Apple Sues NSO Group

Piling more on NSO Group’s legal troubles, Apple is suing it:

The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

NSO Group’s Pegasus spyware is favored by totalitarian governments around the world, who use it to hack Apple phones and computers.

More news:

Apple’s legal complaint provides new information on NSO Group’s FORCEDENTRY, an exploit for a now-patched vulnerability previously used to break into a victim’s Apple device and install the latest version of NSO Group’s spyware product, Pegasus. The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto.

The spyware was used to attack a small number of Apple users worldwide with dangerous malware and spyware. Apple’s lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.

NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device—allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.

This follows in the footsteps of Facebook, which is also suing NSO Group and demanding a similar prohibition. And while the idea of the intermediary suing the attacker, and not the victim, is somewhat novel, I think it makes a lot of sense. I have a law journal article about to be published with Jon Penney on the Facebook case.

EDITED TO ADD (12/14): Supplemental brief.

Posted on November 24, 2021 at 9:29 AM50 Comments


TimH November 24, 2021 9:42 AM

This will be interesting, because if a court rules that NSO activities are illegal (“flagrant violations of US federal and state law”), then people in the US have a lever against cointelpro type spying against activists behaving legally, but annoying the gov. Think pipelines.

JonKnowsNothing November 24, 2021 10:02 AM


re: US federal and state law

Jurisdiction hopping is all about avoiding “boundaries”.

What happens in the US may stop in the US, but what happens elsewhere can keep on happening.

It’s a small matter of “How are you gonna do that?”

We have loads of examples where the “how” part failed, and continues to fail.

Some of the MSM reports have interesting tidbits on what NSO does technically, like turning off Apple’s internal logging and tracking systems so their software can run without the audit-marketing trails getting in the way.

Perhaps it’s a bit like Clifford Stoll’s book (1) where the spaghetti unwound over a 75 cent accounting discrepancy for 9 seconds of computer time.


Search Terms

The Cuckoo’s Egg / Clifford Stoll / satellite

Ivy Lee November 24, 2021 10:45 AM

Maybe Apple should spend more money on engineering better code and less on public relations stunts like this lawsuit.

Apple is NOT the intrepid defender of your privacy. Just like RSA they’ll be more than happy to help 5-Eye spies when no one is looking.

Pay no attention to the coiffured tech influencer who will be well rewarded for carrying Apple’s water.

Winter November 24, 2021 12:00 PM

NSO did break into mobile phones and helped others to do so. This is illegal in all jurisdictions if done without proper legal backing. As this hurts the brands of the biggest corporations on earth, the fate of NSO was sealed the moment this became public.

I never doubted that NSO would be destroyed. What is unclear is how much of it the owners can transfer to safe harbours before NSO is cratered.

Clive Robinson November 24, 2021 2:41 PM

@ ALL,

NSO are the current “lightning rod” for anti-surveillance sentiment, and that is hardly surprising based on the little we know about their past behsviours.

However let’s take a look on the flip side…

NSO’s behaviours were to monetize as much as possible and as quickly as possible research carried out into software vulnerabilities that came into their hands.

NSO’s distinctly vexatious behaviours unsurprisingly caused a significant upswell in anti-NSO research.

The result of this anti-NSO research was a lot of security vulnerabilities were found and fixed relatively quickly.

So ignoring NSO’s immoral, unethical and probably illegal behaviours for a moment, it can be said that it is highly unlikely that those vulnerabilities would have been fixed.

Now consider for a moment the difference between NSO and certain state entities. We know that in the US certainly, and most other First world nations probably, those in those entities are “legaly protected” in various ways. So their immoral, unethical and what for others would be illegal behaviour “gets a pass”. This has an unfortunate side effect, in that it momes the moral divide very adversely for the citizens of those nations.

So bearing in mind the legislation for “secrets” and “surveillance” in First World Nations that are increasingly “anti-democratic” and do much to foster various forms of unreasoned hate and violence

We need to ask the question,

“If the vunerabilities were only found and exploited by legaly protected near zero oversight morally and ethically bankrupt government entities, would the vulnerabilities ever have become publically known about, and fixed in the timely way they have been, because of NSO’s immoral and unethical behaviours?”

My view point is it is very, very unlikely.

