Unmasking the Menace of Pegasus

This episode recorded from a legal briefing session on Pegasus issue with Southeast Asia Freedom of Expression Network (SAFEnet) and Internet Law Reform Dialogue (iLaw) as two important proponents of democracy and media freedom in Southeast Asia.

INTRO

Welcome to New Naratif’s Southeast Asia Dispatches. I’m your host, Bonnibel Rambatan, Editorial Manager for New Naratif. New Naratif is a movement to democratise democracy in Southeast Asia, and this podcast is one of the ways we attempt to do just that.

This episode was recorded in front of an online live audience as part of our Media Freedom Network Legal Briefing activity. It is also part of our Pegasus Series, a series of podcasts, comics, articles, and other conversations on the Israeli spyware Pegasus and its unlawful applications in Indonesia and the rest of Southeast Asia.

Today we’ll be having two speakers: Imal from SAFENet, and Chatmanee Taisonthi from iLaw.

SPEAKER INTRODUCTION

Imal is the Head of Digital Security at SAFENet. Established in 2013 in line with the increasing criminalisation of expression in the digital arena in Southeast Asia, SAFEnet has since expanded its work to defend digital rights, including the right to Internet access, the right to freely express ourselves, and the right to safety in digital spaces.

Chatmanee Taisonthi is a full-time lawyer at Rising Sun Law responsible for the Pegasus spyware lawsuits. Her focus issues right now are environmental law, freedom of the press, and digital rights. She previously worked for the Human Rights Lawyers Association, taking part in monitoring SLAPP cases in Thailand and assisting in strategic litigation against abuses of power.

Plus, we also have some audience questions at the end, which is always fun. Without further ado, let’s get to the discussion.

INTERVIEW

Pegasus & Digital Security

Bonnibel Rambatan

Thank you so much for this opportunity for having me here. Just in case you missed out or you forgot what Pegasus is, it’s essentially a single-click exploits firewall, which means that you don’t need to do anything. You just need to receive a strange text message from an unknown number or a missed call from someone which you don’t even have to pick up. And boom, your data is all there. Even your biometric data, your camera data, everything is there.

Obviously, when you ask about what the government can do or will do with such data, we already have precedents, which is like Jamal Khashoggi was famously spied on using Pegasus, not only Jamal, but also members of his family, his late wife, who was there.

Then obviously, we all know how the authoritarian governments can work by leaking our data to sway public opinion, leak fake news, and all of these things, construct certain narratives about activists. That’s what makes it dangerous. Of course, it’s a really big threat to democracy.

I quoted Mbak Ika Ningtyas, whom I met during the AJI press conference back then. This is a matter of controlling information and closing down spaces for critique, voicing out against job officials, drafted bills, or even public services just in the form of complaints and social media can potentially put you at risk.

That’s definitely very dangerous for democracy, but it’s not always to include because we do need to do, and we can still do, and we need to do a lot of things, which is demand transparency from the government, create lawsuits, which we’ll be talking a lot more about with our guests today. Again, all of these questions that we have the right to ask the governments and also the cell phone providers, the technology providers, how are these dynamics at play here, which we will be discussing a lot more about today.

I wanted to just bring this discussion back into the current state of geopolitics today, which is making it a lot more relevant. But also at the same time, it should not be just treated as some coincidence or some, yeah, those two are happening at the same time. It’s not only the case that, oh, Pegasus spyware is a threat in Southeast Asia and the rest of the world, and it just so happens that it was made by Israel. That’s not the case. It’s just not as simple as that.

But as Antony Loewenstein, I’m quoting a few parts here in his book. It’s an excellent book called The Palestine Laboratory. It’s a very new book published just this year. It claims that Israel exports technology and occupation and ideology across the world, one of which is Pegasus.

Here we can ask who actually benefits from Israel’s occupation of Palestine? It turns out that many countries do, including Indonesia, including everyone, every government, every party that actually utilises Pegasus, because Pegasus, as well as other military softwares or military arms that Israel is developing, is actually developed in relation to their occupation of Palestine and using Palestine as a laboratory, so to speak, utilising the people there as unwitting test subjects for these things.

These are all very tied together in the current global geopolitical context, which once again, we can probably discuss in a little bit deeper later down the line. But I don’t want to take too much of the stage today, that’s just laying out the groundwork for what our discussion will be. Now let’s just move on. We have our first speaker, which is Kak Imal from SAFEnet. I’ll just hand over the floor to you, Kak Imal.

Imal (SAFEnet)

Thank you very much, Bonni. As you know, Pegasus is a Greek mythology. Then the spyware, especially in Indonesia, started to be widely discussed last year, if I’m not mistaken, especially after a report from the Indonesia Leaks.

Even though the research has been carried out for a long time before, at the time when we talk about Pegasus, pegasus maybe in 2020, 2018, 2019, many people consider it still a myth until now. Pegasus itself is a malware whose name, how I can spell it, Pwn Your Phone is known to attack iOS 15 and 16 via iMessage feature. So it’s attacking Apple devices.

