Omar Abdulaziz, a Saudi dissident who sought refugee status in Canada, was a close associate of murdered journalist, Jamal Khashoggi. They planned a number of projects to promote reform in their native country and combat Saudi propaganda efforts on social media. Around the time Khashoggi was murdered by Saudi assassins, Abdelazziz discovered that his cellphone had been hacked by one of the most powerful malware programs on the international market. It’s called Pegasus, and it’s manufactured by the Israeli cyber-war company, NSO Group.
Pegasus enables its owner to “break” a cellphone and intercept virtually every function of the device including its microphone, video, e-mail, phone and texting capabilities. In other words, once you’ve hacked such a phone you are practically inside the mind of the victim. You know every word he writes, every word he says, everywhere he goes.
NSO claims its product is used only to fight real crime like drug trafficking and terrorism. While there are such legitimate uses, Pegasus has become associated with some of the world’s most troubling attacks on human rights activists, journalists and corporate governance reformers. And these uses are extremely lucrative. The company’s profits hover well over $100-million annually. Two attempts at purchasing NSO by a venture capital firm and a technology company indicated that the Israeli company was that shiny high-tech bauble, a unicorn (with a $1-billion valuation).
NSO’s financial success rests on a dubious business model, which causes great suffering in countries whose intelligence agencies are engaged in violent repression of popular democratic voices. The New York Times documented that Mexican intelligence used it to monitor the activities of parents seeking the whereabouts of their murdered children, and journalists exposing human rights abuses. In Bahrain, a Shia human rights crusader discovered Pegasus had been used to crack his phone. As a result, Bahraini police intercepted his text messages and used them in criminal proceedings that ended in a ten-year jail sentence for threatening the prerogatives of the ruling Sunni family.
Pegasus has also been employed in attempts to “break” the phone of an Amnesty International staff member. The NGO has not named the staff member or his location, but the original text was written in Arabic and invited him or her to cover a protest outside the Saudi embassy in Washington DC.
This led the Israel chapter of Amnesty to demand publicly that the ministry of defense cancel NSO’s export license. Though that’s unlikely to happen just yet, it does add momentum to calls for restraining the worst excesses of this company.
Saudi Dissident Files Lawsuit in Israel Against NSO Group
A new lawsuit, initiated by Israeli-Palestinian law professor, Mazen Masri, who teaches at London’s City University, is one of a number of attempts by NSO victims to hold the company legally accountable for the damage it caused. As such, it could be a pioneering tactic in countering the increasing use of cyber-war weapons against NGOs, journalists and others fighting for justice in their societies. The Israeli lawyer who filed the suits in Israel told the New York Times:
“We are pushing to make the law catch up with technology” and show that the spyware makers “are complicit in these privacy violations,” said Alaa Mahajna, an Israeli lawyer who filed the lawsuits in cooperation with Mazen Masri, a senior lecturer in law at the City University of London.
As Abdulaziz was so closely associated with Khashoggi in his efforts to reform Saudi society that clearly the latter’s electronic devices would also have been targeted by Saudi intelligence. Edward Snowden has suggested publicly that the Saudi’s had succeeded in breaching the journalist’s cell phone, though there has been no direct confirmation from Turkey, which presumably has his computer and cell phones.
But the Saudis wouldn’t have even needed direct access to Khashoggi’s devices. Abdulazziz told reporters that he maintained long and close contact with the Saudi dissident journalist. They discussed freely and openly their distaste for the Saudi ruling family. Khashoggi, as his friend has said, didn’t hold back. He was unsparing and bitter in his belief that the regime was irredeemable. So MBS knew virtually everything he needed to know from intercepting Abdulazziz’s communications.
Israeli Technology Implicated in Murder of Khashoggi
Haaretz has tied NSO products like Pegasus directly to the Saudis, documenting sales of ten of millions which enable intelligence operatives to spy on the Saudi Crown Prince, Mohammed bin Salman’s enemies. A separate Haaretz report noted that former Israeli prime minister Ehud Barak, served a key role in brokering a deal by the Saudis to engage Israeli cyber-security firms in their efforts to purchase surveillance products like Pegasus. Though the article does not specifically say Barak brought the Saudis together with NSO, given that the company has indeed signed lucrative deals with them, it seems highly likely Barak made this match between the two parties. As such he would earn a hefty finder’s fee, though the story doesn’t mention this either. This is yet another way in which Israeli ex-generals and intelligence chiefs feather their nests with lucrative company directorships and deal-making on behalf of some of Israel’s shadier corporate interests.
Peter Micek, the general counsel of Access Now, which has led the technical effort to trace the use of Pegasus and protect its victims, told me his organization would welcome the opportunity to inspect Khashoggi’s devices to determine whether they were compromised. A tweet to the Turkish foreign minister asking if his country would consider permitting this transfer to the NGO, was not answered.
If the Saudis had hacked Khashoggi’s phone, they would have had a perfect monitoring system to know not just his physical whereabouts, but everything he did, said, or wrote. They’d know if he intended to visit the Saudi embassy in Istanbul and they’d know when. They could track him as he made his way there. It would enable his assassins to lay in wait and know the precise moment when they should pounce. But even if they didn’t have direct access to his device, they did have access to at least one of his close associates and possibly others.
All of this means that NSO Group quite possibly is an accessory to Khashoggi’s murder. No court has yet ruled on the question of culpability for the manufacturer of a product like Pegasus which is used to harm people and even kill them. But the new lawsuit filed in Israel may begin to pose some of these matters in a legal setting.
Cyber-Technology Companies as Extensions of Nation States
Another less understood aspect of NSO’s business model is that it is not simply a single company pursuing its own business interests. In fact, its very existence, its staff, its products are all deeply intertwined with the Israeli national security state. The company is an extension of the state. When it sells tens of millions in products to Saudi Arabia it is not merely enriching its bottom line. It is advancing Israeli security interest by drawing the Saudis ever closer to Israel.
This in turn, strengthens Israeli objectives in combating the Iranian regime, which is a shared enemy of Israel and the Saudis. The Bahraini regime too, which used Pegasus to trap Ahmed Mansour, is yet another Saudi ally. Other Gulf states have used Pegasus against domestic opponents and signed cyber-security and surveillance contracts with Israeli companies worth billions. Israeli technology has become a bulwark in propping up the region’s most autocratic, repressive regimes.
Call for International Accord Governing Use of Cyber-Hacking Tools
For years, activists, human rights advocates and scholars of international law have recognized that the field of cyber-war technology is a Wild West of moral ambiguity. There are no regulations, not even common consensus regarding behavior and methods used in this field.
But individuals and NGOs deserve special protection from invasive technology that violates privacy and endangers them physically. Unless they have engaged in criminal activity as defined under broad internationally-accepted terms (as opposed to terms defined by individual states, which might diverge from crimes as defined by most democratic states), targeting them should be illegal. Violators should be subject to punishment under terms determined by an international convention.
Since many of these cyber-tools are used covertly to advance the interests of nation states, we cannot trust countries to police these companies. Not to mention that the very nature of cyber-attacks transcends national borders. Therefore, regulation must be done by a body like the World Trade Organization, which includes countries as members, but supersedes them in regulating matters under its jurisdiction.
We can no longer even say such an agreement is necessary before someone gets killed. Someone has been. The United Nations and similar international bodies must begin to craft such a protocol now before more innocent people die.