need to demand our governments to enact comprehensive privacy laws that could provide legal protections against those that have been targeted by spyware. We also need human rights due diligence legislation that requires companies like NSO Group that manufacture the Pegasus spyware to take steps to mitigate risks posed by their clients’ use of spyware. And there needs to be a remedy mechanism for individuals who have been the target of surveillance.

And finally, I think we need to level economic pressure and more negative publicity against companies that make spyware and their investors, particularly those whose products have been used to illegally monitor journalists, politicians, and activists.

Checks & Balances Mechanism

It’s one thing to have laws against these things, but it’s another to actually demand accountability, to actually have the mechanisms of checks and balances. You did mention that there are privacy laws that we can demand and we can enact further, but without a comprehensive checks and balances mechanism, without a functioning… If like, okay, there are laws, but then it gets broken, but then there aren’t exactly any consequences for those. Because again, these are terrible.

For example, in the case of Indonesia itself, trading in these kinds of surveillance software is tantamount to military arms deal, essentially, since it is military grade and stuff like that. But how do you push for a better and what is your vision actually for a better mechanism of checks and balances? Also maybe in the context of Southeast Asia that we know has a very, I guess, flimsy democracy with everyone claiming that they’re democracies, but also making all of these authoritarian practices and all those things.

What are your thoughts on this?

Yeah, I mean, these are all really great questions. I think because we know that Star Wars, such as Pegasus, is being used globally and therefore we need global solutions. We need global checks and balances. And that’s why some have argued that a ban on the sale and the use of these technologies need to be put in place because such checks and balances do not yet exist.

I think that the countries where these companies are headquartered, they need to put in place export controls that restrict the sale of these tools, particularly the countries that are known to have a long history of human rights violations. And there are many countries in Southeast Asia that have such a history, including Indonesia and Thailand.

And so I think companies, as I said before, need to conduct due diligence and do so in an active way to ensure that even after the sale has been made to these countries, that these tools are not being misused to target civil society and political opposition, for example.

And in terms of privacy laws, if we’re talking about the privacy laws that currently exist in Indonesia, a lot of civil society members have said that there are flaws in the law, that the Indonesian privacy law could be made stronger.

For example, there needs to be an independent body that ensures compliance, not just by the private sector, but also by the government. And instead of the government being accepted from the privacy law, the privacy law needs to also govern government conduct, and that needs to include the conduct of surveillance.

There needs to be, for example, in Indonesia, a more harmonised legislation that governs the use of wiretapping and surveillance, as opposed to different government agencies having their own laws on how they can purchase surveillance software, how they can conduct wiretapping and surveillance. And a lot of times the ways in which they conduct wiretapping surveillance, they’re not transparent.

It’s difficult for civil society or the public to know exactly how these government agencies are purchasing and using surveillance software. And it’s difficult to demand accountability because there are so many different laws that govern wiretapping and surveillance, if we’re talking about Indonesia, combined with inadequate protections under the current privacy law in which government activities are accepted, and the fact that it is a government body that will conduct oversight, I think is problematic.

I think at minimum there needs to be an independent body that ensures compliance with the privacy law and the privacy law needs to be strengthened to protect the risks that emanate from the use of surveillance software.

The Battle Against Pegasus

How do you hope this whole situation in Thailand, but also the rest of Southeast Asia, because there are multiple cases, including in Indonesia, more recently. What’s your outlook? What’s your hope for this battle against Pegasus?

The main objective is not winning the court case. The court case is also what we expect, but the main objective is winning social awareness. If we can spread out the information through this podcast, through this talk, or to any channels, and let the people know that this thing is actually happening.

It’s not just a sci-fi movie, but the government is really doing so good by spending so much money to buy this high technology, and they are really intentionally using it against its citizens for political purposes. We want society to know and to be aware of this.

We are not going to win soon because the company who produces the technology is much better than us in terms of technology, in terms of resource, in terms of money because they are so rich selling this thing to all governments in the world. We cannot really fight them technically or legally. But if the people in the world are really aware that this technology exists and it’s not right, it’s wrong. 

It’s totally wrong to spy on people by the government, with money from taxpayers for their own political purpose. If society is really aware and if this privacy issue becomes a priority in people’s concerns, maybe we can fight back in the far future, like 10 years, 20 years.

