A first version of BYTES OF REPRESSION was exhibited at “Practicing Sovereignty. Interventions for open digital futures” exhibition by Weizenbaum Institute in Berlin (Germany) in June 2022.

For many years now law enforcement and intelligence agencies around the world extended their tools arsenal with spy software (spyware), often times produced by a private commercial company, designed to silently install on targeted computers or mobile devices in order to extract files, intercept calls, emails and text messages, as well as lurk through the embedded microphones and webcams. However, for just as long, researchers and investigators documented countless cases of abuse involving the illegal spying of journalists, activists and human rights defenders everywhere. Especially over the last year, the systemic nature of this abuse and the scale of the problem became more apparent.

In 2021, Nex led technical investigations with the international journalistic consortium Pegasus Project, which revealed the targeting of countless journalists, activists and politicians around the world with the “Pegasus” spyware, produced by the Israeli company NSO Group. The revelations sparked a global surveillance scandal which continues to unfold. The targeting of politicians and government officials across Europe also demonstrated how Pegasus poses not only a threat to human rights and personal freedoms, but to democracy and national sovereignty as well. As a result, the European Parliament launched a committee of inquiry.

Spyware is designed to be stealthy and remain unnoticed. It escapes accountability by benefiting from its apparent immateriality. But, as with any other software, spyware is also an architecture of bytes. A living digital being that someone, somewhere, created with some thousands of lines of code. Bytes of Repression attempts to demystify and deconstruct Pegasus. Through data visualizations of its components, recovered from an infected iPhone, you can interact with binaries which profited hundreds of millions of euros while crushing dissent the world over.

Technical description

A specifically-designed software using 2D and 3D data visualization algorithms displays the binary content of all components of the Pegasus spyware as recovered from the infected phone of a targeted activist. For example, in the screenshot below the viewer can observe the visualization of libwacalls.dylib, Pegasus’ plugin responsible for intercepting WhatsApp calls. Other similar files, for example include libimo.dylib for imo, or libvbcalls.dylib for Viber.

On the first display, the system maps the binaries’ bytes relationships by turning sequential bytes values into trigrams, then used as spatial coordinates on X, Y and Z axes. For example, a trigram would contain byte values at locations {0, 1, 2} then {1, 2, 3}, {2, 3, 4}, etc., until processing of entire binary file completes.

Through observation, it is possible to identify recurring patterns within the resulting cube, often indicating unique characteristics of the visualized binary. For example, a keen eye might be able to recognize visual structures that are unique to the targeted operating system, the programming language used to code the spyware, or, for example, the employment of encryption of other obfuscation techniques.

In the installation, through a hand tracking system, the viewer can interact with this 3D visualization, rotating it and interrupting its rendering.

On the second display, instead, it’s possible to see a 2D visualization of the binaries’ content. The blocks (or pixels, depending on size) are provided a color or a gamma based on the byte value from 0 to 255. For example, in the screenshots below, a byte value of 0 translates to a black block. A byte value of 255 appears white instead, and shades of gray will scale for values in between. Through this technique it’s possible to quickly observe the whole structure of the binary.