Offering to be a “constructive participant,” Israeli surveillance firm NSO Group has reportedly voiced “strong support” for the creation of a global framework to regulate powerful spyware like its own scandal-hit Pegasus program.
In a letter to the United Nations, dated September 30, the company – which is mired in a multi-national spying controversy – reportedly called for an “international legal framework” to prevent the abuse of technology that allows governments to snoop on personal phones and devices.
NSO Group also suggested the UN take the lead in instituting international rules to monitor the booming private-sector surveillance industry. In particular, the company recommended that firms in the sector be required to implement human rights compliance systems.
The letter, seen by AFP, was seemingly in response to a warning from UN human rights experts who in August called the surveillance technology and trade sector a “human rights-free zone” and urged a global moratorium on the sale of such technology until “robust regulations” were in place.
That warning came after a leaked list of as many as 52,000 phone numbers in July revealed the extent of surveillance by NSO Group’s customers using the now-infamous Pegasus flagship malware. Roughly a tenth of these targets were reportedly spied on using the program, which granted users access to calls, messages, photos and files, and allowed them to secretly turn on the target phones’ cameras and microphones.
The people reportedly presumed to have been placed under digital surveillance included business executives, religious figures, academics, journalists, NGO workers, and trade union and government officials, among them cabinet ministers, presidents and prime ministers.
News of the malware’s existence was first made public by Amnesty International and Forbidden Stories, a French investigative outlet, and reported by a collection of partner news outlets. Among those accused of using the Israeli malware are the governments of Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates (UAE).
In its letter, the NSO Group said it took allegations “extremely seriously” and claimed to have launched an immediate internal investigation, with company chairman Asher Levy saying the accusations of the misuse of Pegasus to target journalists and activists were “naturally very concerning.”
However, according to AFP, the company continued to reject the bombshell media reports, claiming they were full of “serious shortcomings and material inaccuracies” and saying the “number of purported targets” was “entirely implausible” given the number of licenses granted.
Levy said NSO Group had previously “terminated customer relationships” as a result of its human rights investigations and suggested the UN offer guidance on “which states to consider as not having an acceptable track record of respecting international human rights.”
An unnamed source reportedly close to the firm told the news agency, however, that NSO Group had limited ability to verify whether its software was abused by government clients.
“Sitting over the shoulder of a customer and seeing who they are targeting is something that we cannot do,” the source told AFP. Another unidentified source told the agency that the company had rejected “hundreds of millions of dollars” from some 55 countries and that it vetted clients for ethical concerns.
Despite asking for the “opportunity” to be a “constructive participant,” NSO Group is still feeling the fallout of the revelations. Last month, digital rights group Citizen Lab publicized a vulnerability that allowed the company to implant Pegasus malware onto virtually every iPhone, Mac, and Apple Watch device.