The NSO Group has been in the headlines for months now. Since the report in recent weeks about the Israel Police also obtaining Pegasus, NSO stories have been coming out daily in Israel.
Alongside Tomer Ganon’s report in Calcalist about the Israeli police’s misuse, Ronen Bergman and Mark Mazzetti’s investigation in the New York Times made the biggest splash with a few new revelations - including some you may have missed.
Most of the interest in Israel focused on former prime minister Benjamin Netanyahu’s direct involvement in preserving Saudi Arabia’s access to the spyware after the murder of Washington Post colouminst Jamal Khashoggi. But the most significant findings came from the United States.
The United States may have blacklisted NSO, but it appears from the NYT article that its position regarding the offensive company hasn’t always been so negative. In fact, the CIA purchased the NSO software for Djibouti, without giving a thought to the fact that the state is ruled by an oppressive tyrant. Also, the article’s revealed that even the FBI bought the spyware and considered using it.
If your conclusion is that this proves the United States’ hypocrisy, you’re in good company. If you also concluded that NSO is merely a company that fell victim to a struggle involving international political and economic interests, you’re also in excellent company.
Those are exactly the conclusions reached by Bergman himself, who followed his NYY report in an article he published in Hebrew last Sunday in Yedioth Ahronoth in which he claimed that NSO isn’t the only responsible party.
“What responsibility does Israel’s government bear and what account must the CIA now give?” he wrote.
This statement has much merit, but it also hides some key issues.
American hypocrisy or an Israeli fiasco?
No one would dispute that Pegasus, especially in recent years, is an advanced, sophisticated and impressive espionage software. Google’s Project Zero investigators would agree it’s one of the most sophisticated they’ve come across. But the NYT story makes it out to be the holy grail of cyber. If you destroy Pegasus nothing will fill the void, the article seems to say, and pedophilia and terrorism will run rampant.
But there is cyber-magic and NSO isn’t the only company capable of providing such a service. There are more than enough companies, not only in Israel.
The real problem is that the more the technology is privatized, and the more companies like NSO have the tools and big money to lure developers, the more dependent on them the state becomes.
The American administration is certainly keen to restrict the distribution of military technologies, but its foreign policy isn’t determined solely by moral values, despite declarations to the contrary. Much of Israel’s cyber sales and exports happen with U.S. blessing if not encouragement, much like with Djibouti.
The U.S. has made peace with the idea that to make peace with enemies you must sometimes help them assassinate journalists - and to make big bucks you must sell spyware to corrupt regimes. Israel plays a key role - with oversight serving a single role: Plausible deniability.
In carrying out the “one job” it had, Israel has failed colossally. Not only was Pegasus detected in the mobile phones of journalists abroad, it even managed to find its way into American diplomats’ phones.
There’s more. Candiru entered the list alongside NSO after Microsoft found its spywarewas also used against American targets. More and more, the Americans, like Israelis, are beginning to understand that such tools can easily be used against them - oversight or not.
FBI vs Pegasus
Did the FBI really want Pegasus? Bergman and Mazzetti write in the NYT that the FBI wanted the software very much - but the issue was being contested from a legal standpoint.
On Wednesday the FBI confirmed to The Guardian that it had obtained the Pegasus spyware, but didn’t want to make “any operational use of it” and used it only for “product testing and evaluation.” A source who spoke to the Guardian said, “They weren’t using it at all. Like, not even switching it on. But they kept paying for it and they wanted to renew (the contract). It was a one-year test project and it cost about $5 million, and they renewed for another $4 million. But they didn’t use it.”
The FBI, it turns out, has been investigating NSO since 2017. It’s not clear what these suspicions are, but on Wednesday Omer Benjakob and his colleagues in the Pegasus Project constirum exposed, together with Forbidden Stories, that in August 2017 senior NSO executives offered the American mobile security firm Mobileum in a video meeting “bags of cash” in exchange for access to an international mobile signaling network that could allow them to track people through their cellphones.
Whistleblower Gary Miller worked in Mobileum at the time and attended the meeting. He was also the one who sent the information about it to the FBI in an anonymous tip.
There’s no way of knowing whether this investigation was the reason the FBI signed a contract with NSO. But the possibility that the FBI wanted to investigate Pegasus to know how to devise a protection from it (or to learn a few tricks from it) seems much more likely than the way it was presented in the NYT.
Snowden was right
Surprisingly, Bergman concludes his article in Yedioth by pointing an accusing finger at platforms like Whatsapp for using encryption by default: This is good for human rights activists, but it’s also good for the bad guys who now have a digital paradise to carry out their dark deeds without fear of being caught. Aren’t companies like WhatsApp responsible for making sure their platform is free of these satanic messages, or at least enables enforcement agencies from “good” states, with a court order, to conduct an investigation and read, write or hear what these villains communicate?
Enforcement and intelligence agencies worldwide have been running campaigns to open or weaken the codes for at least two decades. But, as cryptologists and privacy activists repeatedly point out, if you leave a back door open - you don’t control who can enter through it.
For more than a decade encrypted online communication was unusual. Only after Edward Snowden revealed the NSA’s espionage operation almost ten years ago did encryption become standard.
The United States is in a better place legally due to Snowden’s discoveries and his and many others’ ongoing struggles. In Israel, the situation is different, the discourse and the law still lagging behind. For example, the police minister was surprised to learn that NSO forgot to switch off some of Pegasus’ functions in the version they sold the Israeli police, allowing them to snoop on their targets beyond the scope of the flimsy warrants they were given.
This is perhaps the most important lesson here: there’s no such thing as “good” states. In all the world, including the U.S. and EU, such technologies are a double edged sword. Even the most democratic state will abuse it for their needs, no matter who they are and how dedicated they are to fighting terror or even to preserving privacy. If not at home, than in Djibouti.
So here too we must not let the Knesset or the government get away with citing security considerations and providing a legal cover that casts almost complete darkness on this cyber world. We must not let the defense and foreign ministries get away with knowingly allowing the sale of these technologies to horrific regimes. We cannot let the police, the Shin Bet or the Israeli army get away with using that technology - either against Israelis or against Palestinians. We must not let the courts get away with serving again and again as a rubber stamp on dark practices.
Finally, these companies must also not be allowed to get away with it. Those companies that are always combatting “only terror and pedophiles,” while contributing to bolstering despot regimes, enabling attacks on human rights activists and deepening corruption in dozens of states worldwide.