A recent investigation by Haaretz newspaper uncovered the firm’s sophisticated surveillance tool “Pegasus” was offered to authorities in Saudi Arabia last year.
Two weeks ago, Amnesty International Israel submitted an urgent request to the Israeli Ministry of Defence, demanding that NSO Group’s defence export licence be revoked in light of an attempted cyber attack on an Amnesty staff member via NSO’s spyware.
But this week, the Israeli Defence Ministry refused to revoke the firm’s licence, causing Amnesty International to consider seek legal action.
“We thoroughly reject this inadequate response. The mountain of evidence and reports on NSO Group and the sale of its spyware to human rights-violating regimes is substantial proof that NSO has gone rogue”, said Molly Malekar, Programs Director of Amnesty International Israel.
“The Ministry of Defence must answer for their failure to properly regulate NSO Group as they are in charge of controlling Israeli Defence Export.
“By continuing to approve of NSO Group, the Ministry of Defence is practically admitting to knowingly cooperating with NSO Group as their software is used to commit human rights abuses.”
In June this year, an Amnesty International staff member was targeted by a sophisticated surveillance campaign, in what the organization suspects was a deliberate attempt to spy on its staff by a government hostile to its work.
“Amnesty International will not stand idly by as companies such as NSO Group profit from selling their invasive Pegasus software to repressive states around the world”, said Danna Ingleton, Deputy Director of Amnesty International Tech.
”NSO Group’s software has been used to attack Amnesty staff and fellow human rights defenders globally. As the Israeli Ministry of Defence refused our request to revoke the export licence, it is clear that we now need to take additional legal steps to expose the truth and seek accountability for the attack against us.”
Targeting of Amnesty International staff
In June this year, an Amnesty International staff member received a suspicious WhatsApp message in Arabic. The text contained details about an alleged protest outside the Saudi embassy in Washington D.C., followed by a link to a website. Investigations by Amnesty International’s technology team revealed that clicking the link would have installed “Pegasus”, a sophisticated surveillance tool developed by the Israel-based company NSO Group.
The WhatsApp message was sent to Amnesty International in a week when the organization was campaigning for the release of six women’s rights activists detained in Saudi Arabia. The link, if clicked, would have allowed the Pegasus software to infect the user’s smartphone, tracking keystrokes, taking control of the phone’s cameras and microphone and accessing contact lists.
Amnesty International’s investigation also discovered that another Saudi Arabia rights activist, who later publicly identified himself as Yahya Asiri, received a similar malicious message.
In a statement to Amnesty International, NSO Group said that their product “is intended to be used exclusively for the investigation and prevention of crime and terrorism” and that any other use violate their policies and contracts.
Connection to NSO Group and suspicious websites
Further investigations by Amnesty International revealed that the domain link in the message belongs to a large infrastructure of more than 600 suspicious websites which had been previously connected to NSO Group. Amnesty International is concerned that these could be used to bait and spy on activists in countries including Kenya, Democratic Republic of Congo and Hungary, in addition to the Gulf.
Pegasus was also used to target the Emirati award-winning human rights defender Ahmed Mansoor, who has been in prison in the United Arab Emirates since March 2017.
Background
While law enforcement agencies in many countries have used secret surveillance in relation to national security objectives, Amnesty International is concerned that in many cases surveillance is being carried out in a manner contrary to international human rights law. Tools like Pegasus are especially problematic from a human rights law perspective as they are so deeply invasive.
As laid out in the UN Guiding Principles on Business and Human Rights (UNGPs), companies also have a responsibility to respect human rights wherever they operate in the world.