On November 3, 2021, the U.S. Commerce Department added NSO to a federal blacklist which bars the private company from purchasing any type of American technology. It cited concerns over the abuse of the phone-hacking tool to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world and concerns NSO was engaging in activities contrary to U.S. national security or foreign policy interests.
The high-profile sanctions, which could impact future sales and limit the company’s ability to work internationally, come three months after the Pegasus Project investigation by a journalistic consortium led by the non-profit group Forbidden Stories revealed how government customers who purchased the technology from NSO have used it to spy on at least 180 journalists in 20 countries.
IPI had previously highlighted the serious threats to privacy and journalistic safety posed by Pegasus spyware and documented abuses across the world, from Mexico and India to Saudi Arabia and the United Arab Emirates, and called for global regulation.
“NSO Group and its Pegasus spyware should have been blacklisted by the international community long ago when serious rights abuses were first identified”, IPI Deputy Director Scott Griffen said. “These U.S. sanctions are a welcome signal that companies like NSO should no longer be allowed to profit off the sale of intrusive surveillance tools to some of the world’s most repressive regimes, who are bound to use them to monitor critics and suppress dissent. This should act as a catalyst for other democratic countries, as well as the European Union, to swiftly follow the U.S. in blacklisting NSO and other private firms like it which develop and sell such technology to autocratic countries without appropriate oversight or vetting.
“This is also an important moment to note the vital work of all those involved in the Pegasus Project who exposed the global scale of this surveillance, as well as the teams at Citizen Lab and Amnesty International who have long raised the alarm and carried out analysis of mobile phones to identify Pegasus infections. Despite their work, we still don’t know the true number of government agencies around the world that currently use, or have previously deployed, Pegasus and how many journalists have been illegally spied on. The current figures may represent just the tip of the iceberg. This reflects a failure of the international community to regulate surveillance technology to ensure it is not abused by governments at the expense of civil liberties. Until an appropriate regulatory framework is achieved, we continue to call on states around the world to agree to a global moratorium on the sale and transfer of spyware technology.”
NSO Group claims its technology is sold only to government intelligence and law enforcement agencies and is meant to be used solely for the purpose of fighting terrorism and tracking down serious criminals. It said it has cancelled the contracts with government customers after rights abuses came to light and that it has a stringent review process for which states it sells to. However, human rights groups have long criticised the lack of transparency about its vetting process and purchases and a lack of appropriate action to mitigate and redress rights abuses when they occur.
Once Pegasus infects a phone, the spyware can monitor SMS, calls and encrypted chats, collect passwords for social media accounts, turn on the user’s microphone or camera and access maps to trace the user’s location, travel history and home address. There is no immediate indication that a phone has been infected, and forensic analysis is required to identify traces of the spyware.
An NSO spokesperson told media: “NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed. We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.”