Which brings us to the next serious question,

“If these court cases stop the likes of NSO existing in the future, how will we keep the research into vulnerabilities and anti-surveillance going at the rate it currently is, with the positive benifit it has for most citizens?”

It’s been said that for morals and ethics to exist in a positive way for society you need extream examples of good and more importantly bad to set where the line is.

No matter what we think of NSO their immoral and unethical behaviour has moved the line for the betterment of society. Because as a side effect it throws light on those government entities that try to hide their degeneracy and worse, and makes it clear that their behaviours are unacceptable. That is there is no “them and us” distinction where they can very falsely claim to be “the good guys” on “the moral highground” so go on to say / reason that their degenerate behaviours are somehow acceptable for “the common good”.

In short, bad as NSO has been, there are a lot lot worse hiding in the dark falsly thinking that no matter how bad their actions it is for “the common good”, which it realy realy is not. Thus NSO causing a bright spotlight to shine, helps banish the darkness in which the worst and their supporters try to hide.

Yes I want to see NSO and those that worked for them punished and incapable of doing so again. But I’m also mindfull they are just a single rat in an infestation. If we just keep killing rats one by one, the infestation will never go away.

The real solution to an infestation is to understand why there is one in the first place and that is the existance of a habitate, and at the base of that it’s “food supply”. Remove the food supply and not just that infestation ceases, but others will not move in to replace it.

In the case of software based surveillance, the “food supply” is vulnerabilities.

So what we want to know is,

Over all what is the most successful way to get rid of software vulnaravilities?

As that will rid us not just of the likes of NSO and others that fall in the “them” group, but more importantly those that falsly claim “for the common good” who see themselves in the “us” group.

Both the “them and us” infestations need to be eradicated and others must not be alowed to replace them.

But modern “corporatism” driven by “neo-con mantras” will not alow resources to be diverted to what they see as “unprofitable” activities.

So ultimately,

How do we make vulnerability eradication so profitable for corporations that it is seen to be the best investment for the resources?

Ted November 24, 2021 5:40 PM

Some are saying the sanctions applied to NSO earlier this month were a very significant win, even as the lawsuits come rolling in.

I didn’t realize the company could no longer legally buy many of the tools it needs to develop exploits. This includes iPhones and laptops with a Windows OS. NSO would have to receive explicit approval from the US government to purchase these, and the US is saying the default response will be no.

The momentum really is piling against them.

Ted November 24, 2021 10:11 PM

Some people had questions on what venue Apple was suing in. I didn’t realize it was through the US District Court, Northern District of California.

The official “Apple v. NSO Complaint” located on Apple’s page has a couple pages detailing the jurisdiction details of the case.

Apple really seems to be considering this an attack on their company proper, in addition to an attack on their products and customers.

… they purposefully directed and targeted their unlawful actions at California; used Apple products and services to target and cause harm to Apple at its principal place of business in California; created Apple ID and iCloud accounts using Apple servers located in California…

Clive Robinson November 25, 2021 2:52 AM

@ Ted, ALL,

The momentum really is piling against them.

Like a snowball down a mountain that creates an avalanche.

So the three obvious questions there are,

1, Who made the snowball?
2, Who chucked the snowball?
3, Why did they do what they did?

But… we also know that an avalanche can not happen unless a “tipping point” is crossed…

And we also know that for the tipping point to exist there has to be an instability build up in the environment. Where “potential” builds up by “restraint” and then some “action” releases it suddenly and to some observers violently[1].

Therefor underneath the event three precursor processors have to exist,

1, A continuous process,
2, A restraint mechanism,
3, A trigger action.

Importantly though the actual “trigger action” is almost irrelevant. That is if it’s not one thing then it will be another it is the “unknown straw that breaks the camels back” and just as arbitrary though many think otherwise[2].

The most important thing is the continuous process that builds, the falling of an individual snow flake is of little note or measurable effect. But when they fall in the billions over a period of time the effect not only becomes noticable, it becomes measurable as it builds.

It builds because of the restraint. Marbles in a jar are constrained you can build them up. Those same marbles on a flat polished wooden floor are not restrained so you can not build them up they simply roll away.

So the second thing to note is the method of restraint that causes the build up.

As such the build up has to be released, this can be slowely or quickly. As “prey animals” our brains don’t realy notice slow, but we do instictively notice quickly and respond to it.

