Researchers from the University of Toronto's outstanding Citizen Lab (previously) have published their latest research on the notorious and prolific Israeli cyber-arms-dealer The NSO Group (previously), one of the world's go-to suppliers for tools used by despots to spy on dissidents and opposition figures, often as a prelude to their imprisonment, torture and murder.
In today's report, HIDE AND SEEK, Citizen Lab's researchers identify traces of NSO surveillance technology in use in 45 countries — though some of these may be countries where victims of NSO surveillance have traveled to after being infected in another country.
Included in the list of countries where NSO software is operated are some of the world's most notorious autocracies, states where governments have shameful human rights records. The evidence suggests that NSO has customers in states where trade with Israeli companies is banned, like Bahrain and the UAE.
On 17 September 2018, we then received a public statement from NSO Group. The statement mentions that "the list of countries in which NSO is alleged to operate is simply inaccurate. NSO does not operate in many of the countries listed." This statement is a misunderstanding of our investigation: the list in our report is of suspected locations of NSO infections, it is not a list of suspected NSO customers. As we describe in Section 3, we observed DNS cache hits from what appear to be 33 distinct operators, some of whom appeared to be conducting operations in multiple countries. Thus, our list of 45 countries necessarily includes countries that are not NSO Group customers. We describe additional limitations of our method in Section 4, including factors such as VPNs and satellite connections, which can cause targets to appear in other countries.
The NSO statement also claims the "NSO's Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use." We have seen no public details concerning the membership or deliberations of this committee but encourage NSO Group to disclose them. NSO's statements about a Business Ethics Committee recall the example of Hacking Team's "outside panel of technical experts and legal advisors … that reviews potential sales." This "outside panel" appears to have been a single law firm, whose recommendations Hacking Team did not always follow.
The continued supply of services to countries with problematic human rights track records and where highly-publicized abuses of spyware have occurred raise serious doubts about the effectiveness of this internal mechanism, if it exists at all.
Tracking NSO Group's Pegasus Spyware to Operations in 45 Countries [Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert/Citizen Lab]
Cyber Sleuths Find Traces of Infamous iPhone and Android Spyware 'Pegasus' in 45 Countries [Lorenzo Franceschi-Bicchierai/Motherboard]