This week the EU Commissioner called for urgent action on Pegasus spyware, stating that every EU member state should investigate any indication of intrusion so that a possible breach can be brought to justice.

It was one of the biggest stories this summer – and yet with the churn of news cycles and so much going on in the world, it soon faded. But with such major ramifications, it should remain on our radar. Here’s our recap with key thoughts to consider.

What’s the story?
In July 2021, 17 major media organisations around the world published the findings of a painstaking investigation into the extent of surveillance spyware used to monitor targets via their smartphones.

The list of those suspected of being targeted by the Pegasus spyware, created by NSO Group, included politicians and heads of state, journalists, human rights campaigners and more. The powerful spyware enables its users to monitor many elements of a person’s communications, including the phone’s precise location and the content of encrypted messages, and even to operate the microphone remotely to turn the handset into a listening device.

The response was shock and widespread outrage, and the issues at the heart of the debate around privacy continue to run and run. It’s a highly complex space and there is much to consider, but here are five quick thoughts:

Balancing interests of national security and personal privacy is hard
Part of the problem for politicians and tech companies is that it’s hugely unpalatable for encrypted platforms to be seen to provide safe havens for terrorists, child abusers, drug dealers and more. At the same time, it’s impossible to adequately weigh this cost against the benefit of personal privacy for billions of the world’s citizens. That the two things are incompatible presents a huge challenge for governments and tech companies alike.

Who should control who gets their hands on powerful surveillance technology?
Is it correct or appropriate for a private, profit-making company to be the arbiter of who can buy and use surveillance technology? When decisions are motivated by commercial interests, this creates an obvious incentive to deal with rogue states or authoritarian governments. So what customers and use cases do we deem acceptable? Hacking terrorists = good, hacking journalists/politicians = bad? Who should decide, and how?

There is no such thing as a workable backdoor into encryption
As security professionals and technologists are no doubt bored of telling politicians the world over, there is no such thing as a ‘backdoor’ into encryption for law enforcement. Any such method would fundamentally weaken encryption, damaging personal privacy for everyone who uses such services. The investigation into the Pegasus spyware is a powerful demonstration of what happens when governments find ways to attack and diminish citizens’ privacy.

Protecting journalism and journalists is more important than ever
It’s worth remembering that the widespread use of the Pegasus spyware only came to light as the result of a painstaking investigation by a number of major media outlets and highly skilled investigative reporters. A sizeable number of the phones suspected of being infected with the Pegasus spyware belong to journalists. It’s vitally important for democracy that journalists and media organisations are able to do their jobs and hold governments to account without fear of reprisals.

The encryption battle will rumble on
As new developments from the Pegasus Project reporting continue to emerge, it’s clear that we are no closer to resolving the battle between the right to personal privacy and the interests of law enforcement and governments. Though it will have been in development for some time, Apple’s latest anti-child sexual exploitation announcement can be seen as an attempt to find a way to tackle crime without eroding personal protections and the privacy on which Apple has built and marketed its ecosystem. Apple will hope this latest development is something of a middle ground, but the early reaction from privacy campaigners and academics has been broadly negative.

Part of the problem with privacy is that it’s Pandora’s box: damage to privacy is irreversible. Amnesty International called the Pegasus Project’s findings “a global concern” and stated that “anyone and everyone is at risk.” The Pegasus Project revelations should remind us just how precious privacy is.