NSO Group does not sell Pegasus to just anyone. The company has implemented several processes to verify and prevent misuse of its spyware. Although largely insufficient, they do exist.
It’s ironic: “Project Pegasus” exposed more than ever the misuse of NSO Group’s spyware… barely 20 days after the publication of its first transparency report. The 32-page text detailed the company’s alleged efforts to prevent misuse of its Pegasus spyware. In principle, it should only be used in the context of legal investigations to arrest serious criminals: terrorists, pedophiles or even human traffickers.
But in practice, it continues to be used by governments to spy on (or at least try to spy on) journalists, political opponents and other activists, as the numerous articles from the recent investigation prove again. Yet in its report, NSO Group put “human rights” at the center of its discourse, with no fewer than 188 uses of the term over 32 pages. It describes itself there as a standard-bearer of the surveillance industry, one that supposedly works for more transparency and a better balance between “the duties of states to ensure public safety” and the “concerns about human rights and privacy”.
To put words into action, NSO Group details in administrative jargon the many safeguards it has put in place to comply with several organizations, including the European Union. Its new way of operating pushes it more than ever to screen its customers, with an immediate effect: “To date, NSO has turned down more than $300 million in potential sales as a result of its human rights research processes.” This amount corresponds to the refusal of “15% of sales opportunities” of the company between May 2020 and April 2021.
10 Pegasus contracts terminated for abuse
Regularly cited in dark affairs, NSO Group claims to be adapting in order to “address and reduce the human rights risks associated with [its] products”. The company does this not only out of ethical conviction: it needs the authorization of the countries from which it exports its spyware (Israel, Bulgaria, and Cyprus) to continue its activity. They may even prevent it from selling Pegasus to certain customers. But NSO Group is confident on this last point: “Our standards are higher than the export control requirements of most sovereign states, as well as those of the European Union.” In theory, the spyware should be used with permission from a body independent of the user, and it cannot be used against law-abiding citizens. A principle not always respected, as Project Pegasus shows.
The company says it refuses to sell its products to more than 55 countries that do not meet minimum standards. “Requests from these countries do not even have to be presented to the steering committee for evaluation,” it adds. And it is not limited to this upstream selection: it can also launch investigations into its customers following warnings made by internal or external whistleblowers, through a specific process. “When customers have not been able to give sufficient guarantees to continue to be authorized to use our products, we have terminated these relationships,” states NSO Group.
NSO, a model of transparency for its sector
The results, since 2016: the company has “disconnected from the system” 5 clients following an investigation for misuse, and 5 others for “human rights concerns”. It puts the value of terminating these contracts at “over $100 million”. Still, the figure seems low compared to the number of scandals. “Our ability to act is also limited by the fact that we have no visibility on the specific operational uses of our product, unless access is given by the customer (which is contractually required in the event of an investigation on suspicion of misuse),” NSO says in its defense. In 2020, the group conducted 12 investigations for misuse of Pegasus. The result: one canceled contract, two cases where the company had to add safeguards and 7 dismissals for lack of “sufficient information” to prove the charges.
This is where Project Pegasus meets a limit: the list obtained by Forbidden Stories and Amnesty, while impressive in its length and the names cited therein, is “only” a list of targets, not of infected people. It is therefore still necessary to prove that there was an attempted infection, then to prove that the attack falls within the framework of the bad practices established by the company.
Finally, NSO Group, although it leaves room for misuse of its spyware, is far from being a deregulated company. Above all, it is – unfortunately – the most advanced in its sector in the implementation of protections against abuse.