Last week news broke about how the privacy of many individuals have been violated by their governments using Israeli tech company, NSO’s Pegasus software. An investigative journalism collaboration coordinated by the non-profit news organization, Forbidden Stories and Amnesty International looked at a leaked data of 50,000 phone numbers from 50 countries around the world. These are largely targeted by governments, and they include journalists, human rights activists and some heads of state.

NSO has rubbished the reports and indicated that it doesn’t have an idea who its clients use the software on. It argues further that the product it sells to government clients – most commonly referred to as Pegasus – is intended to “collect data from the mobile devices of specific individuals, suspected to be involved in serious crime and terror.”
It has now been revealed that Ghana has been a customer of the controversial Pegasus equipment although apparently it acquired the machine but failed to acquire the software on which it runs.

Ghana is a customer of the NSO Group. The country purchased the Pegasus machine in 2016 with the same justification – to fight terrorism. However, by some unexplained circumstances, the country didn’t get the software. It is therefore unclear if the country even tested the software, and if it did, on who.

The purchase of the Pegasus machine became a subject of a court case soon after there was change in government after the 2016 elections. Some officials of the National Communications Authority and National Security who were involved in the deal – in which they made a payment of US$4 million to NSO were found guilty and sentenced to various jail terms in a widely publicized case. Instructively though, they were found guilty of corrupt self-enrichment from the transaction rather than for their official motives for acquiring the spyware.

Critics of the incumbent government and some human rights activists are demanding that it come clean as to whether it has since acquired the spyware on which the Pegasus equipment runs, and if so, what it is being used for. However, this is deemed uncharitable by government’s proponents who correctly point out that there is no evidence that the equipment is in use at all, not to talk about its being used to invade the privacy rights of citizens not suspected of having fallen foul of the law.

However, information has emerged that Ghana has acquired a different brand of spyware presumably to replace the Pegasus equipment.

In 2019, the UK and US governments and Interpol jointly procured and delivered to the Ghana government, another Israeli tech company’s product used for hacking.

According to the Committee to Protect Journalists (CPJ) Ghanaian security officials have confirmed to it that the US and UK governments, as well as Interpol, did provide Ghana’s security forces with digital investigations training and technology. Maame Yaa Tiwaa Addo-Danquah, a senior Ghana Police official told CPJ that tools made by the Israel-based Cellebrite corporation – whose website says their technology can break locks and encryption – and two US-based companies, IBM and Digital Intelligence have been provided to the country.

It is recalled that government itself attributed its significant public expenditure overrun for 2019 to originally unbudgeted spending on security issues to combat the threat of terrorism. Consequently, the conventional wisdom is that the acquisition of the Cellebrite equipment contributed to that expenditure overrun.
The CPJ has documented the use of Cellebrite’s Universal Forensic Extraction Device (UFED) by Nigerian security forces, as well as how the military targeted journalists’ phones and computers with a “forensic search” trying to reveal their sources.

These revelations are intensifying the phobia currently pervading some quarters in the Ghanaian media, especially political journalists working for media houses clearly opposed to the incumbent government as well as social activism journalists known to be critical of the State’s attitude to human rights.

Political and social commentators assert that the leaders of the #fix the country are obvious targets, although again, there is absolutely no concrete evidence that this is the case.

Another unfounded fear is that private corporations with the right connections could conceivably gain access to the equipment’s use for a fee in order to engage in industrial espionage against competitors. Again, such worries simply reflect the growing fear among Ghanaians in high positions or positions of influence that they might be being monitored digitally.

However, it is instructive that while such digital spying activities have been exposed in many countries around the world, no such scandals – not even the sniff of one – has emerged in Ghana.

According to Forbidden Stories, Pegasus – still the main target of the ongoing emergent global electronic spying controversy – has extensive capabilities: the spyware can be installed remotely on a smartphone without requiring any action from its owner. Once installed, it allows clients to take complete control of the device, including accessing messages from encrypted messaging apps like WhatsApp and Signal, and turning on the microphone and camera. It is still unclear how much of these capabilities the Cellebrite spyware now in Ghana’s possession, has.

The Forbidden Stories collaboration known as The Pegasus Project notes that contrary to what NSO Group has claimed for many years, including in a recent transparency report, the spyware has been widely misused. The leaked data showed that at least 180 journalists have been selected as targets in countries like India, Mexico, Hungary, Morocco, Togo, Rwanda and France, among others. Potential targets also include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of state.

During the investigation, the project team met with victims from all over the world whose phone numbers appeared in the data. The forensic analyses of their phones – conducted by Amnesty International’s Security Lab and peer-reviewed by the Canadian organization Citizen Lab – was able to confirm an infection or attempted infection with NSO Group’s spyware in 85 per cent of cases, or 37 in total.

The clients of NSO range from autocratic (Bahrain, Morocco and Saudi Arabia) to democratic (India and Mexico) and span the entire world, from Hungary and Azerbaijan in Europe to Togo and Rwanda in Africa.

Critics assert that while the governments justify the acquisition of the Pegasus software to fight terrorism, in actual fact they have used it on innocent citizens like journalists and human rights defenders serving the bigger public interest.