[Salon] Isreali spyware firm NSO Pegasus

[Chas Freeman <cwfresidence@gmail.com>]

https://www.hrw.org/news/2021/11/08/spyware-used-hack-palestinian-rights-defenders

For Immediate Release

Spyware Used to Hack Palestinian Rights Defenders
Groups Condemn Use of NSO Group’s Pegasus Against Palestinians

(New York, November 8, 2021) – The following statement condemning the use of Pegasus spyware against six Palestinian human rights defenders was issued today by seven human rights organizations, including Human Rights Watch:

We, the undersigned human rights organizations, condemn the hacking of six Palestinian human rights defenders with NSO Group’s Pegasus spyware, as uncovered by the Front Line Defenders (FLD) and confirmed by the Citizen Lab and Amnesty International. This attack is part of a broader assault on Palestinian civil society, and it raises serious questions about whether Israeli authorities were involved in the targeting. Three of the targeted human rights defenders come from prominent Palestinian civil society groups that Israeli authorities recently designated as “terrorist organizations.”

The Investigation

In October 2021, Front Line Defenders began collecting data on suspected hacking of the devices belonging to several Palestinians working for civil society organizations based in the West Bank. Their analysis indicated that six of the analyzed devices were hacked using Pegasus. Both the Citizen Lab and Amnesty International’s Security Lab independently confirmed FLD’s analysis.

Pegasus, developed by Israel-based company NSO group, is surreptitiously introduced on people’s mobile phones. It turns an infected device into a portable surveillance tool by gaining access to the phone’s camera, microphone, and text messages, enabling surveillance of the person targeted and their contacts.

NSO Group responded to reports of Pegasus being used to target Palestinian human rights defenders by saying that “[d]ue to contractual and national security considerations, [it] cannot confirm or deny the identity of our government customers.” It also reiterated its past statements that “NSO Group does not operate the products itself; the company license approved government agencies to do so, and we are not privy to the details of individuals monitored,” and that “NSO Group develops critical technologies for the use of law enforcement and intelligence agencies around the world to defend the public from serious crime and terror. These technologies are vital for governments in the face of platforms used by criminals and terrorists to communicate uninterrupted.”

NSO Group did not respond to Human Rights Watch’s request for comment at the time of this publication.

Terrorist Designations of Palestinian Organizations

Three of the six people whose devices were hacked work at the Palestinian civil society groups that the Israeli government designated on October 19 as “terrorist organizations” under its Counter-Terrorism Law of 2016, but they were targeted before Israel’s designation. The people hacked include Ghassan Halaika, a field researcher and human rights defender working for Al-Haq; Ubai Al-Aboudi, the executive director of Bisan Center for Research and Development; Salah Hammouri, a lawyer and field researcher at Addameer Prisoner Support and Human Rights Association, based in Jerusalem, in addition to three other human rights defenders who wish to remain anonymous. Two of the people targeted are dual nationals – one French, the other American.

Israel’s decision to designate the organizations as “terrorist” has drawn widespread international condemnation and criticism including from Sweden’s Minister of International Development Cooperation and Humanitarian Affairs, the High Representative of the EU for Foreign Affairs and Security Policy, Ireland’s Minister of Foreign Affairs and Minister of Defense, the French Ministry of Foreign Affairs, the EU Special Representative for Human Rights, US Congressional representatives, United Nations experts such as the UN High Commissioner for Human Rights and the UN Special Rapporteur for Freedom of Association, and international groups including Amnesty International and Human Rights Watch.

The UN High Commissioner for Human Rights, Michelle Bachelet, said that the designations were “arbitrary” and “contravene the right to freedom of association of the individuals affected and more broadly have a chilling effect on human rights defenders and civic space.”

A group of 17 UN experts, in a separate statement, concluded that the designations were a “frontal attack on the Palestinian human rights movement, and on human rights everywhere.” As stated, the designations would “effectively ban the work of these human rights defenders, and allow the Israeli military to arrest their staff, shutter their offices, confiscate their assets and prohibit their activities and human rights work.”

Surveillance of Palestinian Human Rights Defenders Violates Their Human Rights

Surveillance of Palestinian human rights defenders violates their right to privacy, undermines their freedom of _expression_ and association, and threatens their personal security and lives. It not only affects those directly targeted, but also has a chilling effect on advocates or journalists who may self-censor out of fear of potential surveillance.

