For over two years the stories have persisted. A nagging suspicion led to dogged investigation and then a revelatory expose hit the internet. The name of an infamous spyware trafficker and the tech savvy sleuths on its trail will be forever linked in the history of modern electronic surveillance. NSO Group. Pegasus. WhatsApp. Amnesty International. Citizen Lab. Apple. Last month the United States government added NSO Group and three other companies to the Entity List maintained by the Department of Commerce subjecting them to licencing requirements for the export, reexport and in-country transfer of technology products. Today a group of eighteen U.S. lawmakers entered the fray advocating that Global Magnitsky sanctions be imposed on four technology companies for enabling human rights violations by selling their surveillance technologies to authoritarian governments. The call came as the Biden administration moves to restrict the sale of hacking tools while making human rights a cornerstone of its cybersecurity policy.

1. Introduction

On December 15, 2021, the Group of Eighteen lawmakers sent a joint letter to Secretary Janet Yellen of the Department of the Treasury, and Secretary Antony Blinken of the Department of State, requesting that sanctions be imposed on NSO Group and three other foreign surveillance companies. The signatories, led by Ron Wyden (D-OR), Chairman of the Senate Committee on Finance, and Adam Schiff (D-CA), Chairman of the House Select Committee on Intelligence, specifically requested the implementation of Global Magnitsky sanctions for abuses “including the arrests, disappearance, torture and murder of human rights activists and journalists, such as Jamal Khashoggi, by selling powerful surveillance technology to authoritarian governments.” (here) The punitive sanctions could freeze bank accounts and ban travel to the United States.

The letter follows widespread media coverage of the notorious Pegasus spyware deployed on the electronic devices of State Department employees (here) that I discussed more broadly in previous posts to On The Wire. The story emerged in 2019 from suspicion of a WhatsApp attack by Pegasus software linked to NSO Group and eventually culminated in publication of the explosive Pegasus Project by Forbidden Stories and Amnesty International earlier this year. Amnesty’s forensic methodology was “independently validated” by Citizen Lab. (here and here) Last month, Apple initiated a lawsuit against NSO Group seeking damages and a permanent injunction restraining the company from deploying spyware on Apple devices. (here)

2. Surveillance Mercenaries

The Group of Eighteen seeks to have NSO Group and the other three surveillance companies, their executive officers and senior executives, added to the Specially Designated Nationals list published by the Office of Foreign Assets Control. “These surveillance mercenaries sold their services to authoritarian regimes with long records of human rights abuses, giving vast spying powers to tyrants,” Senator Wyden told Reuters. “Predictably, those nations used surveillance tools to lock up, torture and murder reporters and human rights advocates. The Biden administration has the chance to turn off the spigot of American dollars and help put them out of business for good.” (here) Here are the key extracts from the letter describing the four companies:

• DarkMatter, which according to an investigation by Reuters, hacked into the devices and accounts of human rights activists and journalists, including Americans, on behalf of the United Arab Emirates. According to cyber researchers at the Citizen Lab at the University of Toronto, several of the activists targeted by DarkMatter were subsequently arrested and imprisoned, or convicted in abstentia by the UAE Government.
• Nexa Technologies (formerly known as Amesys), which, according to an investigation by the French news organization Mediapart, sold bulk internet monitoring technology to the governments of Egypt and Libya, resulting in the arrest and torture of human rights activists who were identified via their intercepted electronic communications.
• NSO Group, which, according to investigations by the Citizen Lab and Amnesty International, provided hacking software to Saudi Arabia, the United Arab Emirates, Mexico, Morocco, Bahrain, and other governments, resulting in those countries hacking into the devices of journalists and human rights activists. These researchers revealed that U.S.-based journalist Jamal Khashoggi’s associate Omar Abdulaziz, as well as Khashoggi’s wife, finance, and son, were targeted with NSO’s software both before and after his murder.
• Trovicor, which provided bulk internet monitoring technology to Bahrain. According to Bloomberg, this was used to intercept communications of activists who were then jailed and tortured.

