On Monday, it was revealed that the French investigative journalism organisation Forbidden Stories and human rights charity Amnesty International had gained access to a leaked database containing tens of thousands of phone numbers under surveillance by clients of an Israeli security firm, NSO.
NSO's customers include governments and national security agencies. The company sells software known as Pegasus, a sophisticated spyware programme that can access even the encrypted messages on a mobile phone, all while remaining undetected.
Here's what's been revealed by the Pegasus Project so far.
How does Pegasus work?
It's spyware, a piece of software that spies on the user of a device. Unlike most spyware, Pegasus doesn't require its victims to unwittingly download it, for example by opening an infected attachment or clicking a link.
It can infect iOS, Android or BlackBerry phones without alerting their owners. Once installed, it allows NSO's clients to take control of a device, to activate the camera and the microphone, see geolocation data and read the content of messages – even those sent via encrypted platforms like Telegram and WhatsApp.
Pegasus exploits the security flaws in mobile phones. The spyware came to public attention following the murder of Saudi journalist Jamal Khashoggi in 2016, and is believed to be linked to other cases as well.
What the Pegasus Project has uncovered is the extent of the spying.
"While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations," said Amnesty International Secretary General Agnès Callamard.
NSO said it "firmly denies...false claims".
Who uses Pegasus?
NSO says the software is not designed for mass surveillance, but for counterterrorism purposes. The company, formed in 2011, says it only sells to genuine government agencies and that it vets clients for their human rights records.
However, it has been accused of helping facilitate authoritarianism. The Pegasus software has been used by countries including Azerbaijan, Saudi Arabia and the UAE.
According to Forbidden Stories' investigation, Israel's Foreign Ministry is heavily involved in vetting NSO's client list and put pressure on the company to sell to Saudi Arabia, despite its management's misgivings.
The spying scandal in numbers
Amnesty International and Forbidden Stories gained access to a leaked database containing 50,000 phone numbers from 50 countries including India, France, Hungary, Mexico and Morocco.
Pegasus was also reportedly used in Spain, although the Spanish government denies this.
Among the potential victims are some 600 politicians, roughly 200 journalists, 80 political activists and no fewer than 65 business people.
The Pegasus Project – the consortium of organisations set up to investigate the alleged spying – is made up of 17 media outlets from 10 countries. The team numbers some 80 journalists.
The project cannot say for sure if all 50,000 of the leaked phone numbers have been spied on.
On its website, NSO says that it does not manage the software on behalf of its clients. Its involvement is limited to vetting clients based on the guarantees they can provide, the company said.
If the allegations made by the Pegasus Project are proven correct, they would reveal major flaws in that vetting process.
How widespread is it?
While the information obtained by the Pegasus Project refers to victims of spying, rather than the clients of NSO, it has emerged that the Hungarian government led by Viktor Orbán has used the software to spy on investigative journalists.
Moroccan security agencies tracked at least 10,000 phone numbers. Those in Mexico watched 15,000, including that of the journalist Cecilio Pineda Birto, who was killed shortly after the Pegasus investigation began.
The majority of the remaining numbers came from India, Kazakhstan, Rwanda and Bahrain, as well as the previously mentioned Azerbaijan, Saudi Arabia and the UAE.
Among the first names that have come to light are the French investigative journalist Edwy Plenel, the founder of Mediapart who was allegedly spied on by Morocco, as well as the relatives of the murdered Saudi journalist Jamal Khashoggi and even the Turkish prosecutor investigating his murder.
Hungarian, Moroccan and Mexican journalists have also been named.
Several journalists from the Pegasus Project itself were also found to be victims of the alleged spying.
What does NSO say?
The governments named in the investigation have denied any involvement or wrongdoing.
NSO claims that the allegations of spying on journalists are the result of a "misinterpretation" of the leaked data, which is not related to the Pegasus customer target list "or any other NSO product".
In a statement sent to Forbidden Stories, NSO said it would continue to "investigate any credible allegations of misuse and take appropriate action".
According to NSO's transparency report, Pegasus is "not a mass surveillance technology" and "is only used when there is a legitimate legal or intelligence reason".
"NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds," the company said.
Analysis shows 85 per cent of phones on the list were infected
To corroborate the Pegasus Project's findings, Amnesty International and the Citizen Lab project based at the University of Toronto in Canada carried out forensic analysis of 43 phones identified on the leaked database.
They found that 85 per cent of the devices had either been infected by Pegasus or that an attempt had been made to install it.
"We have been recommending to each other this tool or that tool, how to keep [our phones] more and more secure from the eyes of the government," said Azerbaijani journalist Khadija Ismayilova.
"And yesterday I realized there is no way. Unless you lock yourself in an iron bunker, there's no way they won't interfere with your communications".