Another malware called Find My Pwn, P-W-N. There is no focal letter, which was designed by Pegasus to attack to find my phone feature and then iMessage feature. All devices will be attacked with spyware. So in my background, if I close my camera again, if you’re not buying the product, you’re the product. I believe this is from the Social Dilemma movie.

In Indonesia, Pegasus have targeted top government and military officials. We believe that is what happened with the activists and journalists, we cannot test the victim. That’s the main problem.

The CitizenLab is experiencing the same thing when they want to test the telephone device of the number of hacking victims in Thailand. Many of the victims don’t want to be published as a victim because they are maybe a political or maybe military thing. This spyware is very expensive. The target will be top-level person

But how can we describe the top-level person? Is Imal not a top-level person? I don’t know. Maybe Bonnie is it? Maybe Raja is it? We are all able to be a victim. We never know how to indicate the top-level. Pegasus attack is targeted by planting a type of malware into someone’s phone. That is the very techy thing. But how to plant the malware? There are two types. There is a single click, one click and the zero click.

The one click type is when you get a message, text or pictures or phone call, anything and you click that message and the spyware will be planned for your device. But the zero click is more fun to play because you don’t have to click anything.

You have the money, you have the power, you send the spyware and you can spy on the one you want.

That’s the fun part of the technology. The big question every time we, SAFENet or maybe a technical person talk about Pegasus, the big question is, is there any application that can be used to detect, to prevent? Until today the answer is still no.

They create a myth, the myth has become a thing and now we cannot hold it back. If it comes, it comes. I often talk about digital security because that’s my area, digital security is not about the tools. Digital security is not about applications, about newest software, about the newest type of phone. No. That is number two, three, four, five, and so on.

The most important thing in digital security is the behaviour, how you use the tool, how you use the device.

Lawsuits on Pegasus

Bonnibel Rambatan

Thank you, Kak Imal. I think that’s a pretty good primer also. I think just adding on a little bit there, Apple just released, I think early September they did release a security patch for Pegasus. But then obviously, we can talk more about that.

But now let’s move on to what the activists in Thailand have done in response to that, which is to actually file lawsuits to several people, to the Thai government and all of that. For this, we will speak to Chatmanee and Apirak.

There are a couple of lawsuits there. We have the administrative lawsuit, we have a civil lawsuit. But let’s just do this one by one. Let’s just start with the very beginning, which is the legal overview of the condition in Thailand. Please, Chatmanee, Apirak.

Chatmanee Taisonthi (iLaw)

Before we start, I want to give a legal overview of Thai law. We  claim to be a democratic country and have a constitution which protects the right to privacy. And in that constitution, it said that the right to privacy cannot be violated or derogated unless it is provided by law necessary for the public interest. That is the whole thing we have to protect our privacy.

But the thing is that even though we have that protection, we still have a lot of laws that give power to the authorities to exploit your personal information or to probe and get access to your personal information, including using Pegasus spyware.

We have several things that the officers can use, like the Narcotic Control Act, Special Investigation Act, National Security Act, Cyber Security Act, Computer Crime Act. So all those laws give the officers the power to use spyware to hack into your system and get access to your personal information.

But why Pegasus Spyware? So what happened is that during the 2020-2021, we had a massive political movement in Thailand due to a failed governance of the military Junta. That resulted in the COVID, it came to the last straw was the COVID-19.

It was so bad that a lot of people died not because of the COVID directly, but mainly because of the failed governance and the dissemination of vaccines and other stuff, and the staff of medical staff. There was a huge political movement in those couple of years.

What happened is that we found a trace of Pegasus Spyware against the human right defenders of political activists, at least 35 people that have been hacked by Pegasus spyware. Just like Imal just mentioned that there are so many people that have been hacked by Pegasus spyware, but many of them refuse to send their phones or come forward that they have been hacked, that they have been a victim to the Pegasus spyware. That is the legal overview and what happened in Thailand a couple of years back when we just saw how Pegasus actually dangerous to our society.

What happened is that we had two lawsuits. The first one is administrative lawsuits which focus on the liability of the government authorities. We have Yingcheep Atchanont, who is the director of iLaw and the political activist at Arnon Nampa. He is a human rights lawyer.

Those two are the plaintiffs of the administrative lawsuit who sued against nine government authorities. The government authorities that we sued are the Office of Prime Minister who is the superior of the National Intelligence and National Security Committee. The next is the Royal Thai Police. The third one is the Ministry of Digital for Economics and Society, Royal Thai Army, Royal Thai Air Force, Royal Thai Navy, the Department of Special Investigation, the Ministry of Finance and Cybersecurity Oversight Committee.

So all of those nine, why we have to sue those nine authorities, is that because we found the trace that the government purchased Pegasus spyware from NSO, but we have no proof which authority used that. So we have to go back to the law. So we have to review the law in Thailand to see which authorities have the power to use spyware against people for specific purposes. That’s why the nine government authorities are being sued here.

