Buyer beware: The Israeli company helping governments spy on their own citizens
As smartphones have proliferated over the past few years and become indispensable communication tools for all of us, startups dedicated to hacking these phones on behalf of governments – including military, intelligence and police departments – have also multiplied.
Clients of these startups use the new technology to surveil criminals and terrorists in order to detect and disrupt their plans. That’s a legitimate use. But there are others that are much more lucrative for the companies – and much less palatable for open societies.
Take the example of Emirati human rights activist Ahmed Mansoor. In August 2016, he received a phishing message appearing to originate from a legitimate source. But he was suspicious and immediately sent his phone to the University of Toronto’s Citizen Lab for forensic analysis.
According to that analysis, it appeared that the Emirati authorities had purchased Pegasus, one of the most powerful commercially available malware programmes ever created, sold by Israeli company NSO Group.
If Mansoor had opened the link, it would have taken over his phone and given police access not only to everything on his phone (e-mails, contacts and text messages, for example) but also to the camera, video and audio capabilities. Police would have heard and seen everything he did and been able to anticipate his every action.
Pegasus strikes
In a related 2016 case, UAE authorities also employed Pegasus in a phishing attempt targeting MEE journalist Rory Donaghy, who reported critically about the abuses of the country’s autocratic regime. In the midst of an investigation of this attack, Citizen Lab discovered that 1,100 activists and journalists in the kingdom had been similarly targeted and that the government paid NSO Group $600,000 in these attempts.
While a commercial product, Pegasus – like several other similar spyware products now on the market – is clearly also a political tool enabling autocratic regimes to spy on their own citizens.
In fact, I’d go even further and say that Pegasus is often used as an offensive cyber-weapon by the world’s elite to protect their interests and hinder the legitimate oversight of NGOs and other activist communities.
“The government buys [the technology] and can use it however they want,” Bill Marczak, a researcher with Citizen Lab, which has analysed several surveillance campaigns that it says were conducted with Pegasus, told HuffPost.
“They’re basically digital arms merchants.”
In recent weeks, the private equity group that owns NSO Group, which is now valued at $1bn, has been shopping the company around, raising major questions among digital rights activists about whether a new investor will curb the alleged use of the company’s spyware by governments against political dissidents and activists.
From army to tech
There are several firms making this type of malware in various countries, but some of the most successful are in Israel.
This is mainly a result of the Israeli Army’s SIGINT Unit 8200, the largest unit in the Israeli army, which monitors, intercepts and spies on Israel’s enemies in the Middle East and throughout the world.
Its officers receive the most sophisticated training in signals intelligence, and use and create the most advanced technology to do so. When they leave active duty, they find the tech world open to them. They can land lucrative jobs with major companies or use the expertise they acquire in the army to found their own startups.
Some of the most successful include Waze, Wix, Taboola, NICE Systems, Amdocs, Onavo (purchased by Facebook for $150m), Checkpoint, Mirabilis and Verint.
Many of the projects involve cyber security, since that is what Unit 8200 is set up to defeat in its efforts to intercept the communications of Israeli enemy forces. Some ventures focus on protecting cyber security. Those are the good guys, or white hats in hacker terminology.
But others continue along the lines that Unit 8200 hackers pursued during service: they are designed to defeat the security features of various systems.
Perhaps the most successful of these companies is Herzliya-based NSO Group, whose corporate motto is “make the world a safer place”. But the company has arguably made the world much more dangerous for a wide range of human rights and political activists fighting against corporate and government impunity.
Billion-dollar vulnerabilities
NSO was founded in 2010 by two IDF veterans, Shalev Hulio and Omri Lavie, who themselves were not Unit 8200 veterans (despite reports suggesting otherwise). According to the Israeli publication Globes, Lavie served in the artillery corps and Hulio in the search and rescue service.
In high school, neither Hulio nor Lavie was an especially good student and, according to the Globes report, they spent lots of time together on the beach. After leaving the IDF, they decided to become internet entrepreneurs.
NSO is their third, and by far most successful venture. Its genesis came about through sheer happenstance, according to the founders. They had been asked by various clients whether there was a way to take control of a cell phone without having physical access to the actual handset.
Though they felt certain there was, they could find no tech engineer who had any idea how to do it, until one day while sitting in a cafe, the two overheard Unit 8200 veterans talking about just such a possibility. So in 2010, just as smartphones were being transformed from single-use objects into powerful, multi-use, indispensable daily devices, they founded NSO.
They began to cultivate clients in the ranks of police forces in various countries, offering the ability to spy on criminal suspects in ways no one had ever contemplated. They established a US sales subsidiary, WestBridge Technologies, to improve business penetration in one of its largest potential markets.
Through Francisco Partners, the venture capital company which bought NSO in 2015, NSO came under the umbrella of a company which owned a number of other telecom companies, which offered critical inside information to advance its hacking capabilities. For example, Intelligence Online reports that Boaz Goldman is the board chair of Inno Networks, which installs mobile communications networks (3G and 4G). He had just joined the board of a Luxembourg-based holding company which includes NSO Group in a complicated financial relationship. This business arrangement gives the cyberarms firm direct access to the very networks (SS7, or Signalling System 7) used to transmit text, email, phone calls, geolocation data and encryption keys.
