NSO's Human Rights Advisors Stand By Spyware Firm Despite Pegasus Scandal

Human rights advisors to embattled surveillance company NSO Group are standing by the firm despite reports that authoritarian regimes are using its flagship Pegasus spyware to target tens of thousands of politicians, activists, journalists, lawyers, and other perceived opponents.

Newsweek spoke with several NSO Group external human rights advisors who have worked on the company's new human rights framework, introduced in recent years amid concerns about the privacy implications of Pegasus.

NSO and its advisors told Newsweek that the recent reports suggest its human rights and customer vetting processes may need reviewing or strengthening, but dismissed any suggestion of a moratorium on Pegasus use and sales.

Pegasus is malware that can infect a smartphone and transform it into a surveillance device, accessing and activating its microphones and cameras without a user knowing.

The Pegasus Project—a collaborative investigation by human rights and media organizations—recently probed a reported Pegasus target list of 50,000 phone numbers collected by NSO customers. That list was leaked to the Forbidden Stories non-profit in 2020.

Among those included on the list were French President Emmanuel Macron, Iraqi President Barham Salih, President of the European Council Charles Michel, and Pakistan Prime Minister Imran Khan. A host of human rights and anti-corruption activists, journalists, and others were also reportedly targeted.

NSO said last week it would no longer respond to media enquiries about the Pegasus revelations, declaring in one press release that "enough is enough" and maintaining that any abuse was the responsibility of the customers in question rather than the company itself.

The company now says it is launching an internal investigation, one that could result in customers being cut off from the Pegasus software if found to have abused their access.

"Our entire human rights policy and due diligence processes are always evolving," a spokesperson told Newsweek. "We are vigorously investigating any credible report on misuse of the system, and take necessary steps based on the findings. We have done so in the past and will continue to do so in the future."

This is not the first time Pegasus spyware has grabbed the headlines. The New York Times and Times of Israel reported that the United Arab Emirates has been using Pegasus since 2013. Mexican cartels and their government allies were reported in 2017 to have been using the software to target journalists and their families.

Journalists, activists, and politicians are also thought to have been targeted in India, prompting a lawsuit from Facebook which complained Pegasus customers were exploiting the firm's WhatsApp platform to access targets.

Pegasus software even helped the Saudi Arabian government spy on dissident journalist Jamal Khashoggi before his murder at the Saudi consulate in Istanbul, Turkey, in 2018.

Those familiar with internal human rights deliberations at NSO—including external advisors—told Newsweek it was little surprise to see Pegasus in the news again, though said the recent headlines would not dissuade them from their work.

"I wasn't surprised," Gerald Pachoud, managing partner at the Pluto Advisory firm and one of NSO's external human rights advisors, told Newsweek. "It's their main challenge," Pachoud said of privacy violations.

"The issue is something that has been out in the open for a long time...I think that's one of the main reasons why they started to look into improving the human rights processes."

'They Are No Angels'

NSO unveiled its first annual transparency report at the end of June, just before the Pegasus Project news broke.

The company press release lauded what it called "a historic first-foray by a significant industry leader into the public conversation about the interplay between public safety and security, and the preservation and protection of human rights."

Timothy Dickenson, a partner at Paul Hastings LLP and an NSO human rights advisor, said he had no plans to cease representation of the company.

Dickinson referred Newsweek to NSO for comment, adding: "The company is always looking to improve its processes...we're always looking to improve our processes and always looking to see how the company can learn from past experience.

"Corruption, human rights and other issues are certainly things that companies have to look at all the time. And I think NSO is certainly aware of that and is doing so."

"They are definitely looking in the right direction," Pachoud said. "For basically a spy company to put out their report and to acknowledge that they are trying to work on those things is interesting.

"They are no angels, and I don't see it as a perfect rosy picture, but that I think there is an ambition," Pachoud added. "The ambition is clearly based on collaborative efforts."

Barrister Cherie Blair—wife of former British Prime Minister Tony Blair—and her Omnia Strategy LLP law firm also advise NSO on its human rights program. Blair and Omnia declined Newsweek's request for comment, pointing to Blair's statement at the end of June praising NSO's first transparency report.

"I have been encouraged by the company's recent progress on human rights matters, and its recognition that big challenges remain and can best be tackled collaboratively and through developing binding standards for the industry," Blair wrote then.

The fourth human rights advisor—Yuval Karniel of the Israeli Karniel & Co. firm—declined Newsweek's request for comment. Karniel & Co. said it was "well aware of the ongoing coverage" of NSO and its Pegasus software.

Neither Omnia nor Karniel & Co. confirmed they would continue their advisory work, though NSO told Newsweek that both were still external advisors.

People who spoke with Newsweek said NSO has a vetting process for its customers to assess the likelihood of abuse of its software and to try and minimize such instances.

