NSO Group Spies on People on Behalf of Governments

The Israeli company NSO Group sells Pegasus spyware to countries around the world (including countries like Saudi Arabia, UAE, India, Mexico, Morocco and Rwanda). We assumed that those countries use the spyware themselves. Now we’ve learned that that’s not true: that NSO Group employees operate the spyware on behalf of their customers.

Legal documents released in ongoing US litigation between NSO Group and WhatsApp have revealed for the first time that the Israeli cyberweapons maker – and not its government customers – is the party that “installs and extracts” information from mobile phones targeted by the company’s hacking software.

Posted on November 27, 2024 at 7:05 AM • 17 Comments

Comments

It's Me November 27, 2024 1:58 PM

It sounds like the company was merely a front for the Mossad. If there was a little more distance between it and the Mossad, it also could have been considered a cut-out, knowing the source of information and the destination (Mossad)…and facilitating the transfer of information.

Whenever they get caught, which is always a risk, the company can fold and then perhaps resurrect under a different name and continue “business”. You can’t undo knowledge, especially if it is useful to you. Plus Mossad is not implicated.

The CIA does this all the time. In decades past, they even had their own airline… not serving as a cut-out, but merely to facilitate movement of people and material.

One Random Geek November 27, 2024 3:11 PM

This method gives governments plausible deniability, and they can honestly say that they are not involved in bugging opponents’ (or dissidents’) phones.

Fake Spy November 27, 2024 4:38 PM

Yup, basically as with everything else – outsourcing. Plus here, the benefit is even bigger, instead of sloppy, incompetent government wannabe “spies” – you get R E A L Professionals. SaaS has a new meaning and it’s not wotcha think or are used to know, it’s Spying as a Service or HaaS. Give a man a fish a day, no, teach a man…, NO. I will Ph(f)ish for you and I’ll feed it to ya too, all ya gotsta do is just say “yum – I lika taste o’ dat.”

ResearcherZero November 28, 2024 12:05 AM

@Rontea

Lack of qualified staff to regulate rights frameworks and a “hodge-podge approach to the governance of data and technology.”

Additional government-wide law or guidance required:

“To assist federal agencies with consistently implementing civil rights and civil liberties protections when collecting, sharing, and using data, we suggest that Congress direct an appropriate federal entity to issue government-wide guidance or regulations addressing this matter. In its direction, Congress should consider delegating to such entity the explicit authority to make needed technical and policy choices or explicitly stating Congress’s own choices.”

https://www.gao.gov/products/gao-25-106057

ResearcherZero November 28, 2024 12:38 AM

@ALL

In many areas Privacy law does not cover emerging technologies that intrude into public, personal and intimate spaces. Privacy legislation was originally designed only for data, not to protect privacy and so does not cover collection, just the storage of that data.

Newer technologies since the conception of the Privacy Act are not mentioned by the legislation, yet it is the only legal guidance that is used to regulate invasive tech.
These new and emerging technologies can also discover further information about us by aggregating and comparing additional data points, or through further analysis of existing data that has already been collected. Finally they can sell this data without consent.

To enforce your rights requires appropriate legislation allowing you to take action.

Our faces may also reveal other types of data…

https://academic.oup.com/idpl/article/14/3/247/7697406

“a kind of virtual line up …every time we walk into one of those stores”
https://www.biometricupdate.com/202411/retail-facial-recognition-for-crime-prevention-finds-support-in-australia-uk

The Privacy Act 1988 was designed to protect data, not to protect privacy.
https://theconversation.com/your-face-for-sale-anyone-can-legally-gather-and-market-your-facial-data-without-explicit-consent-224643

The legal and regulatory landscape governing FRT use varies widely across jurisdictions.

https://www.frontiersin.org/journals/big-data/articles/10.3389/fdata.2024.1337465/full

ResearcherZero November 28, 2024 6:46 AM

NSO again refuses to hand over evidence claiming it doesn’t spy on activists.

https://www.jurist.org/news/2024/11/thailand-courts-dismissal-of-spyware-misuse-lawsuit-spurs-international-concern/

Clive Robinson November 28, 2024 1:06 PM

@ Bruce, ALL,

With regards,

“We assumed that those countries use the spyware themselves.”

I thought you were aware that NSO and several others run “A full Service Package” to customers. If for no other reasons than to stop the customer using the software against,

1. The licence fee requirements.
2. Various nations’ personnel.

The official excuse to customers was “the speed of change” that is the customer was “renting access to target” not “buying very quickly outdated access methods”.

