The technology company NSO Group has been called everything from a cybersurveillance weapons dealer to an amoral 21st century mercenary. And the labels are sticking. Human rights experts at the United Nations have called for a global moratorium on the sale and transfer of surveillance technology until regulations are in place that guarantee its use in compliance with international human rights standards. That call came four months ago against the backdrop of a report by Forbidden Stories and Amnesty International that Pegasus spyware developed by NSO Group had been used to target journalists, activists and heads of state. It is still echoing as the pressure on the notorious spyware trafficker ratcheted up this month.

1. Introduction

NSO Group Technologies Limited is an Israeli company known for its Pegasus spyware, capable of remote zero-click surveillance of smartphones, that I discussed in previous posts to On The Wire. (here and here) On July 18, 2021, Forbidden Stories and Amnesty International exposed the widespread surveillance of the mobile devices of hundreds of journalists, human rights defenders and political leaders who were targeted by Pegasus. Forbidden Stories and Amnesty International requested that Citizen Lab of the Munk School of Global Affairs and Public Policy, at the University of Toronto, undertake an independent peer review of a sample of their forensic evidence and general methodology. In a post to its web site, Citizen Lab reported that it “independently validated” Amnesty’s forensic methodology.

The heat on the beleaguered company intensified this month with two significant developments. On November 3, 2021, the U.S. government added the firm to the Entity List maintained by the Department of Commerce blacklisting it from receiving American technologies. The move came after a determination that Pegasus was used by foreign governments to target journalists and government officials worldwide. It is a significant sanction following publication of the Pegasus Project by the Forbidden Stories consortium. Then, on November 23, 2021, Apple Inc. initiated a lawsuit against NSO Group and its parent Q Cyber Technologies in a bid to hold them accountable for the surveillance and targeting of Apple users.

2. The Entity List

The Entity List is a trade restriction tool maintained by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. Listed entities are subject to U.S. licence requirements for the export, reexport and in-country transfer of specified items such as U.S. technology products. On November 3, 2021, BIS issued a ruling adding four foreign companies to the list for engaging in activities contrary to the national security or foreign policy interests of the United States. NSO Group was one of the four companies put on the list.

The Department of Commerce stated in a press release that NSO Group was listed for two reasons. First, there is “investigative information” that the Israeli company developed and supplied spyware to foreign governments that used the technology to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers. Second, the spyware has enabled authoritarian governments to target journalists and activists outside their borders for the purpose of silencing dissent. (here)

In conversation with The Washington Post, former United Nations special rapporteur, David Kaye, said that NSO Group could not have operated without the “knowledge and toleration” of the Israeli government. However, U.S. State Department spokesman, Ned Price, emphasized that the action was not being taken against the Israeli government. Mr. Price encouraged further discussions with the government of Israel to ensure that mercenary spyware is not used to target journalists and human rights defenders. Professor Ron Deibert of Citizen Lab described the entity listing as a “very positive first step to bringing some public accountability and order to this otherwise poorly regulated marketplace.” (here)

In a post to Lawfare titled Recent Additions to Entity List Part of Broader U.S. Effort Targeting Spyware dated November 29, 2021, Charles Capito, Brandon L. Van Grack and Logan Wren argued that the new additions to the Entity List reflect accelerated efforts by the U.S. government to target companies and individuals that provide offensive cyber tools for uses that violate human rights. The listings also demonstrate the willingness of the United States to adapt existing national security tools to confront new priorities “treating intelligence collection operations as a potential national security threat.” (here)

3. The Apple Lawsuit

On November 23, 2021, Apple filed a lawsuit in the United States District Court, Northern District of California (San Jose Division), styled as Apple Inc. v. NSO Group Technologies Limited and Q Cyber Technologies Limited (here) seeking damages and a permanent injunction restraining the defendants from using spyware on Apple devices. Here are three key extracts from the allegations contained in the Complaint and Demand for Jury Trial:

