When NSO Group, purveyor of the spyware Pegasus, told Human Rights Watch it would investigate the targeting of Lama Fakih, Middle East and North Africa director, we had good reason to be skeptical.
Despite claims that NSO Group has internal processes to root out misuse of its technology, human rights groups have long documented the failure of those processes to reveal abuse and lead to accountability for unscrupulous government clients.
NSO’s response to the targeting of Fakih fits this pattern. Human Rights Watch first wrote to NSO in January 2022 with a complaint and supporting evidence that Pegasus was used to target Fakih.
After NSO committed in January to conduct an “initial assessment” to determine whether an investigation was in order, Chaim Gelfand, NSO’s vice president for compliance, wrote on June 27, 2022: “This issue has been investigated to the best of our ability based on the information provided to us. We have not seen evidence that Ms. Fakih’s number, provided below had been targeted using the Pegasus system by our existing customer’s.”
Gelfand’s unhelpful response simply highlights the weaknesses of NSO’s internal processes.
One interpretation of NSO’s response could be that a former client targeted Fakih – but the company does not publish a list of government clients that have been terminated. Another explanation could be that NSO relied on incomplete information because its investigations depend on client cooperation.
NSO Group has provided conflicting statements on its ability to ensure clients are not abusing its technology. In June 2020 correspondence with the UN Special Rapporteur on Freedom of Opinion and Expression, NSO claimed it “monitors and reviews the due diligence of all entities that use its technologies both on an ongoing and periodic basis.” But in the same letter, NSO said its assessment “depends on cooperation of the user” and without that, it is “limited to reviewing available metadata, which fails to provide detailed insights and does not provide sufficient data to allow one to determine if there was misuse.”
At a recent hearing of a European Parliament Committee of Inquiry on Pegasus, Gelfand testified that if a customer does not cooperate with an investigation, NSO will suspend and then terminate the client: a claim that is impossible to verify. When it terminates a contract, NSO loses access to the data needed for investigations, he said, which would prevent it from conducting meaningful investigations.
NSO’s empty response following Human Rights Watch’s full cooperation underscores that the company cannot be counted on, and may not even have the ability, to investigate itself. Until spyware is more robustly regulated and subject to mandatory human rights safeguards, there needs to be an immediate moratorium on the sale, export, transfer, and use of surveillance technology.