Today we’re publishing some new interviews and documents on NSO Group and the whole surveillance industry. Here is a thread that I hope provides some new insight into the surveillance industry.
New: NSO Group CEO Shalev Hulio says the surveillance industry is going dark: “The industry is going away from regulation. I see companies trying to hide activity and hide what they’re doing.” https://www.technologyreview.com/2020/08/19/1007337/shalev-hulio-nso-group-spyware-interview/
New #2: I spoke with NSO’s top lawyer Shmuel Sunray who is tasked with rebuilding the company’s sales, diligence, and governance processes. He plays a big role in how Pegasus sales happen. He dove into the details with us. https://www.technologyreview.com/2020/08/19/1006458/nso-spyware-controversy-pegasus-human-rights/
Hulio described “export regulation shelters” that, like tax shelters, are abused to sell spyware with far less lawful oversight, transparency, and accountability. He defended NSO's actions and criticized competitors, calling for stronger international regulation of the trade.
In addition to laying out details about how sales of Pegasus happen, NSO also shared a redacted contract from 2019 worth reading over: https://beta.documentcloud.org/documents/20384745-signed-agreement
A detail: There was some recent confusion around what exactly NSO knows about customers and how abuse investigations work. Here's what I've learned about some of the key points that were discussed in news stories and around Twitter.
If abuse is alleged, NSO says they may investigate, and the customer must cooperate or a kill switch cuts off service. If the customer says they did not target the person, NSO can obtain logs that contain a full target list (not, they stress, content) among other info.
It’s not clear how NSO prevents these customers — intel agency hackers who have been credibly accused of human rights abuses — from tampering with these logs. NSO just says it’s impossible. But that's not what happens mostly.
Most of the time, NSO says, the customer will readily acknowledge they did target the person. From there, it’s up to NSO and the customer to hash out if the targeting was legitimate according to local law and NSO’s judgement — or if a human rights abuse occurred.
There is one notable absence in these abuse investigations: The Israeli Ministry of Defense, NSO’s chief regulator.
I also spoke to Maati Monjib, who researchers say was spied on by NSO’s malware. He talked about his life as a critic of Morocco’s monarchy: “The surveillance is hellish.”
A letter sent by eight Moroccan dissidents to the govt data authority said WhatsApp informed them they were spied on by NSO malware. The state ignored it publicly; the group said they were privately warned to drop the matter.
I want to learn more about the surveillance industry. If you know more, you should get in touch. Signal: +1-650-488-7247, contact info in bio. Hulio says this industry must explain itself. We want to shine a spotlight to help.
Sunray laid out how a sale of Pegasus is made. This process has changed especially in the last year since NSO was sold and he came on board. https://www.technologyreview.com/2020/08/19/1006458/nso-spyware-controversy-pegasus-human-rights/
Hulio and Sunray both point to NSO's ability to add tech restrictions to Pegasus if a customer is an abuse risk. There are geographic restrictions -- e.g. you can't infect someone in the US or Israel, NSO says, as well as data and target limits. https://www.technologyreview.com/2020/08/19/1006458/nso-spyware-controversy-pegasus-human-rights/
It's becoming harder to track and understand the surveillance industry. The tech is going dark, as @jsrailton says, and many of the companies are deliberately dodging oversight on a global scale, Hulio says. https://www.technologyreview.com/2020/08/19/1007337/shalev-hulio-nso-group-spyware-interview/