Internal Documents Show How Close the F.B.I. Came to Deploying Spyware
The New York Times (archive.ph)
By Mark Mazzetti and Ronen Bergman
2022-11-12 10:00:22GMT
Christopher A. Wray, the F.B.I. director, acknowledged that the bureau considered deploying the hacking tool.Credit...Stefani Reynolds for The New York Times
WASHINGTON — During a closed-door session with lawmakers last December, Christopher A. Wray, the director of the F.B.I., was asked whether the bureau had ever purchased and used Pegasus, the hacking tool that penetrates mobile phones and extracts their contents.
Mr. Wray acknowledged that the F.B.I. had bought a license for Pegasus, but only for research and development. “To be able to figure out how bad guys could use it, for example,” he told Senator Ron Wyden, Democrat of Oregon, according to a transcript of the hearing that was recently declassified.
But dozens of internal F.B.I. documents and court records tell a different story. The documents, produced in response to a Freedom of Information Act lawsuit brought by The New York Times against the bureau, show that F.B.I. officials made a push in late 2020 and the first half of 2021 to deploy the hacking tools — made by the Israeli spyware firm NSO — in its own criminal investigations. The officials developed advanced plans to brief the bureau’s leadership, and drew up guidelines for federal prosecutors about how the F.B.I.’s use of hacking tools would need to be disclosed during criminal proceedings.
It is unclear how the bureau was contemplating using Pegasus, and whether it was considering hacking the phones of American citizens, foreigners or both. In January, The Times revealed that F.B.I. officials had also tested the NSO tool Phantom, a version of Pegasus capable of hacking phones with U.S. numbers.
The F.B.I. eventually decided not to deploy Pegasus in criminal investigations in July 2021, amid a flurry of stories about how the hacking tool had been abused by governments across the globe. But the documents offer a glimpse at how the U.S. government — over two presidential administrations — wrestled with the promise and peril of a powerful cyberweapon. And, despite the F.B.I. decision not to use Pegasus, court documents indicate the bureau remains interested in potentially using spyware in future investigations.
“Just because the F.B.I. ultimately decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate and potentially deploy other similar tools for gaining access to encrypted communications used by criminals,” stated a legal brief submitted on behalf of the F.B.I. late last month.
In a statement, Mr. Wyden said “it is totally unacceptable for the F.B.I. director to provide misleading testimony about the bureau’s acquisition of powerful hacking tools and then wait months to give the full story to Congress and the American people.”
He added, “The F.B.I. also owes Americans a clear explanation as to whether the future operational use of NSO tools is still on the table.”
An F.B.I. spokeswoman said “the director’s testimony was accurate when given and remains true today — there has been no operational use of the NSO product to support any FBI investigation.” A senior F.B.I. official added that, in addition to Mr. Wray’s public and classified testimony, bureau officials have also given classified briefings on the matter to members of Congress and their staffs.
The specifics of why the bureau chose not to use Pegasus remain a mystery, but American officials have said that it was in large part because of mounting negative publicity about how the tool had been used by governments around the world.
Pegasus is a so-called zero-click hacking tool that can invade a target’s mobile phone and extract messages, photos, contacts, messages and video recordings. Numerous governments, both autocracies and democracies, have purchased and deployed Pegasus in recent years. It has been used by police and intelligence services to hack the phones of drug kingpins and terrorists, but gained notoriety when it was revealed that governments, like Saudi Arabia, Mexico, Hungary and India had deployed it against political dissidents, journalists and human rights workers.
Mr. Wray’s closed-door testimony came just weeks after the Biden administration last November placed NSO and another Israeli hacking firm on a Commerce Department blacklist, preventing American companies from selling technology to the firms without permission from the U.S. government. On Capitol Hill, Congress is working on a bipartisan bill that would ban government agencies from using foreign commercial spyware such as Pegasus.
The Times revealed in January that the F.B.I. had purchased Pegasus in 2018 and, over the next two years, tested the spyware at a secret facility in New Jersey. Since the bureau first purchased the tool, it has paid approximately $5 million to NSO.
The Biden administration placed NSO and another Israeli hacking firm on a Commerce Department blacklist, preventing the firms from doing business with any American technology companies. Credit...Amir Levy/Getty Images
Since that story was published, F.B.I. officials, including Mr. Wray, have gone further than they did during the closed meeting with senators last December. They acknowledged that the bureau did consider deploying Pegasus, though they still emphasized that the F.B.I.’s main goal was to test and evaluate it to assess how adversaries might use it.
