Scores of journalists from seventeen news outlets worked together to expose evidence of industrial-scale spying that targeted journalists, activists, politicians, and business executives.

And the revelations are only just beginning.

The consortium began to publish its findings on Sunday. The stories indicate that numerous members of the media were “possible candidates for surveillance,” as The Guardian put it. Forensic tests affirmed the presence of spyware on some phones.

More will be coming out in the days ahead. The participating news outlets are dubbing this the “Pegasus Project,” teeing off the name of the spyware, Pegasus, which is ostensibly licensed by NSO Group to track terrorists and major criminals. How has the spyware been used? Has it been abused? Those are two of the key questions.

First things first…

How did this investigation begin? Washington Post executive editor Sally Buzbee explained it in a letter from the editor on Sunday afternoon. “The project was conceived by Forbidden Stories, a Paris-based journalism nonprofit, which, along with Amnesty International, a human rights group, had access to records that formed the basis of our reporting: a list of more than 50,000 cellphone numbers concentrated in countries known to surveil their citizens and also known to have been clients of NSO Group,” Buzbee wrote.

“Although the purpose of the list could not be conclusively determined, it is a fascinating document,” Buzbee wrote. “Out of the more than 1,000 identities that could be confirmed, there were at least 85 human rights activists, 65 business executives, several members of Arab royal families, 189 journalists, and 600 government officials and politicians, spread across more than 50 countries.”

Amnesty’s Security Lab was able to examine 67 smartphones. “Of those, 23 were successfully infected and 14 showed signs of attempted penetration,” WaPo reported. “For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced.”

WaPo interviewed some of the affected individuals, including Siddharth Varadarajan, co-founder of The Wire, a nonprofit news outlet in India. “This is an incredible intrusion, and journalists should not have to deal with this,” he said after learning that his phone was infected. “Nobody should have to deal with this.”

Who’s on the list?

Here’s what WaPo reported: “Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.”

There’s a whole lot of uncertainty associated with this, as Devan Cole noted in a story for CNN.com. But Amnesty’s secretary-general, Agnes Callamard, came out swinging. “The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice,” Callamard said Sunday.

I was also struck by this line in the WaPo story: “After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.”

“Out in the open…”

CNN has not independently verified the findings of the Pegasus Project probe. The seventeen participating outlets are Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, The Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, The Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS “Frontline.”

For an overview of the findings thus far, “Frontline” is running a live blog linking to major stories from the other partners.

Here’s the key quote from Dana Priest, one of the bylines on the WaPo report, who is also featured in a “Frontline” report. “For the first time,” Priest said, “we’ve been able to give readers a sense of just how enormous the private and unregulated spying business has become. It’s been a unique, and actually thrilling, experience to work with so many foreign journalists to pool our sources and resources to bring this difficult story out in the open, where it should be.”

NSO Group’s response

Quoting from Devan Cole’s story: “In a lengthy statement to CNN on Sunday, NSO Group strongly denied the investigation’s findings, saying in part that it sells its ‘technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts.'”

NSO Group also said it “does not operate the system and has no visibility to the data.” It said it will continue to investigate “all credible claims of misuse and take appropriate action based on the results” of such investigations…