NSO Group's 2023 Irresponsibility Report

AT A GLANCE

On New Year's Eve, after a year of headlines dominated by accusations of human rights abuses, the Israel-based spyware maker NSO Group quietly released a second edition of its Transparency and Responsibility report. While 2023 was marked by the unscrupulous use of its flagship product, the Pegasus spyware, the previous edition of NSO's report dates back to another moment when the company was in the headlines for its clientele: the revelation that President Emmanuel Macron had been targeted by Pegasus.

Our research has seen an unprecedented rate of spyware usage in 2023, for a variety of reasons running the gamut from anti-terrorist operations to unlawful spying on journalists and political dissidents; for this reason, and much more, we had referred to it as the year of spyware. In the case of Pegasus, we had specifically observed that, alongside other intrusive surveillance technologies, it was increasingly used across the globe to spy on political dissidents, journalists, and members of civil society. This wanton abuse of human rights by both authoritarian and illiberal regimes, using cybersurveillance weapons such as Pegasus, cannot leave anyone indifferent. As articles pointing out the use of these tools pile up and investigative journalists keep monitoring the organization, NSO was simply unable to remain silent. Despite the fanfare tied to its release, and though it casts itself as a response to increased global scrutiny, we found that the report actually answers few of the concerns raised about spyware. Ultimately, NSO remains intent on avoiding transparency and shifting the blame onto its customers' use of Pegasus.

A Message From the CEO

From the start of the report, down to the open letter drafted by NSO's CEO, Pegasus is cast as an essential tool in preventing and neutralizing terror attacks. NSO CEO Yaron Shohat kicks things off by stating that "[the] 'success' of terror attacks like these [Hamas, October 7th, 2023] were often facilitated by the use of end-to-end encryption applications which are used by terror organizations as a primary means for planning and executing attacks." Here, Shohat attributes the success of the October 7th attacks to end-to-end encryption (E2EE), a claim that has already been disputed by a number of national security experts. Beth Sanner, the former United States deputy director of national intelligence, is one such voice and attributes Hamas' ability to "keep such a vast operation - which included many, many trainers, lots of operational training, and bringing in a vast amount of munitions - close-hold because they went very old school". That is to say that, as others have pointed out, Hamas cadres and footsoldiers simply decided to forego technology in planning and conducting the attack. Based on the current evidence, NSO's indictment of E2EE seems unwarranted, yet, as we will see, it proves to be a red thread throughout this report.

Shohat continues, stating that "in 2021, we published our first Transparency and Responsibility Report to share who we are, what we do, and how we approach and embrace our responsibility to conduct business in an ethical manner and uphold human rights to the fullest extent." As mentioned earlier, the last report came after the discovery that President Macron had been targeted by the Pegasus tool. NSO's concerns about transparency and responsibility thus come across as being less about the ethics of manufacturing a product such as Pegasus and more about saving face and maintaining respectability in military industrial technology circles. On this point, Shohat affirms that "there has been a significant decrease in reports of product misuse during 2022 and 2023, a result attributed to our diligent compliance activities and efforts." We can assure you, the 27-page report does little to indicate or chronicle any "significant" decrease in product "misuse". Moreover, no actual indicators were published by NSO pointing to a decrease in human rights abuses perpetrated through Pegasus.

What NSO says in this report is as important as how it says it. By casting its clientele's profligate use of Pegasus to perpetrate human rights abuses last year as "misuse", a word used more than 60 times in the report's 27 pages, NSO seems intent on downplaying these instances rather than calling them what they are. Ultimately, the company is walking a tightrope, seeming to denounce human rights abuses perpetrated with Pegasus without angering its clients.

Downplaying the prevalent human rights abuses committed by its unscrupulous customers, NSO opts for the word misuse rather than calling them what they are. The characterization of misuse appears 62 times in this 27-page report, roughly over two times per page. This portrays Pegasus misuses as mere incidents that rarely occur and that are blatant perversions of the initial intent behind the creation of the tool. After all, NSO is a business that seeks to turn a profit on the products it sells, and it has opted to sell to unsavoury entities to avoid missing debt repayments. As the Financial Times reported, in 2021, "NSO Group was in perilous financial straits, having gone months without a new sale and in risk of missing its debt payments and its November 2021 payroll payments. NSO CEO Shalev Hulio suggested to BRG that the company should improve its financial standing by starting to sell its products to high-risk customers previously deemed unacceptable." We would like to believe that this is no longer the case, but this report gives us no proof that it is. Considering the customer base NSO still has, trusting it at face value is a tall order. The instances cited in the report where the organization "even terminated customers who failed to meet our compliance expectations, and contractual obligations" can, of course, not be validated: NDAs have been signed.

