NSO’s challenge: Will it open up?

Is it able to prevent potential abuses by its clients?

IDF recruits at the Military Intelligence language school (photo credit: IDF SPOKESPERSON'S UNIT)
Israeli surveillance firm NSO stands accused of having its technology used by the Saudis to track journalist Jamal Khashoggi (whom the Saudis eventually murdered), of allegedly harassing human rights activists from Mexico to Morocco, and of hacking WhatsApp.
Does NSO have the capacity to restrain its clients? And, is it responsible for what its clients do?
NSO denies that its clients – other than in three cases where it cut off their services – have abused its technology. It also says that it has forgone $250 million in potential business to avoid abuses by clients. It also recently committed to follow UN guidelines to avoid abuse of its technology, though there is a debate about how serious its commitment is in that regard.
But let’s assume the company is incorrect and some clients have figured out a way to abuse the technology without NSO knowing. Or, in some cases, clients could have figured out a way to reverse-engineer aspects of the technology, which led to using it in an abusive way.
Whose fault is it?
NSO critics believe the company has clever ways of compartmentalizing different activities it is involved in by using third-party subsidiaries. In this way, NSO is unlimited from a practical business perspective – the company can sell to whoever it wants – but can formally deny any direct connection to clients who use its technology in a problematic or even evil way.
The Hebrew daily Haaretz recently published an investigative report claiming that NSO had sold its technology to specific problematic individuals in Ghana. The report said that through providing those individuals technical support, NSO was (and is sometimes) able to learn who its clients’ targets were, even if NSO did not know when it first provided the technology.
NSO sources, who spoke to The Jerusalem Post on condition of anonymity, denied these allegations in general – and in some cases, specifically. NSO said there are countless examples in which third parties may have made preliminary contact with NSO, but no sale resulted. In other words, third parties may have even received some potential NSO sales materials, but NSO eventually decided not to do business through them for a variety of ethical, strategic or political reasons, the company claims.
In addition, NSO is clear that the Defense Ministry oversees the company, and that even some aspects of its activities, as well as which clients it accepts, are highly coordinated with the ministry.
This might accrue to NSO’s benefit at an expected January 16 hearing between Amnesty International and the Defense Ministry; Amnesty is currently supporting a legal action against the Defense Ministry to demand that it revoke the export license of NSO Group.
The biggest argument in NSO’s favor, however, is that in September the company announced that it adopted UN policy guidelines for the sale and use of surveillance technologies, like its Pegasus software, which allows penetrating a target’s telephone data.
But soon after, UN Special Rapporteur David Kaye and Amnesty charged that NSO is using its announcement about following UN guidelines as a fig leaf, while actually doing nothing “on the ground” to implement the guidelines and observe international standards.
The best way to judge whether NSO is doing more harm than good, or whether it is getting a handle on policing the use of its technology, could be how it implements its September decision.

UNTIL NOW, no outlet had gotten any real indications about how NSO will police these guidelines. But the Post was given unique access to NSO sources who discussed the dilemmas that are being debated internally within NSO itself.
These sources said that NSO is likely to put a report out about the level of its compliance with these UN guidelines sometime in the next year.
Will that report contain examples or quantitative data about situations where clients (without their names) abused NSO’s technology and a narrative about how NSO handled these abuses?
It is hard to say, as on the one hand, NSO is afraid to provide such information.
It may have concerns of violating the contractual anonymity of its clients or that it will “spook” them. Even if the clients’ names are not used, the very publication of any details can often help clever researchers figure out who an anonymous violator is.
On the other hand, if NSO does not include such basic information, how can it credibly rebut the continuously growing pool of documents, testimonies and lawsuits that paint a nefarious picture of the lines it is willing to cross?
One sign of hope is that some of the people NSO has brought on to enforce the new guidelines, both international names like former US Homeland Security secretary Tom Ridge and internal legal professionals with serious reputations, would likely not agree to have their names soiled with a fig leaf to cover up abusing human rights activists.
Another big question, which will give indications of how serious NSO is in doing things right, is its whistleblowing procedures.
NSO could merely establish formal procedures for individuals in authoritarian countries to blow the whistle on their regimes’ misuses of NSO technology, placing all of the onus on those individuals. This would be a clear sign of not being serious. There are few, if any, individuals in authoritarian countries who are going to take that kind of a chance with their career and their lives.
However, if NSO presents some creative procedures that would make whistleblowing viable, and incentivize it, for parties who might actually blow the whistle, that would be a sign of taking the safe use of the company’s technology very seriously.
The final line is the Defense Ministry.
The ministry actually knows what is going on, and with its licensing power, could actually restrain NSO and its clientele if it chooses to do so or is forced to do so by the Tel Aviv District Court.
Hopes, however, should not be high with the court on this issue.
The High Court of Justice itself in recent years pretty much gave the ministry a pass on weapons Israel likely sold to Myanmar, which were likely used to commit war crimes. This is an area that courts do not like to weigh in on.
In other words, the best hope may need to be that NSO founder and CEO Shalev Hulio and the rest of the top tier of the company have learned enough from recent media headaches and lawsuits to make their own decision to take the UN guidelines seriously.
Right now, the general public does not know whether to cheer NSO for thwarting terror attacks or to shun it for the mountain of problematic allegations it faces.
Whether NSO opens up sufficiently about its business, and some of the problems that occur (intentionally or unintentionally), will probably determine its legacy.