A woman uses her iPhone in front of the building housing NSO Group on August 28, 2016, in Herzliya, near Tel Aviv, Israel. The company has come under increased scrutiny for the alleged use of its spyware tool, Pegasus, to target journalists. (AFP/Jack Guez)
A woman uses her iPhone in front of the building housing NSO Group on August 28, 2016, in Herzliya, near Tel Aviv, Israel. The company has come under increased scrutiny for the alleged use of its spyware tool, Pegasus, to target journalists. (AFP/Jack Guez)

NSO Group responds to spyware abuse allegations with spin

Entering the terms “NSO Group,” “journalists,” and “spying” into a Google search from a workstation in New York City recently produced a sponsored search result at the top of the page. The NSO Group manufactures some of the world’s most sophisticated and high-profile spyware, and its sponsored link invites readers to a slick website touting products to help government agencies monitor “terrorists, drug traffickers, pedophiles.” Journalists, their family members, and their sources are not mentioned.

The Committee to Protect Journalists has been tracking research by Citizen Lab, Amnesty International, and other local and international human rights groups involving journalists targeted by Pegasus, a spyware tool that the NSO Group markets and sells to governments. Once covertly installed by means of spear-phishing attacks that trick the recipient into clicking on a malicious link, the technology passes control of a phone’s camera, microphone, and contents to the attacker.

In statements to the media, NSO says it subjects clients to an internal ethics review and would stop doing business if they misuse its system. But it has declined to publicize if, or how, it has responded when these rights groups have documented Pegasus, or attempts to install it, on devices belonging to journalists and civil society activists from Saudi Arabia to Mexico. An NSO Group spokesperson contacted by CPJ for this article said that the company would not discuss particular instances where its technology was linked to spying on journalists, but said that NSO was setting the standard for “ethical” surveillance.

“We do not tolerate misuse of our products,” an NSO Group spokesperson told CPJ by email. “We regularly vet and review our contracts to ensure they are not being used for anything other than the prevention or investigation of terrorism and crime.” The spokesperson declined to be named because the comment was from the organization, not an individual.

In addition to the Google ads and website, NSO co-founder Shalev Hulio gave a rare on-camera interview to CBS’s “60 Minutes,” broadcast on March 24. Although he insisted that the company doesn’t enable human rights abuses, Hulio’s replies to correspondent Lesley Stahl revealed a troubling willingness to grant government agencies broad, unregulated powers to spy on journalists, lawyers, and other non-criminals–with no acknowledgement that journalists should be shielded from invasive surveillance, let alone that they may face retaliation from officials operating without oversight.

“If [journalists] are in touch with a drug lord… and in order to catch them, you need to intercept them, that’s a decision that intelligence agencies should get,” Hulio said. The NSO spokesperson did not directly address CPJ’s request to clarify under which circumstances NSO considers journalists to be legitimate targets for interception.

Heightened scrutiny of the NSO Group’s human rights record may be one reason for this increased public engagement. A new analysis by the digital rights groups Citizen Lab, R3d, SocialTic, and the international free expression organization Article 19 detailed an attempted Pegasus attack targeting Griselda Triana, the widow of Mexican journalist Javier Valdez. Valdez, the winner of CPJ’s 2011 International Press Freedom Award, was murdered in May 2017; the Mexican government has not charged anyone for ordering the killing, which CPJ believes was in reprisal for his coverage of narcopolitics.

“It made me mad,” Triana told CPJ of the spyware in a live Facebook interview on March 20. “This technology is supposed to be used against terrorists, criminals, people who put national security in danger…I couldn’t imagine how I could be put in this group.”

Triana was targeted immediately after her husband’s murder in 2017, when grief and her need for information left her particularly vulnerable to phishing, according to the new Citizen Lab report. The researchers determined that a text message purporting to link to a news article about the police investigation was one of several attempts to trick her into installing Pegasus on her phone.

The precise reason Triana would be targeted remains unclear, but it fits a pattern of spyware attacks on independent journalists and Mexican citizens who are prominent critics of the government or powerful figures. “If they were trying to get more information about my life with Javier,” Triana told CPJ, “that is so invasive.”

Triana is the 25th individual to have been “abusively targeted with Pegasus malware in Mexico,” according to Citizen Lab, which lists eight journalists and the teenage son of reporter Carmen Aristegui among the other targets. The Mexican Attorney General’s Office has yet to hold anyone to account, international news reports say. Mexican journalists have obtained documents showing NSO Group contracts worth millions of dollars licensing Pegasus software to the Mexican Attorney General’s Office. (The Attorney General’s Office is not the only Mexican government agency media reports have linked to spyware purchases. Leaked documents appear to indicate that state officials in Puebla, for example, used products made by the Italian firm Hacking Team to surveil their political opponents, according to The New York Times.)

NSO technology has also been deployed against journalistic targets beyond Mexico. Citizen Lab and Forbes have documented 2018 attacks against friends and sources of Saudi journalist Jamal Khashoggi directly before his murder in October.

In early 2019, the founders and management team at NSO Group announced that they were acquiring the company with backing from the British fund Novalpina Capital. Since 2014, the American private equity firm Francisco Partners has owned a controlling stake in NSO; Francisco Partners refused to comment on the record about its human rights vetting procedures when contacted by CPJ in October. Novalpina did not respond to an email query from CPJ asking for it to clarify whether it considers journalists legitimate targets of NSO spyware. But Stephen Peel, Novalpina’s founding partner, stated in response to Citizen Lab and its reporting that NSO “operates with the highest degree of integrity and caution.”

In a subsequent letter to a coalition of rights organizations on March 1, Peel said that NSO Group “should be operated in accordance with all aspects of the U.N. Guiding Principles on Business and Human Rightsincluding a commitment to robust transparency.”

Robust transparency would be a significant step to limiting abuse of spyware, but it is not yet evident in the company’s promotional material. NSO “take[s] a pioneering approach to applying rigorous, ethical standards to everything we do,” according to the website it has recently promoted. “Our process is setting a benchmark for the industry.”

“Dozens of innocent targets in Mexico is not much of a benchmark,” Citizen Lab Senior Researcher John Scott-Railton told CPJ in a text message.

“NSO is shirking responsibility for the illegal use of its product,” Mexican journalist Rafael Cabrera told CPJ by WhatsApp message. Citizen Lab reported that Cabrera’s device was likely infected with Pegasus in 2015 or 2016 after he helped investigate corruption scandals involving then Mexican President Enrique Peña Nieto’s administration. He and others like him are still waiting for answers about what happened–and for justice. “It seems like the Mexican government and NSO Group are banking on this being forgotten,” Cabrera said.

Editor’s note: The third paragraph has been corrected, and the sixth paragraph has been updated, to reflect comments by the NSO Group spokesperson.