So though we’ve noticed NSO it’s not that important, what is important is the growing process of fealings against our privacy being invaded it has been building almost unnoticed since the 1960’s. As for the restraint mechanism, well that is the desires of what might be termed “dark souls” and their quest for power or importance, it’s a mental disease when above a certain threshold. Unfortunately such people are attracted hierarchies where power accumulates at the top, the bigger the hierarchy not just the more power builds, but the greater the instability builds.

That is hierarchies are in turn avalanches or earthquakes building untill they are released.

The obvious solution is to stop hierarchies forming or growing, but in all of humanity so far, we’ve rarely seen how to do this.

One relatively modern example was the Campaign for Nuclear Disarmament (CND). Despite many attempts by politicians and those other dark souls behind them, they could not manipulate CND though they did try over and over. The reasons for these failures have been given by observers as,

1, Everything done in the open.
2, Respect for individuals views.
3, Respect for the majority choice.
4, Even core values were open for discussion.

The lack of restraint ment that power did not build up and the hierarchy remained more or less flat.

Is there a lesson there, well I’ll leave it upto to you to decide.

As where I am it’s nearly “nose to the grind stone time” and I have just enough time to grab a cupper of the hot brown stuff 😉

[1] Think of the energy in an earthquake, the stresses of tectonic movment restrained by friction build up and is effectively stored like that in a clock spring. So the process creates “potential energy”, that becomes considerable “kinetic energy” when the friction is over come at a point which then cascades to many other points and the chain reaction energy builds. This can be hellishly destructive, as somebody realised if you can reduce the friction, then the earthquakes happen more frequently but importantly the potential energy build up is less so there is less kinetic energy on release. So what could have ripped a city asunder, may be reduced to anoying little tremors. The same principle applys to avalanches and societal ills.

[2] Way to many people get this wrong not least chroniclers of events and historians especially they see the trigger as important like the fall of Rome and the Berlin Wall, Arch duke Ferdinand’s belt being to tight etc etc etc. It gave rise to the nonsense promulgated by the Dulles brothers in certain circles of their “single bullet that changes the world” theory (probably originally thought up by Allen Dulles, who was the longest serving head of the CIA).

SpaceLifeForm November 25, 2021 3:26 AM

@ Clive

Well said. There is lot there I could expound upon.

Many avalanches are actually primed by Sunlight.

SpaceLifeForm November 25, 2021 4:12 AM

@ Ted

Apple really seems to be considering this an attack on their company proper

That is probably because they have the receipts.

Ted November 25, 2021 6:14 AM

@Clive, SpaceLifeForm, ALL

But… we also know that an avalanche can not happen unless a “tipping point” is crossed…

Yes, good thought. There was a report that came out this month exploring surveillance technology companies seen in the international arms market.

It looks like the report is really examining all but especially the tallest poppies of the mercenary cyber arms market, and those who are doing it most blatantly at cyber arms fairs.

The risk is of course that these companies are putting profits over loyalties, and the nobody-but-us tenet is a relic of a much more innocent time, relatively speaking.

Boris November 25, 2021 7:41 AM

I’d argue that NSO group are doing Apple a favor. By finding security bugs they are ensuring iOS and others are updated, fixed, patched. IMO, that’s a good thing.

Perhaps the people affected by NSO should be suing Apple because Apple released code that is not secure enough?

Frank Wilhoit November 25, 2021 9:57 AM


The only way to “get rid of” software vulnerabilities is to prevent them.

This is two: (1) training and (2) scrapping today’s dog’s-breakfast hardware platforms and replacing them with ones whose architecture is comprehensible and whose behavior is deterministic : i.e. no concurrency, no speculative execution, etc.

We know why (2) is not going to be easy, but many people do not grasp the obstacles to training. In the US (without knowing how this stands in other places) training is an operational expense (as opposed to a capital expense). That, alone, guarantees that it will always take the lowest priority, except in the few industries where regulatory enforcement is strong enough to compel budgeting for it up front.

Meanwhile software will continue to be written by people who have only half learned the languages that they are doodling in, and who know essentially nothing about the real-world behavior (as opposed to idealised models) of the target platforms, wherefore good outcomes are excluded.

