Hi Quartz members,
Is your phone spying on you? The short answer is yes. When you use apps or the internet on any smartphone, you leave behind a trail of information that advertisers use to track what you buy, where you go, and who you talk to—often without your knowledge or explicit consent.
But last month, 37 people found out their phones were extra spying on them. An investigation coordinated by media outlets and nonprofits from around the world revealed that Israeli technology firm NSO Group sold malware to authoritarian governments, who used it to hack into the phones of journalists, human rights activists, and lawyers.
Those 37 numbers were part of a leaked list of 50,000 numbers that the consortium believes are actual or desired targets of NSO’s clients. The list includes presidents and prime ministers, the family members of opposition leaders, and even clergymen. NSO Group rejects those findings, telling Quartz that the list is not “of targets or potential targets,” that the numbers on it “are not related to NSO Group,” and that “any claims to the contrary are false.”
But this isn’t the first time we’re hearing about NSO Group. The company’s software, Pegasus, was also accused of playing a role in the 2018 murder of Washington Post reporter Jamal Khashoggi. And in 2019, Facebook sued NSO (pdf) for allegedly infecting 1,400 phones to gain remote access to their owners’ WhatsApp accounts.
This latest scandal puts NSO Group back in the hot seat, along with the under-regulated world of hackers-for-hire.
A brief history of NSO Group
2010: Herzliya-based NSO Group is incorporated in Israel. Its name stands for founders Niv Carmi, Shalev Hulio, and Omri Lavie.
2014: California-based private equity firm Francisco Partners buys a majority stake in NSO Group for $130 million.
2016: The Citizen Lab at the University of Toronto reveals that a human rights activist from the UAE was targeted by “a chain of zero-day exploits that would have remotely jailbroken [his] stock iPhone 6 and installed sophisticated spyware.” NSO Group is thrust into the spotlight.
2018: Saudi activist Omar Abdulaziz, a contact of Khashoggi, sues NSO in Israel, alleging that Saudi authorities hacked his phone with Pegasus and stole information that “contributed in a significant manner to the decision to murder Mr. Khashoggi,” per The New York Times.
2019: In February, NSO Group founders Hulio and Lavie buy out Francisco Partners with financing from London-based private equity firm Novalpina Capital and US financial advisors Jefferies Group. Eight months later, Facebook and WhatsApp sue NSO Group in California.
2021: Israeli media reports that NSO is planning to go public in Tel Aviv.
NSOpen secret
NSO Group was founded, according to its owners, to fix a 21st-century problem: Encrypted communication apps were making it harder for law enforcement agencies to track criminals.
According to an interview they gave The Washington Post, Hulio and Lavie, who at the time sold software that could gain remote access to a phone with its owner’s consent, were asked by “law enforcement officials in Europe” to do the same thing without the owner knowing it happened. This led them to create Pegasus, which the founders told the Post is named after Greek mythology “because…the software was like a Trojan horse sent through the air to people’s phones.”
Because Pegasus is so powerful, NSO Group must get the approval of the Israeli Ministry of Defense before selling the software to any foreign governments. Observers say that under former Israeli prime minister Benjamin Netanyahu, Pegasus sales closely tracked the ups and downs of his diplomatic ambitions: According to the Financial Times, “Israel has wooed Gulf countries such as the UAE, Bahrain, and Saudi Arabia into improving bilateral relations, by offering clandestine security cooperation against shared regional enemies.”
NSO Group downplays criticism by noting that all of its potential clients are vetted by an internal committee (pdf, p. 2), which ensures their plans for Pegasus are “methodical, appropriately targeted, limited in reach and scope, and…directed at legitimate criminal or terror group targets.” An NSO spokesperson says the company does “everything in our power” to prevent misuse.
But even NSO concedes its track record isn’t perfect. In its first transparency report (pdf) this year, the company acknowledged that, “On occasion, customers may not meet their obligation as states to protect human rights and adhere to their contractual obligations.” In NSO’s estimation, “allegations of misuse amount to less than 0.5% of the instances in which the Pegasus system was used.”
NSO by the digits
750: NSO Group employees
60: NSO clients (it doesn’t disclose who they are)
55: Countries NSO Group says it will not sell its software to (it doesn’t disclose which)
$1.5 billion: NSO Group’s estimated value
$2 billion: Estimated value of NSO Group’s planned IPO
$300 million: Overall value of the business NSO Group claims it has turned down due to human rights concerns
$50 million: Asking price (in cryptocurrencies) for stolen Pegasus code on the Darknet
A no good very bad month
Since July’s massive investigation revealed that some governments who purchased Pegasus to “catch terrorists and drug dealers” actually used it to target dissidents and the media, NSO has been under a microscope.
July 18: The Pegasus Project—a collaboration between 17 media outlets, Amnesty International, and Paris-based nonprofit Forbidden Stories—is published.
July 21: In a statement entitled “Enough is Enough,” NSO Group denies all allegations made in The Pegasus Project and vows to ignore “media inquiries on this matter.”
July 22: Israel forms a commission to review NSO’s activities and the defense ministry’s process for granting the company export licenses.
July 26: Four Democratic lawmakers call on NSO and similar companies to “be sanctioned, and if necessary, shut down.” Their statement is also labeled “Enough is Enough.”
July 28: Israeli defense minister Benny Gantz travels to Paris to discuss Pegasus with French defense chief Florence Parly and says “Israel is investigating the allegations thoroughly.” An unnamed NSO employee tells NPR that the firm has “temporarily suspended” some of the clients named in the Pegasus Project, pending an investigation. (NSO won’t disclose which.)
The likely victims
The Pegasus Project only had access to 67 physical phones attached to some of the 50,000 numbers on the leaked target list allegedly belonging to NSO’s clients. Of those, 37 had been infected by Pegasus.
We don’t know how many of the remaining numbers were attached to infected phones, but here are some of the recognizable names from the list, which hasn’t yet been made public.
🇫🇷 French president Emmanuel Macron
🇮🇳 Indian opposition leader Rahul Gandhi
👸🏽 Princess Latifa, the daughter of the sheik of Dubai
⛰️ Former president of the Tibetan government-in-exile Lobsang Sangay
🇸🇦 Hatice Cengiz, Khashoggi’s fiancee
🗒️ At least 180 journalists from 21 countries
Keep learning
- Shalev Hulio’s 60 Minutes interview with Lesley Stahl is a master class in how to talk a lot while saying nothing at all.
- The Guardian’s five-part podcast series takes you backstage into the months-long Pegasus Project investigation.
- Quartz India explains what Indians have to fear from NSO Group.
- In 2019, Israeli newspaper Haaretz warned of “the dark side of Israeli innovation.” Just two years later, it was “the far-reaching dark side of Israeli high-tech.”
- Edward Snowden knows a thing or two about government cyber-surveillance. “This is an industry that should not exist,” he tells The Guardian of NSO Group and its competitors.
Thanks for reading! And don’t hesitate to reach out with comments, questions, or companies you want to know more about.
Best wishes for a secure end to your week,
Annabelle Timsit, geopolitics reporter (and privacy enthusiast)