Basically, we claim that the plaintiffs were hacked by the Pegasus spyware during the political protest, political movement, and that use of Pegasus spyware was politically motivated to stifle people’s voice, to stifle the freedom of expression, to stifle the freedom assembly.

Why we know that is because we cross-check the timeline and the use of Pegasus spyware that we sent for the computer forensic and it’s matched. So it is politically motivated and it’s not for public interest and was not necessary.

So we sue them that first, it’s breached the Constitution, and the second is that it’s breached the Computer Crime Act because Pegasus spyware, as we all probably know now that it’s a highly invasive spyware that can get into all of your personal information, including your bank accounts, your bank statement, your microphone, your camera, your pictures and stuff.

So it’s hacked into a password protected system and information to ensure that the law and gain access to the information during the transmission. So our claims are that the use of Pegasus spyware violated the Constitution and the Pegasus spyware violated the Computer Crime Act. Based on that, we don’t just stop there.

We actually reach beyond the border of the domain legal principle. We reach for the international standards as well. We also claim that the use of the use of Pegasus spyware actually is a violation of ICCPR and UDHR and violated other human rights, which related to the right to privacy.

We mentioned here that the use of Pegasus spyware violated ICCPR, the Constitution that includes the right to privacy, the freedom of expression, and other related rights. So in the administration of lawsuits, we asked the court to order first to suspend the use of a Pegasus spyware against the plaintiffs and provide information about the previous use because we want to know which information that they actually gained from the plaintiffs and return those information back to the plaintiffs and delete it from the different database.

And the second one is compensation in total, $5,000,000. So $2,500,000 each. That also includes both the physical compensation and fundamental compensation as well. Right now, the case is still in the administrative court because the court has the order not to accept the case based on their view that the use of Pegasus spyware is in relation to a criminal investigation. They stated that this case should go to the criminal court instead.

Right now, that order is not being appealed because we stated that the use of Pegasus spyware is politically motivated. It is not a part of police investigation. It would put a lot of burden of truth on the plaintiffs who have to go through the whole process of a criminal case and that would result in more violation of their human rights. That is our first case.

Bonnibel Rambatan

I think we can move on to the second lawsuit, which is the civil lawsuit, as far as I understand, and we can collect the questions later in the Q&A session.

Chatmanee Taisonthi (iLaw)

The next lawsuit that we do concurrently is the civil lawsuit. It’s Jatupat versus NSO Group Technologies. He’s also a political activist and he’s also a recipient of the Guangzhi Human Rights Award. We only have one defendant for this case, which is NSO Group Technologies, who is the producer, developers of Pegasus Spyware in Israel.

We claim that the acts of producing, developing, selling, controlling, and using Pegasus spyware violated the Constitution and Computer Crime Act. Because as I mentioned that the use of Pegasus spyware against the political activists is politically motivated. It’s not legal and it serves just a purpose just to restrict people’s human rights and it’s illegally hacked into the password-protected system and information.

We also put it there that it’s also violated UDHR, ICCPR, and it is considered illegal under the Convention on Cybercrime. The reason that we try to put in the international standard is not only just to hold the defendants accountable, but we want to see some of the policy change by using the litigation forum to send some voice to the government or to the policymakers that the use of Pegasus spyware. The fact that the government is buying and using Pegasus spyware is not right.

It’s not in conformity with international law and you should have the policy changed to to restrict the use of Pegasus spyware in Thailand. So in this case, we ask for first, to suspend the use of Pegasus spyware against the plaintiff and return the information to the plaintiff and delete that information from the defendant’s database.

And the second one is to return the information that the defendant has given to Thai government agencies because we know that NSO is like a middleman that controls the Pegasus spyware and uses the Pegasus spyware against the target and transfers that information to the government agencies. So we want that information back as well.

And the last thing is compensation in total of $2,500,000. So in doing the Pegasus spyware case against all of those government agencies and also against the Israel-based company NSO group, which is overseas, there are a lot of limitations when it comes to file lawsuits in Thailand. 

The first one is the limitation obstacle in relation to obtaining the evidence and information, including the information concerning the government’s operation. In Thailand, we have a clause that calls for national security. That is basically a big umbrella where the government or the government officers can use to exempt themselves from accountability or exempt themselves from some of the legal provisions.

So the purchase of Pegasus spyware is now a sealed document, so we cannot get that document. Right now, that’s why we sue the governments and also to both courts so that we can use that forum to gain access to those documents.

The second is the limited knowledge of Thai courts. Thai courts are not that accustomed to spyware, really. And Pegasus Spyware is very new in Thailand, even though it happened quite a couple of years back— Thai courts don’t have that limited knowledge, and we have to explain that in both legal language and in human language that the court can actually understand. That is a huge limitation for us.