NSO also began to cultivate sources who gave them access to cell phone prototype models before they came on the market, which permitted them to do forensic analyses so that NSO engineers could search for zero-day vulnerabilities which could grant them full access to the phones their clients sought to target.
Grey zone
You would think that mobile phone makers would guard their products like Fort Knox and keep them from the prying eyes of hackers like NSO. But the company operates in a grey zone and manages to secure what it needs from various sources both inside and outside the manufacturing companies.
Before mobile phones, criminals communicated the way everyone else did: by landline, mail or in person. The technology to intercept or monitor such interactions was simple and primitive: for phones, it was a physical wiretap on a telephone line.
The wiretap would presumably have to have been approved by a judge and then implemented with the help of the phone company. There was an oversight process and it was generally respected, at least in democratic societies.
Electronic communication changed all the rules, opening up new modes of spying on individuals. You could externally intercept the communications signals between callers. NSO took advantage of this, developing a programme that, once downloaded, would take over the user’s mobile phone.
So there was no longer a need to intercept calls because NSO’s client was in effect inside the phone itself. Police forces and governments could disrupt plots to commit crimes or terror attacks before they happened and preserve public order.
Truck-sized loophole
But there was a wrinkle in this otherwise beneficial technology: NSO Group only controlled those who bought the technology, but not its ultimate user. The original client could offer it to other individuals or agencies in its governments, or create a fictitious commercial identity to conceal its ultimate use of Pegasus.
NSO claims it follows all Israeli regulations governing the export of its products and only sells to Israeli allies and never to Israeli enemies. It also claims that it only sells to governments and never to individuals or unauthorised users. It claims Pegasus is only intended to fight criminals and terrorists, and never to be used for political purposes.
However, it notes that once it sells the product, it has no control (or so it claims) over who uses the technology or how it is used. This is a loophole wide enough to drive a Mack truck through, and allows NSO – and a dozen other digital spying companies offering similar programmes – to evade responsibility for the unsavoury ways in which their technology is used.
In the Mansoor case, the hack was directed at a citizen viewed by the state as a criminal. But he isn’t a criminal in any sense that a democratic society would recognise. He hasn’t been charged with a crime, robbing anyone or planting a bomb. In 2011, he was sentenced to three years on charges of insulting the state (he was later pardoned and released) – and that was apparently sufficient in an autocratic regime like the UAE to put him under suspicion.
NSO’s technology has also fallen into the wrong hands in Mexico. As the New York Times has reported, the phones of Mexican political, human rights and anti-corruption activists who were investigating possible crimes committed by the government and its agents were infected with Pegasus. The Times says the victims first noticed the intrusions in the summer of 2016.
One was a lawyer representing the parents of 43 college students murdered by Mexican police in a case which has never been prosecuted. Others were investigating corruption by high-level corporate executives in collusion with elected officials.
According to internal NSO emails dated from 2013 seen by the New York Times, the Mexican government paid NSO more than $15m for three projects. Mexican officials have denied that they were involved in the spying and have opened an investigation.
Such uses violate the provisions of the Israeli export license under which NSO sold its product. But there is little possibility Israeli officials will intercede in this case. They are interested in promoting Israeli exports, not stifling them. Nor do they see their role as serving as an ethics monitor regarding the behaviour of Israeli companies.
Middle East Eye contacted the Defence Export Control Agency of the Israeli Ministry of Defence for comment on its relationship with NSO. It had not responded by the time this article was published. We also posed questions to the press office of the Ministry of Defence, which also had not been answered by time of publication.
As an example, many Israeli arms exporters are suspected of engaging in bribery and other corrupt practices in order to gain weapons contracts with foreign militaries. Few of these companies have been investigated by Israeli authorities, though several have been barred from doing business in various countries.
Citizen Lab told Forbes that NSO had registered domains in Israel, Kenya, Mozambique, Yemen, Qatar, Turkey, Saudi Arabia, Uzbekistan, Thailand, Morocco, Hungary, Nigeria and Bahrain, suggesting that Pegasus could have been used in these countries, although there was no clear evidence.
According to internal NSO emails, contracts and proposals seen by the New York Times, NSO charged clients $650,000 to spy on 10 iPhone owners, plus a $500,000 setup fee.
It’s clear what a gold mine this business could be - and also why NSO could be tempted to relax ethical considerations to maximise its profit potential. Middle East Eye reached out to an NSO co-founder and the company’s publicist for comment. Neither responded.
Being the clever entrepreneurs that they are, Lavie and Hulio decided they should play both sides of the street. That’s how in 2013 they started Kaymera, another Herzliya-based tech startup designed to protect clients against unwanted cyber-intrusions.
In most other business ventures, such boundary crossing would raise red flags. There could be benefits to sharing knowledge: as soon as an NSO engineer learned of a company’s vulnerability, it could share that with Kaymera in order to patch it.