According to a report by Reuters, DarkMatter helped set up a UAE cyber espionage program targeting Americans that led to charges being filed by the U.S. Department of Justice against Marc Baier, Ryan Adamas and Daniel Gericke – three former U.S. intelligence and military operatives allegedly involved in the program. (here) Following publication of the letter, NSO Group maintained its posturing as only a purveyor of Pegasus “to governments authorized by the State of Israel, for the sole purpose of preventing terror and crime.” (here) Trovicor, in a public statement, said the claim that it “provided bulk internet monitoring technology” to Bahrain is “untrue” and the lawmakers likely “confused Trovicor with another company that has been mentioned in the press in the past.” Trovicor asked for a retraction. DarkMatter and Nexa Technologies had not responded at the time of posting.

3. Magnitsky Sanctions

Sergei Magnitsky was a Russian tax accountant. In 2009, he was tortured, denied medical attention and found dead in Matrosskaya Tishina detention facility in Moscow. He was targeted by Russian authorities for his role in exposing a $230 million tax fraud scheme allegedly involving high-level government officials. The tag name “Magnitsky legislation” is often used to describe laws that provide for government sanctions against foreign individuals. On December 23, 2016, the Global Magnitsky Human Rights Accountability Act was signed by President Barack Obama building on a predecessor Russia-focused statute. (here) Described by Human Rights Watch as “an important step for global accountability” (here) the new statute allows for the executive branch to impose visa bans and block all U.S.-based property and interests in property of foreign persons who:

1. have engaged in extrajudicial killings, torture, or other gross violations of internationally recognized human rights against individuals who either seek “to expose illegal activity carried out by government officials” or “to obtain, exercise, defend, or promote internationally recognized human rights and freedoms, such as the freedoms of religion, expression, association, and assembly, and the rights to a fair trial and democratic elections;” or,
2. government officials or senior associates of such officials who are engaged in or responsible for acts of significant corruption. Individuals who have acted as agents of or on behalf of human rights abusers or who have materially assisted corrupt officials can also be sanctioned.

On December 20, 2017, Executive Order 13818 was signed by President Donald Trump titled Blocking the Property of Persons Involved in Serious Human Rights Abuse or Corruption. The Executive Order broadened the scope of the statute by changing the requirement of gross violations of internationally recognized human rights to serious human rights abuse, and changing acts of significant corruption to corruption. The Executive Order also eliminated the requirement that the facilitation or transfer of the proceeds of corruption only apply to transfers to foreign jurisdictions.

The Canadian version of Magnitsky legislation is the Justice for Victims of Corrupt Foreign Officials Act (Sergei Magnitsky Law) that received Royal Assent on October 18, 2017. (here) The statute empowers the Governor in Council to make orders or regulations for the seizure of a foreign national’s property in Canada where:

1. a foreign national is responsible for, or complicit in, extrajudicial killings, torture or other gross violations of internationally recognized human rights committed against individuals in any foreign state who seek: (a) to expose illegal activity carried out by foreign public officials; or, (b) to obtain, exercise, defend or promote internationally recognized human rights and freedoms, […];
2. a foreign national acts as an agent of or on behalf of a foreign state in a matter relating to these activities;
3. a foreign national, who is a foreign public official or an associate of such an official, is responsible for or complicit in ordering, controlling or otherwise directing acts of corruption; or,
4. a foreign national has materially assisted, sponsored, or provided financial, material or technological support for, or goods or services in support of, an act of corruption.

Although it has been criticized for inadequately utilizing the Magnitsky law, the Canadian government has imposed sanctions against various foreign nationals including President Nicolas Maduro and nineteen other Venezuelan officials “for gross violations of internationally recognized human rights” (here), Major General Maung Maung Soe for playing a “significant role” in human rights abuses committed by the Myanmar regime against the ethnic Rohingya population (here), and seventeen Saudi nationals believed to be responsible for or complicit in the extrajudicial killing of Washington Post columnist Jamal Khashoggi. (here)

4. Conclusion

On November 3, 2021, the Biden administration added NSO Group and Candiru (Israel) to the Entity List maintained by the United States Department of Commerce that I discussed in my last post. (here) The sanction was implemented because they “developed and supplied spyware” to foreign governments enabling them to “conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent.” (here) Positive Technologies (Russia) and Computer Security Initiative Consultancy (Singapore) were also added to the list “based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.” The action was taken as part of the administration’s efforts “to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.” In an article earlier today for the British technology site, The Register, journalist Thomas Claburn said the application of Global Magnitsky sanctions would be more severe than the consequences flowing from placement on the Entity List. “[I]t could put those targeted right out of business,” he concluded. (here) Mr. Claburn may be right if the early reports of financial repercussions sustained by NSO Group are accurate.