Exchange of Views | Stocktaking of EU spyware providers (21 June 2022)
Exchange of Views with NSO
- Chaim Gelfand, General Counsel and Chief Compliance Officer of NSO, Israel
- Nicola Bonucci, Partner in the Global Trade and Investigations & White Collar Defense practices at Paul Hastings law firm, Paris
Hearing: Stocktaking of EU spyware providers
- Edin Omanovic, Privacy International
- Stephanie Kirchgaessner, The Guardian
- Ben Wagner, TU Delft
The PEGA committee held an exchange of views with representatives of the NSO Group. It was followed by a hearing on the stocktaking of EU spyware providers, at which experts described the current landscape of spyware providers in Europe.
The exchange with Chaim Gelfand, scheduled for an hour and a half, ends up running a full hour over. The NSO representative begins with four simple "truths" about NSO and Pegasus, responding to what has circulated about its use by law enforcement agencies: the company sells its software only to governments, and only to certain governments; it does not operate the systems itself; and it otherwise complies with the regulations of the states in question.
He adds that states are forced to respond to terrorism, and that the spread of encryption likewise forces the authorities to act. Pegasus is a balanced solution; backdoors in communications would be far more intrusive. Pegasus has helped to uncover numerous crimes. The company respects human rights and follows due diligence programs.
According to Gelfand, the company is confronted with numerous false reports, which he now counters: it is not true that NSO collects and stores data, the company does not hold any data on the target persons, and there are no backdoors. Pegasus is sold only to governments and not to private individuals. Detecting Pegasus is difficult but possible if abuse is suspected: not all traces of the software disappear from devices, and it cannot add data to phones. A circulating list of 50,000 phone numbers does not consist of devices intercepted with Pegasus; that number of targets is completely implausible compared to the number of licenses sold. There is, however, an audit log file which customers have to hand over upon request. Licenses are limited. Pegasus is not an instrument of mass surveillance; it is used only against terrorists and serious criminals, says Gelfand.
The NSO representative offered to work with the Parliament, civil society organizations and other stakeholders to clarify the situation.
Afterwards, the question and answer session with the MEPs begins, but many of the questions are answered only with excuses. It is not possible to talk about individual customers, who are contractually obligated to NSO to use the software only to fight terrorism and crime, says Gelfand. If this obligation is violated, the contract becomes null and void. He does not confirm whether this happened with the Polish and Hungarian governments.
It is not possible to intercept individual phone numbers without the permission of the customer, Gelfand answers a series of questions from MEP and rapporteur Sophie in 't Veld. First, a log file is used to check whether a person was affected; this was checked for Jamal Ahmad Khashoggi, with a negative result. Then the customer is asked why the person was intercepted, even though he or she is a journalist or human rights activist, who can also commit crimes. If the customer is not cooperative, the cooperation is terminated. The US blacklisting affects NSO, which wants to find a solution with the US government and explain that the software is important for security. Gelfand confirms that buyout negotiations are ongoing, but does not comment on reports that L3Harris is the interested party.
In response to Polish MEP Bartosz Arłukowicz's allegation that invoices were found suggesting that Pegasus was sold to private parties, Gelfand says that commercial third parties sometimes initiate sales. However, these parties never receive the system itself and have no access to data. The contract is concluded only between governments, i.e. between the customer and the Israeli government. He does not comment on the tapping of a Polish lawyer; Gelfand does not discuss individual cases, citing business secrets.
Gelfand does not answer the question of Hungarian MEP Sándor Rónai about contracts with his government and the rule-of-law problems there, where opposition members, journalists, lawyers and NGO members were wiretapped. Nor does he give details about any screening process for human rights compliance. Instead, the NSO representative explains the procedure by which countries are screened: publicly available information is used, and it is then assessed whether the country respects the rule of law. When Rónai points out that the EU also criticizes the rule of law in Hungary, Gelfand again evades the issue. He does say, however, that NSO no longer cooperates with clients who have illegally spied on a journalist.
In response to specific questions from Polish MEP Róża Maria Gräfin von Thun und Hohenstein, Gelfand says that any system can be misused, just like a hammer. Prospective customers are checked before a sale according to international standards; this assessment can change, for example after complaints, and the cooperation is then to be terminated.
Over the past two years, NSO has conducted 25 investigations and terminated contracts with 8 customers, he says in response to a question from Saskia Bricmont. He gives no answer on the number of whistleblower reports. He will not provide the public with evidence that contracts were terminated, but redacted copies of contracts could be handed out. When a customer buys a system, there are several days of training on test equipment, and a service center can be called for technical problems. Regarding the classification of countries on a scale from zero to one hundred, Gelfand explains that Belgium is at about 80, Spain at about 75, Hungary and Poland at about 65, and Saudi Arabia much further down, at about 30. The bar has since been raised; there is no more cooperation with countries with a score of 20 or more. People are learning, and not everything NSO has done has always been one hundred percent perfect. Ethics is more important than merit.
