Middle East Eye / July 20, 2021
Israeli firm says it can’t be blamed for how states, as ‘sovereign customers’, use its technology.
The NSO Group is no stranger to scandal.
Claims made this week that the Israeli company’s Pegasus spyware technology has been used to surveil 50,000 phones – belonging to heads of state, journalists, human rights activists, political opponents and more – may be the highest-profile accusations against the firm, but they are not the first.
Pegasus, which infects phones with spyware through various means, has proven to be a boon to digital authoritarians wanting to track anyone perceived as critical of their rule.
It has also been the subject of numerous lawsuits and legal complaints.
French prosecutors announced on Tuesday that they had opened a probe into allegations that Pegasus had been used to spy on French journalists by Moroccan intelligence, after non-profit Forbidden Stories led an investigation that revealed that states including Saudi Arabia, the UAE, Bahrain and Morocco were using its technology to spy on citizens and dissidents, including Middle East Eye contributors Madawi al-Rasheed and Azzam Tamimi.
Family, friends and close contacts of murdered Saudi journalist Jamal Khashoggi were among the many thousands of people surveilled.
Over the years, NSO, which was founded in 2010, has repeatedly sought to absolve itself of responsibility for how states use their technology to spy on journalists and human rights defenders.
NSO claims it follows all of Israel‘s regulations governing the export of its products and only sells to Israeli allies, never to Israeli enemies. It also claims that it only sells to governments and never to individuals or unauthorized users, and that Pegasus is only intended to fight crime and terrorism.
However, it notes that once it sells the product, it has no control (or so it claims) over how the technology is used.
Middle East Eye delves into the long list of accusations NSO has faced over the years, and how the company has responded.
In August 2016, the United Arab Emirates was found to be tracking the iPhone of Emirati human rights activist Ahmed Mansoor using Pegasus spyware, according to a report by Citizen Lab and Lookout Security.
Mansoor was targeted by a text message that asked him to click on a link for information on prisoners tortured in the UAE.
NSO did not confirm that it created the spyware used to target Mansoor.
However, it said in a statement that it “sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations”.
“Moreover, the company does not operate any of its systems; it is strictly a technology company.”
Other countries the Citizen Lab report found may have used the technology included Mexico; Turkey; Israel; Thailand; Qatar; Kenya; Uzbekistan; Mozambique; Morocco; Yemen; Hungary; Saudi Arabia; Nigeria; and Bahrain.
In a related 2016 case, UAE authorities also employed Pegasus in a phishing attempt targeting MEE journalist Rori Donaghy, who reported critically about the abuses of the country’s autocratic regime.
In the midst of an investigation of this attack, Citizen Lab discovered that 1,100 activists and journalists in the kingdom had been similarly targeted and that the government paid NSO Group $600,000 in these attempts.
In February 2017, Citizen Lab revealed Pegasus had been used to target Mexican campaigners trying to address childhood obesity. The malware had accessed their phones when they clicked on links in texts that read, for example, “While you are working I am f*cking your old lady here is a photo” and “[your daughter] was just in a serious accident… here is where she is hospitalized.”
Later that year, The New York Times reported that the phones of Mexican political, human rights and anti-corruption activists who were investigating possible crimes committed by the government and its agents were infected with Pegasus. The NYT said the victims first noticed the intrusions in the summer of 2016.
The Mexican government denied all responsibility for the spying.
In August 2018, Amnesty International said one of its staff members, as well as several Saudi human rights defenders, had been targeted with Pegasus software, using text messages with links, saying, for example:
“Can you please cover [the protest] for your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington. My brother is detained in Ramadan and I am on a scholarship here so please do not link me to this.”
When Amnesty linked the spying to NSO, the company responded: “Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.”
Amnesty later said it was considering legal action to force the Israeli Defence ministry to revoke NSO’s export licence in light of the cyber-attack.
That same August, the New York Times reported that NSO was facing two lawsuits accusing it of actively participating in illegal spying.