ResearcherZero November 26, 2021 3:53 AM


Some of the people affected by Pegasus are dead, they are not going to be suing anyone. Though it wasn’t the malware that delivered the fatal blow, and some of them didn’t deserve it (the cartels may disagree).

Once access is gained to your communications, your legal strategy and discussions with lawyers is compromised, and this can be considered also “fatal”. Being able to collect the other parties’ tactics and evidence is pretty devastating, and most victims are totally unaware they are under surveillance, or know what to do about it even if they suspect.

The stronger party has far more resources.

The use of private surveillance of weaker opponents (victims of crime) is a very common practice and has been for a long time. It’s effective, it works, and little is ever reported about it.

SpaceLifeForm November 26, 2021 7:19 PM

Looking for the 84 page supplemental brief

I’m pretty sure it was mistakenly released unsealed, but is now sealed. Various folks have a copy, but tweets have been disappeared that referenced it. Does that tell you anything?

One tidbit that caught my eye was that the zero-click exploit FORCEDENTRY somehow leveraged the Apple Music app.

Anyway, Apple has the receipts.

Dancing On Thin Ice November 27, 2021 9:30 AM

Some say Apple should write better code without exploitable flaws.
Shouldn’t we be citing Schneier’s Law?
“Any person can invent a security system so clever that she or he can’t think of how to break it.”

SpaceLifeForm November 27, 2021 8:03 PM

@ Dancing On Thin Ice

Actually, I think I have a security system, but, I know how to disable it.

No backdoor required. It all gets down to reliabilty of bit transmission.

ResearcherZero November 29, 2021 11:06 PM

Israel has updated the list of countries local companies are permitted to sell cybersecurity tools to, reducing the overall number to 37 countries, down from 102.

The updated list includes:

Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the UK, and the US.​,7340,L-3923361,00.html

Clive Robinson November 30, 2021 5:07 AM

@ ResearcherZero, ALL,

The updated list includes:

Bulgaria !!!

What can I say other than,

One of the nicer things you can say about Bulgaria is that for a price they are “equall opportunity” oriented.

That is some of the politicians there, for the right price, act as facilitators to despots, tyrants, Drug Lords, Violent Crime bosses, and worse in many other parts of the world…

I suspect the same can be or has been said of other nation states on that list.

Ted November 30, 2021 6:12 AM

@ResearcherZero, Clive, ALL

Israel’s approved list: 102 to 37 countries

Great article.

When Israel’s Ministry of Defense says, “The State of Israel doesn’t specify its policy for supervising defense exports.” What does this mean? They don’t specify – or – they don’t supervise exports?

Also it’s funny that they name only a handful of the countries that fell off the list: Morocco, Mexico, Saudi Arabia, or the UAE. Who were the other ~60?

The Atlantic Council report says:

The resulting dataset shows that there are multiple firms headquartered in Europe and the Middle East that the authors assess, with high confidence, are marketing cyber interception/intrusion capabilities to US/NATO adversaries. […]

Many such firms congregate at Milipol France, Security & Policing UK, and other arms fairs in the UK, Germany, Singapore, Israel, and Qatar.

The report hones in on firms who may be selling interception/intrusion technologies to countries like Russia and China.

Will Israel’s changes have much effect on these firms?

ResearcherZero November 30, 2021 3:48 PM


Israel’s changes will have very little effect on those firms. The amount of time it takes to secure a business name and register a new company is very short.

ResearcherZero November 30, 2021 4:06 PM

Intelligence and Security Committee of Parliament (UK):

“Russian state interests, working in conjunction with and through criminal private interests, set up a ‘buffer’ of Westerners who become de facto Russian state agents, many unwittingly, but others with a reason to know exactly what they are doing and for whom. As a result, UK actors have to deal with Russian criminal interests masked as state interests, and Russian state interests masked by their Western agents.”

“The links of the Russian elite to the UK – especially where this involves business and investment – provide access to UK companies and political figures, and thereby a means for broad Russian influence in the UK. To a certain extent, this cannot be untangled and the priority now must be to mitigate the risk and ensure that, where hostile activity is uncovered, the tools exist to tackle it at source.”

Those comments from the Intelligence and Security Committee apply to any jurisdiction, as well as the usual bureaucratic nonsense, which requires an extensive amount of effort (years/decades), over a long period of time, for often very little outcome.
Though occasionally you can get lucky, usually after a certain threshold of civilian deaths.

