On October 1, 2018, a day before Jamal Khashoggi was murdered and dismembered inside the Saudi consulate in Istanbul, Citizen Lab, a University of Toronto-based project that investigates cyber espionage against civil society, released a report titled, “The Kingdom came to Canada”. It alleged that a cellphone used by Omar Abdulazis, a Saudi dissident activist living in exile in Canada, had been infected by Pegasus, the notorious malware sold by Israeli company NSO Group. “We have high confidence that the cellphone of Omar Abdulaziz... was targeted. Abdulaziz has been outspoken on an ongoing diplomatic feud over human rights issues between Canada and Saudi Arabia,” the report said.
But neither Citizen Lab nor Mr. Abdulaziz knew then that the alleged spying saga had a lethal subplot. Mr. Abdulaziz was a close friend of Khashoggi, the Saudi dissident journalist who was critical of Crown Prince Mohammed bin Salman. He spent hours talking to Mr. Abdulaziz on the phone. By infecting Mr. Abdulaziz’s phone, Pegasus might have got information on Khashoggi’s thoughts and movements. In December 2018, two months after his friend was killed by Saudi agents, Mr. Abdulaziz filed a lawsuit in Israel against NSO. The company fiercely dismissed the allegations that its products had anything to do with Khashoggi’s killing, but refused to say if it sold Pegasus to the Saudi authorities. Asked about the reports that he had travelled to Saudi Arabia to sell Pegasus for $55 million, NSO chief executive Shalev Hulio told CBS’s 60 Minutes in March 2019, “I’m not gonna talk about [a] specific customer.”
This has been the standard response of NSO whenever it’s hit by serious allegations — deny any involvement and refuse to divulge further details.
Last week, when a media consortium, including The Washington Post , The Guardian and The Wire , reported that thousands of numbers were selected by NSO’s clients for potential surveillance, including that of journalists, activists, dissidents and world leaders, the company dismissed the reports. The consortium, which got a leaked database of 50,000 numbers, reported that at least 37 phones were infected by Pegasus, including that of Hatice Cengiz, Khashoggi’s fiancee. Hundreds of numbers from India is on the list. The malware can remotely spy on a device and steal its data without the victim ever knowing about it.
NSO, in a statement, said the list “is not a list of Pegasus targets or potential targets. The numbers in the list are not related to NSO Group in any way. Any claim that a name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.” On Wednesday, it issued another statement, saying it would no longer respond to media inquiries.
The company that is at the centre of a global controversy today has had humble origins on the outskirts of Tel Aviv a decade ago. It was founded by three Israelis — Niv Carmi, Shalev Hulio and Omri Lavie — in 2010. The name NSO comes from the first letters of the founders’ names. Mr. Lavie and Mr. Hulio are reported to be former members of Israel’s ‘Unit 8200’ signals intelligence arm. Mr. Carmi was a former operative of Mossad, the Israeli intelligence agency. Headquartered in Herzliya, near Tel Aviv, NSO had some 50 employees at the beginning. A group of investors headed by Eddy Shalev, a partner in Israeli venture capital fund Genesis Partners, had invested some $1.8 million in the company for a 30% stake.
NSO started making headlines after Mexico announced in 2012 that it had bought the group’s solutions to fight drug lords. Apparently, NSO’s tools helped Mexican authorities track the movement of ‘El Chapo’ Guzman that led to his arrest in 2014 — something Mr. Hulio confirmed in the 60 Minutes interview. In the same year, American private equity fund Francisco Partners took a majority stake in the company for about $130 million. NSO saw rapid growth in its business in the following years. With governments across the world turning to cyber intelligence to fight terrorism and serious crimes as well as track down dissidents and critics, the solutions NSO offered were in high demand. Besides Pegasus, the company offers a host of technologies to fight drone incursions, improve search-and-rescue operations and advanced data analytics solutions. “NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime,” the company says on its website. In a 32-page Transparency and Responsibility Report released earlier this year, NSO dismisses allegations that Pegasus is a mass surveillance tool. “Data is collected only from individual, pre-identified suspected criminals and terrorists,” it says. However, the same report adds: “NSO licenses Pegasus to sovereign states and state agencies, does not operate Pegasus, has no visibility into its usage, and does not collect information about customers.”
Co-founders Mr. Lavie and Mr. Hulio bought back the company from Francisco Partners in 2019 with investments from Novalpina Capital, a London-based private equity firm. At the time of the transaction, NSO was valued at $1 billion. Between 2012 and 2021, NSO has seen a manifold rise in its client list. The tightly held company never reveals the names of its clients, but the 2021 report states it has 60 customers in 40 countries. Fifty-one percent of its clients are intelligence agencies, 38% law enforcement agencies and 11% military. Israel has identified Pegasus as a cyber weapon and its exports are controlled.
Ties with Israel
In 2019, after the company was bought back, Mr. Lavie, Mr. Hulio and Novalpina Capital promised to establish “a new model for public transparency” and do “whatever is necessary” to prevent their technologies being misused. This was a rare public acknowledgement from the top management that all is not well with the use of NSO’s products. Citizen Lab had released several reports alleging that NSO products were being used by governments to target their critics. Before Mr. Abdulazis’s case, the Lab had reported that Ahmed Mansoor, a human rights defender and critic of the UAE government’s policies who is currently in prison, was targeted. The researchers later discovered Mexican journalist Rafael Cabrera and the Lab’s own researchers were also targeted. In 2019, months after the company’s leaders promised transparency, WhatsApp sued NSO over allegations that 1,400 of its users, including at least 100 members of civil society, were attacked by NSO’s spyware. According to a report in Financial Times , NSO had developed malware that can infect a phone simply by making a call. The potential victim doesn’t have to click a link or even answer the call. Once it rings, the malware is in and can start stealing data and exit without leaving any trace on the phone’s call log. The WhatsApp case is still under way.
The latest reports by the Pegasus Project on illegal surveillance call into question, once again, NSO’s claims on “transparency” and “accountability”. This time the allegations are wider in scale and graver in nature. On the list of potential targets are 14 world leaders – three Presidents, including France’s Immanuel Macron, three sitting Prime Ministers, seven former Ministers and a King — and hundreds of civil society members.
NSO is not just a private tech company that’s gone rogue. It has deep ties with the Israeli state, which it has never hidden from the public. The Israeli government itself is using its technology, NSO has said. Many of the company’s 500-plus staffers, including the founders, are from Israel’s military intelligence units. In 2019, NSO’s lawyers argued in a court that revealing clients’ names “will meaningfully harm the foreign relations of the state”. Last year, Defence Minister Naftali Bennett, who’s now the Prime Minister, proposed to deploy NSO’s tools to track down Israelis’ movements to check the spread of the coronavirus. It did not pass the Cabinet, but was a testament to the company’s clout in the establishment. In recent years, Israel has built stronger diplomatic ties with Gulf monarchies and rightwing governments elsewhere by offering clandestine security solutions.
John le Carré once wrote, “A desk is a dangerous place from which to view the world.” Now, it’s the phone. In theory, NSO’s spyware can take over a potential target’s phone. If not checked, it’s the ultimate toy in the hands of a surveillance state. The allegations pose serious questions on both NSO’s practices and Israel’s policies. It’s to be seen whether they will come clean on them.