Pegasus in Hungary: A Surveillance State Unmasked


The hacking of dissidents worldwide is even more widespread than we thought. This year’s largest cross-border investigative undertaking, the Pegasus Project, has revealed that at least 10 governments have used sophisticated Israeli spyware to gather information on human rights activists, independent journalists, and opposition politicians. The only EU member in the pool of offenders was Hungary. This might not be an unexpected development for most readers, but it is a further blow to both independent journalism and the sanctity of citizens’ privacy.


During the last two weeks, the Hungarian public discourse – at least the part of it that takes place in the limited spaces not controlled by the government – has been dominated by the Pegasus affair. As it turns out, the Hungarian state most likely purchased sophisticated spyware from the Israeli cyber-arms firm NSO and used it to hack into the phones of some of the country’s best-known journalists.

Forbidden Stories, a Paris-based media non-profit, and the human rights NGO Amnesty International have acquired a leak with 50,000 phone numbers that are believed to belong to people whose phones were hacked using NSO’s flagship software, Pegasus. The leak includes almost 200 journalists and close to 100 human rights activists; even the phone numbers of European Council President Charles Michel and French President Emmanuel Macron made it onto the list. The leaked data indicate 10 countries whose governments have been behind the hackings: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates.

One of the Hungarian targets, Szabolcs Panyi, has reported on deals between the Kremlin and the Hungarian government, on Chinese influence in Hungary, and lately on the role of German lobbies in keeping international criticism of Viktor Orbán at bay. His colleague at the non-profit investigative journalistic outlet Direkt36, András Szabó, has published highly-regarded investigations into cronies of the Fidesz party and the political decision-making processes of the Orbán administration. Both journalists are recipients of the country’s prestigious Soma Award for investigative journalism. Forensic evidence suggests their phones were hacked in 2019, a few days after they sent media inquiries to Hungarian ministries related to investigative stories they were working on.

The software used to infiltrate their devices exploited zero-day vulnerabilities in software running on mobile phones, allowing “zero-click” attacks, whereby spyware can access a phone without any interaction from its user (e.g. without the user clicking on suspicious links or opening emails). The software allowed access to messaging apps, pictures and videos, and even facilitated control of the photograph and video functions, thereby turning the phone into a surveillance device. This indicates the authorities were trying to figure out what kinds of sensitive information the journalists might have handled and who provided it to them. The government has thereby not just invaded their privacy, but also violated press freedom.

In fact, Article 10 of the European Convention on Human Rights safeguards not just the content of a news article or other forms of communications, but also the means of transmitting such information. This was, among other matters, highlighted in the Goodwin v. United Kingdom judgement of the European Court of Human Rights: “Protection of journalistic sources is one of the basic conditions for press freedom. (…) Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest. As a result the vital public watchdog role of the press may be undermined, and the ability of the press to provide accurate and reliable information be adversely affected.” (A summary can be found here.)

A number of targets in Hungary

The exact scale of the surveillance in Hungary is not known. Many of the suspected targets have changed phones since the infiltration took place, thereby making it impossible to verify that the breach happened; in other cases, the details are still being investigated and have not yet been published.

The leak provided to Forbidden Stories included 300 Hungarian phone numbers. Direkt36, the investigative outlet that had two of its prominent journalists on the list, is also the one investigating the Hungarian developments related to the use of NSO’s Pegasus spyware. So far, it has identified four journalists, a local “fixer” who assisted a US journalist in gathering information on the Russia-led International Investment Bank that relocated to Hungary in 2019 (the US journalist could not be targeted, as Pegasus does not allow the hacking of US phone numbers), the owner of one of the largest Hungarian media organisations (Zoltán Varga of Central Media Group), a former minister in Orbán’s first government (Attila Chikán, who has since turned into a critic of Fidesz and its policies), the son of an oligarch who fell out of favour with Orbán, and a Belgian PhD student at Central European University. The article mentions that the list also includes the numbers of an opposition politician and of a prominent lawyer.

Journalists were already cautious

It is not exactly surprising that the government of EU Member State Hungary is spying on persons who are critical of its illiberal politics or those who aim to uncover the massive corruption in the country. There had already been some indications that this was the case. The situation of the rule of law and freedom of the press in Hungary has been in constant decline ever since Viktor Orbán was elected Prime Minister in 2010; already in 2014, leaks showed that the country’s government is a user of Finfisher spyware (produced by the German company Gamma) which, according to investigative news startup, is “commonly used in oppressive regimes to monitor political opponents and NGOs”. A 2015 report by Privacy International mentions that the Hungarian government has also used a program developed by the Italian company Hacking Team that can “be used to hijack computer and mobile devices whilst remaining undetectable to users.”

In recent years, journalists in Hungary have been cautious enough to use end-to-end encrypted messaging apps and secure calling services when communicating with their sources, deleting sensitive messages and call data from their phones right away to make sure there are no traces of the conversation left. Those who work at outlets like Direkt36, with a focus on investigations, might have taken additional steps given the sensitivity of their topics. However, this latest development shows that most of the known precautions might not have been enough, as the authorities are able to access even those kinds of channels that have so far been deemed relatively safe (such as seeing what has been communicated on WhatsApp or Signal).