The third and the fourth limitation is that the cost of suing foreign companies and the subsequent building the court’s documents to the defendants, to the defence and the translation fees and other stuff because we have to translate everything, we have to submit to the court the document in Thai, but we have to send them the document in English and we have to send them to Israel. That could have a lot of cost and a lot of obstacles in our way.

Right now, the good news is that the document has been delivered, so NSO has been served. They will appoint a lawyer and we will see how the court proceeds from here.

Trace

Bonnibel Rambatan

Thank you so much, Chatmanee. It does have some… Because last time I spoke to Yingcheep, and it seems like these limitations are really troubling. You can enumerate four of them, but then each of them is really causing a lot of trouble. I want to get back to that maybe a little bit later on how you’re managing all of that.

Some of you have submitted questions, which is like, do we have evidence that governments or elements within Southeast Asia are using Pegasus to spy on their citizens? Yes, I do believe that we do have that. That’s why the whole lawsuit thing in Thailand is happening.

That’s why Indonesia, with the whole Indonesia Leaks, is making big news splash in the media and among the activists again. But I’m just going to let… Let’s go to Kak Imal first. Can you tell us a bit about how we found out initially that the government is using Pegasus or some parties in Indonesia at least are using Pegasus to spy on citizens, but also government officials?

Imal (SAFEnet)

We all believe that we will find something when we are doing some random checking. We always said it’s our right to show ourselves, to talk about what we believe, to show our expression. But from the perspective of people in IT, in information technology, specifically from people who can read trash data.

Like Chatmanee, if I’m not mistaken. Then I will google it and then I will add another indicator like Thailand, like iLaw and something and something and something. Maybe I will find something. Maybe I’m not. I don’t know. But that is the fun part of trying to find something in the area.

We try to find the black cat in a room where there is no light. We don’t know if there is a black cat inside or not. From there, Indonesia Leaks try to search what happened with export import manifest and something, and something, and something. And find an item that the price is like when you buy an iPhone maybe two million, how can you say the price at dollar for iPhone? I don’t know. Yeah, $200 or maybe $2,000. I don’t know the price. But in that manifest, the document said, Iphone with price is 10 times higher.

From that something begins another investigation and find, this one is Pegasus sent from outside Indonesia to go inside and being used by people inside Indonesia.

Bonnibel Rambatan

It’s pretty amazing because we did manage to get there’s a mysterious transaction, as you mentioned, with exorbitant numbers. I also forgot the number back then, but we managed to get the actual hardware, the shipping number, the shipping code. Then, okay, this is Pegasus. 

Then the shell companies used to buy that. Then I think some people actually went to SCBD in Jakarta trying to find the office, but no one’s there. It’s all this tangled mess. To add to that complexity, just to remind everyone here, Indonesia does not have a diplomatic relationship with Israel, which means that this is actually a purchase that is illegal because it’s a military arm steal, but it’s conducted between two countries without diplomatic relationship, which again, adds yet another layer to this whole complexity.

I want to go to Chatmanee or Apirak, either of you can answer this, but can you tell us about the first time that the activists there or you guys at iLaw or the first inkling, the first evidence you have that, hey, yes, this is actually the Thailand government is actually using Pegasus against us? What was the first thing that gave it away?

Chatmanee Taisonthi (iLaw)

The first thing is that the human rights defenders or political activists actually received emails from Apple stating that you might be a target of a state-sponsored attack. That was our first clue, but we didn’t know what it was. iLaw organised all of this and sent the phones for the computer forensics with CitizenLab and have the result confirmed that, yes, you are hacked by Pegas’s spyware.

Not just that, but because we dug a little deeper and we found out Pegasus is only sold to the government. Then we have some reports that actually stated that we have been purchasing Pegasus and other spywares for quite some time. It shows through the IP address a domain name in Thailand.

There are some procurement documents from the government that’s been shown in the parliament session that suggest that the government is trying to buy a new version of Pegasus spyware, that’s the first thing.

We also have the parliamentary sessions that actually discussed the purchase of Pegasus spyware in Thailand. All of the documents are based on lawsuits. Right now, we’re trying to get more documents and more evidence by using the court forum as well. We’ll see how it goes from there, even if we will get any news evidence. From here.

Movement Against Pegasus

Bonnibel Rambatan

Yeah, so they’re basically updating their subscription to Pegasus, keeping getting me. That’s horrible. Skipping that for now, where and how can we get more information about this? There is lots of information available. I think our speakers here have also done lots of work on that. We have some links.

I think one of the biggest, if not the biggest investigation is right now conducted by Forbidden Stories, which is called the Pegasus Project. One of the other large investigations in the more technological side is conducted by the Citizen’s Lab in Canada, which we’ve also spoken about on our podcast. We can talk more about that later, surely.

But let’s move on to a couple of questions: Are there ongoing regulatory or legislative efforts in Southeast Asia aimed at controlling the sale and use of spyware like Pegasus and what can be done to strengthen such efforts?

Aside from the lawsuits here, has anyone, has maybe the government or activists been pushing for like, okay, this isn’t right. Aside from just suing the government, we should also make regulations, for example. Are there movements like this in Southeast Asia?

