New Revelations of Ongoing Use of Pegasus Software to Surveil Human Rights Defenders, Including U.S. Citizen
(Washington D.C., February 6, 2024) – The Department of Commerce should not delist NSO Group from its sanctions list, given evidence that the company is continuing to assist and enable abusive foreign governments using its Pegasus spyware to spy on activists and journalists, including a U.S. citizen who works for Human Rights Watch, said DAWN in a letter today to Secretary Gina Raimondo.
A new investigation by Citizen Lab and Access Now disclosed the ongoing use of NSO Group's Pegasus spyware in Jordan, targeting at least 35 journalists, activists, and human rights lawyers from 2019 to 2023.
"The new revelations documenting the use of NSO Group's Pegasus surveillance technology to spy on American and Jordanian activists clearly demonstrate that NSO Group has failed to to mitigate the misuse of its spyware even after the U.S. government sanctioned it," said Sarah Leah Whitson, DAWN's Executive Director. "The continued abuses that NSO Group has aided and abetted should require the Commerce Department to keep NSO Group blacklisted."
Commerce Department Sanctions
In November 2021, the Commerce Department added the Israeli cyber intelligence company NSO Group to its "Entity List" after deeming the company was acting against the national security and foreign policy interests of the United States by selling and maintaining software used to spy on government officials, journalists, activists, and others. Governments like the United Arab Emirates used Pegasus spyware to spy on Jamal Khashoggi, the founder of DAWN later killed by Saudi Arabia. According to the research group Forensic Architecture, the use of NSO Group's products has contributed to over 150 physical attacks against journalists, rights advocates, and other civil society actors, including some of their deaths.
The Commerce Department's final rule cited findings that NSO "developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." The "Entity List" is a blacklist that restricts NSO Group from receiving items subject to U.S. Export Administration Regulations, such as items related to national security, nonproliferation, foreign policy, short supply, and crime control. It also bans U.S. entities or agencies from buying or using NSO Group products, like Pegasus spyware, without a specific license, which is generally presumed to be denied due to the blacklist. This measure effectively limits NSO's ability to do business with, or provide services to, any U.S.-based entities, including government agencies.
The Commerce Department may consider removing NSO Group from the Entity List if it determines that it is no longer engaged in the activities that the Department deemed to be contrary to U.S. interests, in this case NSO Group's sale and operation of surveillance technology abused by its government clients. The End-User Review Committee (ERC), which includes representatives from the Departments of Commerce, State, Defense, Energy, and, where appropriate, other agencies, plays the leading role in this review process.
According to the agency procedure, NSO Group or a third party on its behalf can submit a request for removal from the Entity List. This request typically needs to include detailed information and supporting documentation demonstrating that the entity has stopped the activities that led to its listing and has taken steps to prevent future violations. The ERC then reviews the request for removal based on the provided evidence and the criteria set forth in the export regulations. While there is no information suggesting that the Commerce Department is considering delisting NSO Group, the company's lobbyists are aggressively seeking its delisting.
Failure of NSO Group to Remedy Abuses, Ongoing Misuse of Pegasus by NSO Group Clients
Following NSO Group's sanctioning and global media coverage of its abusive technology, NSO Group pledged to reform its operations and change the company's leadership. This led to the resignation of CEO-designate Isaac Benbenist and the announcement of plans to reform its usage policies to govern and restrict the deployment of its surveillance technology. These include pledges to sell its products exclusively to government intelligence and law enforcement agencies for the stated purpose of fighting crime and terrorism, vet potential clients based on their human rights records and legal frameworks, and embed contractual limitations to ensure the software is used lawfully, specifically prohibiting targeting activists and journalists. NSO Group claims it has "rejected over $300 million in sales opportunities as a result of its human rights review processes." Most significantly, NSO claims that it has an audit and compliance mechanism to oversee clients' use of Pegasus and the ability to terminate contracts and shut down systems if misuse is discovered. The company's own annual transparency and responsibility report highlighted NSO's contractual terms and described "how customer engagements can be terminated in the event product misuse is confirmed by our investigative processes."
