from the it-takes-six-weeks-to-count-higher-than-10 dept
European lawmakers wanted answers after months of investigations and reporting made it clear exploit developer NSO Group was involved with some seriously shady customers. Facing lawsuits, sanctions, and the Israeli government’s belated attempt to ensure NSO didn’t continue to generate bad press in perpetuity, the EU began asking questions.
For some reason, NSO didn’t have answers. A cutting-edge tech company responsible for some of the most clever phone hacks ever sold to government agencies somehow couldn’t provide a straightforward answer to a simple question. When asked how many EU members NSO sold its products to, its lawyers could only say “at least five” and promise to come back later when they finally managed to track down this apparently extremely elusive information.
NSO Group has returned with a more accurate answer. It seemingly takes about six weeks to count higher than five but NSO has put in the time and effort to ensure EU lawmakers have something more than the vague (and obviously low) estimate the company previously decided to provide in lieu of actual data.
The EU legislators were tasked with learning the identity of NSO’s current customers in Europe and were surprised to discover that most of the EU countries had contracts with the company: 14 countries have done business with NSO in the past and at least 12 are still using Pegasus for lawful interception of mobile calls, as per NSO’s response to the committee’s questions.
In response to the legislators’ questions, the company explained that at present NSO works with 22 “end users” (security and intelligence organisations and law enforcement authorities) in 12 European countries.
This answer was provided during the EU Committee’s visit to Israel, during which they spoke directly to NSO personnel, who were apparently able to deliver a more accurate count of countries. This count includes two former customers, but NSO apparently refused to divulge which countries are no longer welcome to use its malware.
Perhaps it feels like it shouldn’t out former customers just in case it’s able to sell to them again once the heat dies down. Or maybe it didn’t feel like providing a more detailed list because one member of the EU Committee was a Catalan legislator whose phone was targeted by NSO’s Pegasus malware.
While this revelation arrived much faster than, say, the FBI’s fourth year of silence on its miscount of encrypted phones in its possession, it’s still much slower than the near-immediate delivery of information NSO and its lawyers definitely had access to when questioned by EU legislators in June. The only conceivable reason for this delay was damage control by NSO, which likely had to tell European customers it would be divulging this information but would do what it could to keep their names out of the news.
I’d love to see exactly when two countries went from “current” to “former” customers. And I wouldn’t at all be surprised if the sudden termination of their contracts correlates with the EU Commission’s investigation.