Democrats call for possible action against NSO over Pegasus revelations

Democratic lawmakers in Washington have called on the Biden administration to consider placing NSO Group on an export blacklist and said recent revelations of misuse reinforced their conviction that the “hacking-for-hire industry must be brought under control”.

The statement by four members of Congress followed reports by the Pegasus project, a collaboration of 17 media organisations including the Guardian, which investigated NSO, the Israeli company that sells its powerful surveillance software to government clients around the world.

The leak at the heart of the Pegasus project contained tens of thousands of phone numbers of individuals who are believed to have been selected as candidates for possible surveillance by clients of NSO. The numbers included those of heads of state such as the French president, Emmanuel Macron, government ministers, diplomats, activists, journalists, human rights defenders and lawyers.

It includes some people whose phones showed infection or traces of NSO’s Pegasus spyware, according to examinations of a sample of the devices by Amnesty International’s security lab.

What is in the data leak?

The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.

What does the leak indicate?

The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

What did forensic analysis reveal?

Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.

Which NSO clients were selecting numbers?

While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.

What does NSO Group say?

You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.

What is HLR lookup data?

The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.

“Private companies should not be selling sophisticated cyber-intrusion tools on the open market, and the United States should work with its allies to regulate this trade,” the lawmakers said. “Companies that sell such incredibly sensitive tools to dictatorships are the AQ Khans of the cyber world. They should be sanctioned, and if necessary, shut down.”

They added that NSO had shown an “arrogant disregard for concerns that elected officials, human rights activists, journalists, and cyber-security experts have repeatedly raised”.

The statement represented a rare rebuke of an Israeli company by US members of Congress, who suggested that NSO Group should join the ranks of blacklisted companies like Huawei and Hikvision of China. Any decision to add NSO to what is known as the entities list, forcing it to comply with new export rules, would be made by the Biden administration’s commerce department.

The statement was released by four influential lawmakers: Tom Malinowski of New Jersey, Katie Porter and Anna Eshoo of California, and Joaquin Castro of Texas.

They also singled out authoritarian governments like Saudi Arabia, Kazakhstan, and Rwanda, which are believed to have used NSO spyware and “make no distinction between terrorism and peaceful dissent”.

Selling those governments spyware based on assurances of responsible use, the lawmakers added, was like “selling guns to the mafia and believing they will only be used for target practice”. NSO has said it reviews its customers’ human rights records before selling them spyware and that it has no visibility into how clients use its products after they are sold.

When NSO’s Pegasus spyware infects a phone, government clients can gain access to an individual’s phone conversations, messages, photos and location, as well as turn the phone into a portable listening device by manipulating its recorder.

The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.

The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.

Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.

The appearance of a number on the leaked list does not mean it was subject to an attempted or successful hack. NSO said Macron was not a “target” of any of its customers, meaning the company denies there was any attempted or successful Pegasus infection of his phone.

NSO has also said the data has “no relevance” to the company, and has rejected the reporting by the Pegasus project as “full of wrong assumptions and uncorroborated theories”. It denied that the leaked data represented those targeted for surveillance by the Pegasus software. NSO has said the 50,000 number is exaggerated and said it was too large to represent individuals targeted by Pegasus.

The company has also said that its government clients are contractually mandated to use Pegasus to target suspected criminals and terrorists and has said it would investigate any allegations of abuse.

Related: Response from NSO and governments

The statement by the US members of Congress nevertheless represents a potential looming threat to the company, including of possible congressional investigations or actions by the Biden administration.

Pointing to Pegasus project media reports, the lawmakers called for authorities to “investigate and assess the possible targeting of Americans”, including journalists, aid workers, diplomats and others, by the government clients using NSO’s Pegasus software, and said the federal government needed to determine whether US national security may have been harmed by deployment of the spyware.

NSO has said its spyware cannot be used by foreign government clients to target US-based phone numbers, which the company has said is “technically impossible”.

In a statement to the Guardian, the company said it had been “fully regulated since its first day” and strictly followed defense export law “in addition to its rigorous internal human rights due diligence processes”.

It added: “NSO welcomes discussions on regulations for its industry, including ones that include obligations to respect human rights.”