Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy By Ronald Deibert
- Daniel Foster
- Jan 20

Some books feel timely. Others feel prophetic. Chasing Shadows feels more like a forensic record of something already happening all around us — quietly, legally ambiguously, and with astonishingly little public awareness.
Ronald Deibert, founder of Citizen Lab, doesn’t present spyware as a technological curiosity. He presents it as infrastructure: an industry, a market, and a political ecosystem that has grown in parallel with the internet itself. One that now sits at the intersection of national security, private profit, authoritarian power, and democratic erosion.
Reading this book doesn’t leave you shocked. It leaves you slowly, persistently uneasy.
The illusion of the personal device
Most of us experience our phones as intimate spaces. Private conversations. Private photos. Personal routines. They feel like extensions of ourselves.
Pegasus exposes how illusory that privacy really is.
Once installed, the spyware offers operators “complete, unfettered access” to a target’s device. They can:
Read messages, including encrypted ones
Access private photos for blackmail
Track movements via GPS
Activate microphones and cameras without the user knowing
And erase all traces using built-in self-destruct features
Deibert’s description is haunting in its simplicity:
“It was as though an invisible spy had now slipped undetected into the targets’ pockets and was looking at the world through their eyes—and they had no clue.”
This isn’t theoretical. It’s operational. And increasingly, the victim doesn’t even need to make a mistake.
The rise of zero-click exploits means no phishing link, no malicious attachment, no human error. As Deibert puts it plainly:
“There is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defence.”
That alone should provoke global outrage. Instead, it barely registers in public discourse.
An industry designed to avoid responsibility
NSO Group, the company behind Pegasus, claims its technology exists to help governments fight terrorism and serious crime. But the evidence consistently undermines that narrative.
Deibert describes NSO Group as emblematic of a much wider system:
“Unprincipled billionaires dodging taxes and regulatory oversight… mercenary companies employing highly trained software vulnerability hunters… authoritarians and kleptocrats ruthlessly manoeuvring to undermine anything or anyone who might get in their way.”
What’s particularly unsettling is how predictable the pattern becomes.
Spyware firms insist they conduct strict client vetting. Evidence shows they repeatedly sell to governments with known records of corruption and repression. When abuses are exposed, they deny responsibility. Then they continue selling.
Deibert is blunt about this: NSO’s supposed safeguards are “a shameless farce.”
And NSO is not unique. The book documents a rapidly expanding marketplace of cyber-mercenary firms across Israel, Europe, China, Russia, and beyond. Governments are no longer the only clients either. The market is expanding toward oligarchs, corporations, and organised criminal networks.
This isn’t a rogue industry. It’s a growth industry.
Citizen Lab: public-interest investigation in a hostile environment
What grounds the book ethically is Deibert’s depiction of Citizen Lab itself.
Rather than hacking or secrecy, their approach is slow, rigorous, and transparent.
“We specialise in using careful tools, methods, and open-source investigative techniques… to gather the incriminating evidence that bad actors inevitably leave behind them. Our mission is to serve the public interest, not subvert it.”
This matters because Citizen Lab’s credibility rests on trust. They often work directly with victims: activists, journalists, civil society organisations. These groups trust them because, as Deibert notes, the Lab’s independence is precisely what attracts people who “want to do good.”
That trust produces something unusual: intelligence that is often better than what corporations or governments possess, because frontline groups are often the first to experience repression.
They are, as he writes, “like canaries in the coal mine.”
How surveillance actually gets deployed
The book becomes most powerful when it shifts from infrastructure to lived experience.
Targets are rarely selected randomly. Operators rely on psychological profiling and manipulation. Attacks are crafted to exploit values, fears, and identities.
Ahmed Mansoor, a human rights activist in the UAE, received a text promising evidence of torture in prisons — something directly aligned with his work.
Journalist Rori Donaghy received an invitation to speak on a human rights panel. The attackers relied on his ethics to lure him.