NSO has refused to disclose its list of customers, though the company says it has previously rejected potential customers over human rights concerns and cut ties with others.

The Pegasus Project identified potential NSO clients in at least 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.

The list of reported customers has raised questions over whether the vetting process is stringent enough. It is no secret that Saudi Arabia, the UAE, for example, suppress dissent and harass critics. A recent statement from Amnesty International said: "A reasonable person ought to have known the abuses were likely."

One source familiar with the company's processes who did not wish to be named told Newsweek there has always been recognition that Pegasus could be abused and that the vetting process would not necessarily catch all malign actors.

"Everyone acknowledges that whether you're selling a gun or a missile or a bomb or an aeroplane or a drone that all these products can be misused," the source said.

"I think that, honestly, the company was already aware that changes were needed," Pachoud said.

"So that's why they started to develop their whole process. At worst it just confirmed that indeed change is needed."

"There is never enough due diligence, but you need to do something that is manageable. And clearly, that's something that is developing, it's something that is fairly new for the company."

The Israeli government must sign off on any foreign exports of Pegasus software, so powerful and politically significant is the spyware.

Observers have suggested that the government is using the software as a diplomatic tool, encouraging NSO to sell to nations like Saudi Arabia and the UAE where Israel is hoping to build political capital.

In 2018, NSO cut ties with the Saudis after Khashoggi's brutal murder. But according to The Guardian, the company allowed Riyadh to resume use of Pegasus in 2019 after the Israeli government intervened.

"It's the harsh reality of life," Pachoud said when asked about political pressure on NSO, "which doesn't mean that they shouldn't try to work with that element. Dialogue among many different stakeholders to me seems the best way."

NSO has rejected any suggestion of official pressure or involvement, though says it retains an open dialogue with the Israeli government.

Israel has created a task force to respond to and investigate the latest Pegasus revelations. One senior Israeli official told Axios: "We are trying to fully understand its ramifications. We will have to check whether the reports about NSO warrant a change in our policy regarding the export of offensive cyber technology to other countries."

The government may yet be forced to review its export rules. "I'm not talking about one specific state but I think that the export control requirements should be much, much clearer," Pachoud said. "If there is an area where we don't see any movement, it's this kind of regulation."

Several of those who spoke with Newsweek framed Pegasus as wiretapping technology, describing the software as a logical next step from more rudimentary surveillance techniques.

But human rights groups involved in the Pegasus Project disagree, citing the ease with which the spyware can infect target phones. The high-profile names on the reported target list revealed by the Pegasus Project suggests there are few barriers to Pegasus users, even when going after heads of state.

"NSO Group's targeted digital surveillance tool is inherently prone to human rights violations, given its design and the lack of checks in place to ensure its proper deployment," Amnesty International said in a statement.

United Nations High Commissioner for Human Rights Michelle Bachelet said: "If the recent allegations about the use of Pegasus are even partly true, then that red line has been crossed again and again with total impunity."

Amnesty is among those calling for a moratorium on the use and sale of Pegasus and other similar spyware software, a demand NSO sources dismissed as short-sighted.

The company says Pegasus has become vital to global anti-terrorism and crime-fighting strategies.

"We provide law enforcement and intelligence agencies around the world the ability to overcome end to end encryption, a platform that terrorists and criminals use to communicate and plot," an NSO spokesperson told Newsweek.

"This, and similar technologies are the ones that allow millions of people around the world to sleep better at night."

No Crackdown

There has so far been little sign from governments that they want to crack down on spyware like Pegasus. "It's not like this is going to go away," said the source familiar with NSO's process. "I don't think law enforcement would ever want that to happen, because it would take away from them an extremely valuable tool for their investigative activity."

Pachoud added that a moratorium is "a nice and simple answer...but it's not realistic because states will most likely refuse it, because they want to use Pegasus."

The furor around Pegasus is part of a wider conversation on the balance of privacy and security. This kind of advanced spyware is relatively new, and there are few international frameworks to control its sale or use.

It is difficult for states to agree on rules on the sale of more traditional conventional weapons like guns, missiles, bombs, fighter aircraft, drones. Pegasus and similar spyware are less deadly but perhaps more insidious. Its strategic value means governments may not want to curtail its use, even with the serious human rights issues that come along with it.

Pegasus represents a surveillance innovation more invasive than anything that came before. Silently hijacking targets' phones—now our constant companions—wins Pegasus users unrivaled access, without anyone knowing they are there.

The ethics and legality of its use will remain murky territory, but those involved say there is no putting Pegasus back in its box.

NSO Group Pegasus spyware file photo
This studio photographic illustration shows a smartphone with the website of Israel's NSO Group which features 'Pegasus' spyware, on display in Paris, France on July 21, 2021. JOEL SAGET/AFP via Getty Images