The lawsuits, filed by a Qatari citizen and by Mexican journalists and activists, were filed in Israel and Cyprus, the newspaper said, and documents submitted with the lawsuits show that the UAE had been using Pegasus spyware for at least a year.
According to the NYT, the Emiratis had tapped the phones of the Qatari emir, a chief editor of a London-based newspaper, and a powerful Saudi prince. The UAE, along with Bahrain and Saudi Arabia, were at the time engulfed in a row with Qatar that saw the trio impose a land and sea blockade on their neighbour.
Citizen Lab said in October 2018 that Pegasus technology had infected the phone of a close friend of Jamal Khashoggi, Omar Abdulaziz, before the dissident’s murder – and that the software had targeted human rights defenders in Bahrain, the UAE, and elsewhere.
That same month, US whistleblower Edward Snowden said Pegasus had been used by the Saudi authorities to surveil Khashoggi before his death.
“They are the worst of the worst,” Snowden said of the firm. NSO denies its technology was used “in any way” with the murder.
Also in October, Citizen Lab said its own researchers were being targeted by NSO-linked operatives. The NSO denied the allegations.
Haaretz reported in November that NSO had signed a deal with Saudi intelligence in the summer of 2017.
In a response to Haaretz, NSO said it, “operated and operates solely in compliance with defence export laws and under the guidelines and close oversight of all elements of the defense establishment, including all matters relating to export policies and licenses.
“The information presented by Haaretz about the company and its products and their use is wrong, based on partial rumours and gossip. The presentation distorts reality.”
Then, in December, Abdulaziz filed a lawsuit against NSO, alleging that the company helped the Saudis spy on his communications with Khashoggi, the New York Times reported.
NSO Group yet again said its technology was “licensed for the sole use of providing governments and law enforcement agencies the ability to lawfully fight terrorism and crime”.
Contracts for using the software, it added, “are only provided after a full vetting and licensing by the Israeli government”, NSO said.
“We do not tolerate misuse of our products. If there is suspicion of misuse, we investigate it and take the appropriate actions, including suspending or terminating a contract,” it added.
The company’s CEO, Shalev Hulio, later said that NSO had not been involved in the “terrible murder” but didn’t respond to reports that Hulio had personally gone to Riyadh to sell the Saudis Pegasus software.
In February 2019, a private equity firm that bought the NSO spyware told Citizen Lab they were “committed to helping [it] become more transparent about its business”.
And in April, the firm reportedly froze new deals with Saudi Arabia.
In May, Amnesty said it would file a legal petition to the District Court of Tel Aviv to block NSO’s export licences, while a Saudi satirist living in exile in London filed a legal claim against Saudi Arabia, accusing the country of deploying Pegasus spyware to obtain personal information from his phone.
A Financial Times investigation that month revealed that attackers had been exploiting WhatsApp’s call function to spread Pegasus by ringing up targets.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company responded to the FT. “NSO would not, or could not, use its technology in its own right to target any person or organization.”
WhatsApp, which is owned by Facebook, filed a lawsuit against NSO Group in October that year, accusing it of unlawfully seeking to surveil journalists, human rights activists and others in 20 countries, including Mexico, the UAE and Bahrain.
The lawsuit, filed in a US federal court in California, accused NSO Group of seeking to infect approximately 1,400 “target devices” with malicious spyware that could be used to steal WhatsApp users’ information.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO Group said in a statement.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”
A month before, in September, NSO had developed a human rights policy, saying it would abide by UN guiding principles.
In November, a group of NSO employees filed a lawsuit against Facebook, saying the social media giant had unfairly blocked their private accounts when it sued NSO last month, accusing it of “collective punishment”.
Speaking at a technology conference in Tel Aviv the day before, NSO president Shiri Dolev defended her company, saying NSO technologies made the world safer.
Dolev also said she wished NSO could talk openly about the role it plays in helping law enforcement agencies catch terrorists.
“Terrorists and criminals use the social platforms and apps we all use every day,” she said.