Chatmanee Taisonthi (iLaw)

I think in Thailand, iLaw has been trying to raise more awareness about the Pegasus spyware and the dangers of that spyware. Because the Pegasus spyware is relatively new in our countries, most people don’t know yet what is the Pegasus spyware, or whether they have to be hacked.

Right now, the first step is to raise awareness among people. I think another way to strengthen those efforts is that we need to have some public participation in the public government, more participation, including how the budget is spent as a way to check and balance.

I always think that the transparency policies for the government should be public, especially how you spend our money, because like Imal said, this is very expensive. I think transparency because you should be taking place as well.

Bonnibel Rambatan

Yeah, that brings it into this whole thing about civic spaces that are shrinking. But also it’s like a chicken and egg problem because to push for these regulations, obviously, you need big civic spaces, as you mentioned, people pushing for these changes, people demanding transparency on a larger scale, not only just for Pegasus, but on a larger scale.

But then with Pegasus here, people are scared and it’s just a bit of a challenge there. But I want to address the question in the chat box there from Nan, from EngageMedia. NSO has claimed they’re not responsible for the applied use of the software as per the article, which I would say is a very characteristic of tech CEOs when their inventions are used in horrible, horrible ways. They always say, We’re just the tools, we’re not responsible for using them. What would you say to this? Let’s go to Kak Imal first. What are your comments on these types of responses?

Imal (SAFEnet)

NSO people say it like that. It’s like when you buy a knife to cut onions or something in the kitchen, but that knife also can be used for something else, harmful to another person. So I think that is what the NSO people use, that analogy.

But the main problem is their tool is meant to wire tapping our communication. So it’s already by design for listening, to become a third person in personal communication. That’s a funny answer.

Bonnibel Rambatan

Chatmanee, does this hinder in any way the lawsuit, the civil lawsuit that you’re filing against NSO?

Chatmanee Taisonthi (iLaw)

It’s a hindrance, but it’s a predictable one because they have been arguing this forever, basically in every platform that they can. But we can support our claim in many ways. We know that NSO is responsible for this as they are the one producing and the one that’s selling and they have the duty of care to streamline what the clients are.

By selling to military governments, they know. It’s obvious what they are going to use it for. We’re going to have a lot of professional amicus that will help us with this and a lot of other documents or a lot of evidence that will be taken on this.

Public Participation

Bonnibel Rambatan

Yeah, hopefully their excuse doesn’t fly because it is a pretty silly excuse. To think that obviously they know what they’re doing and the context, again, in the context of the larger geopolitical conflict going on right now, it’s like you’re exporting even the ideology of it’s okay to crush other people and activists and stuff like that.

Obviously Southeast Asia, Thailand, Indonesia are not the only countries that’s been afflicted with Pegasus. But what do you think are the lessons that can be learned from the other regions, the other countries that have faced these similar challenges? What have they done? What did they do really to mitigate or to counter the threat of Pegasus from activists, from other countries or other regions? And are there successful strategies or policies that we can adopt?

Chatmanee Taisonthi (iLaw)

The lesson learned is that I think that litigation is one thing, but only litigation is not going to be successful to mitigate or control the use of Pegasus spyware. I think based on what we’ve learned, like the investigation from forbidden stories, public awareness and public participation is very important.

We also need public participation to put a lot of pressure on the government as well to succeed in controlling the use of Pegasus or abolish the use altogether.

I think another thing that we’ve seen from other countries is that the mega social media platforms, they should take action for illegal breach of privacy as well because NSO, the Pegasus spyware, is actually hacked into their system to gain our personal information.

I think that one of the successful strategies is the case in America that WhatsApp and Apple actually sued NSO for breaching the system. I think that that’s one of the strategies that we can look into and transparency policy should be adapted in some of these issues as well.

Imal’s Recommendations

Bonnibel Rambatan

It’s a very complex situation and it’s getting sued from multiple angles, but they’re still there, they’re still around. That means it’s very beneficial for a lot of oppressive and authoritarian regimes too. It’s obviously also very effective because the demand is still there.

Okay, so in the face of these increasing digital surveillance threats, how can we, individuals and organisations, better protect their privacy and data? What tools and practices are recommended and what cybersecurity parameters that’s effective to protect our data?

Well, okay, I’m just going to start a little bit bleak here because once you get Pegasus, a zero-click exploit, then it means that there’s nothing you can do. One day, you just get a missed call from an unknown number, and boom, your data is all gone. That’s how scary it is. You don’t even have to click on a link. With the single clicks, yes, you might have to click on a mysterious message or whatever, but it’s no longer like that. There’s absolutely nothing you can do.

But keep yourself updated with these security patches that Apple puts out, for example. Hopefully, there are others that’s coming out, but it is unfortunately a battle between a giant corporation versus another giant corporation that’s a lot more militaristic and authoritarian and stuff like that. Unfortunately, that’s the general gist of it. That being said though, anything, any recommendations, Kak Imal?