Executive Summary

NSO's report then continues in the paradoxical realm, this time stating that its "capacity for action is also limited by the fact that we do not operate our products, nor do we have any real-time visibility or influence with respect to the particular individuals investigated by our government customers using our products". And so, while Pegasus is cast as a key tool in the fight against terrorism and in securing individuals' right to security, its manufacturer has no recourse to ensure that such a powerful weapon does not end up in the wrong hands. Over and over again, the authors aim to shift blame and dispel any notion of responsibility for the use of their weapon against innocent citizens: "we are not at fault", "we are not to blame", "we can't do anything to stop it" are the report's operative clauses. The report thus attempts to dispel falsehoods and explain what Pegasus does and, just as importantly, what it does not; these explanations are, interestingly, peppered with rebuttals of accusations no critic of Pegasus has voiced. For instance, the CEO defends Pegasus against the charge of being a mass surveillance tool, a claim that no one familiar with the use of the tool has made. By stating obvious facts about what Pegasus cannot do, the authors attempt to draw attention away from what it has been used for.

About NSO Group

Following a short introduction of the company, the authors describe NSO's mission, solidifying it with the statement, "[terrorist] organizations, organized crime groups [...] continue to exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications." While this is true, recent years have shown that many of these E2EE applications, and more specifically the phones running them, have been compromised by intelligence agencies and law enforcement alike, negating the need for cybersurveillance weapons such as Pegasus. Another attack on E2EE follows, as the authors illustrate what they describe as the "Going Dark" problem. E2EE is described as "greatly [benefitting] law-abiding citizens who seek to protect their information from malicious hackers", without recognizing the extent to which it is a legitimate way to maintain privacy. From malicious hackers? From overreaching governments? From authoritarian regimes? Indeed, from any prying eyes that want access to the most intimate confines of our lives. Secure and private communications are not the depraved and suspicious desires of potential enemies of open societies; they are a right, and one increasingly relevant in our times. Mischaracterizations of the desire for security and privacy are deeply counterproductive, but they do highlight to whom this transparency and responsibility report is in fact addressed.

Our Products

Restating that it does not bear responsibility for the weapon that has made some of 2023's most unsavoury headlines, NSO asserts that it "does not operate Pegasus, nor do we have any knowledge about the individuals whom our government customer might be investigating or the plots they are trying to disrupt as part of their highly confidential intelligence and law enforcement operations." This same lack of visibility applies to those deploying Pegasus to target political dissidents, journalists, activists, human rights lawyers, or political figures. Therein lies the problem: as NSO Group cannot possibly know how the tool is used or on whom, it must rely on whatever narrative its customers tell it. Though the authors highlight that Pegasus is "subject to strict regulatory oversight from export control authorities who conduct their own assessments of human rights risks", this is not a saving grace of any sort. Pegasus' political ties to governments are such that it was even endorsed by Prime Minister Netanyahu:

Pegasus has been used by government agencies to address serious crimes and save lives on a massive scale. With our technology, intelligence and law enforcement authorities around the world have thwarted numerous terrorist attacks, captured and brought pedophiles to justice, broken up criminal organizations and drug trafficking rings, and freed kidnapping and human trafficking victims.

The highly sensitive and confidential nature of the intelligence and law enforcement operations of sovereign governments prevents publication of details related to these success stories. This creates a significant information asymmetry between the benefits derived from the use of Pegasus and the potential adverse impacts associated with its use. In turn, this raises the question: at what point do the risks outweigh the benefits of using Pegasus? Is it acceptable to monitor people on a whim? Can we stomach innocent people being monitored through extremely intrusive technologies? We do not know the number of terrorist attacks prevented, sexual traffickers arrested, or narcotics gangs disrupted. We do, however, know that an enormous number of individuals have had their human rights violated with Pegasus for no good reason. We are once again asked to trust the word of NSO Group, a company motivated by profit which, at this point, has been shown to come consistently from both authoritarian and illiberal regimes.

In highlighting the rights from the United Nations' Universal Declaration of Human Rights that it seeks to protect, NSO conveniently leaves out the right to privacy.

Our Approach to Human Rights

NSO assures its readers that "we do not license our products to customers where, following our human rights-focused due diligence process, we believe there are inadequate protections in place to mitigate the risk of misuse, or where country-specific conditions create an unduly high risk of misuse." Yet Pegasus found a home in the hands of warlords fighting for control of Libya, the hereditary autocracy that is Azerbaijan, and Jordan, to name only a few. The authors further attest that NSO Group "fully recognizes that sophisticated cyber intelligence tools like Pegasus can be misused to negatively impact individuals' right to privacy, chill free speech, and undermine public discourse", in turn half-heartedly downplaying the widespread effects that Pegasus can have on a society.

Picture yourself as a journalist, an activist, or someone who aspires to be either, finding out that you were targeted with Pegasus. Imagine that, as is too often the case in parts of the world, your government has a track record of targeting such people. You may self-censor and forego any sort of dissidence, and its control over your thought, speech, and expression grows that much stronger, cementing its hold on an entire population.

