The NSO ‘Surveillance List’, What It Is and Isn’t

Kim Zetter’s Zero Day newsletter has been a consistently good read. Today’s issue, about that mysterious list of tens of thousands of phone numbers forming the basis of much of the Pegasus Project reporting, is a great example:

There is nothing on the list to indicate what purpose it’s meant to serve or who compiled it, according to the Post and other media outlets participating in the Pegasus reporting project. There is also nothing on the list that indicates if the phones were spied on, were simply added to the list as potential targets for spying or if the list was compiled for a completely different reason unrelated to spying.


Those varying descriptions have created confusion and controversy around the reporting and the list, with readers wondering exactly what the list is for. The controversy doesn’t negate the central thesis and findings, however: that NSO Group has sold its spy tool to repressive regimes, and some of those regimes have used it to spy on dissidents and journalists.

The reporting associated with the Pegasus Project has been enlightening so far, but not without its faults. The confusion about this list of phone numbers is one of those problems — and it is a big one. It undermines some otherwise excellent stories because it is not yet known why someone’s phone number would end up on this list. Clearly it is not random, but nor is it a list of individuals whose phones were all infected with Pegasus spyware. This murkiness has allowed NSO Group’s CEO to refocus media attention away from the ethical dumpster fire started when his company knowingly licensing spyware to authoritarian regimes.