Imal (SAFENet)

When someone asks me this question, I will ask another question to answer it. Who is your partner to sleep with? It’s a very personal question, but that’s important. Who is the closest thing? What is the closest thing when you sleep? Is it your partner or your phone? The answer is our phone.

We attached this small device when we first start to open our eyes and before we close our eyes. Even in the bedroom, sometimes we just bring our phone. What tools and practice can be recommended? Your behaviour.

Last year to prevent the Pegasus, there was a small thing to do, but I don’t know if it still can be done until this day. That small thing is restarting your smartphone. Periodically, you restart your smartphone. That is a small thing and we never do that.

Bonnibel Rambatan

What does it do? What does it do? What does restarting the phone do for those not knowing?

Imal (SAFENet)

In your device there is a lot of hardware and one of the hardware is RAM, random blah, blah, blah memory. It’s technical, you don’t have to know about that. But that memory will be erased back to zero when you restart the device. This firewall is planned there. When you restart your mobile phone, it’s gone. Random access memory. Thank you.

There is RAM, there is ROOM and there is storage. When you restart your smartphone, your smartphone, your laptop, boom, it’s gone. I believe that still can be happening. We still can do that maybe last year. I don’t know if the newest Pegasus can be erased by that simple, cheap method. But this is the fun part.

NSO is not only creating Pegasus. Don’t worry if there is no Pegasus in your place right now, don’t worry. The NSO still has another product. There is a Circle.

Chatmanee’s Recommendation

Bonnibel Rambatan

Yeah, that’s both hopeful and bleak at the same time. I’m not sure how it happens. Thank you for the information though. Chatmanee or maybe, Apirak, we haven’t heard from you. Do you have any recommendations?

Chatmanee Taisonthi (iLaw)

There’s no absolute protection against Pegasus. As a lawyer, I don’t know any other technological advance. So better update your iOS or Android. If you get an email that you might be a target for the state sponsor tag, maybe reach out to the organisations in your countries to help with that.

In Thailand, you can reach out to iLaw if you get the email to get your phone checked and other stuff. Just be aware of your surroundings. If you’re having super, super important secretive meetings, maybe consider leaving your phone out of the meeting or some stuff. That’s more like a manual way to fix the problem. But I guess that you should be aware of what you’re doing. I guess that would be one way to protect your data.

Open Government Partnership

Bonnibel Rambatan

Yeah, thank you. Again, it’s a pretty complicated challenge. There are also other kinds of their other products, just addressing what Kak Imal said earlier, working with different kinds, but changing your behaviour to as to not rely so much on your phone, leaving it somewhere so that if you’re worried that it might spy on you, that’s always a small but minimum thing, but it might help.

Don’t click on anything you don’t know. That’s also always a good thing. Even if you might get inheritance from a Nigerian prince or something, just try not to click on those things.

Looking ahead, what are the key actions and advocacy initiatives that should be prioritised in the fight against Pegasus and similar spywares in Southeast Asia? I want to relate this to Nan’s comment earlier, strategy to promote transparency that leads to, from Chatmanee’s earlier comment to this one. You’d like to invite CSOs to turn to the Open Government partnership initiative. Nan, would you like to unmute yourself and tell us more about this.

Nan (EngageMedia)

Yeah, sure. Hi, everyone. My name is Nan, Digital Rights Project Coordinator for EngageMedia. Open Government Partnership is a cluster of CSO and government. It’s a channel for collaboration between government and CSO to co-draft action plans to address different areas to improve democratic processes.

And one of these policy areas is digital governance and it does include the surveillance software and what we talked about today as well. I think at the top of my head, what we can do is first we have to push our government to be open to this initiative because it will boost the international community.

But how the process works is that once your government signs or pledges to collaborate in the OGP then they will co-draft the action plan with a number of CSOs for the next four years. And then the OGP will have a mechanism in which they will monitor whether that action plan is being addressed and whether actions are taken.

And if we put surveillance technology into the priority list of the policy areas to be addressed, then we can ask the governments to, for example, be transparent about their procurement of any technology, even the name of national security.

I paste the link there. If you would like to learn more about it, there’s so many resources that you can learn from. Unfortunately, Thailand has not signed up for this yet. You can sign up at the national government level or local municipal level, so you can start small as well.

But I put the link here, Indonesia has pledged for a number of commitments actually, and has been following through with it. And so I think it could be a channel where a CSO could push this at the international stage.

Collaborations Needed

Bonnibel Rambatan

Oh, cool. Yeah, I didn’t know the mechanisms of this and just connected with the pushing for transparency of procurement, of surveillance software and stuff like that. Thank you, Nan, for this information. Okay. All right, let’s go to Shoeb first and then Nan, if you have other responses, we’ll let you speak afterwards. Thank you. Shoeb, go ahead.

