On November 3, the U.S. Department of Commerce announced it had imposed export controls on the Israeli NSO Group, saying the company “developed and supplied spyware to foreign governments that used these tools to maliciously target” journalists and others.
The move represented a relatively new use for the Entity List for Malicious Cyber Activities, a tool used by the department’s Bureau of Industry and Security to limit a designee’s access to U.S. exports, lawyer Douglas Jacobson, who specializes in export control and sanctions, told CPJ in a recent phone call. Economic sanctions, a stricter control, are more common in response to human rights concerns, but export restrictions could have limited impact on the company, he said.
Commerce listed three other companies in its November 3 press release. NSO, however, is the best known of the group for its development of advanced Pegasus spyware, which can infiltrate individual cellphones for surveillance purposes. The company says it sells to vetted government clients for law enforcement purposes and investigates reports of abuse – but forensic experts say dozens of journalists are among the targets. In July, reporting by 17 global media outlets found that at least 180 journalists were possible targets of surveillance by government clients of NSO. CPJ has found that some of those, such as the jailed Moroccan journalist Omar Radi, face severe reprisals for their work.
NSO told CPJ it was dismayed by the U.S. listing, and that its “rigorous compliance and human rights programs” have led to “multiple terminations of contacts with government agencies that misused our products.” The company has previously told CPJ that it investigated allegations that Pegasus was used to surveil Omar Radi, without elaborating on its findings.
The Commerce Department linked one of the other three newly listed companies, Israel-based Candiru, to spyware used to target journalists. The University of Toronto-based Citizen Lab reported in July that Candiru appeared to be responsible for malware attacks Microsoft described as targeting “more than 100 victims around the world,” including unnamed journalists and human rights activists. CPJ attempted to reach Candiru for comment, but the company does not have a website and Eitan Achlow, who was identified as the CEO in news reports, does not allow messaging on his LinkedIn profile.
CPJ spoke to Jacobson about what the export restriction could mean for NSO Group. The interview has been edited for length and clarity.
What are the practical implications of being on the entity list?
[It] imposes a license requirement, but the U.S. is not penalizing NSO or Candiru or any of these other companies. They are just restricting their access to certain goods that are known to be subject to the Export Administration Regulations [everything that’s in the U.S. or manufactured in the U.S., including software]. U.S. companies can [still] import goods from these companies if they want to.
The license requirement [could apply] to something as mundane as [the] desk chair you’re sitting on. A furniture company would need a license to export office furniture to the NSO Group. The license review policy is one of presumption of denial – if I wanted to submit a license on behalf of the client to NSO Group for office furniture, then I would have to convince the [Bureau of Industry and Security] to overcome this presumption of denial. It is intended to prevent them from getting certain technologies.
I would imagine this would have a negative impact on NSO, because this will limit their ability to acquire even a new Windows laptop computer, for example.
Will it be crippling? Doubtful. There are certainly many workarounds that companies could use in order to acquire what they need. The U.S. is no longer the only producer of high-tech knowledge, and many U.S. [goods] may not even be subject to [these export regulations] because they’re manufactured [abroad]. But I think that this is a high-profile action.
Somebody asked me yesterday, is this really something that would make a [supplier] think twice? If I was advising a German company [on whether to] sell to NSO, I [would] say that’s a business decision. Your goods are not subject to [U.S. export regulation], so you wouldn’t be violating U.S. law by doing that.
But for certain suppliers, it’s a PR risk?
Correct. [In case] the Wall Street Journal or whomever did an exposé and said, “This company in Germany or this company in Japan continues to sell to NSO.”
Is there a penalty from Commerce if they catch a U.S. company supplying someone on the entity list without a license?
Absolutely. The maximum civil penalty for violations of the [export regulations] is the greater of $308,901 per violation or twice the value of the transaction that is the basis of the violation.
Does this export restriction include services such as web hosting, training, service maintenance?
This does not apply to services at all. [The export regulations] only govern the export of tangible goods, software, or technology information. If you’re just going to repair something that is broken, for example, and a repairman goes to Israel [to repair] a server and they’re not having to provide the company with any information or replacement parts, then that would not be prohibited. And “technology” is broad – there’s a definition of technology in the Export Administration Regulations, but it doesn’t cover everything.
The Global Magnitsky sanctions are administered by the U.S. Department of Treasury’s Office of Foreign Assets Control, or OFAC, and can be applied to companies. That’s human rights related, and that would have a much bigger impact on NSO.
[Economic sanctions like these] prohibit financial transactions by U.S. persons, company, or citizen. They are broad; they prohibit the export of U.S. goods, they prohibit payments to those individuals, and they also prohibit services [provided to them].
The Commerce Department announcement lists a number of subsidiaries for Candiru, but none of the known subsidiaries for NSO Group are listed. Does that mean those subsidiary companies would not be considered during implementation?
[It] doesn’t apply to any of their affiliates unless they are named. However, a company [supplying exported goods] has to be very careful because that affiliate may be a conduit by which the main prohibited company is acquiring goods that they shouldn’t be acquiring.
Something else that struck me about this listing was the reasoning that it was a consequence for human rights violations, particularly about journalists being maliciously targeted. Is that a normal reasoning to get a company on this list?
The criteria [include] reasonable cause to believe that the entity has been involved in activities that are contrary to the national security or foreign policy interest of the U.S.
Foreign policy is a broader, more amorphous term, of course. That is what is being used as the basis for these human rights designations, which is, relatively, a broader interpretation of foreign policy [in the context of the entity list].
How often is this list reviewed? What is the process?
The process is not an easy one, particularly when it comes to human rights issues. [China’s] Huawei has been on it for [almost] three years. There doesn’t appear to be much of an off-ramp for Huawei because of the national security issues – but there is an off-ramp. It does take time, [but] parties are removed from the entity list periodically. A company does have a chance to appeal their listing.
The problem is, [the group that would remove them is] the same group that added them. This is called the End-User Review Committee, which is an interagency group chaired by the Department of Commerce. There has to be some change in behavior or [proof] that they didn’t do what they were alleged to have done.