The Israeli technology firm NSO Group has become notorious for its impressively sneaky and effective spyware, called Pegasus, and for the laundry list of controversies over how that software has been used. A recently released investigation sparked a new one this week. But how much do we really know about the company behind Pegasus?
NSO Group first came under major scrutiny for its surveillance technology in 2016, when analyses by the NGOs Citizen Lab and Lookout Mobile Security discovered that the firm had exploited “zero-days” (unpatched security vulnerabilities) on Apple’s iOS. All it took was one click of a link sent through a text message for Pegasus to be installed on a user’s phone. Once on the phone, Pegasus enables keystroke monitoring of all communications and lets Pegasus operators remotely record audio and video using the hacked phone’s camera and microphone. The discovery of Pegasus spyware on the phone of United Arab Emirates human rights activist Ahmed Mansoor highlighted the ability of governments to abuse Pegasus by targeting political dissidents rather than terrorists and serious criminals.
Since 2016, NSO has faced multiple accusations that Pegasus is being used to target journalists and activists around the world. These include Mexican journalist Rafael Cabrera, Citizen Lab’s own reporters, and the family of murdered Saudi journalist Jamal Khashoggi, among others.
The most recent addition to this list of Pegasus’ targets is actually 50,000 additions: reporting consortium The Pegasus Project released a report on Sunday that found a list of over 50,000 phone numbers that they believe were identified as “people of interest” by clients of NSO.
Ostensibly, Pegasus is supposed to be used only to “investigate terrorism and crime,” and it “leaves no traces whatsoever” on the hacked device, which makes it nearly impossible to detect once installed. However, a Forensic Methodology Report by Amnesty International finds that neither statement is true. The report uncovers “widespread, persistent and ongoing unlawful surveillance and human rights abuses” that NSO’s spyware perpetrated on human rights activists, journalists, academics, and government officials across the globe.
NSO was founded in 2010. Pegasus was introduced sometime between then and 2016, but that’s really all we know about its creation, partially because NSO has tended to deemphasize Pegasus in its marketing and instead emphasizes its “range” of products: anti-drone, data analytics, search-and-rescue, and even COVID tracking technologies. NSO Group has been notoriously secretive, releasing little to no information regarding its operations, customers, or safeguards against misuse. In 2016, when NSO first came under scrutiny for the Pegasus targeting of Mansoor, the firm did not even have a website. In February of 2019, Francisco Partners, a U.S. private equity fund, sold NSO Group to the firm’s Israeli co-founders Omri Lavie and Shalev Hulio, who partnered with Novalpina Capital to purchase a majority stake in NSO. NSO Group’s previous owners, Francisco Partners, bought the company in 2014 for $130 million. In 2019, it was valued at over $1 billion.
Novalpina, Lavie, and Hulio declared that, as the new majority stakeholders of NSO Group, they were committing themselves to more transparency and pledged to do “whatever is necessary” to prevent their technology being used to abuse human rights. The cornerstone of NSO Group’s human rights policy is a vetting process, in which NSO staff examine governments who hope to acquire the firm’s technology, looking at the country’s human rights record, its relationship to Israel, and the level of need for the surveillance tool. NSO claims to have passed on $300 million in sales opportunities as a result of their human rights review processes. However, as MIT Technology Review reported in August 2020, it’s completely possible for a country with a poor human rights record to acquire Pegasus: Morocco’s worsening record on human rights was outweighed by the country’s history of cooperation with Israel and its critical terrorism problem, so the sale was approved.
NSO licenses Pegasus to governments in 40 undisclosed countries, and has long maintained that it does not operate the systems once sold to its clients, nor does it have access to the data of its clients’ targets. This is the defense that the firm returns to, time and again, when reports surface that its Pegasus technology has been used as a tool of oppression and violence.
NSO states firmly that they will terminate their contract with any clients who abuse the technology. The company cites three instances of clients abusing Pegasus and subsequently having their contract terminated as evidence of NSO’s willingness to shut down abuse.
There are other guardrails in place once Pegasus is sold to a client, which include prohibiting U.S. phones from being infected with the spyware (Pegasus is supposed to self-destruct if it finds itself within American borders). And, though ad hoc teams are created to investigate when reports of abuse arise, there is reportedly no permanent internal team tasked with investigating and handling abuse.
NSO and its technologies are regulated by the export control authorities of the three countries from which its products are exported: Bulgaria, Cyprus, and Israel. Yet, because NSO repeatedly asserts that any misuse of the technology is done at the hands of the clients, rather than the company, it can be difficult to pinpoint where an abuse is coming from and who should be held accountable, as has been the case regarding a lawsuit brought by Facebook/WhatsApp against NSO.
Despite NSO’s self-proclaimed “unprecedented step forward” in the form of their recently released Transparency and Responsibility Report, there remains a lot that is unclear. Amnesty International points to the lack of accountability in the report for the unlawful surveillance of journalists and activists, the company’s refusal to acknowledge how their own policies have denied the right to remedy for victims of Pegasus’ unlawful spying, as well as NSO’s failure to “disclose all the legal challenges the company has faced resulting from the misuse of its technology.”
Amnesty, U.N. surveillance experts, and Edward Snowden (among others) are now calling for a global moratorium on the sale of not only NSO spyware like Pegasus, but all surveillance technology, until proper rules and regulations can be put in place internationally.