Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International had access to a list of phone numbers concentrated in countries known to surveil their citizens and also known as clients of NSO Group, an Israeli firm that is a leader in the field of spyware. The two nonprofits shared the information with The Post and 15 other news organizations worldwide that have worked collaboratively to conduct further analysis and reporting over several months. Forbidden Stories oversaw the Pegasus Project, and Amnesty International provided forensic analysis but had no editorial input.

The reporters of the Pegasus Project found that NSO’s Pegasus spyware, meant be to licensed to governments for tracking terrorists and criminals, was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and the two women closest to murdered Saudi journalist Jamal Khashoggi.

Below are the responses from countries named in the project to questions from reporters:

Azerbaijan:

Awaiting response.

Bahrain:

Awaiting response.

Hungarian Prime Minister Viktor Orban’s office:

Hungary is a democratic state governed by the rule of law, and as such, when it comes to any individual it has always acted and continues to act in accordance with the law in force. In Hungary, state bodies authorised to use covert instruments are regularly monitored by governmental and non-governmental institutions.

Have you asked the same questions of the governments of the United States of America, the United Kingdom, Germany or France? In the case you have, how long did it take for them to reply and how did they respond? Was there any intelligence service to help you formulate the questions?

Please be so kind and publish our reply in full, without any modification.

Indian government:

India is a robust democracy that is committed to ensuring the right to privacy to all its citizens as a fundamental right. In furtherance of this commitment, it has also introduced the Personal Data Protection Bill, 2019 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, to protect the personal data of individuals and to empower users of social media platforms.

The commitment to free speech as a fundamental right is the cornerstone of India’s democratic system. We have always strived to attain an informed citizenry with an emphasis on a culture of open dialogue.

However, the questionnaire sent to the Government of India indicates that the story being crafted is one that is not only bereft of facts but also founded in pre-conceived conclusions. It seems you are trying to play the role of an investigator, prosecutor as well as jury.

Considering the fact that answers to the queries posed have already been in public domain for a long time, it also indicates poorly conducted research and lack of due diligence by the esteemed media organizations involved.

Government of India’s response to a Right to Information application about the use of Pegasus has been prominently reported by media and is in itself sufficient to counter any malicious claims about the alleged association between the Government of India and Pegasus.

India’s Minister of Electronics & IT has also spoken in detail, including in the Parliament, that there has been no unauthorised interception by Government agencies. It is important to note that Government agencies have a well established protocol for interception, which includes sanction and supervision from highly ranked officials in central & state governments, for clear stated reasons only in national interest.

The allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever.

In the past, similar claims were made regarding the use of Pegasus on WhatsApp by Indian State. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.

This news report, thus, also appears to be a similar fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.

In India there is a well established procedure through which lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States. The requests for these lawful interception of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act ,1885 and section 69 of the Information Technology (Amendment) Act, 2000.

Each case of interception, monitoring, and decryption is approved by the competent authority i.e. the Union Home Secretary. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

There is an established oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary. In case of state governments, such cases are reviewed by a committee headed by the Chief Secretary concerned.

The procedure therefore ensures that any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.

Israel:

The State of Israel regulates marketing and export of cyber products in accordance with the 2007 Defense Export Control Act. Control lists are based on the Wassenaar Arrangement, and include additional items. Policy decisions take into account national security and strategic considerations, which include adherence to international arrangements. As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end use /end user certificates provided by the acquiring government. In cases where exported items are used in violation of export licenses or end use certificates, appropriate measures are taken.

Israel does not have access to the information gathered by NSO’s clients.

Kazakhstan:

Awaiting response.

Mexico:

Awaiting response.

Moroccan government:

The Moroccan authorities do not understand the context of the referral by the International Consortium of Journalists “Forbidden Stories”, requesting “the responses and clarifications of the Moroccan Government on the digital surveillance tools of NSO Group.”

It should be recalled that the unfounded allegations previously published by Amnesty International and conveyed by Forbidden Stories have already been the subject of an official response from the Moroccan authorities, who have categorically rejected these allegations.

The Moroccan authorities are still waiting, since 22 June 2020, for material evidence from Amnesty International.

Additional comment, July 19

The Moroccan government has expressed its great astonishment at the recurrent and coordinated publication, since Sunday 18 July, by foreign newspapers under the banner of a coalition called “Forbidden stories”, of erroneous information in which their authors falsely claim that Morocco has infiltrated the telephones of several national and foreign public figures and officials of international organizations through computer software.

In a statement, the government said it categorically rejects and condemns these unfounded and false allegations, as it has done with previous similar allegations by Amnesty International.

It reminded national and international public opinion that Morocco is a State governed by the rule of law, which guarantees the secrecy of personal communications by the force of the Constitution and by virtue of the Kingdom's treaty commitments and judicial and non-judicial laws and mechanisms guaranteeing personal data protection and cybersecurity to all citizens and foreign residents in Morocco.

It added that it is not permitted by the force of the Constitution to access or publish, in whole or in part, the contents of personal communications or to use them against anyone except by order of the independent judiciary and in accordance with the terms and conditions laid down by law. Law enforcement agencies are obliged to respect the provisions of the law and may not act outside its framework.

The statement also pointed out that the government of the Kingdom of Morocco has never acquired computer software to infiltrate communication devices, nor have the Moroccan authorities ever resorted to such acts, adding that the media collective, in all the news articles it has disseminated, has so far been unable to provide evidence to support its claims.

Aware of the ulterior motives and aims behind the dissemination of these false allegations and their context, the Moroccan government challenges the above-mentioned collective, as it did with Amnesty International, to provide realistic and scientific evidence that can be subject to professional, impartial and independent expertise and counter-expertise on the veracity of these allegations.

The government of the Kingdom of Morocco reserves the right to take the measures it deems appropriate in the face of the false allegations made by the above-mentioned collective, which are aimed at damaging the country’s image, its achievements in the field of fundamental rights and freedoms, its status and its supreme interests, the statement concluded.

Rwanda, from Vincent Biruta, minister of Foreign Affairs and International Cooperation:

Rwanda does not use this software system, as previously confirmed in November 2019, and does not possess this technical capability in any form. These false accusations are part of an ongoing campaign to cause tensions between Rwanda and other countries, and to sow disinformation about Rwanda domestically and internationally. This is libel, and enough is enough. The questions related to the ongoing terrorism trial of Paul Rusesabagina and his 20 co-accused have been extensively addressed by the court. For any future inquires related to cybersecurity, please contact the National Cyber Security Authority (NCSA).

Saudi Arabia:

Awaiting response.

United Arab Emirates:

Awaiting response.