Has NSO phone hacking co. finally gone transparent?
NSO Group on Wednesday night made its strongest effort yet to address criticism that its Pegasus software for hacking cell phones has been used to hack and oppress human rights activists in its client-countries.
While the company highlights its successes in blocking ISIS
terror attacks and cracking drug and pornography rings in Europe, Africa and
the Australia-Pacific regions, critics have said its software has been used to
abuse human rights in Mexico, Morocco and elsewhere.
In December 2019, NSO revealed to The Jerusalem Post that it
had canceled contracts with three clients at a loss of NIS 250 million.
In the report released on Wednesday, NSO updates those
numbers to five clients since 2016 at a loss of $100m. or NIS 330m.
The report also discloses that in 2020, “NSO conducted 12
product misuse investigations and preliminary reviews, all but one following
reports from external whistleblowers or media and NGO reports.”
In 2020, “out of the twelve reports raised through our external
and internal whistle-blowing processes: • NSO conducted five investigations
into product misuse on four continents, with the guidance of external
advisors.”
Next, NSO said, “Of the five: • One case resulted in
termination of NSO’s relationship with the End Customer. • Two resulted in the
required implementation of additional mitigation measures. • Two are still
being reviewed.”
“For the remaining seven reports, following our preliminary
review, we could not identify sufficient information to conduct investigations
despite our efforts or the report clearly was not related to the use of our
system,” said NSO.
Next, NSO said that it has an advisory board which has
vetoed doing business with 55 of the world’s more than 190 countries.
The advisory board has three NSO senior officials and two
Novalpina Capital (its main investor-partner) senior officials.
One of the NSO officials is General Counsel Shmuel Sunray
who has significant prior legal and security establishment credentials.
The rules of the board potentially allow the Novalpina
investors or Sunray to veto or slow certain deals.
There are also a range of senior legal experts who Sunray
consults who have serious backgrounds in civil society issues.
In addition, “From May 2020 through April 2021, approximately
15% of potential new opportunities for Pegasus were rejected because of human
rights concerns that could not be resolved.”
“In certain instances, in high-risk regions, NSO has either
rejected certain opportunities (e.g., in Asia-Pacific and the Middle East) or
deferred opportunities (e.g., Africa),” said the report.
In terms of what NSO says it has in its contracts – and it
shared several contract provisions – and its due diligence procedures and human
rights training for employees, it checks the boxes which human rights experts
would want.
The question is what all of the above facts mean underneath,
something which NSO itself admits it cannot or will not fully answer.
For example, NSO stated, “But we are aware that due
diligence, and even strong contractual provisions, are no guarantee that our
products in every instance will be used consistently with responsible business
conduct.”
“Those concerns are heightened because we are unable to
monitor immediate use, and have not yet determined whether there could be a
technological solution to prevent customers from targeting vulnerable
populations,” said the report.
It is unclear what steps NSO has taken to see if it can
better track how its clients might abuse its technology.
Considering that criticism of NSO has lasted some years, if
NSO is suggesting that tracking its clients’ potential abuse is possible, a
better understanding of the status of this project could be crucial to judging
NSO’s overall efforts.
Also, NSO does not name a single bad-actor client, leaving
no way for anyone else besides the Israeli Defense Ministry, Bulgaria and
Cyprus (the three countries from which NSO exports) to perform oversight or
check its data.
Moreover, NSO said, “a number of inherent challenges remain
given the nature of our customers. Because of the strict confidentiality
requirements of our customers, we are unable to provide actual or alleged
victims with information about adverse impacts or implemented remediation, or
even acknowledge relationships with specific customers.”
“Even where we identify product misuse, we cannot breach
these confidentiality requirements. While we cooperate with states to try to
ensure that when abuses occur within their jurisdictions those affected have
access to effective remedy, the confidentiality restrictions limit our ability
to do much more,” said NSO.
Other interesting statistics include NSO’s detailing that it
has: 60 customers in 40 countries with a breakdown of 51% intelligence
agencies, 38% law enforcement and 11% military customers.
Comments
Post a Comment