• Defendants are notorious hackers – amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens. (para. 2)
• NSO admits that its destructive products have led to violations of “fundamental human rights,” which have been widely recognized and condemned by human rights groups and governments, including the U.S. Government. To ensure that their products can be used by others to maximum effect, NSO reportedly provides ongoing technical support and other services to their clients as they deploy NSO’s spyware against Apple’s products and users, including journalists, human rights activists, dissidents, public officials, and others. Most recently, the Guardian reported that six Palestinian human rights defenders – one of whom is also a U.S. citizen – were attacked and surveilled using NSO’s spyware. Although NSO claims that its spyware “cannot be used to conduct cybersurveillance within the United States,” U.S. citizens have been surveilled by NSO’s spyware on mobile devices that can and do cross international borders. (para. 12)
• Defendants seek to operate with impunity by hiding behind their unnamed customers. Indeed, in response to another lawsuit brought against NSO and Q Cyber by other victims of their attacks, NSO and Q Cyber argued that they should enjoy some form of “sovereign immunity” based on the status of the governments to whom they claim they sell their products and services. But as the Ninth Circuit recently held, NSO and Q Cyber are not sovereigns and are not entitled to sovereign immunity. See WhatsApp, Inc. v. NSO Group Technologies Ltd., […] (9th Cir. Nov. 8, 2021). (para. 14)

Apple retains ownership of its operating system software (iOS) under its Software License Agreements. It therefore asserts standing because the defendants “intentionally accessed and attempted to access” the operating system on users’ devices “without authorization”. Apple further claims that the defendants “knowingly and with the intent to defraud” accessed the operating system on users’ devices using information from Apple’s servers and then installed the Pegasus spyware. Apple has therefore been forced “to engage in a continual arms race” as the defendants update their malware to counter Apple’s security upgrades. (paras. 60, 66-7, 70)

4. The Initial Fallout

Apple is not the first tech giant to bring legal action against NSO Group. The spyware hawker was sued in 2019 by WhatsApp following allegations that Pegasus was deployed to target 1,400 of its users including diplomats, journalists and activists. It has also faced legal action or criticism by Microsoft, Meta Platforms, Alphabet and Cisco Systems. (here) The WhatsApp litigation was cited  in the extracts from the Apple complaint I referenced above. Following the WhatsApp case, the blacklisting on the Entity List and now the Apple lawsuit, NSO’s persistent white hat claim that its spyware saves “[t]housands of lives” by providing government with the tools to hunt down “pedophiles and terrorists” is waning in credibility. (here)

On November 23, 2021, Stephanie Kirchgaessner, U.S. investigations correspondent for The Guardian, reported that Moody’s Investors Service announced that NSO was facing increasing risk of defaulting on about $500m of debt after the Biden administration placed it on the Entity List. Some digital rights experts have suggested the Apple lawsuit threatens NSO’s survival. “NSO is now poison,” said Professor Deibert. “No one in their right mind will want to touch that company. But it’s not just one company. This is an industrywide problem.” (here) Apple has announced that it will contribute $10m, as well as any damages from the lawsuit, to organizations pursuing cybersurveillance research and advocacy. (here)

5. Conclusion

Apple’s senior director of commercial litigation, Heather Grenier, described the actions of NSO Group as a “flagrant violation of our terms of service” in a statement to The New York Times. “This is our stake in the ground, to send a clear signal that we are not going to allow this type of abuse of our users,” she added. (here) But that really begs the question, doesn’t it? Even if the lawsuit achieves a degree of accountability, will this kind of “stake in the ground” be an effective deterrent? In a piece titled Notorious Pegasus spyware faces its day of reckoning published in The Guardian edition of November 27, 2021, Professor John Naughton of the University of Cambridge said that Pegasus is classified as a “munition” requiring approval of the Israeli government before it can be sold to foreign customers. (here) It is not a consumer product. And there’s money in play. In 2016 NSO Group was apparently charging government agencies $650,000 for the capacity to spy on ten iPhone users on top of a $500,000 setup fee. “[E]ven if NSO now slides into insolvency, Pegasus will not disappear, because there are plenty of non-democratic customers for its capabilities,” Professor Naughton concluded.