In response to a question from MEP Beata Kempa, Gelfand says that several thousand lives have been saved with Pegasus. NSO does not receive concrete information, for example on operations against pedophilia or terrorism, but it does receive feedback from customers. No intelligence service in the world would allow companies like NSO access to the data of intercepted persons.
MEP Cornelia Ernst asks about remote access. This can only be used for maintenance, says Gelfand; it can also be used to shut the system down and terminate the license if the customer does not cooperate. He does not give an estimate of the number of competitors, but NSO knows them and is itself one of the players. Some are from Western countries, but others are from China and Russia. The criteria for whom to sell to have been changed. The best way to regulate is at the international level, for example to prevent proliferation. The NSO representative does not want to answer the question about the number of export licenses, because the Israeli government is responsible for them, so inquiries should be made there. Several license applications have already been rejected, however, as has also been reported in the press. In November, the number of countries receiving licenses was greatly reduced.
In response to MEP Carles Puigdemont's question as to how it can be proven that the software has saved human lives, Gelfand refers to the Human Rights Charter, according to which human rights can also be restricted for security purposes. If this is done incorrectly, an investigation is initiated and, if necessary, the cooperation is terminated. Gelfand repeats here what he has already said several times. Victims can also come forward, and this has already been looked into. From the point of view of law enforcement, however, systems like Pegasus are necessary: encryption, for example, which is now also widely available to private individuals, causes major problems, he says, and law enforcement agencies have said so explicitly. Committee chairman Jeroen Lenaers presses for an answer to the question of whether abuse is also checked. According to Gelfand, there is an annual review, which also looks at the rule of law or a possible coup d'état; it is also possible to proceed proactively if there is relevant information. In the last year and a half, review procedures have been agreed with some clients. NSO is not kept up to date on these, but meets regularly with the customer.
MEP Karolin Braunsberger-Reinhold asks whether NSO also buys exploits. Gelfand responds that the company is primarily committed to research and development, is constantly improving its systems, and uses everything that is available if it is legal to do so. On compliance, he says the company regularly talks to employees and customers. Last year the Pegasus Papers resulted in a large number of complaints. There are currently about 20 ongoing investigations; in addition, the whistleblower hotline received 25 tips, of which 5 were credible.
Asked by MEP Hannes Heide, Gelfand again denies the figure of 50,000 intercepted phone numbers; for the actual amount he gives last year's figure of "12-13,000 targets". There were 60 customers in 45 countries, he says, and now there are 50, with the software installed directly on the customers' servers. The company is very cautious about taking action against journalists, says Gelfand, but it has itself filed a case against an Israeli newspaper that falsely reported that NSO could delete audit logs on customers' servers. Asked whether Commissioner Didier Reynders or the Spanish prime minister and defense minister have anything to do with terrorism, given that NSO software is only used in such cases, Gelfand answers evasively. The software is distributed to save lives, and its deployment requires a serious suspicion, he says.
Asked by MEP Moritz Körner about the number of EU customers, Gelfand says he does not have the figure at hand, but that it is more than 5. The number of EU contracts that were dissolved he will also have to submit at a later stage. Asked again about exploits, Gelfand again evades, citing business secrets. He also answers the question of whether vulnerabilities have ever been purchased by saying that everything that is legal is used.
In response to a question from MEP Hannah Neumann, the NSO representative says that cooperation has already been terminated with one or more EU countries, and that the number will be provided later. He does not answer whether Saudi Arabia and the UAE went through the due diligence process. Asked again about exploits, and whether they are bought or discovered by NSO itself, he stays silent, saying he is not a technician. Asked about possible regulation, he suggests something similar to the non-proliferation agreements for nuclear weapons; it would then be possible to check continuously, by means of audits, whether the countries keep to the rules.
MEP Giorgos Georgiou asks whether the rule-of-law proceedings against Poland are not reason enough to withdraw the license; the question is ignored. He does not answer whether sales were made to Cyprus and whether the country acted as a reseller, but says such a practice would violate Israeli export licenses.
Polish MEP and journalist Radosław Sikorski asks how to find out whether he was a target. Gelfand replies that one could contact the company as a whistleblower. Whether NSO is proud to have investigated journalists goes unanswered.
Poland's MEP Łukasz Kohut points out that relatives and families are also affected by the digital spying. Gelfand again refers to the terms of the contract and says violations would be prosecuted by NSO. He does not say how many people were intercepted in Poland or who the operator there was. Law enforcement agencies are subject to rule-of-law procedures, he says, whereas a technology, which can also be used to do harm, is not.