Information obtained through arbitrary surveillance can be used to prosecute, monitor, harass, or detain human rights defenders, dissidents, and others who challenge authorities or dare to stand up to those in power. Both Al-Aboudi and Hammouri have been arbitrarily detained by the Israeli authorities and placed in administrative detention, a practice routinely used by Israeli authorities to imprison Palestinians without trial or charge based on undisclosed secret evidence. On October 18, a day before the designations, the Israeli interior minister revoked Hammouri’s residency status for “breach of allegiance to the State of Israel,” a move to effectively exile him from his home city, despite the international humanitarian law prohibition on an occupying power compelling people under occupation to pledge loyalty or allegiance to it.

The targeted organizations have also been subject to previous harassment by the Israeli authorities, including intimidation, arbitrary detention of staff, travel bans, office raids, and confiscation of equipment. The Israeli government has also applied some of these tactics to Israeli and international human rights advocates.

This targeting of human rights defenders with Pegasus provides further evidence of a pattern of human rights abuses facilitated by NSO Group through spyware sales to governments that use the technology to prosecute civil society and social movements in many countries around the world. Furthermore, these abuses underscore how NSO Group’s Human Rights Policy fails to prevent and mitigate human rights abuse in a meaningful way.

Call for Action

From the first revelations by the Citizen Lab in 2016 of NSO’s technology being used against the UAE dissident Ahmed Mansoor, to the recent Pegasus Project revelations by Amnesty International and Forbidden Stories, civil society has been calling for accountability for NSO Group and governments that use its technology and services.

Today, we, the undersigned organizations:  

• Reiterate our calls on states to implement an immediate moratorium on the sale, transfer, and use of surveillance technology until adequate human rights safeguards are in place, and  
• Press UN experts to take urgent action to denounce human rights violations by states facilitated by the use of the NSO Group’s Pegasus spyware and to provide immediate, robust support for impartial and transparent inquiries into the abuses.
  
   
  
  The November 3 decision by the US Department of Commerce to add NSO Group to its trade restriction list (Entity List), for “acting contrary to the foreign policy and national security interests of the United States” is a positive step. The Commerce Department cited the use of NSO Group tools by foreign government clients to “maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers” and to enable “foreign governments to conduct transnational repression” by “targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent.” 
  
  NSO Group said it was “dismayed by the decision” and will press to reverse it.
  
  We encourage other states to impose similar restrictions to prohibit the export, sale, and in-country transfer of NSO Group technologies, as well as the provision of services that support NSO Group's products.
  
  Signatory Organizations 

• Access Now  
• Human Rights Watch  
• Masaar - Technology and Law Community 
• Red Line for Gulf 
• 7amleh- The Arab Center for the Advancement of Social Media  
• SMEX 
• INSM Network for Digital Rights- Iraq 

For more Human Rights Watch reporting on Israel and Palestine, please visit:
https://www.hrw.org/middle-east/n-africa/israel/palestine

For more Human Rights Watch reporting on technology and rights, please visit:
https://www.hrw.org/topic/technology-and-rights

For more information, please contact:
In New York, Deborah Brown (English): +1-347-920-8978; or brownd@hrw.org. Twitter: @deblebrown
In Amman, Omar Shakir (English, Arabic): +1-646-725-8650; or +970-59-850-4903 (mobile); or shakiro@hrw.org. Twitter: @omarsshakir
In Washington, DC, Eric Goldstein (English, French): +1-917-519-4736 (mobile); or goldstr@hrw.org. Twitter: @goldsteinricky

============================================================================================================

Cambridge University halts £400m deal with UAE over Pegasus spyware claims

Exclusive: UK institution was in line for huge donation but has paused talks due to concerns Gulf state used hacking software

Richard Adams, Georgia Goble and Nick Bartlett

Thu 14 Oct 2021 15.44 EDT

Last modified on Fri 15 Oct 2021 07.28 EDT

The University of Cambridge has broken off talks with the United Arab Emirates over a record £400m collaboration after claims about the Gulf state’s use of controversial Pegasus hacking software, the university’s vice-chancellor has said.

The proposed deal, hailed by the university in July as a “potential strategic partnership … helping to solve some of the greatest challenges facing our planet” – would have included the largest donation of its kind in the university’s history, spanning a decade and involving direct investment from the UAE of more than £310m.

But Stephen Toope, Cambridge’s outgoing vice-chancellor, said in an interview that no meetings or conversations with UAE were now taking place after revelations related to Pegasus, software that can hack into and secretly take control of a mobile phone.

A university spokesperson said it had approached the UAE and other partnerships “with an open mind” and “these are always finely balanced assessments”, adding: “We will be reflecting over the next few months before further evaluating our long term options with our partners and with the university community.”

