The cost of deploying a spyware like Pegasus is, even by conservative estimates, rather steep. According to estimates based on documents on the NSO Group’s commercial proposal acquired by The New York Times in 2016, the Israeli spyware maker priced its surveillance tools on a par with traditional software companies — $500,000 installation fee, followed by $650,000 to spy on 10 iPhones or Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users.
Further surveillance targets, according to the report, required the client to pay an additional fee — $800,000 for 100 extra targets; $500,000 for 50 extra targets; or $150,000 for 20 extra targets.
In addition, NSO also charged an annual system maintenance fee of 17 per cent of the total cost every year after the initial order. The charges were for an initial fixed period of time, with renewals costing extra.
So, if the list includes 300 “verified” Indian cellphone numbers, the total cost, even on a conservative basis at pre-2016 prices, and assuming that a single agency was responsible for surveilling all these 300 targets, works out to an installation fee of $500,000 (multiple agencies mean several times that number), $1.3 million for the first 10 iPhone users and first 10 Android users, and $2.25 million for the remaining targets. The total amount adds up to $4.05 million, without taking into account the annual maintenance fee. Adding the maintenance fee of 17% every year (without factoring in the annual cost escalation), takes the cost up to around $7.5 million for the period between 2016 and 2021.
While it could not be confirmed whether these prices are for the Pegasus tool, it is one of the NSO Group’s mainstay product, and the estimates could mean an expenditure of well over Rs 56 crore, based on prices just for the initial period of a few months to a year. Additional costs are involved in renewal and extension of the validity period. This does not factor in the annual cost escalation, and the premium that the service has commanded.
NSO maintains that it sells its technologies solely to law enforcement and intelligence agencies of “vetted governments” for the purpose of “preventing criminal and terror acts”.
A better marker for the benchmark spyware rates comes from another Israeli for-profit spyware tool maker Candiru, whose software was allegedly deployed to conduct surveillance as per recent reports. This has a similar pricing structure, but with a much higher all-inclusive installation fee that pushes up the overall spend for clients.
For example, Candiru’s installation fee is around $28 million, nearly 60 times that of the NSO Group’s installation fee as stated in the 2016 report. However, given that Candiru’s installation fee includes exfiltration of 10 targets, a comparative NSO figure would be $1.15 million, making the more recent pricing model of Candiru nearly 25 times costlier than the 2016 NSO prices — an escalation that can be factored in NSO’s latest prices too. Using this comparison, the $7.5 million payout inflates to around $187.5 million, or Rs 1,401 crore at current exchange rates.
According to The Guardian, which is part of the current investigation led by French media rights organisation Forbidden Stories, the presence of a phone number in the database was not a confirmation of whether the corresponding device was infected with Pegasus or was subject to an attempted hack. “…the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts,” it reported.
A report by The Wire noted that Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were found to have been successfully infected and 14 showed signs of attempted infiltration. For the remaining 30, the report said the tests were inconclusive. This was mainly because in several cases, the devices had been replaced by their users. Fifteen of the phones were operating on Google’s Android operating system, none of which showed evidence of successful infection.
Candiru’s operations are broadly comparable with the NSO Group’s work, even as the operations were at a lower scale. According to a September 2020 report by Israeli newspaper Haaretz, Candiru offers a “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets, by using explosions and disseminations operations”.
According to a leaked commercial proposal document obtained by Haaretz’s sister-publication The Marker, the basic system software licence costs EUR 23.5 million before a EUR 6.65 million “special discount”. This includes the licence fee (for 3 operator workstation licences), software modules for Windows, iOS and Android devices, the infection vectors (hyperlinks, weaponised files, etc), system hardware, and professional and training services.
This initial fee is for concurrent exfiltration of 10 targets located in the country of the end-user, but the company provides additional pricing options. For additional 15 concurrent targets and one more country, the client would have to pay EUR 1.5 million over the initial fee. For 25 concurrent infiltrations and five more countries, it would be an additional EUR 5.5 million.
As per the Candiru commercial proposal document signed by an unnamed vice-president of sales, the client would have to make 50% of the payment upfront as down payment, while 40% would have to be paid upon delivery of the system to end-user terminal and the remaining 10% after competition of the training module.
The Haaretz reported that offensive cyber is a big business in Israel, and, citing industry sources, it noted that the industry generates about $1 billion in sales annually – the biggest of which is the NSO Group. The Pegasus-maker reportedly generated $240 million in revenues last year, up from $30 million in 2013.