Shoeb (Bangladesh)

I have one question because I understand this discussion is more focused on Southeast Asian countries like Indonesia, Thailand, and other countries. But in Bangladesh, we had faced a very similar incident in the case of Pegasus, using the Pegasus spyware because you stated earlier, for the Forbidden Stories report.

From 2022, various media have published so many reports which clearly indicate that the NSO group is selling their spyware. It’s not just Pegasus, there are other spyware activities that are sold in Bangladesh and the Bangladesh government is legally purchased and used against the people.

Also it’s very interesting to say that. Our experience is also very similar to Indonesia because we don’t even have a diplomatic relation with Israel. But our civil society and our technical group is very, even sometimes they’re not understanding what is going to hear and not intervene in this matter to dissolve it or something like that.

My question is for Imal, Chatmanee and also Nan, is there any way to look into a country like Bangladesh? Is there any way to focus? It’s not just technical collaboration. We need an awareness campaign against spyware and we also need capacity building in our civil society organisations and activists. They are really able to understand the possible danger and also identify these problems. I’m sorry, my English sucks.

Bonnibel Rambatan

No problem. Thank you so much for the information. I didn’t know that Bangladesh is also dealing with this despite the lack of diplomatic relations with Israel, which is fascinating. So to your question regarding moving beyond Southeast Asia and building capacity building and stuff like that, would SAFENet be? Oh, yeah, I don’t know. I guess, Mas Imal, I’ll just hand it over to you.

Imal (SAFEnet)

Actually, what Shoeb told us is something that we hope we will do after this discussion. We just are not done with just today we talk about this. We have mitigation like that and that, that, that, that. No, and also not only and also others, spyware is still growing and everyone can be a victim. So yeah, and NSO is just a corporation. Indonesia is one of the countries.

It’s like an economic relationship. The one who had something to sell and someone who had money to buy, just like that. And there are still a lot of sellers out there. So yeah, it’s important that we gather and do something to address this issue.

Bonnibel Rambatan

Yeah, okay. Hopefully that can be connected. I think, Nan, Engage Media with the… Also the Open Government initiative, that’s a bit wider, right? You might want to speak a bit more about that?

Nan (EngageMedia)

Yeah. I know I’m supposed to address a few-comments comment. We have an ongoing project, Greater Internet Freedom initiative, that covers both south and Southeast Asia because we do notice a pattern of violations and digital rights and general safety issues. We work in Bangladesh, Sri Lanka, Maldives, and then Indonesia. We’re from seven countries. I’m the coordinator for that project, so feel free to reach out for any collaboration.

Bonnibel Rambatan

Kirana also raised their hand, which I think is fantastic. We’re already building connections and solidarity networks here and there. I hope this could really build up more into other things, which New Narrative would love to be a part of as well. Let’s all keep in touch. But yeah, Kirana.

Kirana (APHR)

Hi, hello. I’d just like to share what we do at APHR, ASEAN Parliamentarians for Human Rights, we’re a network of former and current members of parliaments across Southeast Asia. We currently don’t have members in Laos. In Cambodia we have one, but those make it on the block countries, but others we have.

As a part of our greater internet freedom advocacy, we also try to, as much as we can, inform parliamentarians about these deals, government deals with procurements and this, what is it? Pegasus and others concerning security and defence deals with other countries because also opposition parliamentarians are at risk, especially in Thailand, where I think there are cases where opposition MPs in Thailand have been targeted as well and not just the CSO.

We’re trying to increase policy makers’ awareness of these deals and it’s not just concerning the opposition. With politics, you can be in the ruling government now, but can be the opposition 5-10 years later. Nobody’s benefiting out of this. Everyone can be targets. That’s what we’re trying to do as well. I think I’ll just like to share that.

The Importance of Solidarity

Bonnibel Rambatan

Yeah, that’s an excellent point that even people who sit in governments and I think even people in Indonesia who sat in the military have really high positions were also targeted by Pegasus. It’s definitely something that is not just the activists, but it’s also the activists and opposition governments and a couple of people who otherwise the activists might actually hate.

But hey, both of us are getting Pegasus by the same or maybe by different people. But Pegasus is a pain for all of these multiple people, multiple parties. Which brings me to the question, though. Yeah, Chatmanee, maybe you can take this.

But have you heard anything about people who are actually not activists, maybe, as Kirana mentioned, opposition of the government and stuff like that, who have also been targeted by Pegasus and would like to support the cause? Or has the lawsuit so far been very concentrated to just a handful of activists without really people from other parties or other positions of power getting involved?

Chatmanee Taisonthi (iLaw)

There are some opposition that actually have been targeted by Pegasus and they take that matter into the parliamentary sessions. But our laws should focus on political activists because we want to show the pictures that this one is politically motivated and because we don’t want the court to reject our case based on.

Because iLaw filed one lawsuit before ours and it was rejected because there were a lot of plaintiffs in that lawsuit. It’s like to go back to these lawyers, academics, academics, academics and other stuff, but it was rejected because the court viewed that as a different occasion. That’s why our lawsuit only focuses on one plaintiff-one plaintiff or two plaintiffs at maximum right now.

