The Conflicting Principles of the NSO Group

Image: DNA India

By Abhiraj Singh

In a startling report, a global consortium of 17 news organizations along with two non-profits – Forbidden Stories and Amnesty International – revealed that the military-grade spyware ‘Pegasus’, a product of the Israel-based NSO Group, was illegitimately used in hacking smartphones belonging to politicians, diplomats, government officials, journalists, human rights activists, and business executives from Hungary, Mexico, India, and elsewhere. There has since been a worldwide uproar and many subsequent investigations over the alleged illegitimate use and violation of privacy through this spyware.

The NSO Group, while expressing concern about the list of phone numbers made public by the media, has since distanced itself from the whole event and challenged the report. It has said, “Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false.” In interviews with The Washington Post, the founders of the company, Shalev Hulio and Omri Lavie, have defended the spyware they have built.

In time, the numerous investigations going on shall hopefully reveal the truth. But the interviews with Hulio and Lavie are revealing of the kind of thinking going on in the founders’ heads. Much of it is conflicting, which I argue should be unsurprising given their ill-thought business policies. At the heart of the crisis that NSO finds itself in are its so-called ‘guiding principles’. I gather there are broadly three of them.

First, NSO will only sell to law enforcement and intelligence agencies of governments, after prior vetting, for the sole purpose of preventing crime and terror acts. As a corollary to this principle, NSO will terminate its contract with a party that misuses its technology. Second, once sold, NSO will not operate the system and will have no visibility into the data. Lastly, and this is the one Hulio has said is the most important, NSO will seek approval from the export controls unit of Israel’s Ministry of Defense. These three decisions were made, Lavie has said, so that “we’d be able to sleep at night.” Presumably, they are meant as checks on their sales.

However, it is unclear how these principles guide, let alone check. The assumption in selling to governments is that it is better (read: safer) than selling to private enterprises. But this presupposes on their part that governments do not act for biased, immoral, or erroneous reasons. It glosses over the fact that the largest violator of rights is often the State, often using the very same law enforcement agencies to crush peaceful dissent labelled as terrorism. India, for instance, has often booked activists under anti-terrorism laws.

Further, while the founders state that they will terminate contracts with the parties found to be misusing their software, it is mysterious how they think this will happen given their policy of not looking into client data. The company presumably goes on with business as usual after the sale unless the misuse is brought to light by extraneous efforts, by the media for instance. This is possibly what happened in the case of Saudi Arabia, with whom terminating the contract was likely a response to the Khashoggi killing. And it is in reaction to media reports now that the founders have made statements and conducted their own inquiries.

Again, the founders don’t say what kind of vetting they do of governments before selling Pegasus, but Saudi Arabia seems to have made the cut. Now, this should not be surprising when one takes into consideration the company policy to defer to Israel’s Ministry of Defense for approval. It is only to be expected that such approval will be in concomitance, or at least tainted, with the foreign policy concerns of Israel. So Saudi Arabia gets the spyware, but not China and Russia, even though any serious vetting would have revealed consistent human rights abuses by all three of them.

The NSO founders often publicly assert that their software is a force for good, meant to prevent crime and catch all kinds of criminals (though NSO cannot reveal exactly how Pegasus was used in these efforts due to privacy reasons). It’s clear, however, through their company’s meteoric rise in the span of a few years, that they have been more eager to introduce their revolutionary product in the (currently unregulated) market than to think through the ethical consequences of Pegasus a bit more thoroughly. Their assertions thus reflect a naivety of thought, their good intentions undone by dint of their own guiding principles, which allow selling spyware to governments that do not always have the cleanest human rights record, which rule out looking into how their product is used even as the founders claim that their State clients use it for good, and which leave open the possibility of their sales being tainted by Israel’s foreign policy purposes. It was therefore only a matter of time until reports of unsanctioned use and violations of privacy emerged. Indeed, Hulio, the CEO, has acknowledged that such violations have happened before.

To their credit, the founders have pledged to “take stern action” should any of the claims in the report be true. Hulio has said that he would “shut Pegasus down” if there were a better way to help governments deliver security. But one wonders what he considers to be ‘better’ security after developing spyware that can remotely hack a phone without the users’ knowledge or consent and finding that to be imperfect and susceptible to misuse. Would it be one with even more potential to monitor people without consent under the garb of providing security? Surely not. Surely the way must be away from developing military tech with ever higher and wider potential to infiltrate the common citizen’s privacy, and more towards an operative use that is precisely designed within specific operation parameters and unavailable for illegitimate deployment. To obstinately assert otherwise, often citing the greater good as people are prone to do, is to admit to a poverty of imagination when it comes to public security.

We should, in any case, not wait till a ‘better’ spyware is developed, or wait to receive news of more misuses of Pegasus, to realize that this product has vast potential to be exploited without any kind of oversight, whether in private or State hands, and therefore needs to be withdrawn, or at least the policies determining its use be fundamentally altered.

That Pegasus has been put to good use in catching criminals and preventing crime is believable; that only Pegasus, and not any other less intrusive tech, can do this work is either just lazy thinking or an unwillingness to innovate. The founders cannot hide behind what Lavie has said is “the price of doing business” or that “somebody has to do the dirty work”. Not only is that a bad justification, but tech should never be developed with these criteria in mind.

The ball is now in NSO’s court. Instead of seeing the Forbidden Stories et al. report as a campaign to discredit the company, its founders must take this as an opportunity to critically reflect on both their business policies and the product they sell. The rest of the world will be closely watching.

Bio:
Abhiraj Singh is an independent researcher. Views are personal.

***

Cafe Dissensus Everyday is the blog of Cafe Dissensus magazine, born in New York City and currently based in India. All materials on the site are protected under Creative Commons License.