Trust but Verify

So there’s this common come back, right, from people and it’s also been used by the police that’s like, oh, yeah, there’s this surveillance thing, but if you have nothing to hide and it’s like if you have then you shouldn’t worry or you’re just a regular civilian, you’re not some big shot, so we’re not going to monitor you. It’s too expensive. So you shouldn’t worry. Why should you worry about Pegasus? Just be a good citizen, essentially.

We both know why this logic is flawed, but I want to hear your opinion. What would you say to those people when they say these things, when they try to justify, don’t worry about surveillance, you’re safe, you have nothing to hide? What do you say to these people?

Yeah, I hear these remarks all the time. It just reminded me of a quote by Ronald Reagan, trust but verify. Governments say that, Oh, just trust us. We’re not going to target good citizens. Those people who are not involved in acts of crime or terrorism.

Okay, but why should we trust you? What are the mechanisms in which we can verify that you are targeting legitimate, suspected terrorists? And because terms such as terrorists, just to get as an example, is very fraught. Who is a terrorist? How is the term defined? Or how does someone become a suspected criminal?

A lot of these terms can have multiple interpretations, especially in a case where in Indonesia there are different agencies with different laws that are allowed to conduct wiretapping and surveillance. How do we know who is doing what and under what definition?

Unless there is a mechanism for the public to ensure accountability, unless there is mechanism to have independent oversight, unless there are mechanisms to ensure transparency, again, with the purpose of verifying that these tools are used in a legal way, in a legitimate way,

I think that we should not blindly trust our governments because we know it is a fact that these tools have been abused. And that’s why mechanisms to ensure accountability, transparency and independent oversight are necessary.

What can the Listeners Do?

Yeah, I think that’s a great answer. In other words, it’s not just about the surveillance, but it’s also about the structure that underlies the surveillance and tries to justify and validate that. That’s why we should care. Even though we might not be a target of Pegasus per se, but the fact that it exists, the fact that we’ve built a structure of society in which something like Pegasus is allowed to exist and operate, I think that’s what everyone should really care about.

On that note, if our listeners really, really care about pushing back against Pegasus, what can they do? What are the concrete actions? Do you maybe have information on certain organisations? In Indonesia, we can learn how to build lawsuits, for example. How do we start? How do regular citizens who care about this issue start getting together and demanding change? Where is the starting point there, do you think?

Yeah, that’s an excellent question. I think in Indonesia, there has been progress in that Indonesia finally has a law that protects privacy. We know, however, that law is inadequate. And so I think that is an issue that a lot of Indonesian citizens can take upon, which is demanding better privacy protections in the country in the form of amending the laws in ways that, as many scholars have pointed out, could strengthen privacy protections for citizens in the country.

Especially because in addition to the government’s submission of the use of Pegasus spyware in Indonesia, we know that different Indonesian government agencies have also been hacked. And the personal data of many Indonesians can now be found on the web. So there is a clear need for better privacy protections in Indonesia, not just because of Pegasus, but also other hacking incidents.

And in Indonesia, there are many great civil society organisations that are working in this space. One of them is Safenet, Southeast Asia Freedom of Expression Network. And this organisation has conducted a lot of advocacy regarding the use of Pegasus in Indonesia, but also on other Internet freedom issues that Indonesian citizens need to pay attention to.

There are other organisations such as the Alliance of Independent Journalists, AJI, ICT Watch. So I think there are a lot of great work being done by Indonesian civil society to continue to make sure that the issue of privacy, the need for better safeguards and oversight over the use of spyware by the Indonesian government, that these issues do not fade into the background, that these issues remain relevant and are covered by the media in Indonesia.

And there’s also the investigative team of Indonesia Leaks that has surfaced a number of articles regarding the use of Pegasus in Indonesia. So I think if Indonesians are interested in learning more about these issues, they can start by learning about the work of these organisations and continue to be vocal, whether that’s online or offline, joining campaigns and things like that, to continue to press for our government to be more transparent, more accountable, and to establish independent oversight. There is a great opportunity to do this, especially because Indonesia has an election next year.

What Gives You Hope?

Okay, I guess starting off learning about Pegasus, I personally felt very, very dismal, I suppose, because it’s like, well, powerlessness is evident. If you really just take it at a service level, people who have the resources can just target anyone and just breach their privacy in such an egregious way.

But I think your points just now about all of this work being done, all of these movements coming to the service can really give us a sense of hope. It can really give us a sense of like, yeah, we can actually fight for this, fight back against Pegasus and against all of the structures that’s been enabling Pegasus.

