The head of the Israeli surveillance giant NSO Group pledged Sunday to investigate potential cases of human rights abuses following a sweeping report by The Washington Post and other media organizations that uncovered how NSO’s government clients had deployed its spyware tool Pegasus against activists, journalists and private citizens around the world.
The company has raced to address growing outrage from human rights activists, technology executives, political dissidents and the general public over the widespread hacking and surveillance revealed in the Pegasus Project, an investigation by The Washington Post and 16 international media partners. By Monday, government and political opposition leaders from the European Union, France, India, Hungary and other countries had expressed fury and demanded answers as to whether the surveillance system had been abused.
The investigation detailed how a leak of more than 50,000 phone numbers helped expose the use of the tool for the targeting and surveillance of politicians, journalists and business leaders. Stories were published Sunday and Monday, and more are expected in coming days.
In an interview Sunday, Shalev Hulio, NSO’s chief executive and co-founder, continued to dispute that a list of more than 50,000 phone numbers assessed during the investigation had any relevance to NSO. The numbers were concentrated in countries known to have been NSO clients, the investigation found, and forensic analysis of some of the smartphones on the list showed evidence of a suspected Pegasus targeting or successful hack.
But Hulio nevertheless told The Washington Post that some of the reported allegations were “disturbing,” including the surveillance of journalists. He also said the company intended to investigate the allegations regarding Pegasus and would terminate the contracts of clients in cases where it learned the tool had been misused.
“Every allegation about misuse of the system is concerning me,” he told The Washington Post. “It violates the trust that we give customers. We are investigating every allegation … and if we find that it is true, we will take strong action.”
NSO — the initials stand for the first names of three company founders, including Hulio — has said its products should be used only by its government clients to investigate terrorism or major crimes. NSO said in a transparency report last month that it had terminated five clients following investigations of misuse since 2016, including one case last year in which Pegasus was misused to “target a protected” individual.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list of numbers and shared it with the news organizations, which did further research and analysis to determine whom the numbers belonged to. Amnesty’s Security Lab conducted forensic analyses on smartphones obtained to find traces of attempted or successful hacks.
Before publication, NSO called the investigation’s findings exaggerated and baseless. The company said in statements last week that it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
On Sunday, Hulio was more conciliatory. “The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
Hulio said Sunday that NSO had suspended two clients in the past 12 months for human rights abuses.
The investigation has fueled tensions over the spyware in NSO’s home country. The Israeli government on Sunday released a statement following publication saying the country “does not have access to the information gathered by NSO’s clients.”
The head of Israel’s liberal Meretz party said Monday he would meet this week with the nation’s defense minister to discuss the spyware. The Israeli Defense Ministry must approve any Pegasus license to a government that wants to buy it.
European Commission President Ursula von der Leyen said Monday that if the investigation’s allegations are confirmed, they would be “completely unacceptable and against any kind of rules we have in the European Union” on press freedom.
“Free press is one of the core values of the European Union,” von der Leyen said at a news conference.
Hungary’s foreign minister, Peter Szijjarto, told reporters at a news conference Monday that he did not and does not “have any knowledge of this alleged data collection” and that he has asked the director of the Foreign Ministry’s information office to look into the matter.
Hungarian opposition lawmakers were calling for a parliamentary inquiry, although because Orban’s Fidesz party dominates the Hungarian legislature, it was unclear whether there would be the votes to do so.
“This is the Hungarian Watergate affair, and if Fidesz keeps quiet about it, it is an admission,” said Janos Stummer, a far-right opposition lawmaker who is the head of the parliament’s national security committee, in an interview with hvg.hu, a news outlet.
In France, a spokesman for the French government, Gabriel Attal, said Monday that the allegations, if confirmed, would be “extremely serious.” Speaking on France’s public broadcaster, Attal said the revelations will prompt official inquiries.
Among the list of over 50,000 phone numbers that were assessed during the investigation, more than 1,000 were French. The French online investigations site Mediapart said Monday that the revelations showed the publication “was spied on by Morocco.” The news site said it would file a complaint.
India’s home minister, in charge of national security, released a statement Monday that called the investigation “a report by the disrupters for the obstructers. Disrupters are global organizations which do not like India to progress.”
In the Indian Parliament, the information technology minister, whose number was on the phone list, called the report “sensationalism” and said the country has well-established procedures to ensure no unauthorized surveillance takes place. Neither addressed the question of whether the government had deployed Pegasus.
In India, the investigation found evidence of Pegasus infiltration in the phones of five journalists and a political adviser for opponents of Prime Minister Narendra Modi. Hundreds of Indian phone numbers were on the list, including that of the country’s main opposition leader, Rahul Gandhi.
Edward Snowden, the former National Security Agency contractor whose 2013 leak of highly classified documents sparked a global conversation about government spying, said on Twitter that the leak would be “the story of the year” and called for a “comprehensive moratorium” on sales of phone-hacking tools.
NSO, he added, “should bear direct, criminal liability for the deaths and detentions of those targeted by the digital infection vectors it sells, which have no legitimate use.”
The reports re-energized calls for stronger regulation of the digital surveillance tools that governments use to monitor the public. David Kaye, a United Nations expert on freedom of expression issues from 2014 to 2020, said Sunday that the “out-of-control spyware industry” should be placed under “a global moratorium” that would halt the sale and transfer of such technologies.
Will Cathcart, the head of WhatsApp, the Facebook-owned messaging service fighting NSO in court on allegations the company spied on 1,400 WhatsApp users, urged companies and governments on Sunday to “hold NSO Group accountable” for building spyware used to “commit horrible human rights abuses all around the world.”
“This is a wake up call for security on the internet,” he tweeted. “The mobile phone is the primary computer for billions of people. Governments and companies must do everything they can to make it as secure as possible. Our security and freedom depend on it.”
Madawi al-Rasheed, a prominent Saudi academic and dissident who lives in exile in London, said Sunday on Twitter that she was among those targeted for surveillance or hacking by the Saudi regime. Rasheed, a visiting professor at the London School of Economics Middle East Center and the author of a recent book on Crown Prince Mohammed bin Salman, is also co-founder of a Saudi exile opposition party that was launched last year.
“An axis of evil is developing in the Middle East to spy on activists and suffocate democracy-KSA, UAE and Israel,” she wrote in another Twitter message, referring to the Kingdom of Saudi Arabia and the United Arab Emirates. “All close allies and partners of the USA.”
Some inside NSO’s home country of Israel also questioned the potential users of such tools. One of Israel’s most prominent cyber investors, Erel Margalit, said his firm has drawn a red line when it comes to investing in cybersecurity, focusing only on defensive tools rather than offensive ones that are used to attack an adversary.
“It’s tricky,” said Margalit, the founder and executive chairman of the Israeli investment fund Jerusalem Venture Partners. “You know the people you are selling to, but you don’t know what your technology is used for; you know where it starts but you don’t know where it ends.”
— — —
The Washington Post’s Michael Birnbaum in Riga, Elizabeth Dwoskin in Jerusalem, Kareem Fahim in Istanbul, Niha Masih in New Delhi and Rick Noack in Paris contributed to this report.
— — —
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.