Now we’ve learned that that’s not true: that NSO Group employees operate the spyware on behalf of their customers.

Actually no, it’s not “on behalf of their customers”; that’s a mistake made by those who don’t think on it sufficiently in the right way, which includes most of NSO’s customers…

NSO work on behalf of a number of National Security organisations and feed back two basic types of intel to them and a third type to “the customer” who is paying for it all.

So the NatSec Orgs get,

1. All the raw intel.
2. The processed intel, which actually hemorrhages intel on the customer…

What the customer gets is varying degrees of processed intel, more or less like “management reports”.

Missing from the processing are things those NatSec Orgs do not want the “customer who is paying” knowing, for various reasons.

So rather more than “outsourcing” look on it as NSO and those NatSec Orgs like China has supposedly done to US Industry.

They are getting paid by the customer with significant profit to do what the NatSec Orgs would have to do anyway. But they also get a couple of “cherries on top”.

Firstly, they get considerable insight on their customers’ needs, wants, interests and aspirations as fast as the customer does.

Secondly, they quickly get to know the customers’ “lack” in capabilities and organisational and managerial abilities.

Thirdly, there is also the chance that the “customer seniors” are being cheated on by the “customer operatives” who have their own political etc. agendas.

So NSO and the NatSec Orgs not only get to see this effectively from the inside, they also get to “put a thumb on the scale” to change various outcomes.

But guess what, like any “Data Broker” it gives them “product to pad up and sell”.

In this respect they are playing a version of the game Peter Thiel saw more profit in than you could imagine… Which was why he set up Palantir, to be the world’s largest Corporate intel Organisation.

His idea is to get raw intel put in by the customers’ foot soldiers. Process the intel via AI systems. Wrap it up with other trace intel and data from Data Brokers, National Government and Corporate databases and sell it back ten times over.

More importantly, the systems would be under Palantir control from the plug in the wall upwards. A major aim was “lock in by dependency”. After all, if a box in the corner can convert the reports “rookie cops enter” into “actionable intelligence”, why pay big money to have your own people develop the intel skills, and bigger salaries and job mobility?

Better yet, the local intel becomes part of regional / State intel so earns a nice fat fee there. And likewise with national / Federal intel getting a nice fat fee directly out of the tax payer purse.

And as those with the skills or stress retire they don’t get replaced so Palantir can move in new product at higher rental…

Then there is the “Corporate Side” to think of; there is real money to be made doing what you might think of as “Corporate Espionage”, but as it’s sold as “only on people” not “only on product”… It’s not “industrial espionage”, which is unlawful, but “Corporate employment research”, which is perfectly legal…

Welcome to the fun side of corporate and political intel and what AI will –if they ever get it working– do to regulating the workers. In many ways it’s worse than what we hear the Chinese Social Credit Score will be.

Cybershow November 28, 2024 3:58 PM

Having slopbots run amok in the comments is even more dispiriting than human hate or unhinged manic diatribes. The blandness is soul-sucking. Propagandists can deploy slop to simply wear down intelligent debate. It’s just a different flavour of vandalism designed to curtail discussion.

I wrote here about people intent on using technology to spread misery and violence beginning to combine offensive tools:

https://cybershow.uk/blog/posts/a-dubious-contraption

Slopbots are one more dubious contraption. Good fun for teenage hackers to experiment with for trolling. Or to cheat at school or work. Tools that can simulate intelligent opinions can fool a lot of people, even ones who think themselves smart.

Mainly they add nothing of value and only subtract energy, but on the plus-side they up the evolutionary game of conversation, forcing us to counter slopspeak with better crafted quality commentary.

This is a taste of coming mayhem we’ll soon experience once they’re in the hands of well organised operators with clear goals and more vulnerable ecosystems to attack.

Just because you can doesn’t mean you should. That applies to electronic voting, biometrics, AI and a whole lot more low rent tech that are all “problems looking for solutions”, and with far too much money behind them. They are things that are fascinating to a certain mindset but without utility to humanity.

The reason we discuss them here, whether we realise it or not, is because they rightly make us all feel a little more insecure.

ResearcherZero November 28, 2024 11:59 PM

@Clive Robinson

While NSO has claimed legal privilege to refuse handing over evidence, it has hacked the legal teams of targets, a breach of lawyer-client confidentiality, and has been called out by the UK court for “serial breaches of domestic criminal law”.