The Guardian’s Pegasus Project revealed a leak of more than 50,000 phone numbers that, it is believed, were linked to people of interest to clients of NSO Group, the Israeli company behind Pegasus. The principal government responsible for selecting hundreds of UK numbers appeared to be the UAE, the Guardian found.

“There were further revelations about Pegasus that really caused us to decide that it’s not the right time to be pursuing these kinds of really ambitious plans with the UAE,” Toope told the Varsity student newspaper.

Asked if he would consider pursuing the deal in the future, Toope said: “No one’s going to be rushing into this. There will be no secret arrangements being made. I think we’re going to have to have a robust discussion at some point in the future. Or we may determine that it’s not worth raising again. I honestly don’t know.”

Toope said he had not met the UAE’s ruling prince and was not holding meetings with anyone from the state. “There are existing relationships across the university on a departmental and individual academic level but there are no conversations about a big project,” he said. “We’re aware of the risks in dealing with many states around the world but we think it’s worth having the conversation.”

News of the potential collaboration, with documents seen by the Guardian detailing “joint UAE and University of Cambridge branding” and new institutes based in the Gulf state, caused an outcry over the prospect of financial ties with a monarchy notorious for alleged human rights abuses, few democratic institutions and hostility towards the rights of women as well as those of LGBTQ+ people.

Talks over the partnership were supported by the university’s internal bodies, despite concerns. But Toope’s remarks suggest that it was the UAE’s alleged use of the controversial hacking software that was responsible for ending the talks.

In July, shortly after the Cambridge-UAE partnership was announced, the Pegasus Project revealed that more than 400 UK mobile phone numbers appeared in a leaked list of numbers identified by government clients of NSO between 2017 and 2019. The UAE was identified as one of 40 countries that had access to Pegasus, and the principal country linked to the UK numbers.

The Cambridge-UAE project was to have included a joint innovation institute and a plan to improve and overhaul the emirates education system, as well as work on climate change and energy transition. “Are those important enough things to think that we might be able to mitigate the risks? The answer is: I don’t know quite frankly,” said Toope, who is to step down at the end of the academic year.

Dubai, the emirate city ruled by Sheikh Mohammed bin Rashid al-Maktoum, is also believed to have been an NSO client. The phones of Sheikh Mohammed’s daughter Princess Latifa and his ex-wife Princess Haya, who fled the country and came to the UK in 2019, both appeared in the data.

Last week a high court judge ruled that Sheikh Mohammed hacked the phone of Princess Haya using Pegasus spyware in an unlawful abuse of power and trust.

Dubai did not respond to a Guardian request for comment on the Pegasus Project at the time. Sheikh Mohammed did not respond, although it is understood he denies attempting to hack the phones of Latifa or her friends or associates, or ordering others to do so.

In multiple statements, NSO said that the fact that a number appeared on the leaked list was in no way indicative of whether a number was targeted for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO Group in any way.”

A university spokesperson said: “The University of Cambridge has numerous partnerships with governments and organisations around the world. It approached the UAE as it does all potential partnerships: with an open mind, and rigorously weighing the opportunities to contribute to society – through collaborative research, education and innovation – against any challenges.”

 

Israeli Cyber Firm NSO Group Blacklisted by U.S. Amid Phone Hacking Allegations

Commerce Department action will block trade with U.S. firms and could interrupt foreign contracts

The Israeli government tightly controls the export of NSO Group’s software as defense technology.

Photo: AMIR COHEN/REUTERS

By Dustin Volz, Byron Tau and Robert McMillan

Updated Nov. 3, 2021 3:29 pm ET

WASHINGTON—The Biden administration on Wednesday placed Israeli cybersecurity company NSO Group on an export prohibition list that will restrict the firm from obtaining some types of technology from the U.S.

NSO Group was placed on an “entity list” by the Commerce Department, which said the firm had been acting “contrary to the foreign policy and national security interests of the United States.”

The Commerce Department also placed three other similar vendors—based in Israel, Russia and Singapore—on the entity list. The move came after an interagency panel composed of the departments of Defense, State, Energy, Treasury and Commerce determined that the conduct of the companies warranted inclusion on the list.

The designation will block exports from the U.S. to NSO Group of both hardware and software without a Commerce Department license, and could make it more difficult for the company to seek contracts with international customers. The department said it would review any future license applications with a “presumption of denial” but retains discretion to grant them in some circumstances.