MEP Salima Yenbou criticizes the vague answers. NSO gives a definition of terrorism in its contracts with customers, which revolves around the use of force, Gelfand says. The responsibility of a company is set out in the UN Guiding Principles on Business and Human Rights. The company strives to maintain a balance between freedom and security.
In response to a question from MEP Diana Riba i Giner, Gelfand says that the extraterritorial use of Pegasus must be in accordance with international law. Various EU states have laws for this, which would have to be followed. Victims would not be able to determine who spied on them; NSO could try to determine which country is responsible from the number in an audit, but this would be difficult. Licenses work as follows: the customer gets a specific number of targets, usually in the single or double digits, that can be intercepted at the same time. This is checked against the measures in question, including the size of the country or the type of authority.
The Israeli government first issues a marketing license and then individual export licenses, Gelfand responds to MEP Eva Kaili. Certain phone numbers can be excluded from interception by a regulatory authority, and NSO can do this as well. NSO will always comply with applicable law, including, for example, what the GDPR requires, he says. He does not say whether there will be permanent access to audit logs.
Hungary's MEP Anna Donáth wants to know whether NSO will request a review of export licenses issued by the previous Israeli government. Gelfand says this must be initiated by the current government, but NSO is looking for more proactive solutions.
French MEP Anne-Sophie Pelletier wants to know whether her country's MPs are terrorists. The answer is that the vast majority of politicians are of course not criminals, but it is possible, according to Gelfand. A large number of such targets would indicate abuse; contracts would then be suspended until measures were taken.
In response to questions from Jeroen Lenaers, Gelfand says that human rights cannot be measured in money: poorly rated countries cannot pay more in order to be able to use Pegasus after all. Controls and standards have been raised, especially after the Forbidden Stories reports last year, and NSO no longer sells products to high-risk countries. Five licenses means five phones can be tapped simultaneously, he says.
Sophie in 't Veld asks whether NSO, given that it says Pegasus is only used legally, is willing to go through the reported cases with Citizen Lab and Amnesty International. This question has many facets and involves many considerations, Gelfand says; they will look into it. He does not rule out future cooperation, but NSO knows its limits, for example regarding confidential customer data.
Edin Omanovic is both confused and impressed by the NSO speech. Restrictions on customers are said to exist, yet the technology is sold to Saudi Arabia and other countries where people are burned alive. Just because something is controlled does not mean human rights are protected; intelligence interests override the protection of human rights. The reliance on trade secrecy is a problem, because it means the companies cannot be held accountable.
A 2016 study cites over 500 companies that produce various types of surveillance technologies. Among them are spy applications such as Pegasus, but also IMSI catchers, interception systems for the Internet or for satellite communications, biometric systems, SIGINT, and digital forensics tools to read out devices. These types of technologies need to be regulated differently, and it is unclear whether they are being used correctly. As for what can be considered the wider "spyware" ecosystem, Omanovic cites companies such as mSpy, NSO Group, Zerodium, BlackCube and Welund, and argues that it is important to differentiate between them. These are located in countries such as Israel, the United States or the European Union. Other companies specialize in developing exploits, and there are often third parties who are paid for hacking. It is necessary to distinguish between companies that also sell hardware and those that only sell spy software.
Among the companies offering mercenary spyware, Omanovic names from Israel Candiru, Cyberbit, Quadream, Paragon, NSO Group and Interionet; from the U.S. Boldend/Raytheon; from the U.K. BAE Systems and 7 Technologies; from Italy Memento Labs, RCS Lab and Cy4Gate; and from Spain Mollitiam. The expert rates eSurv and Hacking Team from Italy and Wolf Intelligence, FinFisher and DigiTask from Germany as inactive. "They sell a full spectrum of tools ranging from spyware to techniques which take advantage of vulnerabilities in telecomms networks, to spy on people anywhere, to huge internet monitoring tools which sweep up internet traffic on a nationwide level".
As a way out, Omanovic suggests that the EU should use all available sanctioning options against the companies, as the USA does. The EU Commission should enact appropriate legislation and audit procurements. All member states must report on exports. Control authorities must check decision-making processes, and the public must know who is responsible. Manufacturers and sellers of phones should extend the support lifespan of their software and patch it regularly, because otherwise devices are vulnerable even without sophisticated exploits. EU states would have to scrutinize exports to non-EU countries more closely, especially to the autocracies on the periphery of Europe, and civil society there must be supported. If states do not react, this is a threat to everyone's security and also undermines European interests. The problem is serious and does not concern just one company: we are witnessing a mercenary industry.