Ted November 30, 2021 4:12 PM


Israel’s changes will have very little effect on those firms.

Yes. I was afraid of this.

I am really curious about the following paragraph. Human rights are becoming more important? When did this happen?

However, in recent years the protection of human rights has become an increasingly prominent element of U.S. export control policy. See our blog post from last year for a more detailed discussion of these important policy shifts around human rights in the export controls arena. BIS’s press announcement for the interim final rule itself “encourages” regulated parties to consult the State Department’s human rights-focused due diligence guidance from last year for exports of surveillance products as a compliance aid in this context.

Ted December 3, 2021 12:43 PM

I am so confused by this lawyerly review of Apple v. NSO Group

The first minute of the Lawfare podcast gives some insight into the direction of the conversation. Essentially Kerr and Lubin seem to be saying that NSO’s attacks are against the end-users, where Apple has no jurisdiction.

But the 22-page complaint by Apple does not seem to support this. As we discussed before, the jurisdiction of the complaint seems to be based on the attacks of Apple’s software and servers in CA.

I saw a link to the podcast before I saw Orin Kerr’s tweet. So I didn’t know exactly what their take would be. Color me surprised. (Mind you I’m no lawyer, but I’ll be keeping an eye on the story.)

Why I don’t think Apple’s lawsuit against NSO Group has legal merit, on the latest Lawfare Podcast, with @AsafLubin and @ARozenshtein.

Clive Robinson December 3, 2021 2:24 PM

@ Ted,

Essentially Kerr and Lubin seem to be saying that NSO’s attacks are against the end-users, where Apple has no jurisdiction.

When it comes to Kerr I’ve read enough to know that I would “approach with caution”.

But lets look at it from a distance, does it matter if Apple have standing or not in one small part of the bigger picture?

The question is do they have standing as a legal entity? (which I rather suspect they do). Is there actually any reason why Apple can not “stand” for one or all users of it’s products? I suspect not if it becomes a “class action” on the users behalf…

But lets say there is some impediment, this simply raises the question of “How would a smart lawyer get around it?” As far as I remember Apple have more than one or two smart lawyers on their pay roll…

When it comes to law, one rule applies when you look at things “Never assume the specific applies in general”.

Orin Kerr has had a habit of talking very tight specifics in things he finds favourable to his argument, then expounding in general without joining the two.

As I understand it Apple are seeking an injunction against NSO. Specifically to stop NSO from using any Apple software, service or device.

If true that has nothing what so ever to do with Apple’s standing with respect to attacks on the “users” of it’s products.

Apple is simply enforcing the controls it has on it’s software etc.

Have a look in many End User Licence Agreements, which in the US are “contracts” you will find the software is NOT sold to the user and the user has very very limited rights. Whilst the supplier of the software can say to a user “stop using immediately” as and when they feel like it.

So yes I suspect that Apple will be alowed to procead against NSO, as the subject of Apples standing with respect to the users of their products does not arise.

But to be honest it’s not something I want to dig into very much. Because these sorts of court cases quickly have a habit of becoming not just rabbit holes but massive compleatly unproductive time sinks.

Further I suspect NSO will be “out of business” long before the case comes to a conclusion.

Look on NSO the same way you would suppliers of “knock offs” that are questionable under law. Such organisations tend to run behind a couple of layers of “front companies” that move money and assets away from sales and marketing. So if a challenge comes up there is no money in the pot or other assets, banning the front entity will not stop those behind things setting up new front entities and carrying on way more discretely. They simply have to make the product look sufficiently disimilar which is probably not that difficult.

So do not be surprised to see XNSO or similar pop up in the near future.

Ted December 3, 2021 2:50 PM


Re: Apple v. NSO podcast

Much appreciation for your response. The release of the podcast at about the same time Reuters released their article on US State Dept phones being hacked by NSO spyware is a little like ships crossing in the night.

So yes I suspect that Apple will be alowed to procead against NSO

Well, all law arguments aside, I’m kind of glad you think so.

ResearcherZero December 3, 2021 5:54 PM


I think so too.

When it’s government employees getting hacked, it’s a completely different matter than just civilians, NGOs, journalists.