But the opposite could happen just as easily: Kaymera could notify NSO about a vulnerability it discovered in a client’s communications or computing systems. This knowledge could, in effect, be monetised on behalf of the two companies. Middle East Eye contacted Kaymera for comment and the company did not reply.
The problem is that in a national security state like Israel, ethical considerations like these take a back seat to both security and financial gain.
Unicorns and golden geese
NSO’s growing client base and the revenue it generated came to the attention of venture capital firms looking for lucrative investment opportunities. One of these was US-based private equity firm Francisco Partners.
In 2014, the firm bought a controlling interest in NSO for $120m. The best VCs invest for the long-term in a company offering, not just capital investment, but strategic and governance advice. But others invest for the short term. Francisco was one of these.
Interestingly, Francisco Partners and an NSO offshoot have a history of involvement with former Trump administration national security advisor, Michael Flynn, who resigned in February after speculation over his links to Russia.
According to financial disclosure forms, a Luxembourg-based NSO offshoot, OSY Group, paid Flynn $40,280 for his role as an advisory board member from May 2016 until January this year. Flynn – who reportedly has worked for several cybersecurity firms - also consulted for NSO’s corporate owner, Francisco Partners, but he never revealed how much they paid him.
A month before Flynn joined OSY’s board, the NSO Group opened a new DC-area arm called WestBridge Technologies which, according to Huffington Post, is “vying for federal government contracts for NSO Group’s products. Hiring Flynn would provide NSO Group with a well-connected figure in Washington, to help get its foot in the door of the notoriously insular world of secret intelligence budgeting”.
Francisco Partners held NSO for only a year before it began shopping it with a $1bn valuation. In recent weeks, Blackstone Group, one of Wall Street’s biggest investment houses, reportedly agreed to purchase a 40 percent stake in NSO.
Blackstone’s $400m investment would have made NSO a “unicorn” (a startup achieving a $1bn valuation or more) and offered its founders – and Francisco Partners - a huge payday.
Given the increased penetration of the world market that the Blackstone investment would have given NSO, the reports alarmed internet freedom activists.
Access Now, a US-based NGO advocating a free and open internet, created an online petition and campaign seeking to educate the public about NSO’s business model. Citizen Lab joined the project, writing an open letter to Blackstone’s board of directors urging them to “carefully consider the human rights and ethical implications” of their potential investment.
Blackstone pulls out
This week, reports emerged that Blackstone had pulled out of discussions with NSO without finalising a deal. Responding to a request for comment from Middle East Eye on the day the end of talks was announced, a Blackstone representative declined to comment on the deal. Another venture capital firm, ClearSky Technologies, had been reported to have agreed to purchase a 10 percent stake in NSO. But it too confirmed to Middle East Eye it would not be investing in the company.
An NSO spokesperson declined to discuss with Reuters the talks or why they fell apart.
But it seems likely that the controversy generated by Access Now and questions raised by journalists made the firm wary of the liability it would be taking on.
“Until Blackstone speaks up,” Peter Micek, Access Now general counsel, said, “we won’t know whether they heard the voices of human rights defenders, journalists, and crime victims whose lives were upended by NSO Group’s tools.
“But this dead deal should show other private equity firms, including NSO’s current owners Francisco Partners, that there’s nothing to be gained - and a whole lot to lose - by investing in human rights abuse.”
All this highlights renewed questions about how NSO does business and the weaknesses of its ethical model. Why, for example, does Pegasus leave NSO’s sight and control once it licenses it to a client? Why can’t the company place explicit provisions into its contracts directing by whom and how it will be used?
Terms of use
It seems ludicrous that a company whose technology is designed to infiltrate and monitor the activities of targeted individuals would not be able to monitor the uses to which its products are put.
Of course, if NSO could monitor how clients are using its products, it could be held liable if they violate the terms of use. Human rights activists targeted or imprisoned as a result of Pegasus could possibly sue NSO in some jurisdiction for their suffering. That would be yet another reason for NSO to prefer to be ignorant of what happens once the malware leaves its servers.
It is imperative that a future buyer be aware of, and respond to, these concerns in a constructive way. Also, the states which are already clients of NSO need to do a much better job of monitoring how the surveillance technology is used in their jurisdictions.
Countries which are considering becoming NSO clients must also create safeguards to ensure Pegasus is only used against the real bad guys, and not against civilians, public health advocates, lawyers, journalists or political activists.
- Richard Silverstein writes the Tikun Olam blog, devoted to exposing the excesses of the Israeli national security state. His work has appeared in Haaretz, the Forward, the Seattle Times and the Los Angeles Times. He contributed to the essay collection devoted to the 2006 Lebanon war, A Time to Speak Out (Verso) and has another essay in the upcoming collection Israel and Palestine: Alternative Perspectives on Statehood (Rowman & Littlefield).
The views expressed in this article belong to the author and do not necessarily reflect the editorial policy of Middle East Eye.
Photo: An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, on 28 August, 2016, in Herzliya, near Tel Aviv (AFP)