By Danna Ingleton, Deputy Director of Amnesty Tech
In June last year, one of my colleagues at Amnesty International received a WhatsApp message from an unknown number. It contained details about a protest supposedly taking place at the Saudi embassy in Washington DC, and my colleague was instantly suspicious. The message came at a time when Amnesty International was campaigning for the release of six jailed activists in Saudi Arabia, and something didn’t feel right.
An analysis of the links in the message proved these suspicions to be well-founded. Amnesty’s Tech team found that clicking the link would have secretly installed potent spyware on the phone, obtaining total access to calls, messages, photos and GPS location. A closer look enabled us to trace the attack back to a secretive Israeli company: NSO Group.
NSO Group sells surveillance software to governments and has been linked to digital attacks on human rights activists all over the world. The attempt to spy on Amnesty was the final straw for us. Today I am providing evidence to support 30 plaintiffs taking legal action in Israel, petitioning the Ministry of Defence (MoD) to revoke NSO’s export license. As I have set out in an affidavit to the court, NSO’s software is a threat to activists and journalists all over the world. Digital rights group Citizen Lab has linked the company to attacks against civil society in Bahrein, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates. We cannot sit back and watch while NSO becomes a go-to for repressive governments.
Like many previously documented attacks, the message sent to Amnesty had all the hallmarks of Pegasus, a dystopian piece of NSO software which can gain control of a phone’s keypad, camera and microphone. Pegasus was the tool used to track Ahmed Mansoor, an Emirati human rights defender who is currently serving a ten-year jail sentence. Citizen Lab has also exposed Pegasus’s role in a spyware scheme targeting Mexican activists and journalists, including those investigating corruption and drug cartels.
It’s worth reiterating here that NSO itself states it only sells to governments. But governments, of course, are not necessarily more benign than cyber criminals, and some are significantly worse. By now, NSO surely knows what kind of hands its products end up in.
Last year the company came under new scrutiny following allegations its software was used to track murdered Saudi journalist Jamal Khashoggi – an accusation the company has denied. But despite the ever-growing pool of evidence, the Israeli government has continued to give NSO the green light to export its products. Specific details of how the export licencing works and what kind of security or ethics checks it entails are difficult to find. The process is shrouded in secrecy; but it is clearly not stringent enough to keep NSO’s products out of the hands of human rights abusers. We don’t know if NSO has been used by the Israeli government in the context of surveillance of Palestinians.
The Israeli MoD has ignored multiple requests from Amnesty and others to revoke the company’s license, which is why we’re providing evidence in this legal action.
If the world’s largest human rights organization, which has technology experts among its staff, can be targeted, it’s probably the tip of the iceberg when it comes to NSO’s reach. Attacks like the one on Amnesty also show just how brazen the international surveillance industry has become. Earlier this year, Citizen Lab researchers looking into NSO were reportedly targeted by private operatives, in what seemed to be an attempt to silence and intimidate them.
But this case also is about more than human rights work – it highlights the threat to privacy for all of us. Today it was reported that a vulnerability in WhatsApp could expose billions of users to attacks by NSO spyware. Amnesty has not yet been able to verify these reports but if true they exemplify fully our claim to the Israeli courts: NSO has gone rogue and the Israeli MoD holds no proper oversight, control or regulation.
While NSO is allowed to market and sell its products without proper oversight, it’s essentially growing into a private international intelligence agency guided solely by profit and seemingly accountable to no one. Its spyware is so potent that most people would never know if their phone or computer had been infected.
NSO has repeatedly denied that Pegasus has been misused to target human rights defenders. Since a change of ownership in February this year the company has been trying to clean up its image, buying Google search ads and launching a new website where it claims to take “a pioneering approach to applying rigorous, ethical standards to everything we do.” No further details are provided, which hardly lends credibility to the claims. For those whose safety is jeopardized by NSO’s reckless sales, this kind of platitudesisn’t enough. Our petition today is a first step which we hope will eventually put a stop to NSO’s web of global surveillance.