The FBI Definitely Wanted NSO Group Malware For Investigative Use Despite Its Earlier (Non)Denial
from the unexpected-show-of-restraint dept
An earlier report from the Times stated that NSO Group had arrived at FBI headquarters in 2019 to allow the agency to test drive a version of its Pegasus malware, one that allowed it to target US phone numbers. According to NSO, Pegasus, in its original form, is incapable of targeting US phone numbers, a concession NSO made while selling its malware to human rights abusers around the world.
The initial set of documents obtained by the Times gave the impression that this was nothing more than an NSO sales call, one hoping to make inroads in a nation less associated with human rights abuses than NSO’s existing customer base. To its credit, the FBI handled this carefully, buying up dummy phones to target and ultimately deciding against purchasing the bespoke malware (dubbed “Phantom”) because it raised too many constitutional concerns.
But new documents obtained by the New York Times show it was the FBI courting NSO, rather than the other way around. It definitely wanted to target Americans with this powerful, zero-click malware.
The F.B.I. informed the Israeli government in a 2018 letter that it had purchased Pegasus, the notorious hacking tool, to collect data from mobile phones to aid ongoing investigations, the clearest documentary evidence to date that the bureau weighed using the spyware as a tool of law enforcement.
The F.B.I.’s description of its intended use of Pegasus came in a letter from a top F.B.I. official to Israel’s Ministry of Defense that was reviewed by The New York Times.
The FBI already had a license for Pegasus in 2018, months before NSO Group showed up with a version that could target US phone numbers. Since the FBI is a (self-proclaimed) anti-terrorism agency, it could have deployed Pegasus to target foreign phones. So far, no documentation has surfaced that suggests the FBI deployed the unaltered Pegasus spyware. But the fact that it made the purchase prior to the NSO’s visit demonstrates a powerful interest in fully compromising phones of investigation targets.
It turns out $5 million in tax dollars can buy a whole lot of nothing. The FBI ditched both Pegasus and its US equivalent, Phantom, without ever having used them in investigations. At least that’s what FBI Director Chris Wray told Congress:
During a congressional hearing in March, the F.B.I. director, Christopher A. Wray, said the bureau had bought a “limited license” for testing and evaluation “as part of our routine responsibilities to evaluate technologies that are out there, not just from a perspective of could they be used someday legally, but also, more important, what are the security concerns raised by those products.”
“So, very different from using it to investigate anyone,” he said.
Maybe so. But then again, this newly released public record punches a couple of holes in the narrative created by the FBI’s first document release. There’s no reason to believe this is the end of the story. And, at the very least, it shows the FBI is willing to spend millions to find some way to work around constitutional protections and expand its domestic surveillance capabilities.