However, there is no evidence that NSO Group has suspended, revoked, or ended its role in maintaining spyware for abusive governments despite ample evidence they have used the surveillance software for nefarious purposes. This includes continued licensing of Pegasus software after the implementation of U.S. sanctions against it in November 2021 to Saudi Arabia, the UAE, Bahrain, Jordan, Morocco, Mexico, France, Germany, and other countries documented to have misused the technology. Ongoing reports of misuse of Pegasus technology, including this week's revelations documenting Jordan's ongoing surveillance of journalists, activists, and political figures in various countries, indicate that NSO Group's reform efforts have been insubstantial.
For example, in January and April 2022, Citizen Lab and Front Line Defenders reported that phones belonging to four Jordanian human rights defenders, lawyers, and journalists were hacked by NSO Group's Pegasus spyware between August 2019 and December 2021.
However, it appears that NSO Group took no action to suspend or limit the use of the software by Jordan, leading to new cases of abusive surveillance including against a U.S. citizen, Human Rights Watch director Adam Coogle, as documented in the new Access Now/Citizen Lab report, "Between a hack and a hard place: how Pegasus spyware crushes civic space in Jordan." A substantial portion of the violations described in the report notably happened after the Commerce Department sanctioned the company in November 2021 and the NSO Group promised to reform.
It is important to emphasize that suspending the use of NSO Group software by abusive governments is well within NSO Group's capabilities. NSO Group's operating model gives it significant control over the Pegasus software even after its sale to governments. The company charges a substantial annual maintenance fee (17% of the total price) for clients who purchase its software, and has repeatedly stated that it can revoke use of the software at any time, all of which indicate a continuous relationship between NSO and its government clients. As part of its agreements with its clients, NSO Group embeds mechanisms in its software that allow it to control use of its software, and restrict or revoke access, underscoring its effective control over the use of Pegasus post-sale. This ongoing business arrangement, as well as NSO Group's own promises to monitor the use of its software, provides it with ample capacity to enforce compliance with its usage policies. However, evidence of Jordan's ongoing misuse of Pegasus demonstrates that NSO Group is not enforcing these policies.
"There is no justification to remove NSO Group from the blacklist because it is continuing the exact same abuses that led to its sanctioning in the first place," stated Raed Jarrar, DAWN's Advocacy Director. "Most recently, we now know that NSO Group failed to suspend or limit the Jordanian government's abusive use of its spyware, but instead continued to facilitate the abuse of its technology against journalists, activists, and political figures, including a U.S. citizen."
NSO Group Lobbyists Seek Delisting
Despite its continued abusive business practices, NSO Group is aggressively lobbying for removal from the blacklist, and in particular has cited the October 7 Hamas attack against Israel to justify its delisting. According to the Intercept, NSO Group lobbyist Timothy Dickinson, a partner at the law firm of Paul Hastings, has been leading an aggressive effort to reverse its blacklisting.
"Rather than spending millions to lobby U.S. officials to secure its delisting, NSO Group should actually undertake the reforms it promised: namely to stop abusive governments from using its spyware to spy on lawful civil society activists, including U.S. citizens," said Whitson. "It's really just unethical that people like Tim Dickinson can try to squirm out of a sanction against his client NSO Group for egregious abuses that have led to violence and even murder of journalists and are still being used unlawfully."
In its letter to the Commerce Department, DAWN urged the Department to maintain the sanctions against NSO Group, emphasizing the company's continued complicity in human rights abuses as it aids and abets the unlawful use of its spyware by abusive governments. DAWN argued that the underlying reasons for NSO's initial blacklisting, which include supplying the spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers, remain valid and unremedied, warranting ongoing sanctions against the company to uphold human rights and prevent further abuses.