The Israeli cybertechnology firm NSO Group Technologies has been under international scrutiny for some time now, after its name was linked to a large number of reports of persecution of human rights activists and journalists around the world. The scrutiny also followed a number of investigative reports, which have revealed that its clients include regimes known for harsh treatment of their citizens.
Recently Facebook, which owns WhatsApp, filed a suit in California against the Herzliya-based company for allegedly using its advanced Pegasus system to hack the phones of 1,400 targeted individuals through their WhatsApp accounts.
NSO’s founders, Omri Lavie and Shalev Hulio, have tended to justify their activities through a number of explanations. Among the company’s claims is that it is not privy to how its clients use its system, and that in any event, it is used solely to defend against terrorism and serious crimes.
But Facebook’s lawsuit against NSO reveals details that call the company’s explanations into question. An unusual document attached to the lawsuit – a 2015 contract between NSO’s representative Infralocks Development Limited (or IDL) and the government of the African country of Ghana – sheds light on the capabilities of the Pegasus system and the close relationship between the company and its clients.
Meticulous screening, but where does the system end up?
According to NSO, its products are sold only to intelligence and law enforcement agencies after careful screening. The company stated in part that its products “assist its clients in their war on terror, pedophilia and serious crimes,” adding that “any other use of the company’s products is forbidden and invalid.”
But the contract attached to the lawsuit governs a transaction worth millions of dollars between a local company representing NSO in Ghana and that country’s National Communications Authority. The authority doesn’t deal with law enforcement, making it unclear why it needed an advanced offensive cybertechnology tool.
- Facebook sues Israel's NSO Group over alleged WhatsApp hack
- No Israeli government involvement in NSO's alleged Whatsapp hack, minister says
- Revealed: Israel's cyber-spy industry helps world dictators hunt dissidents and gays
According to the documents submitted by Facebook, the contract was indeed signed between the authority and IDL, meaning that apparently NSO wasn’t a direct party to it, but the documents also include an agreement to supply support that was signed between the Israeli company and its local representative, IDL.
The initial questions on the matter were raised when Ghana’s auditor general became aware of the transaction, which led to legal proceedings against senior officials at the authority and against the CEO of IDL for allegedly “conspiring to cause financial loss to the state.”
After the deal was disclosed, the media in Ghana reported that the real client for the NSO system was Ghana’s National Security Council Secretariat, ostensibly a logical customer. But the system was never delivered to either the communications authority or the NSCS. Instead, as was revealed in court testimony, it ended up at the private home of Baba Kamara, a senior adviser to Ghana’s president.
Kamara is one of the 20 wealthiest men in Ghana, and at the time, he was serving as national security adviser even though he had previously been the subject of a bribery investigation. Kamara said that he knew about the purchase of the system but hadn’t ordered it and didn’t know what it was for, even though it was put in his house. According to the testimony of police inspector Michael Nkrumah, the “airway bill” for the system was addressed to Kamara’s office.
Nkrumah, whose testimony was widely quoted in the Ghanaian media, said Kamara had told police that the transfer to his home was at the behest of Salifu Osman, a deputy at the NSCS at the time – the only member of the council involved in the deal and the only member of the agency who stood accused. According to Kamara, Osman had approached him because he was looking for a place to store the system.
The head of the NSCS at the time testified at the same trial that the system was not on the council’s inventory list and that he hadn’t approved the order. His successor said the same.
For his part, the agency’s current deputy director, Duncan Opare, testified in court in February that, according to the agency’s records, the National Security Council Secretariat never sought to purchase the equipment for use by the NSCS for and on behalf of the state.
NSO told Haaretz that the company’s system had never been installed in any private home. It should be noted that some of the Ghanaian media reports said the system had been “installed,” even if the writers stated clearly that it had never been operated from the home, but only stored there.
The fact that the system was put in the home of a person who has said he had nothing to do with it, as well as statements by senior NSCS officials, raises questions as to which agency the NSO had actually agreed to transfer its technology to.
NSO not privy to content its clients collect, but what happens when they ask for help?
NSO claims that, while it develops offensive cybertechnological tools, it doesn’t operate them itself. “The company does not deal with collecting intelligence and is not exposed to the intelligence its clients collect,” it said.
There is logic to the claim. The company itself doesn’t decide whom to hack, and deals with the marketing of complete hacking and spying systems that are easy to operate.
But cybersystems of the type NSO sells are complex and, because their use is classified, there aren’t many service providers who can assist in operating them. That’s why, when technology companies sell large and complex systems, particularly to organizations, they also offer a support package.
And in fact, the contract between IDL and the communications authority in Ghana details the different support options offered by NSO around the clock. These range from support by email to remotely connecting to the client’s system, whether to provide updates and patches or to deal with problems during ongoing work. This raises a number of questions regarding the kind of information NSO is privy to, even if the content shouldn’t be of interest to company staff.
The contract doesn’t restrict human rights violations
NSO claims that it ascribes great importance to the way its system is used. “We regard any use of our products that isn’t aimed at fighting terror or crime as misuse, and we forbid this through our contracts,” the company said. “If we identify improper use, we act accordingly.”
But the contract uses general language that can be interpreted a few ways. It states, for example: “The System Provider shall provide the End-User a limited, exclusive, non-transferable ... license to use the System solely for the End-User’s internal use and for the purposes that it is intended for,” while another clause states: “This Agreement shall be governed, construed and enforced in accordance with the laws of the Republic of Ghana.”
Haaretz asked NSO what steps it takes if its equipment is misused and if it has ever halted service to a client that misused its technology. The company refused to respond to the questions.
NSO also chose not to respond to the specific details of the allegations in Facebook’s lawsuit, saying it had not officially received the legal document. Facebook claimed that NSO has received the lawsuit.
Who ensures that promises are kept?
Following mounting criticism this past year, in September, the company announced the formation of an oversight committee that is to ensure that it meets the United Nations’ requirements for human rights oversight. “We are the first company in the cyber and security field to adopt the UN policy,” the company said.
But NSO already had a business ethics committee. The new committee is designed to replace it. Haaretz asked NSO how long the previous committee had been operating and what it had done during that period. Haaretz also asked if there is a legal document defining the authority of the new committee, to whom the committee is to report, who its members will be and how they will be chosen.
No clear answers to these questions were received. The company chose not to provide concrete details regarding the new committee’s work and instead issued a general response stating that “The plan deals with mechanisms for approving transactions, the commitments required from customers, training and dealing with deviations. The policy will be supported by a variety of internal procedures and operating rules, including allowing outside parties to contact the company through a system to be established to investigate complaints.”