During a congressional hearing in March, Mr. Wray said the bureau had bought a “limited license” for testing and evaluation “as part of our routine responsibilities to evaluate technologies that are out there, not just from a perspective of could they be used someday legally, but also, more important, what are the security concerns raised by those products.”
“So, very different from using it to investigate anyone,” he said.
A June letter from the F.B.I. to Mr. Wyden made similar points, saying the bureau purchased a license “to explore potential future legal use of the NSO product and potential security concerns the product poses.”
The letter continued, “After testing and evaluation, the F.B.I. chose not to use the product operationally in any investigation.”
During his time as F.B.I. director, Mr. Wray has worked to build good relations with lawmakers from both parties, especially after the tumultuous years of his predecessor, James B. Comey. He has earned praise from some on Capitol Hill for his public testimony during the Trump administration years — on issues including Russia and domestic extremism — that infuriated President Donald J. Trump.
The internal F.B.I. documents and legal briefs submitted on behalf of the bureau give the most complete picture to date of the bureau’s interest in deploying Pegasus. While heavily redacted, the internal documents show that, from late 2020 until the summer of 2021, the F.B.I. had demonstrated a growing interest in potentially using Pegasus to hack the phones of F.B.I. targets in criminal investigations.
In September and October 2020, after the bureau had tested the product, F.B.I. officials put together PowerPoint presentations that included “detailed discussions of the potential risks or advantages of using the NSO tool” and “proposals for specific steps the F.B.I. or D.O.J. should take before making a decision about whether to use it.”
On March 29, 2021, two months after President Biden took office, the bureau’s Criminal Investigative Division circulated a 25-page memorandum that documented the division’s recommendations supporting the use of Pegasus “under certain specific conditions,” which were not clear in the redacted documents.
Days later, the same division proposed guidelines for government lawyers around the country who prosecute cases brought by the F.B.I. about “how the tool’s use could be appropriately addressed in criminal discovery.”
Then, in May last year, the bureau’s Criminal Investigative Division prepared a document about the potential use of Pegasus for a daily briefing for Mr. Wray. There is not clear evidence in the redacted documents that the Pegasus information ultimately was included in his briefing, or what Mr. Wray’s views on the matter were.
On July 22, 2021, according to the government’s legal brief in the FOIA case late last month, the decision was made to “cease all efforts regarding the potential use of the NSO product.”
The New York Times (archive.ph)
By Mark Mazzetti and Ronen Bergman
2022-11-12 10:00:22GMT
Christopher A. Wray, the F.B.I. director, acknowledged that the bureau considered deploying the hacking tool.Credit...Stefani Reynolds for The New York Times
WASHINGTON — During a closed-door session with lawmakers last December, Christopher A. Wray, the director of the F.B.I., was asked whether the bureau had ever purchased and used Pegasus, the hacking tool that penetrates mobile phones and extracts their contents.
Mr. Wray acknowledged that the F.B.I. had bought a license for Pegasus, but only for research and development. “To be able to figure out how bad guys could use it, for example,” he told Senator Ron Wyden, Democrat of Oregon, according to a transcript of the hearing that was recently declassified.
But dozens of internal F.B.I. documents and court records tell a different story. The documents, produced in response to a Freedom of Information Act lawsuit brought by The New York Times against the bureau, show that F.B.I. officials made a push in late 2020 and the first half of 2021 to deploy the hacking tools — made by the Israeli spyware firm NSO — in its own criminal investigations. The officials developed advanced plans to brief the bureau’s leadership, and drew up guidelines for federal prosecutors about how the F.B.I.’s use of hacking tools would need to be disclosed during criminal proceedings.
It is unclear how the bureau was contemplating using Pegasus, and whether it was considering hacking the phones of American citizens, foreigners or both. In January, The Times revealed that F.B.I. officials had also tested the NSO tool Phantom, a version of Pegasus capable of hacking phones with U.S. numbers.
The F.B.I. eventually decided not to deploy Pegasus in criminal investigations in July 2021, amid a flurry of stories about how the hacking tool had been abused by governments across the globe. But the documents offer a glimpse at how the U.S. government — over two presidential administrations — wrestled with the promise and peril of a powerful cyberweapon. And, despite the F.B.I. decision not to use Pegasus, court documents indicate the bureau remains interested in potentially using spyware in future investigations.
“Just because the F.B.I. ultimately decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate and potentially deploy other similar tools for gaining access to encrypted communications used by criminals,” stated a legal brief submitted on behalf of the F.B.I. late last month.
