Pegasus spyware is being abused to target people in Thailand. The instigators? All indications point to the Thai authorities. But people in Thailand are not the only ones likely being spied on by those in power. Across the globe, revelations are emerging of governments using invasive technology to track, target, and silence critics.
It is time to put an end to the weaponising of surveillance technology — both globally and in Thailand. Thai authorities must immediately initiate an independent investigation to hold the perpetrators to account, and support calls for a global moratorium on spyware technology.
Last month, a report by Thai civil society groups, Internet Law Reform Dialogue (iLaw) and Digital Reach, and Toronto-based cyber research group, The Citizen Lab, revealed that the devices of at least 30 people in Thailand had been infected with Pegasus — a notorious hacking tool developed by Israeli company NSO Group, which has been implicated in privacy and civil rights violations across the world. These attacks mostly targeted activists, and often occurred before and during their participation in pro-democracy protests between 2020 and 2021. Barely five days after the report was released, five members of Thailand’s political opposition revealed their devices had also been compromised, coinciding with strong public statements in Parliament criticizing the Prayut administration.
Even as investigations by the groups were not able to conclusively identify the perpetrators of the attacks, the fact that, according to the State of Israel and NSO Group, Pegasus is only sold to governments and that there was disproportionate targeting of government critics incriminate one suspect — the Thai government.
This was supplemented by the statement of Chaiwut Thanakamanusorn, the Minister of Digital Economy and Society, confirming that spyware has indeed been used by Thai authorities, “just not under his authority”. Even as Chaiwut tried to back-track on his comments, Chaicharn Changmonkol, Deputy Minister for Defence, conspicuously failed to deny that the Thai authorities have Pegasus in their possession, insisting only that the government “does not have a policy to use spyware that would affect the public.” These vague statements only heighten suspicions of state involvement in the hackings. Incredulously, representatives of the current administration seem to be pulling the finger pointing towards them even closer.
Perhaps this is a symptom of impunity — since authorities in Thailand have made critical dissent incredibly difficult. Civil society, youth activists, journalists, academics, lawyers, and members of the political opposition have long suffered from state abuse of laws on defamation, sedition, contempt of court, and computer crimes, and increasing regulatory measures that control and censor online content.
In fact, Citizen Lab reported that they had first found evidence of Pegasus operations in Thailand in May 2014 — the same month of the military coup led by General Prayut Chan-o-Cha. Recent reports now seem to confirm that spyware has become yet another instrument at the disposal of the Prayut administration to stifle dissent and curtail civic space.
If the Thai government is indeed using Pegasus to spy on its critics, it joins a list of at least 44 other states who have also abused this technology. Since the Citizen Lab first revealed Pegasus abuses in 2016, and Amnesty International and Forbidden Stories released the Pegasus Project in July 2021, cases of spyware targeting from across the globe are continually thrust into the spotlight, invading and upending the lives of hundreds of people – from activists, journalists, members of the judiciary, women human rights defenders, and public health advocates, to heads of state. And as the scope of revelations widens, calls for accountability by victims, NGOs, lawmakers, and other stakeholders have intensified.
NSO Group has been taken to task for its sale of Pegasus. Even before the Pegasus Project, Apple and Meta’s Whatsapp had sued the NSO group for undermining the security of people who use their platforms. In November 2021, the US government blocklisted NSO Group and another spyware operator, Candiru, for violations of national security; and in April 2022, the European Parliament began an inquiry into the abuse of Pegasus and other spyware technologies in the region. Following reports that NSO Group had attempted to escape accountability for its abuses by getting acquired by a U.S. defense contractor L3Harris, civil society and the White House pushed back against the deal, resulting in the contractor ending the talks.
Demands for accountability have also targeted the wider spyware industry — which continues to facilitate human rights violations in secrecy, brazenly operating without regard for international law or commitment to human rights safeguards. Access Now and global civil society coalitions are campaigning for an immediate moratorium on the sale, transfer and use of surveillance technology, and urging member states of the UN Human Rights Council to support independent investigations into human rights violations facilitated by the sale and abuse of surveillance tools. In April 2022, Costa Rica became the first country to publicly call for an immediate moratorium on spyware use until the implementation of a regulatory framework to protect human rights.
Thailand, and the people who live here, will only suffer if it chooses to ignore reports of spyware abuse. What is happening in Thailand both feeds into and draws from a global movement against the abuse of surveillance technology. If Thai authorities fail to acknowledge the seriousness of the allegations placed at their feet, global attention will very likely push Pegasus back to their doorstep and strengthen local demands for accountability. Like France, Poland, India and Spain, the Thai government must launch an independent and effective investigation into Pegasus abuse, and take necessary steps to ensure such an investigation is not hampered by political interests, as is currently the case in Hungary.
The Thai government should also scrutinize and stop national procurement of surveillance tools, and join global calls for a moratorium limiting the sale, transfer and use of these tools. It should do so not only because it remains accountable to the people from whom they draw a mandate to govern, but because if the government stays silent, Thai people — and the rest of the world — will not.
Access Now is an international organisation that works to defend and extend the digital rights of users at risk around the world. Access Now provides thought leadership and policy recommendations to the public and private sectors to ensure the continued openness of the internet and the protection of fundamental rights. By combining direct technical support, comprehensive policy engagement, global advocacy, grassroots grantmaking, legal interventions and convenings such as RightsCon, we fight for human rights in the digital age.