NSO Group Attempting To Distance Itself From Damaging Leak By Offering Up Contradictory Statements And 'Nothing To Fear' Platitudes

from the not-so-fun-when-you're-the-one-being-scrutinized-by-outsiders dept

This truly is a pleasure to observe. Israeli malware merchant NSO Group — the purveyor of powerful spyware capable of turning a target’s phone into a spy agency’s plaything — is playing a whole lot of defense after leaked data seen by a number of journalists and activists appears to confirm that NSO’s customers are targeting… activists and journalists. (And world leaders, religious leaders, NGO employees, and friends and relatives of all of the above…)

While the origin of this data remains unclear, it appears to be related to NSO and its customers. And although NSO claims to be very selective about who it sells this powerful spyware to, its customers include governments of questionable character, including Saudi Arabia, United Arab Emirates, Mexico, Kazakhstan, and Uzbekistan.

This has thrust Shalev Hulio, the CEO and co-founder of NSO Group, into the limelight. He’s clearly unprepared to be there. His statements and responses to questions are, at best, contradictory. At worst, they’re nothing more than deflections that aren’t going to persuade anyone that the allegations made by several news agencies and rights groups are false.

Here’s Hulio’s attempt (in an interview with Calcalist) to explain that the list of 50,000 phone numbers couldn’t possibly have anything to do with NSO Group:

According to Hulio, “the average for our clients is 100 targets a year. If you take NSO’s entire history, you won’t reach 50,000 Pegasus targets since the company was founded. Pegasus has 45 clients, with around 100 targets per client a year. In addition, this list includes countries that aren’t even our clients and NSO doesn’t even have any list that includes all Pegasus targets – simply because the company itself doesn’t know in real-time how its clients are using the system.

So, Hulio claims agencies only target a few people every year and that he knows this because “the company itself doesn’t know in real-time how its clients are using the system.” If the company doesn’t know what customers are doing, it’s pretty tough to claim definitively that they aren’t targeting more phones than NSO thinks they are or that they aren’t violating their agreements with NSO by pursuing “off-limits” targets like journalists and heads of state.

It is possible NSO knows how many targets each customer has, but this information suggests it’s pretty easy to exceed the “100 clients a year” Hulio insists governments aren’t exceeding.

In 2016, The New York Times reported that NSO Group charged $500,000 to set a client up with the Pegasus system, and then charged an additional fee to actually infiltrate people’s phones. At the time, the costs were reportedly $650,000 to hack 10 iPhone or Android users, or $500,000 to infiltrate five BlackBerry users. Clients could then pay more to target additional users, saving as they spy with bulk discounts: $800,000 for an additional 100 phones, $500,000 for an extra 50 phones, and so on.

Here’s another seemingly-contradictory statement from NSO, as provided to Forbidden Stories, which was instrumental in breaking news of this data leak:

NSO does not have insight into the specific intelligence activities of its customers, but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.

There’s some word salad towards the end that means a whole lot of nothing, but pay attention to the opening of this statement: “NSO does not have insight into the specific intelligence activities of its customers.” If this is true, there’s no way NSO can definitively claim the leaked phone number list has nothing to do with its customers. And it also can’t seriously claim that it cuts off customers who abuse the product to target individuals that aren’t terrorists or criminal suspects.

This isn’t the end of the flailing. Shalev Huilo also has conspiracy theories about the origin of the list currently in the news.

“I believe that in the end it’s either Qatar or BDS or both,” he said. “In the end it’s always the same entities. I don’t want to sound cynical now, but there are those who don’t want [Israel] to import ice cream or export technologies.”

Hulio is referring to Ben and Jerry’s recent decision not to sell its ice cream in Israeli-occupied territories following years of BDS campaigns. Hulio also said that he doesn’t think it’s a coincidence that the investigation about his company dropped around the same time that another Israeli surveillance company, Cellebrite, is being challenged by digital rights group while attempting to go public, and the publication of an investigation about Candiru, yet another Israeli surveillance company.

“It’s just illogical that this is all happening at once,” he said.

Most of the time, coincidences are just that: coincidences. Far more rarely than people claim, coincidences aren’t coincidences, but rather evidence of a conspiracy. In this case it’s the former, an actual coincidence. And Hulio knows that because even he can’t connect enough dots to narrow this down to a single perpetrator.

And the flailingest thing of all is this statement by Hulio, which echoes the statements made by government spy agencies when they’re caught with their surveillance pants down:

“The people that are not criminals, not the Bin Ladens of the world—there’s nothing to be afraid of. They can absolutely trust on the security and privacy of their Google and Apple devices.”

Oh really? Then all these journalists and activists who have been targeted by NSO spyware are the “Bin Ladens of the world?” That’s a bullshit response, especially when Hulio admits it can’t control or even monitor its customers’ use of the malware it sells them. Given the number of human rights violators it sells to, people who are not criminals or Bin Laden-alikes still have plenty to be afraid of.

Filed Under: , ,
Companies: nso group

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSO Group Attempting To Distance Itself From Damaging Leak By Offering Up Contradictory Statements And 'Nothing To Fear' Platitudes”

Subscribe: RSS Leave a comment

This comment has been flagged by the community. Click here to show it.

That One Guy (profile) says:

Let's just finish that self-serving argument shall we?

‘Innocent people have nothing to worry about regarding the malware we sell to whoever pays us therefore if someone like a journalist is targeted then they must not be innocent.’

If he really wants to make that argument then I say he should put up or shut up, give the public the same amount of access to his personal devices that his software grants to his clients and let everyone see just how little he have to hide due to how innocent he is, with a refusal to do so seen as an admission that he’s got a lot of very bad stuff he doesn’t want the public to see.

ECA (profile) says:

Just for fun

Lets ask.
HOW stupid do you have to be, NOT to think that SOMEONE could hack their program to DO anything they wanted?
Are these folks the only SMART people?

Then there is the idea that SOMEONE hacked the net of the hacker? Or someone inside Gave out the info?
How in hell does the company know anything about the USE of their own program?
Pay NGO for their prog, that goto another hacker to crack it, and change a few things to make it work all the time and NOT report back to NGO. WOW, not hard is it?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...