The UK private equity firm Novalpina, which purchased a minority stake in the world’s leading cyber-war company, NSO Group, has released several statements heralding the Israeli firm’s adherence to the highest standards of ethical practice, despite leading media outlets reporting numerous instances in which its malware led to the abuse, imprisonment, and even murder of human rights activists, lawyers, and journalists.
I reported here that Novalpina’s founder, Stephen Peel, fancies himself a philanthropist dedicated to promoting good government, economic development in Africa, fighting corruption, etc. Until a few days after the NSO transaction closed, he was the finance chair of Global Witness and a key member of its board of directors. Neither Peel nor the NGO is saying whether Peel resigned or was pushed. Though Global Witness’ board chair released a statement implying that the reported uses of NSO’s technology violated the principles on which GW was based, he did not say this explicitly. But it was clear that Peel’s continued presence on the board would have caused endless heartache and bad PR. I submitted questions to Mark Stephens, GW’s board chair. He has not responded to them.
In response to a series of questions I posed to Novalpina, its strategic communications advisor, Iain Dey of Edelman, released the following statement to me:
Novalpina statement re: NSO Group
…Novalpina Capital is committed to operating under the highest standards of corporate governance, acting with integrity and a respect for human rights at all times. We are a signatory to the UN Principles on Responsible Investing, and we also believe that NSO Group should be – and can be – operated in accordance with the UN Guiding Principles on Business and Human Rights.
NSO Group is a world-class business whose technology plays a vital role in helping intelligence agencies and law enforcement investigate and protect the public from terrorism and crime. The due diligence process that we undertook on this transaction was very thorough and conducted over several months. It included a comprehensive assessment of NSO’s approach to vetting potential customers and its process for addressing questions of misuse.
At the same time, we understand the concerns expressed by a number of NGOs that this technology has the potential to undermine human rights.
Over the coming months, we will build upon the existing ethical conduct and governance framework for NSO Group to ensure that this is grounded in the United Nations Guiding Principles on Business and Human Rights and underpinned by a commitment to full transparency in line with those Principles.
We intend to work closely with human rights activists and other civil society groups in designing that framework to ensure that the critical life-saving technology supplied by NSO Group to intelligence agencies and law enforcement is used responsibly and ethically.
This response essentially ignored the questions I’d asked and offered what appeared to be a template consisting of its talking points defending NSO and the purchase. So I tried again with a new set of more detailed questions:
Since your statement appears to be generic and not specific to my questions, let me ask them more specifically:
1. In Novalpina’s purchase agreement, which party/parties will be responsible for any potential financial obligations arising from legal settlements with parties suing NSO Group for damages? Is Novalpina assuming any of these? Francisco? Or NSO itself?
2. Your statement says NSO “should” and “can be” operated according to the UN Principles on Business and Human Rights. That implies that it does not follow these principles currently. Assuming that is so, what specifically will Novalpina do to ensure it comes into compliance?
3. Considering the massive levels of abuse of ethical principles in NSO’s previous sales of its products to police, intelligence agencies, and corporations; that is, clients who used them to spy on journalists, human rights activists and victims, human rights lawyers–how was your “due diligence” research conducted? What criteria did you use in such evaluation that permitted you to determine it did follow ethical principles or would follow them in future?
4. You mention that NSO’s technology has the “potential” to undermine human rights. This neglects the fact that human rights groups like Amnesty International, Access Now, the NY Times and others have already documented real abuse of such principles in the past (and likely ongoing) by NSO’s technology. I’m curious why your statement refuses to address this past abuse. If you don’t acknowledge the damage already done, how can the NGO community trust that you will avoid it in future? And if you prefer to focus on the future, how specifically will NSO and its financial partner, Novalpina, guarantee that things will be different?
5. Which human rights NGOs will you be working with to ensure NSO complies with ethical principles and does not endanger such values? And how will you recruit them? How do you propose to gain the trust of such NGOs whose employees have been targeted by Pegasus?
In other words, your statement is long on aspirations and extremely short on tangibles. Given the damage done in the past and continuing today as far as we know, how do you propose to achieve these lofty and vague goals?
Thank you for your follow-up questions, which we have passed to Novalpina Capital. The company has already indicated that it wishes to engage with the human rights NGOs and other civil society groups that have indicated their interest in this area, a number of whom have separately asked questions that are similar to your own. We will revert with further information in due course.
Last November, NSO began its own PR offensive designed to neutralize the bad press and highlight supposed constructive uses of its technology. To do so, it organized dog and pony shows in which it boasted about the terror attacks it thwarted, the pedophile rings it broke, etc. The response from invited audiences was thunderous applause. If you didn’t know better, you’d think that NSO was doing the cyber-equivalent of curing cancer.
The problem with these claims is that they’re undocumented. We know that the company has lied in the past about uses of its technology. For example, co-CEO Shalev Hulio vehemently denied that Pegasus played any role in the murder of Jamal Khashoggi. But in fact, we know that the malware infected the phone of one of the journalist’s closest associates. This in turn could easily have given Saudi Arabia’s killers all the information they needed to track their victim to the consulate where he was murdered. Edward Snowden has made such a charge himself.
If we cannot trust NSO’s denials of wrongdoing, how can we trust its claims of good deeds? Unlike in the former cases, in which Citizen Lab has documented the presence of Pegasus through physical inspection of infected cell phones, the company has provided no external documentation of its claims. It has offered no physical evidence of text messages intercepted, no cell phone audio of conversations between conspirators, not even confirmation from intelligence agencies or governments that it used the product in its criminal investigations. Without such evidence, why should we trust them?
As for Dey’s claims that Peel wants to reach out to NGOs to assure them of the ethical uses of NSO products: why would Amnesty International, whose employees were targeted and hacked by Pegasus, be interested in such an overture? It’s more likely that Novalpina will use such meetings to co-opt criticism, rather than actually change the Israeli firm’s cyber-protocols or business model.
If you were a CEO whose company was generating $250 million in revenue a year, why would you change your business practices, unless you faced prison time or your company was threatened with bankruptcy? But unlike Harvey Weinstein, who lost his entire company, NSO’s founders are basking in the notoriety, not to mention the millions showered upon them by the likes of Stephen Peel. Governments and intelligence agencies are beating a path to their door.
There is no set of rules to follow, despite what Novalpina claims. Companies engaging in cyber-war don’t adhere to UN principles and it’s laughable to pretend that they do and that they would even want to. It would be wonderful if NGOs themselves could organize an international lobby to pressure adherence to such a set of protocols; along with a set of sanctions or punishments for those who violate them. If Peel made this sort of proposal, people might take him seriously. But he won’t because he cares more for return on investment than protecting journalists from being murdered.