An investigation by a consortium of media organizations has found that military-grade spyware licensed by an Israeli firm has been used to h...
 |
| An investigation by a consortium of media organizations has found that military-grade spyware licensed by an Israeli firm has been used to hack smartphones / Jon Gerberg. |
The US Commerce Department said the action is part of the Biden administration’s ‘efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.’
The United States on Wednesday added the Israeli spyware company NSO Group to its “entity list,” a federal blacklist prohibiting the company from receiving American technologies, after determining its phone-hacking tools had been used by foreign governments to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world.
The move is a significant sanction against a company spotlighted in July by the global Pegasus Project consortium, including The Washington Post and 16 other news organizations worldwide. The consortium published dozens of articles detailing how NSO customers had misused its powerful spyware, Pegasus. The Commerce Department said in a statement that the action is part of the Biden administration’s “efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.”
The company said in a statement that it is “dismayed by the decision given that our technologies support U.S. national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed. We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contracts with government agencies that misused our products.”
The company has consistently denied the findings of the Pegasus Project, which found that some of NSO’s dozens of law enforcement, military and intelligence customers in more than 40 countries target journalists, politicians and human rights workers on a routine basis with Pegasus, which can hack into a victim’s cellphone. NSO has acknowledged problems with certain customers in the past.
 |
| An Israeli woman uses her iPhone in front of the building housing the NSO Group in 2016. (JACK GUEZ/AFP via Getty Images) |
“The impact is broader than just the legal prohibition,” said Kevin Wolf, an international trade lawyer at the firm Akin Gump who previously ran the entity list process. “It’s a huge red flag.” It’s unclear how much U.S.-originating technology NSO Group uses in its company tools. But the listing could restrict NSO’s ability to use top-of-the-line cloud-computing services, made by tech giants such as Amazon and Microsoft, or hinder their trade with American researchers who study the kinds of software exploits and vulnerabilities that NSO depends on for infecting phones.
Forensic analyses of phones by Amnesty International, which provided technical support for the investigation, found evidence that NSO’s clients had used Amazon Web Services and other Internet service companies to deliver Pegasus malware to targeted phones.
An Amazon spokeswoman told The Post earlier this year that the company “shut down the relevant infrastructure and accounts” when it learned of the activity. (Amazon’s executive chairman, Jeff Bezos, owns The Post.) The blacklist could also weaken NSO’s standing with investors and cast a pall over the comp
Commerce officials said NSO Group and another Israeli surveillance company, Candiru, had enabled “foreign governments to conduct transnational repression,” allowing authoritarian governments to target “dissidents, journalists and activists outside of their sovereign borders to silence dissent.”
The research group Citizen Lab, in a July report, found that Candiru markets “untraceable” spyware to governments that may be used for repressive purposes. Working with Microsoft, Citizen Lab found that the spyware was used to target human rights activists, dissidents, journalists and politicians in the Palestinian territories, Iran, Lebanon, Britain, Turkey, Yemen and other countries.
“For years we have been documenting extensive and serial abuses of mercenary spyware sold by companies like NSO Group and Candiru,” said Ronald Deibert, director of Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. Commerce’s entity listing “is a very positive first step to bringing some public accountability and order to this otherwise poorly regulated marketplace.”
There are hundreds of companies on the entity list. The Trump administration added Huawei and at least 70 Chinese firms to the list in 2019, citing their alleged involvement in human rights abuses of Uyghurs, a mostly Muslim minority group detained en masse in Chinese “reeducation” camps.
But it is rare for the U.S. government to target companies from U.S. allies, including NSO Group’s home country of Israel. NSO’s addition to the list also marked one of the first times that the U.S. government had cited cyber-surveillance issues as the cause for the penalty.
Commerce officials can permit select U.S. companies to export products to listed companies only with a special government license, though they require all such transactions to marked with a “red flag” and urge firms to “proceed with caution,” federal guidelines state. Other listed entities include Chinese state-owned defense contractors, drone manufacturers and surveillance firms.
Besides NSO and Candiru, two other companies were added to the list: Russia’s Positive Technologies and Singapore’s Computer Security Initiative Consultancy PTE, with the government saying both firms had trafficked in hacking tools that could threaten “the privacy and security of individuals and organizations worldwide.”
While NSO says its spyware tools cannot be used on U.S. phone numbers, the U.S. number of at least one American diplomat was found on the list of numbers that served as a source document for the Pegasus Project investigation. The foreign-registered phone numbers of other U.S. government employees were also on the list.
After the Pegasus Project investigation, a French government probe found traces of Pegasus spyware on the phones of five cabinet ministers. And last month, a High Court judgment in the U.K. revealed that the ruler of Dubai had used Pegasus spyware to hack the phones of his estranged wife, Princess Haya, and top members of her legal and security teams.
A top Biden adviser raised concerns about the spyware to his Israeli counterpart during a July meeting at the White House. Members of Congress have also pushed for sanctions, investigations and new rules to combat spyware abuse, saying “the hacking for hire industry must be brought under control.”
The listing could also prove awkward for the network of Washington attorneys, consultants and other power brokers who have worked with NSO. Rod J. Rosenstein, former president Trump’s deputy attorney general from 2017 to 2019, is advising the company in its lawsuit with the Facebook-owned messaging giant WhatsApp.
David Kaye, a former United Nations special rapporteur who has called for global restrictions on surveillance-technology sales, said the listing will have major practical and symbolic implications for a company that has worked aggressively to attract investors, government clients and positive media coverage.
“They made this real effort to change the conversation about the work they're doing. This shows that attempt has failed,” Kaye said. “Who will want to work with a company that’s been so publicly sanctioned by the U.S. government? … Who would invest in a company with this kind of black mark?”
Kaye said the listing is a reassuring sign for the Biden administration's claims to making human rights a centerpiece for foreign policy. He also expects it could leave a lasting impact on the relationship between the U.S. and Israeli governments.
“NSO Group could not have operated without Israeli government knowledge and toleration, if not encouragement. So part of this cannot be seen merely as the U.S. government making a statement about this particular company; it’s also a statement about the Israeli government, its expert controls and engagement in transnational repression,” he said.