NSO Group Attempting To Distance Itself From Damaging Leak By Offering Up Contradictory Statements And 'Nothing To Fear' Platitudes

from the not-so-fun-when-you're-the-one-being-scrutinized-by-outsiders dept

This truly is a pleasure to observe. Israeli malware merchant NSO Group -- the purveyor of powerful spyware capable of turning a target's phone into a spy agency's plaything -- is playing a whole lot of defense after leaked data seen by a number of journalists and activists appears to confirm that NSO's customers are targeting… activists and journalists. (And world leaders, religious leaders, NGO employees, and friends and relatives of all of the above…)

While the origin of this data remains unclear, it appears to be related to NSO and its customers. And although NSO claims to be very selective about who it sells this powerful spyware to, its customers include governments of questionable character, including Saudi Arabia, United Arab Emirates, Mexico, Kazakhstan, and Uzbekistan.

This has thrust Shalev Hulio, the CEO and co-founder of NSO Group, into the limelight. He's clearly unprepared to be there. His statements and responses to questions are, at best, contradictory. At worst, they're nothing more than deflections that aren't going to persuade anyone that the allegations made by several news agencies and rights groups are false.

Here's Hulio's attempt (in an interview with Calcalist) to explain that the list of 50,000 phone numbers couldn't possibly have anything to do with NSO Group:

According to Hulio, "the average for our clients is 100 targets a year. If you take NSO's entire history, you won't reach 50,000 Pegasus targets since the company was founded. Pegasus has 45 clients, with around 100 targets per client a year. In addition, this list includes countries that aren't even our clients and NSO doesn't even have any list that includes all Pegasus targets - simply because the company itself doesn't know in real-time how its clients are using the system."

So, Hulio claims agencies only target a few people every year and that he knows this because "the company itself doesn't know in real-time how its clients are using the system." If the company doesn't know what customers are doing, it's pretty tough to claim definitively that they aren't targeting more phones than NSO thinks they are or that they aren't violating their agreements with NSO by pursuing "off-limits" targets like journalists and heads of state.

It is possible NSO knows how many targets each customer has, but this information suggests it's pretty easy to exceed the "100 targets a year" Hulio insists governments aren't exceeding.

In 2016, The New York Times reported that NSO Group charged $500,000 to set a client up with the Pegasus system, and then charged an additional fee to actually infiltrate people’s phones. At the time, the costs were reportedly $650,000 to hack 10 iPhone or Android users, or $500,000 to infiltrate five BlackBerry users. Clients could then pay more to target additional users, saving as they spy with bulk discounts: $800,000 for an additional 100 phones, $500,000 for an extra 50 phones, and so on.

Here's another seemingly-contradictory statement from NSO, as provided to Forbidden Stories, which was instrumental in breaking news of this data leak:

NSO does not have insight into the specific intelligence activities of its customers, but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.

There's some word salad towards the end that means a whole lot of nothing, but pay attention to the opening of this statement: "NSO does not have insight into the specific intelligence activities of its customers." If this is true, there's no way NSO can definitively claim the leaked phone number list has nothing to do with its customers. And it also can't seriously claim that it cuts off customers who abuse the product to target individuals that aren't terrorists or criminal suspects.

This isn't the end of the flailing. Shalev Hulio also has conspiracy theories about the origin of the list currently in the news.

"I believe that in the end it's either Qatar or BDS or both," he said. "In the end it's always the same entities. I don't want to sound cynical now, but there are those who don't want [Israel] to import ice cream or export technologies."

Hulio is referring to Ben and Jerry's recent decision not to sell its ice cream in Israeli-occupied territories following years of BDS campaigns. Hulio also said that he doesn't think it's a coincidence that the investigation about his company dropped around the same time that another Israeli surveillance company, Cellebrite, is being challenged by digital rights group while attempting to go public, and the publication of an investigation about Candiru, yet another Israeli surveillance company.

"It's just illogical that this is all happening at once," he said.

Most of the time, coincidences are just that: coincidences. Far more rarely than people claim, coincidences aren't coincidences, but rather evidence of a conspiracy. In this case it's the former, an actual coincidence. And Hulio knows that because even he can't connect enough dots to narrow this down to a single perpetrator.

And the flailingest thing of all is this statement by Hulio, which echoes the statements made by government spy agencies when they're caught with their surveillance pants down:

“The people that are not criminals, not the Bin Ladens of the world—there’s nothing to be afraid of. They can absolutely trust on the security and privacy of their Google and Apple devices.”

Oh really? Then all these journalists and activists who have been targeted by NSO spyware are the "Bin Ladens of the world?" That's a bullshit response, especially when Hulio admits his company can't control or even monitor its customers' use of the malware it sells them. Given the number of human rights violators it sells to, people who are not criminals or Bin Laden-alikes still have plenty to be afraid of.

Filed Under: malware, shalev hulio, surveillance
Companies: nso group


Reader Comments


  • Ed, 26 Jul 2021 @ 12:33pm

    F Israel

    Note, I have nothing against the average Israeli citizen, other than they keep voting for fascist tyrants. But, the Israeli government and their quasi-Apartheid social structure needs a serious slap-down from the rest of the world.

  • Anonymous Coward, 26 Jul 2021 @ 12:45pm

    and the publication of an investigation about Candiru

    The ever-living fuck, they named themselves Candiru?

    i don't even

  • That One Guy, 26 Jul 2021 @ 12:55pm

    Let's just finish that self-serving argument shall we?

    'Innocent people have nothing to worry about regarding the malware we sell to whoever pays us therefore if someone like a journalist is targeted then they must not be innocent.'

    If he really wants to make that argument then I say he should put up or shut up, give the public the same amount of access to his personal devices that his software grants to his clients and let everyone see just how little he has to hide due to how innocent he is, with a refusal to do so seen as an admission that he's got a lot of very bad stuff he doesn't want the public to see.

  • ECA, 26 Jul 2021 @ 1:31pm

    Just for fun

    Let's ask.
    HOW stupid do you have to be, NOT to think that SOMEONE could hack their program to DO anything they wanted?
    Are these folks the only SMART people?

    Then there is the idea that SOMEONE hacked the net of the hacker? Or someone inside Gave out the info?
    How in hell does the company know anything about the USE of their own program?
    Pay NGO for their prog, then go to another hacker to crack it, and change a few things to make it work all the time and NOT report back to NGO. WOW, not hard is it?
