Like Donald Trump, Israel’s premier cyber-spying firm has had a rough couple of weeks. Things began promisingly enough when an over-indulgent Israeli district court dismissed a lawsuit brought by Amnesty International on behalf one of its staff members whose phone was hacked by a Gulf state. The NGO correctly called the ruling “disgraceful:”
“Today’s disgraceful ruling is a cruel blow to people put at risk around the world by NSO Group selling its products to notorious human rights abusers. At a moment when NSO and the Israeli MOD [Ministry of Defense] should be held accountable for their practices, it is appalling that the court has failed to do so,”
NSO’s client, of course, did employ its Pegasus malware to hack the staff member’s phone. Despite the fact that Citizen Lab did a forensic examination of the phone showing it was hacked by a nation-state, the court ruled that Amnesty had failed to prove that NSO or one of its customers was responsible for the hack. I’ll bet if the company’s CEO came to court and admitted the crime the court would have let him off. That’s how much the Israeli judicial system is in the pocket of the national security state.
— John Scott-Railton (@jsrailton) July 16, 2020
Thankfully, a federal court in California ruled completely opposite in a case brought by Whatsapp regarding another NSO exploit which targeted 1,400 users and their communications. The vulnerability was used again by a Gulf State to target its perceived enemies. When Citizen Lab discovered the exploit, Whatsapp sued NSO. Yesterday’s ruling rejected an attempt by NSO’s lawyers to dismiss the case before trial. The judge found more than sufficient cause to permit the case to move forward. Though Whatsapp has not won a final victory, this ruling shows it has a likelihood of prevailing and should be warning sign to NSO.
NSO is spending tons of money hiring the Big Guns of the DC lobbying world in its fight against Whatsapp. This portion of one of its filings (below) reveals that former acting Attorney General, Rod Rosenstein has been hired to offer legal advice. Of course, NSO is trying to hire Big Names to show the U.S. legal community that it has them on its side. And of course Rosenstein is happy to earn Big Bucks defending the unscrupulous, just as he once represented Donald Trump.
WOW! Just discovered that Rod Rosenstein is defending spyware company NSO Group in the @WhatsApp case. Quite the career pivot after prosecuting foreign hackers as Deputy Attorney General. THREAD 1/ pic.twitter.com/8Y3tSsZ33t
— John Scott-Railton (@jsrailton) May 30, 2020
Yesterday, Citizen Lab (CL) announced a new set of charges against NSO, in which the Spanish government’s intelligence agency used Pegasus to hack the phones of the political leaders of Catalonia including the former provincial leader, living in exile in Belgium, and the speaker of the regional parliament. The victims have announced the filing of a lawsuit against the national intelligence chief.
Another shocking development is an interview published in Die Welt with NSO CEO, Hulio, in which he contradicts an earlier claim by the company that it was not responsible for abuse of its products by its clients because it could not monitor their use of Pegasus. In the interview, Hulio admits that NSO can and does monitor client use:
Hulio also admits for the first time [that] NSO is, in fact, able to discover who its customers spy on with the help of Pegasus.
Hulio says that his company only sells the program if customers agree to allow NSO to document its use. Every step is recorded on company servers, he says, and NSO has access to those records. If the customer does not adhere to the agreement, NSO can even remotely disengage Pegasus, Hulio says. “We can send a command to the system to stop working. It will prevent from all new installations to happen. So you will not be able to install it on a new phone. The system will be useless.” He says the company has even made use of the function on one occasion, although he declines to name the country and agency involved.
However, Hulio absolves NSO of any culpability for the abuse of its malware saying that he was in no position to second-guess a client about the reasons for targeting a particular individual. The moral contortions of this statement are a sight to behold:
NSO does, in fact, bear some of the responsibility for how Pegasus is used. And for a private company, that is a huge amount of power, particularly given that the program has been sold to dozens of countries and deployed against thousands of people.
Many of those people are innocent of any wrongdoing…Why wouldn’t NSO prevent a thing like that despite apparently having the ability to do so?
Hulio prefers to dodge such questions. He doesn’t want his company’s software to be used to violate human rights, he says. But intelligence work is challenging and “That’s what it takes to catch the bad guys sometimes…
The classification of who is a terrorist and who is not, he says, can certainly be a matter of some contention, with each country having a different view. But NSO, he insists, has no influence over such debates. Furthermore, he adds, just because a human rights activist is placed under surveillance doesn’t mean that there are no legitimate reasons for such monitoring. “Is a lawyer a legit target? A human rights activist, is he a legit target? Yes or no? A sixteen year old kid? The answer is: it depends.” What he means to say is that outsiders are not in a position to determine if the target of surveillance is innocent or not.
But NSO’s role as a direct accessory in the assassination of Jamal Khashoggi and the prison sentences of numerous human rights activists in the Gulf mean that it is not an “outsider” at all. Are cigarette companies outsiders when their customers smoke their product and die of lung cancer? Are gun companies absolved of responsibility when their products are used to commit mass murder (despite what Congress may say)?
Citizen Lab has also exposed continuing abuse by the Mexican government targeting journalists covering criminal operations of drug cartels. In one recent case, a reporter who founded a newspaper reporting on drug crime in the heart of a cartel’s territory was forcibly removed from his car, his body riddled with ten bullets, his computer and cell phone stolen. Afterward, his wife, who is also a human rights activist, was targeted by Pegasus. CL has traced the hack attempt to the Mexican government. Other reporters at the same newspaper were also targeted by Pegasus.
If you are wondering why the wife of a reporter murdered by a drug cartel would have her cell phone hacked by Mexican authorities remember, there is no line distinguishing drug dealers from the state. Often they are interchangeable.
One of the bitter ironies of this incident is that Hulio loves to point out that Pegasus was used to capture El Chapo, a notorious Mexican drug lord. In all his interviews, he trumpets that Pegasus is meant to expose drug dealers, terrorists and sex traffickers. He doesn’t note that often it is his own clients, the police and intelligence agencies of brutal dictatorships who are the criminals.
Hulio’s refusal to monitor customers’ use of his product is a disavowal of moral responsibility. It’s also ironic that Hulio (like Mark Zuckerberg in his Georgetown speech) welcomed international regulations to govern the use of cyber-spying technology. He said his company would adhere to such standards. But he went on to note that it was unlikely this would ever happen. Clever boy: say you’d be happy to play by the rules, while blaming the world for not creating any rules to play by.
But this does expose a massive breakdown in international governance. Cyber-surveillance is a lucrative industry which, by its very nature, transcends national boundaries. If any commerce was meant to be regulated globally it would be this one. The outrageous ruling in the Israeli case proves that nations cannot be trusted to monitor and regulate companies like NSO. Yet neither the United Nations nor any other world body has mounted an effort to create such a regulatory body. Doing so is critical if we are to stop the egregious criminal behavior of companies like NSO.
Venture capitalist, Stephen Peel bought a controlling interest in NSO a few years ago. Now, he is seeking a financing syndicate to buy him out and reward him for his billion-dollar investment. The syndication is being managed by Jeffries Group. Citizen Lab has warned both companies of the criminal implications of the operations of company they are investing in and the operational damage they could incur by advancing NSO’s commercial interests. Neither Novalpina nor Jeffries appears to have much in the way of moral compunctions when there are massive amounts of money to be made.