NSO Group has not denied in court that it reverse engineers other companies’ products, develops the exploits used to hack targets, and handles exploitation itself.

Presently there are several legal cases against NSO Group and its founders, as Pegasus has been used to target lawyers, journalists, activists and other members of civil society.

https://techcrunch.com/2024/11/13/lawyer-allegedly-hacked-with-spyware-names-nso-founders-in-lawsuit/

NSO Group unlikely to be protected by sovereign immunity.
https://ijclinic.law.uci.edu/2022/11/22/one-step-closer-to-holding-nso-group-accountable-the-u-s-solicitor-general-recommended-the-supreme-court-deny-nsos-cert-petition-concerning-the-applicability-of-foreign-sovereign-immunity-t/

NSO Group likely violated U.S. law.

https://storage.courtlistener.com/recap/gov.uscourts.cand.350613/gov.uscourts.cand.350613.466.0.pdf

NSO Group developed, installed and commanded the exploits used against targets.

https://storage.courtlistener.com/recap/gov.uscourts.cand.350613/gov.uscourts.cand.350613.465.0.pdf

Rontea November 29, 2024 4:43 PM

@peter galbavy

Surveillance as a Service could be problematic for several reasons. First, it raises significant privacy concerns; constant monitoring can infringe on individual freedoms and civil liberties. Allowing private companies to control surveillance could lead to misuse of data, breaches of confidentiality, and lack of accountability. Furthermore, the commodification of surveillance services might prioritize profit over ethical considerations, undermining democratic principles. Additionally, there’s the potential for bias and discrimination if the surveillance systems are not managed with transparency and fairness. Overall, Surveillance as a Service demands a serious reevaluation with respect to ethical, legal, and societal implications.

Clive Robinson November 29, 2024 6:44 PM

@ ResearcherZero,

With regards,

“NSO Group unlikely to be protected by sovereign immunity.”

Because they are technically a “commercial company” with “share holders” not a “direct government agency”.

There are advantages and disadvantages of “arms length” organisations.

Whilst they might give protection against “Freedom of Information” (FoI) Requests and give Government ministers and those beneath them in effect “deniability” or “commercial confidentiality”, when in front of a Judge all that unrolls, including the oft misused “Client Attorney Privilege”.

Put quaintly in the UK both Lawyers and Barristers are “Officers of the court” and as such have the duties of honesty and probity to the court.

Anything the client tells their legal representative is not privileged in the way it is to others. In fact the legal representative in the UK has a duty of honesty to the court, so if the client says something silly like “I done it” the legal representative is not allowed to argue that they are “innocent”, it can make trials interesting as all plaintiffs and defendants are entitled to “professional legal representation”.

It’s often why the more clued on legal representatives do a “three way”: that is, the real client has an in house or similar legal team and is their employer. That team do not “represent in court”; they can be asked questions by the employer and even know their employer might have done something they should not have… But they do direct the Barrister and supply the input to the “bundle” of papers that goes to the Barristers and before the judge. They thus inform their employer’s court representatives, in effect acting as a “firewall”.

Wannabe Techguy November 29, 2024 8:17 PM

@ Rontea
I agree, but governments are already doing all that. I don’t see how a private company is any worse.

T.J. Williams November 30, 2024 2:19 AM

Does anyone know if there is a repository where NSO files seized/collected by the court(s) can be downloaded? Something like the ‘Pandora Papers’ for NSO?

ResearcherZero November 30, 2024 8:06 AM

@Clive Robinson

Roll a dice in the Australian courts. Little oversight of the courts here, dependent on if it is an open hearing, and does not require suppression from government or may tickle the media’s fancy. If the matter is not too scandalous, and the litigant ugly enough, perhaps.

The main obstacle is the demeanour of the Officers of the Court and location. Plus a 50% chance of enough rogues with little concern for their duty to honestly uphold the law.
Avoiding courthouses outside of major metropolitan areas would be a very wise first step.
Court reporters are becoming more rare these days, especially courageous rural reporters.

All legal representatives are at risk of communications interception and other tricks that may be used to target both them and their clients, no matter how petty a matter. Not that any rights exist that will be legally enforced if there is a breach of confidentiality.

GregW December 1, 2024 1:56 PM

So national governments are willing to leak their “selector” metadata to outside entities?! Crazy!

Although I guess I do it with “Google” all the time…
