Congressmen Ask FBI For More Details About Agency’s Brief Flirtation With NSO Group Malware
from the not-the-best-bedfellows,-g-men dept
Shortly after it became clear Israeli malware manufacturer NSO Group was a troubling company selling to troubling governments (but before its odiousness hit critical mass last summer), the FBI took a meeting with NSO and test drove a bespoke exploit. It was a variant of NSO’s uber-powerful Pegasus malware — one that bypassed NSO’s internal restrictions on targeting US-based phone numbers.
The product pitched to the FBI by NSO was called “Phantom.” It could target US phone numbers — something the FBI tested by buying a bunch of burner phones and deploying the provided malware to them. It all seemed to work just fine (and has now become a very interesting part of Facebook’s current lawsuit against NSO Group), but the FBI’s legal counsel seemed concerned turning phones into fully compromised listening devices might be more than courts would be willing to bless under existing wiretap laws that were written long before anyone foresaw the widespread use of powerful computers capable of being carried around in a person’s pocket.
Nonetheless, the FBI continued to pay for the licenses while it considered the legal and constitutional implications of the malware, ultimately shelling out $5 million for exploits it apparently never used. The fact that the FBI spent this much time and money trying to find some way to use NSO’s exploits has raised new questions. And a couple of Congressional reps are now demanding answers.
Two Republican lawmakers are pressing Apple and the Federal Bureau of Investigation to provide information about spyware made by the Israeli company NSO Group, according to letters obtained by CNBC.
The letters, dated Thursday and signed by House Judiciary Committee Ranking Member Jim Jordan, R-Ohio, and subcommittee on civil rights Ranking Member Mike Johnson, R-La., come after The New York Times reported earlier this year that the FBI had acquired surveillance technology from the NSO Group.
The letter [PDF] wants to know why the FBI retained the malware for nearly two years if it never intended to use it. Going beyond that, the Congressional reps want all information related to the FBI/NSO partnership that may never have been fully consummated, despite spending $5 million on licenses.
Whether or not we, the people, will ever be made privy to these answers remains to be seen. But they are the sort of questions Congressional oversight should be asking and will possibly force the release of some information the FBI would rather not share with anyone — even the people it’s supposed to be answering to.
Here’s the information Reps Jim Jordan and Mike Johnson want the FBI to hand over:
All documents and communications between or among the FBI and the NSO Group, Westbridge Technologies, or any other NSO Group affiliate or subsidiary referring or relating to the FBI’s acquisition, testing, or use of NSO Group spyware;
All documents and communications referring or relating to the FBI’s decision to acquire NSO Group spyware; and
All documents and communications referring or relating to the FBI’s or Justice Department’s assessment of the legality of using Phantom against domestic targets.
The same reps also have some questions for Apple, which has begun notifying iPhone users it believes have been targeted by NSO exploits. But what they’re asking for here might be a bit more problematic, considering Apple’s main obligations are to its customers (rather than taxpayers and/or Congressional oversight). On top of that, its efforts to detect NSO malware are ongoing and may be compromised by making some of this information public. From the letter [PDF] to Apple:
[P]lease provide the following information:
Apple’s ability to detect when a user of an Apple device has been targeted by Pegasus or Phantom;
The number of attacks using Pegasus or Phantom that Apple has detected, the dates of those attacks, the geographical regions in which Apple detected those attacks, and any other relevant information about those attacks; and
A staff level briefing about Apple’s communications, if any, with representatives of the Justice Department, Federal Bureau of Investigation, or any other U.S. Government entity about Pegasus or Phantom.
There’s a lot in this request that’s of public interest, especially where attacks have been detected and any information Apple might have on where these attacks originated. But it seems Apple would not be particularly willing to explain, publicly and in detail, how it detects these malware attacks.
We’ll see what these letters actually produce. They both carry the same deadline: St. Patrick’s Day, 2022. Whatever information does end up in the hands of the Judiciary Committee is unlikely to end the long run of bad news for NSO Group.
Filed Under: doj, exploits, fbi, jim jordan, malware, mike johnson, spyware, surveillance
Companies: apple, nso group
Comments on “Congressmen Ask FBI For More Details About Agency’s Brief Flirtation With NSO Group Malware”
“$5 million for exploits it apparently never used.”
Guessing they can’t just use the magic FOIA marker on documents provided to Congress, but then the FBI would NEVER EVER LIE to Congress.
Shit my eyes just rolled out of my head, anyone see where they went?
For a moment I slipped up and had hope that this would be taken seriously, then I saw they also demanded Apple provide them information about a 3rd company’s malware. They know compliance isn’t coming & I expect big investigations into Big Tech being the bad guy in this while we all forget the FBI did this.
Re: I had the exact same thought ...
“Nonetheless, the FBI continued to pay for the licenses while it considered the legal and constitutional implication of the malware, ultimately shelling out $5 million for exploits it apparently never used”.
Where is the proof that they never used it, or that they only tested it on the burner phones (which counts as using it)?
Better question, who did they give the burner phones to and were they informed they were subject to an extrajudicial prostate examination via their new shiny toy?
Re:
Well, Jim Jordan, so yeah.