This might be a question in a few parts, but also to wrap up, how do you personally feel about where this is all heading? You’re really steeped in the work, in the research itself, and you are aware of people pushing back. But also there are risks, right? In Thailand, it’s been several years and also in Indonesia, it’s really just coming to the surface.

But as you mentioned, we have an election. Are you hopeful? Are you cautious? Maybe you can tell us what gives you hope. Obviously, all of these other movements, but also what gives you hope, but what do we need to still be cautious about?

Can I be hopefully cautious or cautiously hopeful? I don’t know. I think I am optimistic in the sense that I’ve seen some progress in terms of the advocacy and awareness raising regarding the risks of the use of sophisticated surveillance tools like Pegasus.

We know, for example, earlier this year that President Biden in the United States made moves to limit government use of commercial spyware. And we know that governments in the EU, in the European Union, they’re also concerned about the use of spyware by countries around the world, including by some EU members of the Pegasus spyware.

And I am glad to see that this issue is being taken up by many NGOs operating grassroots in many countries around the world who are all doing excellent work in terms of really highlighting the impact of a spyware like Pegasus on local populations.

Our report on Thailand would not have been possible without the amazing work that iLaw is doing in Thailand and DigitalReach Asia is doing in the region.

And so I’m very optimistic that we can move towards better regulation and at the very least, better awareness regarding the risks of Pegasus and why we need to continue to put pressure on our governments to, again, be more accountable, be more transparent, and to have independent oversight over the use of such a powerful tool.

How to Raise Awareness?

The awareness is increasing and including the listeners here in this podcast that we hope to disseminate this information. I guess my next question and I guess this would be the last question is after they find out that this whole thing is happening, what do you think they can do to help this mission?

What do you think they can do to help raise awareness maybe or help the cases or build solidarity, anything to fight back against Pegasus and against everything going on in this context?

A few months after we released the report that Pegasus is existing in Thailand, when I meet people, people ask me about this, like they really want to know. But this is two years already since we first released the report. People tend to forget. When I talk to people that I was infected by Pegasus, their faces seem like, What is it? They don’t understand at all.

People can forget. What I want people to do is just not forget, which is not easy. If they don’t forget, they have to know that the use of Pegasus is not only because one or some bad guys are bad, but

The use of Pegasus is because the system is corrupt. The government is freely exercising its power with no check and balance system. If they really know that this is wrong, then I want them to join the movement to change the system. They should vote for other people who want to change the system not to maintain the current system.

They should be able to support our or anyone’s campaign for constitutional amendment to build better structure for the country. The rights which are already violated is just a piece of jigsaw in the big picture that the country is not going the right way.

If people don’t forget that this is happening and people see the big picture and then we move the big picture together, that’s what we want to see.

And it’s not really just about the particular surveillance. It’s not just about the court cases, but it’s about the larger structures that we shouldn’t be okay with. This thing shouldn’t be happening, right? We shouldn’t be enabling this severe breach of privacy laws. I do hope that we will be moving forward in that direction.

We, of course, at New Narrative and our friends at KBR will be doing our best also to push all of these awareness forward. Thank you very much. We wish you luck in all of the work that you’re doing in all of these legal cases and everything else.

Hopefully, we can move forward together and just really make this vision come true and just really help everyone else to just gather the solidarity to keep putting pressure on the government to not allow, limit or possibly no longer allow the usage of these kinds of softwares.

Okay, thank you very much, Irene.

Thank you. It’s been a pleasure.

Thank you very much Yingcheep.

Sure. Bye. Thank you.

OUTRO

And that wraps up our discussion with Irene Poetranto and Yingcheep Atchanont. You can find all of the reports mentioned in this podcast on our show notes at newnaratif.com. You can also listen to this episode and other episodes of our Pegasus Series at KBR Prime’s Ruang Publik podcast, which you can find on KBRPrime.id.

Spread the news, share this podcast, or write to us your opinions and questions regarding Pegasus and unlawful surveillance of civilians. You can also find comic explainers and information for discussion events on our website and social media channels. And whatever you do, as Yingcheep mentioned, you can always help by not forgetting.

If you’re in Indonesia and you suspect that you might have been a target, you can contact SAFENet’s fast response team at trace.mu.

My name is Bonnibel Rambatan, and this has been a Southeast Asia Dispatches special episode on Pegasus. Brought to you by New Naratif and KBR, and produced by Dania Joedo and Malika. I’ll see you around.

RELATED PUBLICATIONS