In Mexico, Carmen Aristegui was relentlessly targeted for investigating corruption. When that failed, operators began targeting her son, who was still a minor.
This tactic — “relational targeting” — appears repeatedly. Families, friends, colleagues become collateral damage. Operators described the process as almost gamified. Some even treated it like “live-action role-playing,” boasting about hacking the world’s most sophisticated spyware systems.
It’s not just invasive. It’s dehumanising.
“Counterterrorism” as political cover
One of the most consistent patterns across countries is how easily the language of national security becomes a justification for political repression.
In Hungary, Pegasus was used not against terrorists, but against journalists investigating corruption connected to Viktor Orbán.
In Spain, members of the Catalan parliament — including its president — were targeted.
In El Salvador, virtually all remaining independent journalists were placed under surveillance by Bukele’s government.
In Poland, Greece, Hungary, Spain, Mexico — the list expands across both authoritarian and nominally democratic states.
As Deibert observes, “combatting terrorism” has become a convenient umbrella under which governments extend domestic surveillance, clamp down on dissent, and monitor NGOs.
Even when exposed, consequences are limited. Governments deny, delay, obfuscate. In Spain, officials went so far as to accuse Citizen Lab of being part of foreign influence operations.
The playbook is familiar: deny legitimacy, invoke national security, stall accountability.
A global infrastructure of insecurity
The book also reveals something more structural: the global digital system itself is riddled with vulnerabilities.
SS7 networks allow tracking and interception across international telecom systems. Zero-day exploits allow companies to break into devices using flaws even Apple doesn’t yet know about. Surveillance-as-a-service firms allow governments to outsource targeting to third-party companies operating from other jurisdictions.
Deibert describes a world where:
“Any government security agency anywhere in the world can contract with a surveillance vendor and… pinpoint where you and your device are right now.”
This isn’t fringe capability. It’s commercial.
The psychological and human toll
Perhaps the most overlooked cost of surveillance is its emotional impact.
Victims describe anxiety, paranoia, isolation, and a permanent loss of safety. Knowing someone has seen your messages, your photos, your private moments fundamentally alters your relationship with the world.
Women often bear disproportionate harm. Deibert documents cases involving sexualised threats, threats of rape, doctored photos, extortion, and reputational destruction. In one particularly disturbing case, Chinese authorities allegedly produced a fabricated documentary about a woman’s fictional sex life and uploaded it online.
Surveillance here is not abstract power. It is intimate harm.
Privatised power and the erosion of democracy
The broader story Chasing Shadows tells is about the privatisation of coercive capability.
Tools once confined to state intelligence agencies are now:
Developed by private companies
Sold on international markets
Shielded by corporate secrecy
Used by governments with weak oversight
Increasingly available to non-state actors
Alongside this has emerged what Deibert describes as a new global elite: wealthy, mobile, deregulated, and largely insulated from accountability.
Meanwhile, the mechanisms designed to restrain power — courts, regulators, parliaments — appear consistently outmatched. Even the European Parliament’s own surveillance inquiry acknowledged that once national security is invoked, transparency effectively disappears.
This imbalance feels like the book’s true subject.
Not just spyware. But power without friction. Authority without visibility. Technology without ethics.
Fighting the future anyway
For all its bleakness, the book does not end in surrender.
Citizen Lab’s existence itself is a form of resistance. So are the journalists who expose these practices. So are the victims who continue speaking despite enormous personal cost.
Deibert closes with a line that feels less like optimism and more like defiance:
“The future may be bleak, but who’s to say you cannot fight the future?”
That, ultimately, is why Chasing Shadows matters.
Not because it reveals some hidden conspiracy. But because it documents, with evidence, how quietly democratic norms can erode when technology, power, and profit align — and how much effort it takes to push back.
This isn’t a book about gadgets. It’s a book about power. And it’s one that deserves to be read slowly, uncomfortably, and seriously.