Like I mentioned, litigation is one thing, but we also still need support from someone in power that can help us have some light policy changes, policy reform about digital surveillance, about the Pegasus spyware.

Even if we do not engage with them in a litigation, we still have to engage with them in some social campaign or social forums and other stuff. I think that our role would be in that sense more entirely.

Bonnibel Rambatan

Yeah, okay, I see. Mas Imal, what about in Indonesia? Have you ever talked to or has like, SAFENet, ever spoken to the people in governments who are targeted or in the military who are targeted by Pegasus. Has there been a conversation with people in power?

Imal (SAFEnet)

They don’t want to speak. They don’t want to talk about that.

Bonnibel Rambatan

Yeah, even if they were a target. They still don’t want to talk about that. I see. That’s a little curious though.

Imal (SAFEnet)

Maybe there is a bigger power behind.

Bonnibel Rambatan

Yeah, maybe. There’s always those kinds of backroom dealings and discussions that’s happening, unfortunately. Let’s start with you again, Kak Imal, about what do you think is the most important thing for us to do right now about the key actions, advocacy initiatives or simply, you did mention about digital hygiene, you did mention about changing behaviours, but how do we actually push to prevent, to mitigate these threats in the future?

As Pegasus keeps getting more advanced, as spywares keep getting more advanced, there are other products, there are all of these things, but we also need to be more advanced not only in our behaviour, but also in our solidarity and also in pushing for legislations, I guess, or again, advocacy of certain kinds, what do you think needs to be prioritised right now?

Imal (SAFEnet)

Besides to speak about training, to learn something new about techy-techy things that we don’t have to learn about that all of us. Someone has to still push the law issue like Chatmanee from iLaw. I don’t know if in Indonesia there will be people like that. And yeah, changing our behaviour is also important.

We cannot depend on our security, digital security to our phone, mobile phone, to software, to tools, to updating, but also we must take care ourselves right now. We don’t have any regulation yet to support us. In SAFENet, we believe someday we can build collective awareness, if I may say it like that.

I don’t know what will be called, but we can come together and say that this issue, not only Pegasus, not only NSO, but wiretapping and illegal access, spyware and something like that, is illegal practice. The important thing for me is supervision and accountability that has been done by credible and independent institutions or people is a must. If we don’t have that, we still have to hide ourselves.

Bonnibel Rambatan

Yeah, thank you so much, Kak Imal. Chatmanee, what about you? Any thoughts on this and your final remarks as well?

Chatmanee Taisonthi (iLaw)

Just to add on. In Thailand, we have a lot of laws, and sometimes having too many laws is not a good idea. The laws in Thailand right now are used for tools. It’s used as tools for the government to exploit your privacy, to exploit personal information. It’s very fake and open for interpretation in a way that it could violate human rights.

To add on to that, I think practice is the problem, legal permissions is the problem. One of the ways to advocate for this is to policy change, having some healthy dialogue with people in power, with the policymakers to I think the policy should be a little bit more human rights centric, people centric and set a clear criteria for the use of surveillance technologies that means it did the law or whatever.

Just so that the laws can be used to actually protect people and not be a tool for the government to exploit your privacy, to exploit your tax, to buy some expensive spyware to get access to personal information. Just to add on, I think policies and legal provision reform might be one of the ways to fight against bigger systems.

Bonnibel Rambatan

I guess to synthesise that, this is a challenging time. This is a very complex issue, again, with the whole surveillance thing, with the whole spywares, but also drinking civic space in general across Southeast Asia and beyond. I’m sure we all have a lot of anxieties, a lot of fears, a lot of questions maybe surrounding this still despite the discussions.

But as Kak Imal said earlier, take care of ourselves, take care of each other, stay vigilant. Make sure you practise digital hygiene. Again, be wary of your behaviour, and then push for collective awareness of these things, and collective awareness specifically in the realm of, as Chatmanee mentioned, how are laws and how are all of these narratives being used against us.

A lot of laws doesn’t mean it’s not always a good thing. It can be a bad thing when it’s exploitative. So collective awareness and also critical awareness of whether the things we practise, whether the things we obey, whether the laws that are being enacted are already human centric or not, and then just demanding them, just creating conversations about enlarging these civic spaces and stuff like that.

Okay, so thank you so much once again. Give a big round of applause to our two speakers. I know this is online, but still this has been amazing. Thank you so much, everyone else, for the participation.

OUTRO

And there you have it. Our first podcast recorded in front of a live audience. If you’d like to participate in these kinds of discussions as they happen, and get to ask questions directly to the speakers and share your own thoughts and experiences, become a member at newnaratif.com/join. We would really, really appreciate it.

My name is Bonnibel Rambatan, and this has been Southeast Asia Dispatches. Brought to you by New Naratif, and produced by Dania Joedo. I’ll see you around.

RELATED PUBLICATIONS