The Israeli software surveillance giant NSO Group has long claimed that its spyware can’t be used to go after U.S. targets, but a new report published this week is casting doubt on whether Americans are protected from the firm’s intrusive surveillance technology.
According to the investigation, which a consortium of news organizations and security researchers published Sunday, NSO Group’s technology has been used against dozens of phones belonging to journalists, human rights activists, businesspeople, and private citizens around the globe to track their cameras, microphones, locations, call logs, and contacts.
But while the Israeli surveillance firm claims that its technology doesn’t work against phones in the U.S, several numbers that appear in a list at the center of the investigation belong to Americans working abroad, which could suggest foul play, advocates warn.
Among several high-profile individuals named are the Biden administration’s special envoy to Iran, Robert Malley, and United Nations diplomats, according to the investigation.
David Kaye, the former United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression, says the report raises serious questions about the entire ecosystem of private sector entities peddling intrusive surveillance software to governments and clients capable of abusing it.
“The fact that some American numbers appear in the dataset calls this into question—or, at the very least, calls into question the arrangements NSO Group has with its clients. Fundamentally, this highlights the opacity of the operation and of the industry more generally,” Kaye, a professor of law at the University of California, Irvine, told The Daily Beast. “What controls exist? What oversight is there? Is it independent? Do rule of law standards apply? Are there consequences for violations like this? In short, we do not know the answers to these questions, underscoring the need for global regulation and rigorous, transparent oversight processes.”
NSO Group said in a statement, as it has repeatedly, that it only sells its spyware, known as Pegasus, technology to intelligence agencies and governments to help them save lives and prevent crime.
According to previous investigations from security researchers, the spyware vendor’s technology has been used in surveillance operations against countless human rights defenders, journalists, dissidents, and privacy citizens around the world. Researchers have found NSO Group products surveilling journalists in Mexico, Morocco, Rwanda, and several other countries, to name just a few.
A spokesperson for NSO Group said in a statement to The Washington Post that it is “technologically impossible” for NSO Group’s products to target phones with the U.S. country code +1. NSO Group also says it can’t target foreign-registered phones if they are within the U.S.
But a spokesperson for NSO Group did not answer questions about whether NSO Group blocks surveillance for Americans outside the U.S. with foreign-registered numbers.
The investigation is just the latest indication that NSO Group and other spyware vendors like it lack the proper oversight to protect human rights and freedom of speech, advocates warn. The lack of clear information about who NSO Group allows its clients to target and who is protected is raising red flags in the halls of Congress.
“If surveillance companies like NSO are working with our adversaries to spy on American government employees working overseas, they need to be held accountable,” Sen. Ron Wyden (D-OR) said in a statement.
NSO Group said in a statement that the investigative report is made up of “false accusations” and said it is considering a defamation lawsuit.
And while the company says the allegations in the report are “baseless,” it also says NSO Group lacks visibility into clients’ hacking. “NSO does not operate the system and has no visibility to the data,” the firm said Monday.
Privacy and security advocates have long questioned such claims. As the thinking goes, either NSO Group is capable of knowing who the victims are and can therefore wash its hands of certain allegations, or it has no visibility.
Amnesty International found that NSO Group technology successfully broke into the phone of Saudi journalist Jamal Khashoggi’s fiancée and targeted his wife in the days around his killing. The CIA has reportedly assessed that Saudi Crown Prince Mohammed Bin Salman ordered the dissident’s murder.
And although the firm maintains that it has no visibility into its clients’ operations, NSO Group said this week, as it has before, that it does know its technology has not been used in relation to Khashoggi’s murder.
“As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the firm said in its statement.
Agnès Callamard, secretary general of Amnesty International, says NSO Group’s claims about abuses of its technology are farcical.
“While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse,” Callamard said in a statement. “The [investigation] lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril.”