Why NSO Group’s Response to Pegasus Misuse Allegations Raises More Questions

The company's denials live in two grey areas, in which there is a suspicious lack of transparency.

Listen to this article:

The first line of defence that Israel’s NSO Group deploys – every time it faces an allegation of how its flagship spyware product has been misused – is how the company has no idea what its government clients do with Pegasus.

The Tel Aviv-based firm’s first ‘transparency report’, released in June 2021, is peppered with references to how its work is centred in an industry cloaked in confidentiality.

In fact, the report starts with what it says are three common myths about the company, the second one being:

Myth: NSO operates Pegasus, and collects information about the individuals it is used against. Fact: NSO licenses Pegasus to sovereign states and state agencies, does not operate Pegasus, has no visibility into its usage, and does not collect information about customers.”

And yet, in response to recent reporting by the Pegasus Project – an international consortium of 17 news organisations that reported on a leaked list of numbers, some of which forensic tests showed to have been targeted with the Israeli spyware – NSO has been extremely quick to churn out denial after denial.

‘Financial Times editor Roula Khalaf was not a target’, ‘French President Emmanuel Macron was not a target’, and so on. Sometimes these denials have come within hours of media organisations asking the company for specific information on an individual.

When a lawsuit was brought against the NSO Group by a Saudi dissident who alleged that Pegasus was used to spy on the late Jamal Khashoggi, the company said it cannot comment on the specifics of the case, but nevertheless claimed that the Washington Post columnist was never targeted with the spyware.

What explains this contradiction?

On the one hand, NSO consistently insists that it has no visibility into what its clients do and thus is not responsible for any misuse. And on the other, it is able to issue seemingly concrete denials any time an allegation of misuse comes into the public domain.

Also read: NSO’s Employees Sleep Soundly Even as Journalists, Rights Activists Targeted By Pegasus Do Not

The answer the company puts forth is that it has the ability to check up on its clients or perform an inspection when allegations of misuse are raised.

However, the lack of details regarding this process, when coupled with the suspiciously speedy pace of denials, naturally raises questions.

These are two grey areas within which the company’s denials live in:

1) How quickly can NSO perform an investigation across all of its clients and determine whether a specific individual was targeted by any of them?

2) Can a recalcitrant customer hamper this investigation in any manner? Or worse, can it tamper with evidence to specifically mislead a probe?

Question 1: Speed of a probe

In its responses to the Pegasus Project, NSO has responded to queries on the targeting of specific individuals – while remaining stoically silent on others – in extremely short periods of time. Sometimes days, sometimes just hours.

By its own admission, the spyware firm has 60 customers spread across 40 countries. NSO’s confident and speedy response indicates that it has the ability to conduct a thorough and deep probe across all these customers in the matter of a few days.

It’s important to keep in mind a few details while evaluating this premise.

Also read: A Look at How Pegasus Brings the Best of Technology to Achieve the Worst

First, the company’s clients are secretive intelligence agencies and hardened departments within militaries or law enforcement organisations, not used to internal, let alone external, oversight. In other words, they are unlikely to be the type of people who are quick to pick up the phone or respond when accused of human rights violations.

Secondly, it is unclear how NSO would go about conducting such a probe. Would it involve going through all the customer’s logs – i.e, combing through all targets their clients were interested in and then ensuring a particular individual’s number had not been targeted? Such an exercise would necessarily involve violating a customer’s privacy.

And yet, the NSO Group would have the world believe it can carry out such an investigation in less than a day.

In fact, the sensitive nature of an investigation into potential misuse is acknowledged in the company’s own transparency report.

Illustration: Pariplab Chakraborty

In its transparency report, the NSO Group implicitly acknowledges the sensitive nature of probing an allegation of misuse. The report lays out a series of steps that it takes whenever it comes across a report of potential misuse such as the Pegasus Project.

First, the company notes, it conducts a “preliminary review” to determine whether there is sufficient information to launch an investigation. As part of this, the firm’s Vice President for Compliance coordinates with the “management committee” to determine how to proceed.

Following the preliminary review, the committee appoints an investigation team, led by an attorney, “if the determination is to proceed with a full investigation”.

“Investigations may include review of data, interviews, meetings, and evaluation of objective risk factors, including an analysis of whether the customer has engaged in previous human rights abuses,” the report notes.

During an investigation, the report says, NSO’s compliance team also meets directly with the customer to “understand customer compliance with the terms of the agreement”. Investigation results are then shared “with the management committee and the GRCC [governance, risk and compliance committee] to collaboratively determine next steps and potential remediation”.

Now, it’s entirely possible that this process was just set aside or quickly accelerated in light of the nature of the Pegasus Project’s reporting. But there are good reasons as to why the investigation necessarily proceeds at a slow pace – no intelligence or law enforcement agency in the world would want its usage of Pegasus to be examined by the NSO Group. Which brings us to the second question…

Question 2: Is there a possibility that a probe can be misled?

The following disclaimer appears in all places where NSO talks about the visibility it has with regard to what its clients do with Pegasus.

It usually goes like this: “Our capacity for action is also limited by the fact that we do not have visibility into the specific operational uses of our products, unless that access is granted by the customer (as contractually required in the event of an investigation of suspicion that the system has been misused).” [Emphasis added].

More specifically, when the NSO Group launches an investigation into allegations of Pegasus misuse, it says that all of its customers are contractually required to provide information which is maintained in their systems in a “tamper proof manner”.

It also notes: “Refusal to cooperate shall lead to immediate suspension of the customer’s right to use the system”.

The usage of these particular phrases – ‘contractually required’, ‘refusal to cooperate’ etc – is odd.

Primarily, because it is unclear whether a client’s cooperation is absolutely needed to conduct an accurate investigation. In other words – does NSO have a method that allows it unhindered access to everything its customer does, regardless of whether or not a client cooperates with a probe? If it does, why does it not just come out and say so?

The implication that access needs to be granted by a customer, and that this will be enforced through a contract, comes with disturbing implications.

Also read: NSO Group’s Response to the Pegasus Project and Our Take

But more than that, it’s unclear whether the NSO’s investigation can be hampered by a dishonest client. The muddled phrasing around a customer’s logs – whether clients are required to provide information in a tamper-proof manner or whether the system itself maintains information in a tamper-proof manner –  lead to another question: Can a dishonest customer cleverly tamper with data on their end in a manner that misleads an investigation?

What doesn’t help matters is that NSO bizarrely states at one point in its transparency report that there have been some cases where it was “unable to conclusively determine whether there was or was not a misuse”.

This admission could imply a range of things – starting from the more simple (‘we don’t know whether a particular individual should have been spied upon’) to the more damning (‘we can’t determine accurately whether an individual was spied upon by a client’).

Ultimately, if the NSO Group wants to stand by the assurances it gave in the aftermath of the Pegasus Project’s revelations, it should provide transparency on all these fronts.

The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read all our coverage here.