Modern day investigators have the luxury of seemingly endless technological resources that allow them to investigate in ways that Sherlock Holmes could have only dreamed of. The gift of modern technology and all its bells and whistles does come with a catch. In recent months, several revelations of spying using advanced spyware highlight the ethical quandary faced by investigators when choosing to deploy various technical tools. Although sophisticated technology allows investigators to gather far greater intelligence in even faster ways, investigators, lawyers, and law enforcement cannot lose sight of the legal and ethical constraints to which they are bound. Doing so could imperil a successful investigation and result in enduring legal and reputational damage to investigators, and the law firms and clients they work for.
In several recent well-publicized cases, Pegasus spyware, developed by NSO Group, a technology firm staffed by former members of the elite Israeli Intelligence Corps, is at the center of the storm. While NSO Group primarily enters into licensing agreements with government agencies, there is evidence that private actors are utilizing the spyware as well. Pegasus is described as malware that exploits vulnerabilities in iPhones and Android devices to extract messages, photos, emails, and other personal information. Pegasus can even activate a device’s microphone to record phone calls without any indication of its presence. As Gene Hackman, playing a paranoid former communications expert, retorted in the film Enemy of the State, “they can [even] read the time off your … wristwatch!”
These intrusions are accomplished through infected hyperlinks or by a more sophisticated method known as a ‘zero-click’ hack. Pegasus utilizes this method as it doesn’t require any action from the end-user such as clicking a corrupted hyperlink. Rather, the malware stealthily exploits a software vulnerability without giving any indication to the user of the device. Apple recently made headlines for deploying an emergency software update to address the vulnerabilities in its iOS messaging system that the Pegasus spyware exploited.
In light of this, it’s no surprise that NSO Group has been embroiled in numerous high-profile controversies. Recently, a Washington Post investigation revealed that Pegasus spyware was used to surreptitiously compromise the personal cellphones of thirty-seven journalists, human rights activists, and business executives. A forensic review of these phones found Pegasus-linked SMS messages used for infiltration of the devices. These intrusions were also detailed in a July 2021 Amnesty International report that challenged the claim by NSO Group that its Pegasus spyware is only used to “investigate terrorism and crime.”
According to published reports, Pegasus spyware has also been tied to a high-profile child custody battle involving the Jordanian-born Princess Haya bint Al Hussein and her ex-husband, Sheikh Mohammed bin Rashid al Maktoum. In 2019, the princess moved to Britain where a civil custody battle has since played out. Soon after, her attorney became aware that both of their phones had been hacked with the Pegasus spyware. During legal proceedings related to the custody battle, England’s High Court reached the same conclusion. In its ruling, the court found that the ex-wife’s phone—along with several of her close associates’ personal phones—was indeed hacked with the Pegasus spyware.
Famed singer Britney Spears also made headlines recently for being the victim of intrusive spying during the period of her highly contested conservatorship. While the Spears case did not involve Pegasus spyware, the implications are the same. According to published reports, Spears discovered that her father, in his role as conservator, hired a private investigative firm to monitor nearly all of her electronic communications. This firm was able to access Spears’ iCloud account and mirror all of her texts, calls, and app activity onto another Apple device where it was monitored in real-time. This information was reportedly then relayed to her father and former business manager as part of their efforts to track her movements.
Pegasus spyware and other advanced tools are undoubtedly effective for intelligence gathering. However, their benefits are limited by the legal and ethical constraints that guide an investigation. Whether an investigation is being conducted in connection with a civil or criminal proceeding, or as part of a general background investigation, it’s critical to not lose sight of the importance of abiding legal and ethical limitations. A prudent investigator will procure information that can be admissible as evidence in court while also being mindful of the potential for civil or criminal liability during the course of an investigation. Where an investigator is working for a lawyer, she needs to be mindful that she is an agent of the lawyer, and thus has the same ethical obligations as counsel. This demands knowledge of laws in applicable jurisdictions as well as the relevant codes of professional conduct that guide lawyers.
Given the intrusive nature of Pegasus spyware, the fruits of any surveillance conducted with it are likely to face high hurdles to admissibility in legal proceedings. Moreover, wiretapping, possession of wiretapping equipment, and gaining unauthorized access into a computer are all illegal under federal law in the United States. As reflected in a number of the above cases, courts have not been receptive to the evidence obtained via these intrusive technologies. There has also been substantial adverse publicity which threatens to create significant reputational damage to accompany the substantial legal risk.
Invasive technology also bumps up against increasingly strict data privacy regimes around the world. In general, as the laws and policies that regulate surveillance in foreign jurisdictions are more restrictive than those in the United States, careful planning is required. Prior to any investigation, an inquiry should be made to determine whether there is a legitimate basis for surveilling an individual. This inquiry is critical in jurisdictions such as the EU where, under the GDPR and its data protection laws, there must be a legitimate basis for collecting personal information. Investigating with knowledge of the applicable legal and ethical constraints will lead to more actionable outcomes. An investigator who ignores these guardrails is more inclined to capture intelligence that is not admissible in court or worse, causes reputational damage.
Risk management is vital to a successful investigation. Investigators who obtain information improperly pose many risks to their clients, including exposure to common law tort for invasion of privacy. Law firms and corporations may be liable under this legal doctrine as investigators are generally agents operating under their control. Most American jurisdictions have adopted ABA Rule 8.4(a), stating that an investigator’s unethical acts may be imputed to the attorney.
In deciding whether to conduct surveillance in any form, close consideration must be given to legality, ethics, and reputational risk. An attorney who retains an investigator must consider the ethical and legal constraints impacting the planned surveillance and the potential impact of negative front page headlines on lawyer and client alike. New York does not prohibit physical surveillance in general, but limits surveillance in areas where there is a reasonable expectation of privacy. Not all states or countries are alike and special consideration must be given to the applicable legal standards for surveillance.
Put simply, lawyers and clients alike need to think twice before authorizing investigators to undertake the intrusive surveillance today’s technology makes possible.