Cybersecurity company NSO Group on Wednesday night made its strongest effort yet to address criticism that its Pegasus software for hacking cellphones has been used to hack and oppress human rights activists in its client-countries.
While the company highlights its successes in blocking ISIS terror attacks and cracking drug and pornography rings in Europe, Africa and Oceania, critics have said its software has been used to abuse human rights in Mexico, Morocco and elsewhere.
In December 2019, NSO revealed to The Jerusalem Post that it had canceled contracts with three clients at a loss of NIS 250 million.
In the report released on Wednesday, NSO updated those numbers to five clients since 2016 at a loss of $100 million or NIS 330m.
The report also discloses that in 2020, “NSO conducted 12 product misuse investigations and preliminary reviews, all but one following reports from external whistleblowers or media and NGO reports.”
In 2020, “out of the twelve reports raised through our external and internal whistle-blowing processes: NSO conducted five investigations into product misuse on four continents, with the guidance of external advisors.”
Next, NSO said, “Of the five: One case resulted in termination of NSO’s relationship with the End Customer. Two resulted in the required implementation of additional mitigation measures. Two are still being reviewed.”
“For the remaining seven reports, following our preliminary review, we could not identify sufficient information to conduct investigations despite our efforts or the report clearly was not related to the use of our system,” said NSO.
Next, NSO said it has an advisory board that has vetoed doing business with 55 countries.
The advisory board has three NSO senior officials and two Novalpina Capital (its main investor-partner) senior officials.
One of the NSO officials is General Counsel Shmuel Sunray, who has significant prior legal and security establishment credentials.
The rules of the advisory board potentially allow the Novalpina investors or Sunray to veto or slow certain deals.
There are also a range of senior legal experts whom Sunray consults who have serious backgrounds in civil society issues.
In addition: “From May 2020 through April 2021, approximately 15% of potential new opportunities for Pegasus were rejected because of human rights concerns that could not be resolved.
“In certain instances, in high-risk regions, NSO has either rejected certain opportunities (e.g., in Asia-Pacific and the Middle East) or deferred opportunities (e.g., Africa),” said the report.
In terms of what NSO says it has in its contracts – and it shared several contract provisions – and its due diligence procedures and human rights training for employees, it checks the boxes human rights experts would want.
The question is what all of the above facts mean underneath, something NSO itself admits it cannot or will not fully answer.
For example, NSO stated, “but we are aware that due diligence, and even strong contractual provisions, are no guarantee that our products in every instance will be used consistently with responsible business conduct.
“Those concerns are heightened because we are unable to monitor immediate use, and have not yet determined whether there could be a technological solution to prevent customers from targeting vulnerable populations,” said the report.
It is unclear what steps NSO has taken to see if it can better track how its clients might abuse its technology.
Considering that criticism of NSO has lingered for some years, if NSO is suggesting that tracking its clients’ potential abuses is possible, a better understanding of the status of this project could be crucial to judging NSO’s overall efforts.
Also, NSO does not name a single bad-actor client, leaving no way for anyone else besides Israel’s Defense Ministry, Bulgaria and Cyprus (the three countries from which NSO exports) to perform oversight or check its data.
Moreover, NSO said, “a number of inherent challenges remain given the nature of our customers. Because of the strict confidentiality requirements of our customers, we are unable to provide actual or alleged victims with information about adverse impacts or implemented remediation, or even acknowledge relationships with specific customers.”
“Even where we identify product misuse, we cannot breach these confidentiality requirements. While we cooperate with states to try to ensure that when abuses occur within their jurisdictions those affected have access to an effective remedy, the confidentiality restrictions limit our ability to do much more,” said NSO.
Other interesting statistics include NSO’s detailing that it has: 60 customers in 40 countries with a breakdown of 51% intelligence agencies, 38% law enforcement and 11% military customers.