Hungary’s opposition has called for ministerial resignations from Viktor Orbán’s far-right government over allegations it selected journalists, media owners and opposition political figures as potential targets for invasive Pegasus spyware.
The allegations, published last week by the Guardian and other members of the Pegasus project consortium, were backed up in a number of cases with forensic analysis of mobile devices carried out by Amnesty International, which showed phones had been infected with Pegasus, sold by the Israeli company NSO Group.
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
“At the very least, the minister of justice has to resign,” said Gergely Karácsony, the mayor of Budapest and the most likely challenger to Orbán for the prime minister’s post at elections next spring, in an interview at Budapest’s city hall on Tuesday.
On Monday evening, a protest against the government over the Pegasus affair drew about 1,000 people. “This scandal shows we cannot talk about the rule of law anymore in Hungary,” said Anna Donáth, a Hungarian MEP with the opposition party Momentum, told the Associated Press news agency at the rally. “Our demand is the resignation of the government.”
Hungarian law provides that in cases where national security is at stake, the intelligence services can order surveillance with no judicial oversight, only the signature of the minister of justice.
The justice minister, Judit Várga, has declined to comment on whether the Hungarian government uses Pegasus, but said “every country needs such tools”. She has not addressed what the national security justification could be for surveilling journalists, businesspeople or politicians.
In an interview earlier this month with Le Monde, a Pegasus project partner, Várga first said it was “a provocation” when asked if she would authorise the surveillance of a journalist. Later, her office asked for the question and the answer to be removed from the interview.
Last week, the Budapest prosecutor’s office opened an investigation into unauthorised secret information gathering. Few expect this to produce real results, though, with the government accused by opposition figures of ignoring the allegations.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Opposition MPs had demanded an emergency meeting of parliament’s national security committee on Monday, but the four MPs from Orbán’s Fidesz party did not show up, meaning there was no quorum.
“The government’s plan is not to discuss the issue,” said Péter Ungár, an opposition MP who sits on the committee. “I don’t know what you would call this, but it’s certainly not oversight.” He also said Várga should resign if she could not offer an adequate explanation about whether and why the surveillance had taken place.
At least five Hungarian journalists appeared on a leaked list reviewed by the Pegasus papers consortium, of numbers selected by NSO clients ahead of possible surveillance, including two from the investigative outlet Direkt 36, a Pegasus project partner. Also on the list was the number of the opposition politician György Gemesi, the mayor of the town of Gödöllő and head of a nationwide association of mayors.
“He’s been the mayor of a small town for 30 years, and for me it’s completely unthinkable that there would be any legitimate criminal or national security interest in surveilling him,” said Karácsony, who knows Gemesi well.
Karácsony, whose number is not on the leaked list, said the revelations about government surveillance were not that surprising. In 2019, during his campaign for mayor against the Fidesz-backed incumbent, audio was leaked of Karácsony discussing infighting among the opposition. He said that now, if he has sensitive discussions, he does so without phones or laptops in the room.
The liberal Budapest mayor is the favourite to win a primary vote, to be held among a broad group of opposition parties who want to field a united candidate to take on Orbán in elections next spring. Orbán, who is looking to win a fourth consecutive term, has clashed with the EU over rule of law, corruption and a recent anti-LGBTQ+ law.
Last week, Orbán announced the government would hold a referendum on “child protection”, involving a set of leading questions about sex education and sex changes, in what is being seen as an attempt to sow division and rally the conservative base of Fidesz around a “culture war” on LGBT issues.
Karácsony attended Saturday’s Budapest Pride march, in which tens of thousands of people marched through the capital, and the rainbow flag is flying for Pride month outside Budapest’s city hall.
“This is a very desperate attempt to divert attention from their weaknesses,” said Karácsony of the recent campaign, adding that the best option would be to boycott the “ridiculous” referendum.