Banning surveillance technology is difficult, say lawyers, but safeguards and protections could be built in, for example where children or journalists are involved. There are very obvious cases that can be prevented. There is also a research industry into which a lot of money flows, including through programs like Horizon Europe, which can be addressed.
Stephanie Kirchgaessner emphasizes that she also holds German citizenship and is therefore an EU citizen. She first came across Pegasus in 2018 after the murder of Jamal Ahmad Khashoggi. While there is no evidence that he himself was targeted by mercenary spyware, we know that his phone was tapped when he spoke to a friend in Canada, as were other relatives and friends of the murdered man. NSO claims this has nothing to do with his murder. However, wiretapping the friends of a target to learn their plans is a recognizable pattern.
The journalist has closely followed the reporting on NSO Group and how its software has been used against opposition members. With the exception of France, all EU countries are, to her knowledge, said to have been customers of the company. Although it is said that the software is only used against serious criminals and terrorists, we know that it has been abused, for example against dissidents of autocratic regimes, who therefore cannot be safe anywhere in the world. For journalists, this means a chilling effect, for example when sources are infected and journalists then shy away from them; yet sources are an essential part of journalism.
In 2019, 14,000 users were targeted with Pegasus, including about 100 members of civil society. In 2020, the Guardian revealed the operation against three Catalan politicians, presumably a case of domestic espionage. Contrary to Kirchgaessner's expectations, this did not cause an earthquake, perhaps because there was little sympathy for the victims.
Last year, the Guardian, along with other media, published the Forbidden Stories, which uncovered many cases involving journalists or opposition figures. They concerned the wiretapping of tens of thousands of mobile phone numbers in countries such as India, Rwanda, Morocco, the UAE, Mexico and Saudi Arabia. NSO has repeatedly denied having anything to do with these phone numbers. However, in Mexico and India in particular, Pegasus was found to have been used for domestic political espionage. Much was also uncovered in Britain, suggesting UAE involvement: a dissident from that country was targeted, and Downing Street had also been attacked. In Saudi Arabia there was a very high number of violations. Citizen Lab was able to document many further attacks in Spain, against MPs and members of civil society. Pegasus does not work against US numbers, but US citizens have been spied on with it.
There needs to be a debate around the software, Kirchgaessner says, and not just about stopping terrorist attacks: it is about the lack of accountability. But the fact that we are talking about it now is a good start. The big tech companies also need to get on board and implement technological countermeasures against mercenary spyware.
Ben Wagner credits the great work of journalists and researchers, without whom we would not be sitting here today. Exactly ten years ago he spoke in the EU Parliament about a report on surveillance; at that time the subject was the EU's foreign policy and the damage done abroad by surveillance software from the EU. To regulate surveillance there is the Dual-Use Goods Regulation, but it is insufficiently implemented. The US, by contrast, has gone much further, with blacklists among other measures.
With the surveillance industry, we risk becoming victims ourselves. Only when politicians were attacked was there a debate about it. We have unleashed an industry that we Europeans did not want to regulate, and now we are feeling the consequences. If we look at the publicly funded, global surveillance ecosystem, we see how extensive and broad it is. Pegasus and many of the other aspects discussed here are only a small part of the problem. We are talking about taxpayer money paid exclusively to spy companies.
Looking at the next ten years, Wagner says that if we allow this kind of software, not only Mr. Khashoggi but also the French president will be attacked. Anyone can be a potential terrorist in this way. There need to be rules from governments. NSO's clients should also be invited to the EP: where is the Polish Minister of the Interior, where is the German police? It is not just about a foreign company solving problems that were also created within the EU.
It is true that the use of mercenary spyware brings short-term security advantages. But in the long term, we have a publicly funded ecosystem that is inadequately regulated, which leads to enormous problems because it can be abused; as examples Wagner also cites election campaigns. So we need guidelines that are issued by authorities, not companies. We also need legal remedies for victims who have been attacked, so that they can be compensated. Companies would have to become more transparent.
As possible solutions, Wagner proposes that no EU money should be used for spying software. Surveillance must be treated like pollution, he says, so it should not be invested in, or only in very limited circumstances. Also needed are mechanisms to discourage purchase, for example through high prices or (penalty) fees; victims could be compensated from a fund created in this way. Control of dual-use goods would need to be strengthened. European programs, such as International Partnerships (INTPA), that support this would need to be supported. We need to limit the amount of surveillance technology traded with and purchased from non-EU countries, to ensure that it does not return to Europe and get used there, Wagner concludes. "We've unleashed an industry that we have not been sufficiently willing as Europeans to regulate". "Sooner or later this will be misused, whether it's in election campaigns, whether it's in so-called corruption cases".
The stream of today's hearing can be seen here.