In January 2020, an Israeli judge ordered NSO to fight the hacking case brought against it by Saudi activist Omar Abdulaziz and to pay his legal fees; and a court ruled that Amnesty’s case to stop NSO exporting its software would be heard behind closed doors.
In the same month, Reuters reported that the FBI has been investigating NSO since at least 2017 over its possible involvement in hacking US residents and companies, as well as suspected intelligence gathering on governments.
The company also said it was not aware of any inquiry.
In April, court filings from the WhatsApp case showed that NSO denied responsibility for how its technology was used, saying WhatsApp had “conflated” NSO’s actions with those of its “sovereign customers”, according to The Guardian.
“Government customers do that, making all decisions about how to use the technology,” the company said. “If anyone installed Pegasus on any alleged “target devices” it was not [the] defendants [NSO Group]. It would have been an agency of a sovereign government.”
“NSO Group does not operate the Pegasus software for its clients”, it told The Guardian.
In June, an investigation by Amnesty International revealed that NSO spyware was used against prominent Moroccan journalist and human rights defender Omar Radi.
Amnesty’s report said the targeting of Radi happened three days after NSO’s new human rights policy was released.
In response, NSO said it was “deeply troubled” by the allegations and would immediately initiate an investigation.
“Consistent with our human rights policy, NSO Group takes seriously its responsibility to respect human rights, and is strongly committed to avoiding causing, contributing to, or being directly linked to negative human rights impacts,” NSO said in a statement.
However, the company distanced itself from having ties to Moroccan authorities and said that due to the nature of its business it must safeguard the confidentiality of its clients.
“We are obligated to respect state confidentiality concerns and cannot disclose the identities of customers,” NSO said.
Radi was jailed on Tuesday for six years on sexual assault and espionage charges, accusations which he denies.
In July 2020, a court in Tel Aviv rejected the petition of Amnesty and 30 human rights activists calling to revoke the export licence of the NSO Group, saying it had failed to provide evidence that the Pegasus software was used to spy on activists from the UK-based NGO.
In December, Citizen Lab reported that dozens of journalists at the Qatari-funded Al Jazeera news organization were targeted by a Pegasus attack through iMessage, in attacks likely linked to the governments of Saudi Arabia and the United Arab Emirates.
One Al-Jazeera journalist said he received death threats on his phone: “They threatened to make me the new Jamal Khashoggi”.
The NSO Group cast doubt on Citizen Lab’s accusations in a statement, but said it was “unable to comment on a report that we have not yet seen”.
The firm said it provides technology for the sole purpose of enabling “governmental law enforcement agencies to tackle serious organized crime and counterterrorism”.
Earlier that month, an Al-Jazeera anchor filed another lawsuit in the US, alleging that the NSO Group hacked her phone through WhatsApp over her reporting on Saudi Arabia’s powerful Crown Prince Mohammed bin Salman.
In December, a coalition of human rights groups, including internet rights group Access Now, Amnesty International, the Committee to Protect Journalists and Reporters Without Borders, joined Facebook’s legal fight against NSO, alleging that the company prioritizes profits over human rights, following a similar move by a number of leading tech companies, including Google and Microsoft.
This March, The Guardian reported that the US Department of Justice had renewed its investigation into the NSO Group, months after leading US tech companies said the Israeli firm was “powerful and dangerous” and should not be granted immunity over its role in hacking operations.
The Guardian reported that while the NSO Group was reportedly facing an FBI investigation in early 2020, the investigation seemed to have stalled and the Justice Department was now showing renewed interest in the case.
In July, an investigation led by Forbidden Stories and Amnesty International revealed that thousands of journalists, activists and officials have had their phones targeted or hacked using Pegasus.
In response, NSO denied the “false claims”, called the reports “uncorroborated theories” and part of a “salacious narrative… strategically concocted by several closely aligned special interest groups”.
“The technologies are also being used every day to break up pedophilia-, sex-, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones,” it added.
“Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”
“Notwithstanding the above,” it added, “NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.”
Frank Andrews is a news editor at Middle East Eye