It’s not just NSO spyware that poses a threat to whistleblowers and journalists

With the police raids over the Matt Hancock CCTV leak, the UK risks mimicking despots who deploy surveillance software.

Sign Up

Get the New Statesman's Morning Call email.

Sometimes threats to whistleblowing and a free media are obvious. And they are rarely more obvious than those detailed in the new disclosures from Amnesty International, the Guardian and other publications under the banner of the Pegasus Project, alleging that politicians, activists and journalists were potential targets for spyware operated by the Israeli surveillance company NSO. 

Attempted targets reportedly ranged from politicians in India, to the fiancée of Jamal Khashoggi, the journalist and activist killed and dismembered in a Saudi Arabian embassy, to reporters working in Azerbaijan shortly before their arrest and detention, to Roula Khalaf, the editor of the Financial Times.

Such targets could have their communications monitored almost without limit thanks to so-called zero-click attacks – hacking attempts that don’t rely on the target opening a suspicious attachment or clicking a sabotaged link.

Even sophisticated activists, journalists and whistleblowers can do very little to prevent such attacks – and once a phone is compromised in this way, even secure encrypted chats are available to the attackers. NSO says it does not know who its clients select as targets and that it has rules about to whom it will sell, but such tools are potentially a gift to abusive governments.

It is a telling irony that we only know the full scale of this menace to activists, whistleblowers and journalists because of the hard work of… activists, whistleblowers and journalists.

It might seem somewhat self-serving to focus on threats to such groups, but the reality is these civil society institutions are the last line of defence when the official channels are at best idle and at worst actively part of the problem.

Any powerful institution that can stop its own staff speaking their minds, activists finding out about any potential malpractice, or journalists about it and protecting their sources, can prevent itself from being scrutinised – a set-up that has rarely (if ever) led to an organisation behaving better than it did before.

It’s easy for us to agree that targeting people who hold those in power to account is bad. Tut tut, we can say, as we move on; someone should really do something about that.

But threats to journalism and whistleblowing in the UK can be more insidious, and often pass with little outcry. There has been a huge activist response to measures in the new policing bill that could threaten the right to protest in the UK – leading to the #BanTheBill movement and weekly protests. What has passed virtually unnoticed alongside it is a Home Office plan to update Official Secrecy laws for the post-Snowden era.

The proposed measures are potentially far-reaching: removing the minimal existing public interest defences for those who leak confidential information, defining public disclosure as little more than another form of espionage (on the basis that if something is published in the media, it’s worse than if just one spy agency gets hold of it), and extending the reach of such rules.

Leaks to the media are undoubtedly annoying for the government, but they are rarely major security risks. If they were, those found to have been behind them would be damaged for life. Instead, they tend to be quietly welcomed back into politics after a brief exile. Look at Gavin Williamson, who was sacked as Theresa May’s defence secretary following the leak of National Security Council information on Huawei. May stopped short of accusing Williamson of being behind the leak, but did stress she had “lost confidence in his ability to serve”.

Boris Johnson clearly does not share those concerns, having reappointed Williamson to the cabinet. The argument that the risk of potential leaks is so great that sweeping new powers for the Home Office are needed is undermined by the Prime Minister's more relaxed approach. 

And there are threats more immediate to journalism still. The Sun recently revealed an affair between Matt Hancock and a woman he had brought into a senior government role – during a period when he was responsible for the UK’s social distancing rules and guidelines. Like or loathe the Sun, or tabloids in general, that is a major story in the public interest.

There are rumours that the paper’s source was motivated by extreme anti-lockdown or even Covid-sceptic reasoning, but these are both unconfirmed and largely irrelevant: lots of good stories come from bad places. Companies dish on their rivals, people leak about their internal enemies or vendettas, and so on – it is often better not to know how the sausage is made.

To date, two homes have been raided by Information Commissioner’s Office in connection with the investigation into the Sun scoop. Few other leaks, even when they concern government departments, spark this kind of investigation. It is hard to see how a story could be so clearly in the public interest to the extent that a cabinet minister resigned over it, and simultaneously warrant the persecuting the possible sources of it.

In its response to the Hancock story, the government risks mimicking the despots who take advantage of NSO tools to crack down on reasonable scrutiny. It may wish to think again, if not because it’s the right thing to do, then at least because when British authorities take this route, it doesn’t usually end well.

James Ball is the Global Editor of The Bureau of Investigative Journalism. He tweets @jamesrbuk.

Free trial CSS