It’s like the debate over anonymity on social media. When it was just a matter of some women and less represented members of society being trolled on social media, the politicians had little interest. Once it became personal however, then the government became more focused.

Politicians just can’t have whatever shenanigans they may have been involved with in their lives just spilling out on to the internet. The same goes for anyone in a position of privilege. We might all discover they were involved in some crimes, heaven forbid. The legal system is well set up to stop such ludicrous behavior.

SpaceLifeForm December 3, 2021 6:32 PM

@ Ted, Clive, ResearcherZero

Even if the ships are not visible, the signal does travel over the horizon.

Ted December 3, 2021 7:46 PM

@ResearcherZero, Clive, SpaceLifeForm, Izzy

Once it became personal however, then the government became more focused.

You have some really great thoughts. Also I just started reading the Nov 4 “On Pegasus” article you posted. Looks really interesting so far. Thanks so much for sharing.

The Kerr/Lubin Lawfare podcast summed up some previous history that I hadn’t known. Some of which I see was discussed here, as Bruce wrote in July:

Most interesting is a list of over 50,000 phone numbers that were being spied on by NSO Group’s software.

So I see I have some catching up to do. I am going home now to take a test, so I hope to catch up on more reading later tonight. It’s a joy to share these discussions with you all.

SpaceLifeForm December 3, 2021 8:28 PM

@ Ted, Clive, ResearcherZero

There is a specific ship of state, that has been leaking for decades.

For some reason, the rats never leave.

The bilge pumps are about to fail.

We need to let it dock so we can capture the rats.

Clive Robinson December 3, 2021 11:21 PM

@ Ted, Izzy, ResearcherZero, SpaceLifeForm, ALL,

… previous history that I hadn’t known. Some of which I see was discussed…

There is a lot more yet to be discussed.

1, It’s almost certain that US Officials have been targeted for quite some time.

2, It’s very likely parts of the US Gov and Executive knew this from NSA and similar activities and for various reasons chose to ignore it.

3, It’s very likely that parts of the Israeli Government were not just aware of this but actively encoraged it.

4, It’s more than likely that parts of the US Gov were more than aware that Israeli Government officials were endangering the lives of US Government employees and willfully chose not to take action to protect or defend them.

5, These behaviours by those in the US Gov were not in any way part of “National Security” they were for “personal ressons” involving Money, ideology, etc.

6, We have reason to know of these behaviours because US President Barack Obama made it public about the behaviours of the members of the US houses…

The question people should be asking is,

If the US puts, China, Iran, North Korea, and Russia on a “special list” for lesser reasons, why is Israel left off?


If the US has had witch hunts of those they think might be aiding or assisting Chinese and Russian interests, why have they not had the same for those known to be actively aiding and assisting Israeli interests in conflict with those of the US, it’s Government, and more importantly those US citizens employed by the US?

In short who controls the head and who the tail of this dog, and which is wagging which?

Ted December 3, 2021 11:39 PM

@Clive, ResearcherZero, SpaceLifeForm, ALL,

There is a lot more yet to be discussed.

You are completely right about that. The story about the US state officials being hacked still feels nascent and a little flat, for being the bombshell that it is. I hope more continues to come out.

Just to throw one more article on the pile, here’s one from Wired, plus an excerpt:

To the extent that NSO’s claims about limiting its customers’ targeting were ever even credible, this shows that the guardrails in NSO’s product were insufficient,” says Jake Williams, an incident responder and former NSA hacker. “This was completely predictable. When governments have capabilities sold to them by NSO and have unmet intelligence requirements, we should absolutely expect those governments to use any tool at their disposal.”

Were governments even the only ones who could buy and deploy these tools?

Clive Robinson December 4, 2021 12:08 AM

@ Ted, ALL,

Were governments even the only ones who could buy and deploy these tools?

As I noted about one of the countries still on the Israeli OK list, Bulgaria. It is well known that in the past certain government people there would act as intermediaries to put a “Government Only” stamp on private deals.

So I would say that yes criminals and worse could get access one way or another without much difficulty if they wanted to.

If you think about it for a moment though, you will see that the phone of a criminal getting such spyware put on it by “law enforcment” would look legitimate, thus not stand out much. The fact an official on the take from one criminal set it up on another criminals phone and is now sharing the data collected would not show up on an overview audit…

Criminals like cats can be skinned in many ways by friend or foe alike.

