What To Know About The Spying Scandal Linked To Israeli Tech Firm NSO
Updated August 25, 2021 at 8:03 PM ET
JERUSALEM — Israel takes enormous pride in its high-tech industry. But one of its star cybersecurity companies, NSO Group, is at the center of an international spying scandal that has concerned U.S. officials, and the Israeli government plays a role.
The Pegasus Project, a consortium of international media outlets, says a leaked list of some 50,000 phone numbers showed that governments around the world sought NSO's cellphone hacking technology Pegasus to spy on people or mark them as potential targets, whether inside or beyond their own borders.
It says the phone numbers selected by governments for surveillance belong to a staggering array of potential targets, including political dissidents, human rights activists, 180 journalists in nearly two dozen countries, a Dubai princess escaping her father, the fiancée of slain Saudi journalist Jamal Khashoggi, and 14 heads of state, including French President Emmanuel Macron.
NSO, no stranger to controversy over its spyware, denies any connection to the list of phone numbers, and insists it sells its technology solely to governments to combat terrorism and serious crime. But outrage from France, questions from the U.S. and intensified global scrutiny on NSO has put the Israeli company — and the Israeli government, which vets the company's sales — on the defensive.
"Our concerns over this matter have been raised in meetings with senior Israeli officials," a senior U.S. official told NPR, speaking on condition of anonymity to discuss private diplomatic conversations.
Israeli defense officials announced an investigation and visited NSO's headquarters north of Tel Aviv, then briefed the French defense minister on its efforts. The company told NPR it temporarily suspended some governments' access to its software, declining to name the countries, as it looked into potential abuse. Multiple Israeli news outlets questioned NSO executives as the investigative reports were published last month.
"You didn't know about the software's very wide use against dozens of journalists in dozens of countries, to know what they are doing?" said anchor Ilana Dayan on Israeli Army Radio on July 22. "You didn't know that the ruler of Dubai used Pegasus to track his daughter and wife? ... You also didn't know that your software was installed in the phone of the fiancée of Saudi journalist Jamal Khashoggi, who was murdered by representatives of the regime in Riyadh? All that you didn't know?"
Those questions, critics of Israel's cyber-surveillance industry say, have largely elicited a collective shrug in a country whose economy, security and foreign relations lean heavily on the murky world of cyber espionage and arms exports. NSO has framed the reporting as an anti-Israel campaign, and a company employee argued it is the unpleasant reality that all governments spy.
"Intelligence is a f***ing s****y business," the employee told NPR, speaking on condition of anonymity because company policy states that NSO "will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign."
"Sacred cows" of the Israeli economy
NSO stands for the initials of its three founders, who quietly set up the company in 2010.
Israeli journalist Shay Aspril, who was the first to report about NSO in 2012 after the company's first sales to Mexico, warned its spyware could be used against journalists. His 2019 award-winning novel in Hebrew, The Judge, explores the dubious ethics of some Israeli high-tech fields, a reality he says many Israelis overlook.
"The defense industry and the high-tech industry are the two sacred cows of the Israeli economy. The Israeli public in general perceives those industries as creative, bold, profitable, qualities which most people in general tend to appreciate," Aspril told NPR.
The same week that the Pegasus Project's investigative reports about NSO were published, Israel hosted an annual cybersecurity conference in Tel Aviv. Prime Minister Naftali Bennett, a keynote speaker, made no mention of the NSO controversy but spoke about Israel's dominance in the global industry, fueled by military intelligence veterans who learn cybersecurity skills in the country's largely mandatory army service.
"Ultimately, they are thrown into the Israeli society at a young age with huge capabilities, and that is why we are seeing the boom, the high-tech boom," Bennett said.
Israeli tech advocates complain NSO has tarnished Israel's otherwise trusted cyber industry, which helps countries defend against threats. Israeli cybersecurity exports in 2020 were valued at $6.85 billion, according to Tel Aviv University. Palestinian advocates say Israel is a laboratory for spy technology, where young recruits in the military's most secretive intelligence units monitor Palestinians and others in the Middle East, then export their know-how to the private sector.
Whom to blame for the spying?