The state’s dilettantism shouldn’t provide a false sense of comfort

That the government has such a powerful tool at its disposal is worrying, even if the authorities’ use of the spyware has so far not always been well thought out or effective. There are indications that often the spies themselves did not know what they were looking for, or at least did not seem to understand who could provide them with useful information, making some parts of the operation wasteful.

This can be seen in the example of a third Hungarian journalist known to have been surveilled: Dávid Dercsényi, who currently runs the municipality’s official newspaper in Budapest’s 8th district and previously worked on current affairs articles for a number of different news outlets. In his case, the authorities even surveilled his ex-wife’s phone, although he has been separated from her for years.

Dercsényi is not a cutting-edge investigative journalist and has never claimed to be one. According to his own recollection, the hacking of his phone must have happened after he sent an email inquiry to the Hungarian authorities about information he had found in a news story on Hungary published abroad that he was summarizing. For that particular article he was not talking to any primary sources.

While this kind of dilettantism on the part of the government could give us some grounds for Schadenfreude, it is far from comforting. This should not divert our attention from the fact that at least some such intrusions may have been successful and probably caused serious problems for sources and for whistle-blowers.

Another blow to democracy

A week after the Pegasus scandal broke, on 26 July, a thousand people protested in front of Budapest’s House of Terror, a museum commemorating the victims of past dictatorships. The government, however, avoided comment on the issue, and a meeting of the Parliament’s National Security Committee was sabotaged by the absence of members of the governing party. Sándor Pintér, the Interior Minister, claimed in a statement to the news site Telex that the Hungarian national security services have not engaged in illegal surveillance since Viktor Orbán assumed power in 2010. Nevertheless, it is telling that the Hungarian Justice Minister, Judit Varga (not related to the earlier mentioned Zoltán Varga), called on Le Monde prior to publication to cut a question and answer from an interview she had given the paper. The interviewer had wanted to know whether she would ever authorise the covert surveillance of journalists or opposition politicians. Varga called the question a provocation, not knowing that the interviewer was working on the Pegasus Project and thus was in possession of proof.

Interior Minister Pintér’s use of the word “illegal” above needs to be explained in a bit more detail. With the help of the Hungarian Civil Liberties Union (TASZ), Telex has looked at the legality of surveillance operations in Hungary. They found that a relatively vague regulation enables four security agencies and the Counter-terrorism Centre to engage in secret surveillance if the agencies claim there is no other way for them to access the data they need. The article adds: “There are no restrictions on surveilling certain professionals, nothing that forbids wiretapping journalists or even lawyers, and there are no extra prerequisites in such cases either.” The Justice Minister has to authorise the process. Judit Varga has claimed that an undersecretary takes care of this issue.

In its ruling on the case of Szabó and Vissy v. Hungary, the European Court of Human Rights has already highlighted the dangers of this procedure as follows: “Given that the scope of the measures could include virtually anyone, that the ordering is taking place entirely within the realm of the executive and without an assessment of strict necessity, that new technologies enable the Government to intercept masses of data easily concerning even persons outside the original range of operation, and given the absence of any effective remedial measures, let alone judicial ones, the Court concludes that there has been a violation of Article 8 of the Convention (right to respect for private and family life).”

The revelations about the use of Pegasus are, therefore, a further blow to the rule of law in Hungary, violating both press freedom and privacy rights. While vague regulations and previous leaks about the Hungarian government’s possible use of spyware had already worried observers and led journalists and human rights activists to be extra-cautious about how they communicate, the current revelations of the government’s blatant misuse of its power will be felt widely. The most obvious impact will be a chilling effect on critical journalism and on the quality of information that will be available to voters.

In recent years we have seen that journalists are finding it hard to talk to people on the record in Hungary, as possible information sources fear repercussions if quoted in the independent media. The authorities themselves are discouraging people working in the public sector from talking to the press. This was made painfully clear during the COVID-19 pandemic, when health workers were instructed not to give information to the press and journalists were denied entrance to hospitals – leaving media consumers completely underinformed about the extent of the pandemic. In addition, a vaguely-phrased emergency law during the first wave of the pandemic temporarily introduced a penalty of up to five years in prison for those who were found to be communicating in a way that endangered the government’s emergency response. The law did not differentiate between factual and fabricated information in this context, and therefore many journalists feared that even just a critical news article could lead to a possible prison term.

Now, with the Pegasus revelations, even the few remaining anonymous sources and whistle-blowers will think twice about giving information to a journalist, knowing that the government has the tools to track them down. This, in turn, will make it even harder for news media to perform their watchdog function, to uncover corruption, or to report about politicians’ misuse of power – the kinds of information that would allow citizens to make informed decisions before casting their votes on election day.