The NSO Group, the Israeli firm infamous for selling spyware to foreign governments that used it against activists, journalists, and dissidents, is in turmoil once again.
Just this week, the Washington Post reported on an account from a whistleblower, Gary Miller, who alleged NSO offered “bags of cash” to Mobileum — a California-based company that works with cellular companies to enhance security — to access global communication networks. Miller, then vice president of Mobileum, said NSO officials wanted to purchase access to the SS7 network, which allows companies to route calls and data for their users. Access to the SS7 network would allow the user to query locations, divert calls, and eavesdrop on targets, providing NSO with a skeleton key that its Pegasus app could use on any phone in the world — including U.S. phone numbers.
Miller reported the conversation to the online FBI tip portal several months later but never received a response.
The company’s role in enabling repressive regimes to conduct surveillance on their critics around the world — in deals licensed by the Israeli government — has led members of Congress like Sen. Ron Wyden (D-Ore.) and Rep. Adam Schiff (D-Calif.) to call for the imposition of sanctions on the firm under the Global Magnitsky Act, which permits the State Department to impose visa bans and freeze assets in U.S. banks against people or entities that commit human rights abuses or corrupt acts.
The latest allegations, which were made possible by a new “Project Pegasus” consortium involving the Post, the Guardian, Israel’s Haaretz and more than 15 other international news outlets, will likely fuel the push for more sanctions.
Just last week, prior to the revelations in the Washington Post, NSO’s chairman, Asher Levi, announced his resignation, although he insisted that his decision was unrelated to the myriad of scandals in which NSO has been implicated. His timing, however, was impeccable, coming just days before the latest revelation and a feature piece in The New York Times Magazine last weekend about NSO’s dealings with U.S. government agencies. The latter investigation revealed that NSO had developed a new spyware called Phantom specifically for U.S. law enforcement that could be used to transform American smartphones into “intelligence gold mines.”
Phantom is an adapted version of Pegasus, NSO’s notorious spyware which provides clients with full access to targeted phones via links in highly personalized phishing messages in WhatsApp, iMessage, and Android. In 2019, the Federal Bureau of Investigation paid NSO millions of dollars to test Phantom, triggering years of debate between the agency and the Department of Justice on the lawfulness of such surveillance. Last summer the agency decided against deploying either Pegasus or Phantom, according to the Times account.
However, in 2018, the Central Intelligence Agency paid for the government of Djibouti to obtain Pegasus despite the country’s record of persecuting journalists and torturing government political detainees, the Times reported. A spokesman for Djibouti’s government denied that the country ever acquired or used Pegasus.
Despite the earlier federal flirtation with NSO, the Commerce Department in November placed the company on the Entity List of businesses whose actions negatively affect U.S. national security and foreign policy interests. Placing NSO on the Entity List effectively banned the company from buying software components from U.S. vendors without a license. It is unclear why the U.S. went from testing the spyware to blacklisting the company, although Haaretz later reported that at least eleven State Department diplomats serving in Uganda found Pegasus spyware on their phones.
Spyware capable of infecting American phones brings home the myriad of reports that foreign governments have used NSO spyware to target activists and journalists around the world. In total, Pegasus has infected at least 450 phones belonging to activists, journalists, and dissidents in at least 16 countries, according to a digital forensics investigation led by Amnesty International and the University of Toronto’s Citizen Lab.
Pegasus’s stated purpose is to target and disrupt terrorism, trafficking, and other illicit crimes, but the spyware has been found on the phones of activists, journalists, and dissidents around the world. Targets were concentrated in countries such as Hungary, Saudi Arabia, and El Salvador, where repression of free speech against government corruption and other abuses are frequent. Perhaps most infamously, Saudi Arabia is believed to have used Pegasus to target the close friends and fiancée of Washington Post columnist Jamal Khashoggi, who was murdered and dismembered in the Saudi consulate in Istanbul in 2018.
But you wouldn’t know all of that if you read NSO’s Foreign Agents Registration Act filings with the Justice Department. Amid all the negative publicity, NSO appears to have launched a major effort to improve its badly damaged image and escape further scrutiny. The main PR firm that represents NSO Group — Pillsbury Winthrop Shaw Pittman LLP —has been busy. In its most recent brief dated January 12, Pillsbury claimed that NSO ``is in fact a force for good in the world," and that it only sells spyware to "governments in the coalition of Western democracy-led countries.”
The Israeli Defense Ministry regulates exports of the Pegasus license, a fact NSO repeatedly points to as evidence of its strict licensing criteria. The cast of suspects in Haaretz's NSO File, however, includes Saudi Arabia, Morocco, and the UAE — not countries known for their democratic governance. Last month, NSO added Chartwell Strategy Group to its PR campaign with a new contract for “strategic communications counsel.”
“Who will want to work with a company that’s been so publicly sanctioned by the U.S. government,” asked David Kaye, a former UN special rapporteur on the right to freedom of expression who called for global restrictions on surveillance technology shortly after the Commerce Department’s listing. “Who would invest in a company with this kind of black mark?”
Apparently, the state of Oregon would. In 2017, the Oregon Public Employees Retirement System invested $233 million in Novalpina Capital, a private equity firm that acquired a controlling stake in NSO in 2019, earning Oregon the dubious distinction of being the spyware company’s largest indirect investor. John Russell, the chairman of the Oregon Investment Council, defended the decision by insisting that divesting from “questionable sectors” would exceed the Council’s mandate and turn it into an “activist body.”
At least one Oregonian doesn’t see it that way. As noted above, Sen. Wyden and Rep. Schiff, chairman of the House Intelligence Committee, and a dozen other Democratic lawmakers, have proposed taking the Commerce Department’s decision one step further by implementing targeted Global Magnitsky sanctions against technology companies that have facilitated human rights abuses, including NSO. U.S. persons are prohibited from engaging in transactions with entities under such sanctions, effectively cutting them off from the political access and financial backing that many arms exporters depend on.
So why is this a necessary step? As Wyden and Schiff point out, “these surveillance companies do depend on the U.S. financial system and U.S.-based investors.” Since NSO depends on a significant amount of business and investors located in the United States, such as Oregon’s pension fund, this would be an effective way of sanctioning NSO’s ties to abusive governments. President Biden could also encourage U.S. allies to sanction the company, exerting pressure on UK-based Novalpina, which bought shares of NSO valued at $1 billion. Lastly, sanctioning NSO would be a way for the Biden Administration to regain trust with the American public after the CIA and FBI reported previous cooperation with NSO.
Even if the U.S. forgoes purchasing such surveillance technology, NSO customers like Saudi Arabia and the UAE remain eager consumers. International cooperation and diplomacy are more important than ever. A restraint-based approach to cyberwarfare is imperative to protect fundamental values of democracy – freedom of speech and right to privacy – and Global Magnitsky sanctions on human rights violators like NSO would be a strong step in enforcing those values on the world stage.