NSO says it has no control over who is spied upon, but that in recent years the company has tightened its protocols, choosing its clients more carefully and blocking governments from access to the spyware on five occasions. The company won't identify its clients, but The Washington Post reports the company stripped access from Saudi Arabia and Dubai in the United Arab Emirates in the past year.
"The ultimate responsibility is on the one who actually conducts the abuse," NSO general counsel Shmuel Sunray told NPR. "If there is a serious abuse of the human rights, a targeting of a journalist ... just for him per se being a journalist, we would just shut down the system."
The Israeli government passed a law in 2007 regulating the export of cyber technology. "Policy decisions take into account national security and strategic considerations," the Israeli Defense Ministry said in a statement. "In cases where exported items are used in violation of export licenses or end use certificates, appropriate measures are taken. Israel does not have access to the information gathered by NSO's clients."
The Pegasus Project reports NSO has sold its spyware to authoritarian governments and states with limited freedoms, including Hungary, Saudi Arabia and the United Arab Emirates, countries Israel has courted for closer ties, echoing Israel's decades-long history of selling arms to dictatorships to boost its foreign relations.
"NSO commercial interests and Israel's security and international interests were kind of blurred together," says Tehilla Shwartz Altshuler, a researcher at the independent Israel Democracy Institute. "What's bothering me is the fact that all this has been done very far from the public eye of the Israeli public."
In addition to the Defense Ministry investigation, a parliamentary committee said it would consider tighter export controls. Those reviews are taking place behind closed doors.
"Extraordinary audacity and contempt for human rights"
This month, a group of United Nations human rights experts called for a global moratorium on sales of surveillance technology, and demanded answers from NSO and Israel.
"Given the extraordinary audacity and contempt for human rights that such widespread surveillance shows, if the denial of collusion by the NSO Group is to have any credibility at all, the company must disclose whether or not it ever conducted any meaningful human rights due diligence," the experts said. "We also urge Israel, as the NSO Group's home country, to disclose fully what measures it took to review NSO export transactions in light of its own human rights obligations."
Cyberspying isn't just an Israeli phenomenon, and democracies should lay out global rules for regulating it, said David Kaye, former U.N. special rapporteur on freedom of opinion and expression. "It's possible that Israel could be part of the solution to the global problem of the spread of spyware," Kaye told NPR. "But because of its integration into government already, it may make it harder for Israel to move forward on this."
Tech companies against NSO
The most visible pressure against NSO is coming from the tech world. Amazon Web Services told Amnesty International, a partner of the Pegasus Project, it shut down NSO accounts. Before the latest revelations, Facebook-owned messaging app WhatsApp sued NSO for allegedly exploiting the app to infiltrate cellphones, with Google and Microsoft supporting the lawsuit.
Even some Israeli techies are speaking out. From the main stage at the cybersecurity conference in Tel Aviv, Israeli cybersecurity veteran Iftach Ian Amit — formerly hired by companies to hack into their systems, now dedicated to defending them — called on tech companies not to hire former employees of companies like NSO. Though that's been his own practice for years, it was the first time he made it a public call.
"Have a statement that says, 'I'm not going to work with anyone who ever operated in those shady industries.' It's going to cause a very simple supply chain effect. People wouldn't want to work there because they would know this is their last job in the industry," Amit said in a closing keynote address to the audience on July 21, the same day the Israeli prime minister addressed the conference.
In an interview with NPR, Amit said only a few tech leaders in Israel have joined his pledge. "There's an attempt to harp on the patriotic side of things," he said. "It's us versus them. So, you know, if you're not supporting us, you're against, you're anti-Israeli, which is preposterous, of course."
His own tipping point came 10 years ago when a Latin American government agency approached his former company. It revealed a real-world application of NSO's technology spying on a government official's phone, and asked him to develop a similar product. He quit the company soon after, but he believes many other Israeli spyware businesses, not just NSO, supply questionable regimes.
"I am 100% certain that they do have legitimate customers, that they do have work that ends up with putting the right people behind bars and finding them," Amit said. "But I think that there's been a tipping point where greed kind of took over and it was just unscrupulous. You're doing more harm, I think, than good."
Amit knows some former employees of NSO. They'll go out for drinks together. But he says they know he'll never agree to do business with them.
Copyright 2021 NPR. To see more, visit https://www.npr.org.