Ted December 4, 2021 12:23 AM

@Clive, ALL

The fact an official on the take from one criminal set it up on another criminals phone and is now sharing the data collected would not show up on an overview audit…

No comprendo. Is this from a real world example or are you threat modeling? Also, Bruce said this:

Nicholas Weaver postulates that “part of the reason that NSO keeps a master list of targeting…is they hand it off to Israeli intelligence.”

Do you think there is a master list? I didn’t read a whole lot deeper on this, but I can.

Clive Robinson December 4, 2021 1:42 AM

@ Ted,

No comprendo

No problemo 😉 it’s down to the joys of secrecy and how that effects oversight.

Look from the point of view that you are an independent oversight entity that has a list of phone numbers of phones with the spyware on you have been given that you are now auditing.

Being from outside the organisations that put the spyware on the phone you will have very limited information. However you will ask questions as to if it “appears” appropriate use of the spyware.

One such is “Does this phone’s user fall under the remit of the organisation?”.

So phone XXX being used by AAA is being observed by YYY Organisation.

So who is AAA? in this case a “known crime boss” what is YYY’s remit? “Law enforcment”.

So does YYY spying on AAA look legitimate?


The fact that someone in YYY is actually taking money from BBB for the information on AAA is not visable to the audit.

The auditors are unlikely to check with YYY to see if AAA is being actively investigated, because it might well “tip off” either AAA or YYY.

But even if they did check the chances are that the person on the take from BBB if they are in any way sensible will have “legitimized” the surveillance on AAA within YYY anyway so it won’t raise any red flags.

The fact that investigations of AAA would be kept as secret as posible by YYY not just extetnally but internally as well to avoid “tipping off” makes things all the easier for the person on the take from BBB.

The auditor almost certainly does not want to risk their position either so probably won’t or are not allowed to contact YYY anyway.

It’s just one of many reasons “oversight” is easy to avoid, thus fails.

The fact that what Uganda was getting upto was caught was because,

The remit of Uganda Law Enforcment etc is unlikely to cover spying of phones who’s users are known to be US State Dept emoloyees so stands out. It also tells us the order to do it came from so far up the hierarchy that the person giving the order had no understanding of the potential consequences or how to mitigate them, or just did not care.

Historically this has happened before…

We know that emoloyees of US Gov entities familiar with the use and deployment of the Pegasus software were some years back deployed to certain Middle East countries on alledgedly “anti-terrorist” activities (Project Raven, Purple / Black briefings[1]).

Some reported grave concerns about what it was being used for was not anti-terrorist related. It was kept hushed up by the US entities,untill some of the employee concerns grew so grave they became public whistleblowers.

[1] Ironically it was Edward Snowden damaging Booz Allen that caused some to join Project Raven, who then got their own ethical dilemas and turned public whistleblowers when the approved reporting channels failed…

Ted December 4, 2021 9:14 AM


The fact that someone in YYY is actually taking money from BBB for the information on AAA is not visable to the audit.

Argh!!! I want to pull my hair out! Also thanks for the link to the Reuter’s article and the explanation. They are good journalism (often and IMO). From Reuter’s:

“There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government,”

Oh good. Moral obligations are such a good safeguard. Sheesh x10.

SpaceLifeForm December 4, 2021 7:20 PM

@ Ted

OSINT homework problem

See how much you can find out about the Shin Bet coronavirus-tracking app being shut down in 5 to 6 days.

SpaceLifeForm December 4, 2021 9:15 PM

@ Ted

See how much you can find out

Or not find. Keep digging.

Connect dots. Think outside the box.

Observe that which you do not see.

Ted December 4, 2021 10:21 PM


Read this and let me know where you have more questions or interests?

Some points (from a light read):

  • The public was outraged over the program’s (temporary 5-day?) reinstatement
  • The four human rights groups who filed a petition against the program’s extension were: Association for Human Rights in Israel (ACRI), Adalah, Physicians for Human Rights and Privacy Israel
  • ACRI is on twitter and they seem happy right now; they also tweet in Hebrew (
  • “So far, Israel has registered three cases of Omicron, with several dozen other people suspected to have been infected.”

Your turn 🙂

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.