The Israeli government also tightly controls the export of NSO Group’s software as defense technology and NSO Group operates under Israeli export law—but the U.S. designation would bar the company from working with U.S. cybersecurity vendors and researchers to obtain the kind of security vulnerabilities it relies on to power its intrusion software without a waiver from the Commerce Department.

A recent series of articles published by a global consortium of journalism organizations alleged that one of NSO Group’s main software intrusion tools, known as Pegasus, has been used by dozens of law-enforcement and intelligence customers around the world to target and break into cellphones belonging to politicians, human-rights activists and journalists.

NSO Group has generally denied the reports, and said a list of phone numbers said to include targets of Pegasus spyware used in the reporting is inaccurate.

“NSO Group is dismayed by the decision given that our technologies support U.S. national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed,” an NSO Group spokesman said in a statement Wednesday on the designation.

NSO Group said it has terminated contracts with numerous governments that have abused its software and put in place compliance and human-rights programs to deter future abuse.

Echoing the findings of recent news reports, the Commerce Department’s new rule said NSO Group “developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

The State Department said the designation against NSO Group and other vendors reflects the Biden administration’s commitment to human rights as part of U.S. foreign policy and its goal of halting “the proliferation and misuse of digital tools used for repression.”

The move underscores a widening rift between the Biden administration and the current Israeli government. Last week, the State Department said it opposed Israel’s approval of more than 3,000 settlement homes in the West Bank, the first move to expand settlements under the current government, which is made up of right-wing and leftist parties as well as an Arab political faction.

Last month, the U.S. also said it wanted an explanation from Israel of the government’s decision to designate six nongovernmental human-rights organizations working in the West Bank as terrorist organizations.

Israel’s tech sector, the biggest driver of the country’s economy, has longstanding links with the country’s military and defense sector. A spokesman for the Israeli prime minister’s office didn’t respond to questions for comment.

NSO Group has been under fire for years by privacy advocates who have said it and firms like it sell high-powered hacking tools to governments with poor track records on human rights. The firm sells cybersecurity tools that can be used to remotely extract data from devices like phones and computers.

Such software—built on vulnerabilities in consumer technology made by companies like Apple Inc., Microsoft Corp. and Alphabet Inc.’s Google—is valuable for intelligence and espionage and is widely used by governments around the world.

Sophisticated governments such as the U.S. and Israel have robust government-run cyber intrusion programs and capabilities. Other governments rely on private vendors—often staffed by retired intelligence officers—for their capabilities. NSO Group doesn’t comment on its customers, but The Wall Street Journal has reported it has provided capabilities to governments in the Middle East, Mexico and India.

The Trump administration used entity list designations against Huawei Technologies Co. and other firms, but it is more uncommon for firms based in countries that are allied with the U.S. to be added.

The new designation appears to represent a split between the Biden administration and the Israeli government over the propriety of exporting intrusion software to certain countries and for certain purposes.

Wednesday’s action is the latest effort by U.S. authorities to try to control a largely ungoverned international marketplace for hacking tools that often sees American technology and expertise wind up in the hands of foreign governments. The Biden administration also recently charged three former U.S. intelligence officers with unlawfully providing similar intrusion services to the government of the United Arab Emirates. They paid a $1.68 million fine and agreed not to work on future offensive cybersecurity operations as part of an agreement to resolve the criminal charges.

Facebook in 2019 brought a lawsuit against NSO Group, alleging the company’s spyware infected the phones of some users after it was delivered through the WhatsApp messaging platform. The lawsuit is ongoing, and NSO Group has disputed the allegations. Carl Woog, a WhatsApp spokesman, said Wednesday the company was grateful for the entity listing and that it hoped other nations take similar steps to protect private conversations online.

NSO Group is best known as a maker of surveillance software, but in recent months, the company has increasingly billed itself as a maker of defensive cybersecurity products. Wednesday’s Commerce designation could complicate that effort, said John Scott-Railton, a researcher with the Citizen Lab, an academic research group that studies state-sponsored cyber espionage.

“This is bound to have a chilling effect on NSO’s futures in the eyes of investors,” said Mr. Scott-Railton, long a critic of the company. “This is a huge long-term blow for the kind of confidence that third parties are going to have in NSO and it’s also the clearest signal we have about what the US government thinks of what NSO is doing.”

He added: “NSO has had months of crisis, following the revelations from the Pegasus project and other big reports. This latest case makes it clear that the company is not only out of the woods but that their fortunes are very much less certain than they’d like investors to believe.”

—Thomas Grove contributed to this article.