Project Pegasus: 3 weeks ago, NSO admitted misuse risk, said secrecy barred it from gatekeeping

Titled ‘Transparency and Responsibility Report 2021’, the policy document identified the potential misuse of NSO Group’s spyware against politicians, NGOs, journalists, lawyers etc among the “most salient human rights risks” associated with it.

These human rights risks, the NSO Group report noted, also include potential misuse “for reasons unrelated to national security or law enforcement, such as in support of litigation or to obtain information that may be embarrassing to individuals” or “by unauthorised personnel associated with states and state agencies”.

60 customers in 40 countries

“There are a wide variety of additional government-driven risks that could flow from our technologies. These could include rights associated with the legal and judicial process, such as freedom from arbitrary arrest and detention and similar abuses… as well as invasions of freedom of thought, conscience and religion, restrictions on freedom of movement or participation in civic life,” the Group said in the report.

Admitting that strict confidentiality restrictions limit its “ability to do much more,” the report said the company “cooperates with states to try to ensure that when abuses occur within their jurisdictions those affected have access to effective remedy”.

The Israeli firm claimed it investigated 12 reports of misuse in 2020 and, between May 2020 and April 2021, “approximately 15% of potential new opportunities for Pegasus were rejected for human rights concerns”. Since 2016, the Group claimed to have rejected over USD 300 million in opportunities as a result of its review process. This includes five customers, worth USD 100 million, who were “disconnected from the system” following investigation of misuse.

As a safeguard, the Group report said, the company requires, at a minimum, human rights compliance clauses in all customer agreements, along with commitment from customers “to only use NSO’s systems for legitimate and lawful prevention and the investigation of serious crimes and terrorism”.

The report, however, admitted that effective monitoring of customer activity remained a significant challenge in the absence of “immediate insight into the use” of its products, adding that a customer is contractually required to provide this information maintained in the customer’s systems logs in a tamper-proof manner. “Refusal to cooperate shall lead to immediate suspension of the customer’s right to use the system,” it said.

The Indian Express wrote to Chaim Gelfand, Vice-President (Compliance), NSO Group, asking if the company has launched an investigation into the latest reports on the misuse of Pegasus across the world and if its conclusions will be made public. A response is awaited.

Claiming that allegations of misuse amounted to less than 0.5% of the instances in which the

Pegasus system was used by its clients over the last three years, the NSO Group said it pre-barred over 55 countries as clients for reasons such as human rights, corruption, and regulatory restrictions.

The Group report claims the firm is strictly monitored by the Defense Export Controls Agency under the Israeli Ministry of Defense for licensing of Pegasus and its application for export licences were denied “in quite a few cases”. The company also exports its products from Bulgaria and Cyprus.

The Group claims to have completed reviewing 10 of 12 reports of misuse received in 2020. Of these, three were found to be actionable. While “additional mitigation measures” were implemented in two cases, NSO Group terminated relationships with one end-customer. For the remaining seven, the Group’s preliminary review “could not identify sufficient information to conduct investigations” or found the misuse report to be unrelated to company products.

In a media release Wednesday, NSO Group reiterated that “the list (of phone numbers published by a consortium of media houses) is not a list of targets or potential targets” of Pegasus.

“Enough is enough! In light of the recent planned and well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter,” the release stated.