These days, our attachment to our phones is almost akin to a body part, for better or worse. Spyware such as Pegasus gives its operators a full view into the deep recesses of one's life by infiltrating one's mobile device. It listens in as you leave your phone idly by and have private conversations, order groceries, or even engage intimately with those you love. Such a power is enough to bolster self-censorship, undermine public discourse, and quell dissent. In this context, NSO's accounts are a slap in the face of those violated by Pegasus. The authors proudly state that "since the establishment of our human rights compliance program in 2019, we have learned from our past experiences and continuously improved our processes." Nine years after its inception, NSO Group instituted a "Human Rights Compliance Program", for which it expects recognition. As human rights violations involving Pegasus continue to be reported, one can't help but wonder what function this program actually fulfills. The authors assure us that "we integrate our Human Rights Policy into our business processes in order to identify, prevent, and mitigate the risks of adverse human rights impact." Once again, despite this, its failures are both frequent and spectacular.

Assessment of Risks

While considering the risks inherent to the work it does, NSO recognizes that "these risks, when realized, can result in violations of fundamental human rights, including the right to privacy under UDHR Article 12 and ICCPR Article 17."

As previously mentioned, NSO's report appears to prioritize the right to security to the detriment of the right to privacy, and one could say that its business model is fundamentally antithetical to the right to privacy. NSO reiterates that it "does not sell any [...] products to sanctioned countries, countries on the Financial Action Task Force (FATF) blacklist, or countries that do not pass our human rights due diligence." Considering the aforementioned examples of regimes that rely on Pegasus, one wonders about the rigour of the human rights due diligence it performs. Its methodology is set out as follows:

"For opportunities classified as moderate- or elevated-risk, we undertake some or all of the following measures to prevent or minimize the risk of product misuse:

  • Enhanced human rights training and contractual safeguards for operators and management;
  • Periodic customer certifications and declarations, including prior to maintenance renewals;
  • Periodic on-site audit by the company's Compliance Team or by an independent third-party auditor;
  • Periodic activity reports submitted by client executives;"

While "periodic" on-site audits are conducted, the company has made it clear earlier in the report that it cannot have any insight into the goings-on of its clientele. So what do these "periodic" on-site "audits" entail precisely? Ostensibly, they do not contribute to deterring or stopping misuse of Pegasus. Insight into the periodic activity reports is again shielded by the use of Pegasus in special operations: we are once again left without any specifics on how precisely these curb the misuse of Pegasus.

NSO relies on individualizing the responsible use of Pegasus, stating that its customers "are required to:

  • Receive and review NSO Group’s Human Rights Policy and understand the terms expressed therein;
  • Not use the company’s products against officials of any foreign governments;"

Wording is key: receive and review, and make sure you understand it! Whether that acknowledgment translates into action is not of NSO's concern nor part of its mandate, which leaves plenty of room for misuse and abuse. Responsibility is also individualized for NSO staff, as the CEO states that "between January 2021 and December 2023, we held human rights training sessions for a total of 546 participants across all company's departments." While the number of employees at NSO Group varies depending on the source, what is clear is that this number in a vacuum means nothing. What percentage of NSO employees received this training? What was the length of the training: was it a 5-minute refresher on how not to violate human rights? Can this be considered a genuinely effective response to the systemic abuse of Pegasus?

UNDER THE MICROSCOPE

Taken in a vacuum, this Transparency and Responsibility report would be another failed attempt at cleansing a company's reputation, an umpteenth desperate plea from an embattled company to turn the spotlight away from its misdeeds. Sanctioned by the US since 2021, NSO Group has been mounting a quiet comeback since the attacks of October 7th, even enrolling former diplomats to lobby on its behalf to secure a renewed bill of health among nations and military industrial titans alike. This report is a cornerstone of NSO's attempt to whitewash its image, and it was aimed not at the broader public but at its potential customers.

Full-blown wars are erupting across the globe as societies living in nominal peace are marred by political radicalism and social and economic crises. As authoritarian regimes grow bolder and more radical, illiberal rulers are elected across the Western world and, as the last few years have shown, the temptation to invoke security to bypass due process and institutions is stronger than ever. Tomorrow's states of exception will not resemble those of yesterday, and products such as Pegasus are bound to play a central role in them.

NSO will continue making its case, arguing that it does not, in fact, operate Pegasus, that E2EE usage is suspicious, and that it has appropriate processes for internal validation. What Pegasus has proven to us is that it is a formidable tool to stifle dissent, intimidate journalists and members of civil society, and keep an eye on select individuals. If NSO’s rehabilitation attempts succeed in our current political climate, the focus on protecting security will have eclipsed the importance of preserving civil rights and privacy.