In a statement, Mr. Wyden said “it is totally unacceptable for the F.B.I. director to provide misleading testimony about the bureau’s acquisition of powerful hacking tools and then wait months to give the full story to Congress and the American people.”
He added, “The F.B.I. also owes Americans a clear explanation as to whether the future operational use of NSO tools is still on the table.”
An F.B.I. spokeswoman said “the director’s testimony was accurate when given and remains true today — there has been no operational use of the NSO product to support any FBI investigation.” A senior F.B.I. official added that, in addition to Mr. Wray’s public and classified testimony, bureau officials have also given classified briefings on the matter to members of Congress and their staffs.
The specifics of why the bureau chose not to use Pegasus remain a mystery, but American officials have said that it was in large part because of mounting negative publicity about how the tool had been used by governments around the world.
Pegasus is a so-called zero-click hacking tool that can invade a target’s mobile phone and extract messages, photos, contacts, messages and video recordings. Numerous governments, both autocracies and democracies, have purchased and deployed Pegasus in recent years. It has been used by police and intelligence services to hack the phones of drug kingpins and terrorists, but gained notoriety when it was revealed that governments, like Saudi Arabia, Mexico, Hungary and India had deployed it against political dissidents, journalists and human rights workers.
Mr. Wray’s closed-door testimony came just weeks after the Biden administration last November placed NSO and another Israeli hacking firm on a Commerce Department blacklist, preventing American companies from selling technology to the firms without permission from the U.S. government. On Capitol Hill, Congress is working on a bipartisan bill that would ban government agencies from using foreign commercial spyware such as Pegasus.
The Times revealed in January that the F.B.I. had purchased Pegasus in 2018 and, over the next two years, tested the spyware at a secret facility in New Jersey. Since the bureau first purchased the tool, it has paid approximately $5 million to NSO.
The Biden administration placed NSO and another Israeli hacking firm on a Commerce Department blacklist, preventing the firms from doing business with any American technology companies. Credit...Amir Levy/Getty Images
Since that story was published, F.B.I. officials, including Mr. Wray, have gone further than they did during the closed meeting with senators last December. They acknowledged that the bureau did consider deploying Pegasus, though they still emphasized that the F.B.I.’s main goal was to test and evaluate it to assess how adversaries might use it.
During a congressional hearing in March, Mr. Wray said the bureau had bought a “limited license” for testing and evaluation “as part of our routine responsibilities to evaluate technologies that are out there, not just from a perspective of could they be used someday legally, but also, more important, what are the security concerns raised by those products.”
“So, very different from using it to investigate anyone,” he said.
A June letter from the F.B.I. to Mr. Wyden made similar points, saying the bureau purchased a license “to explore potential future legal use of the NSO product and potential security concerns the product poses.”
The letter continued, “After testing and evaluation, the F.B.I. chose not to use the product operationally in any investigation.”
During his time as F.B.I. director, Mr. Wray has worked to build good relations with lawmakers from both parties, especially after the tumultuous years of his predecessor, James B. Comey. He has earned praise from some on Capitol Hill for his public testimony during the Trump administration years — on issues including Russia and domestic extremism — that infuriated President Donald J. Trump.
The internal F.B.I. documents and legal briefs submitted on behalf of the bureau give the most complete picture to date of the bureau’s interest in deploying Pegasus. While heavily redacted, the internal documents show that, from late 2020 until the summer of 2021, the F.B.I. had demonstrated a growing interest in potentially using Pegasus to hack the phones of F.B.I. targets in criminal investigations.
In September and October 2020, after the bureau had tested the product, F.B.I. officials put together PowerPoint presentations that included “detailed discussions of the potential risks or advantages of using the NSO tool” and “proposals for specific steps the F.B.I. or D.O.J. should take before making a decision about whether to use it.”
On March 29, 2021, two months after President Biden took office, the bureau’s Criminal Investigative Division circulated a 25-page memorandum that documented the division’s recommendations supporting the use of Pegasus “under certain specific conditions,” which were not clear in the redacted documents.
Days later, the same division proposed guidelines for government lawyers around the country who prosecute cases brought by the F.B.I. about “how the tool’s use could be appropriately addressed in criminal discovery.”
Then, in May last year, the bureau’s Criminal Investigative Division prepared a document about the potential use of Pegasus for a daily briefing for Mr. Wray. There is not clear evidence in the redacted documents that the Pegasus information ultimately was included in his briefing, or what Mr. Wray’s views on the matter were.
On July 22, 2021, according to the government’s legal brief in the FOIA case late last month, the decision was made to “cease all efforts regarding the potential use of the NSO product.”
