Everything that the NSO Group has said so far on the allegations against Pegasus

While NSO CEO Hulio has gone on the offensive and disputed NSO’s connection with the leaked database of phone numbers, the Israeli firm has since said that it would no longer respond to any media enquiries on the allegations.

Israel-based NSO Group has repeatedly claimed that it supplies its Pegasus surveillance tool only to vetted governments for the purpose of addressing crime and terrorism. But recent revelations by Project Pegasus have shown evidence that some governments, including India’s, might be using the tool to target journalists, activists, opposition politicians, businessmen, among others.

Read: Pegasus Spyware: All The Latest Facts On Who Was Targeted, The Modus Operandi, And More

The NSO Group has been vehemently denying the allegations made by Project Pegasus but has also indicated that it will investigate serious allegations. Its CEO has also appeared in multiple interviews to address the issue. Here is a compilation of what NSO has said so far and where it stands in terms of investigating the allegations.

What has NSO said so far?

The following comments were made in two public statements put out by NSO Group on July 18 (the day the Pegasus Project news broke out) and on July 22 (titled “Enough is Enough!”), and in statements submitted to the media bodies that are part of Project Pegasus. Some of the statements made to media companies were made before the news went public.

Advertisement. Scroll to continue reading.

Full of wrong assumptions and uncorroborated theories: NSO stated that the report by Forbidden Stories is “full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the ‘unidentified sources’ have supplied information that has no factual basis and are far from reality.”

No factual basis: The group said that it checked the claims made by Forbidden Stories and found that the information obtained by them has “no factual basis, as evident by the lack of supporting documentation for many of their claims.”

Planned and well-orchestrated media campaign: In its latest statement, NSO Group called the revelations a “planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups.”

Leaked list is not related to NSO: Referring to the leaked list of 50,000 numbers alleged to be potential targets of Pegasus, NSO said:

• “NSO is not related to the list [of numbers], it is not an NSO list, and it never was.”
• “The list is not a list of targets or potential targets of Pegasus”
• “The numbers in the list are not related to NSO group”
•  “Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false”
• “The claims that the data was leaked from our servers, is a complete lie and ridiculous since such data never existed on any of our servers.”

NSO does not have access to customers’ data: “NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets,” NSO said.

Can obtain data of customers for investigative purposes: Although NSO does not have access to the data of its customers, it can obtain them for investigation purposes, and governments are obligated to cooperate, the group said, clarifying instances where NSO was able to confirm that some people were not potential targets.

Will investigate all credible claims and shut down the system if needed: NSO said that it will “continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customers’ system, something NSO has proven its ability and willingness to do, due to confirmed misuse, has done multiple times in the past, and will not hesitate to do again if a situation warrants.” NSO said in its transparency report published last month that it had terminated five clients following investigations of misuse since 2016.

Advertisement. Scroll to continue reading.

• No clarification if current claims are credible: None of the statements by NSO acknowledges if the evidence submitted by the Pegasus Project is “credible proof,” but its CEO has said the current allegations will be investigated (more below).

Can confirm some alleged targets are not targets: “We can confirm that at least three names in your inquiry Emmanuel Macron, King Mohammed VI, and Tedros Ghebreyesus — are not, and never have been, targets or selected as targets of NSO Group customers. All of the French and Belgian government officials or diplomats mentioned in the list, are not and never have been, Pegasus targets,” NSO said in a letter Washington Post.

Will not respond to media enquiries: NSO also said that it will not be responding to any more media enquiries on this “vicious and slanderous campaign” that has “complete disregard of the facts.”

Consideration of defamation lawsuit: “In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit,” one of the statements read.

Data obtained in the leak are overt basic information: NSO said that the data obtained by Project Pegasus are “from accessible and overt basic information, such as HLR Lookup services” and are “openly available to anyone, anywhere, and anytime.”

Exaggerated number of leaked phone numbers: “The alleged amount of “leaked data of more than 50,000 phone numbers” cannot be a list of numbers targeted by governments using Pegasus, based on this exaggerated number. The fact that a number appears on that list is in no way indicative of whether that number was selected for surveillance using Pegasus,” NSO said.

Leaked list not shared with NSO: “Forbidden Stories never shared the leaked list with NSO Group to allow it to verify or comment on the list,” NSO said in a statement.

Israeli government does not have access to data: “You falsely claim that the Israeli Government monitors the use of our customers’ systems, which is the type of conspiracy theory that our critics peddle,” NSO said in a statement to Washington Post.

Advertisement. Scroll to continue reading.

NSO is subject to various export control regimes: “NSO is subject to various export control regimes including the Israeli MOD, as similar to existing regulations in other democratic countries,” NSO told Washington Post.

Cannot identify customers due to contractual obligations: “Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as the identity of customers of which we have shut down systems,” NSO said.

Not associated with the murder of Jamal Khashoggi: NSO also said that it had previously investigated the claim that its technology was associated with the murder of Jamal Khashoggi, and found that its technology was “not used to listen, monitor, track, or collect information regarding him or his family members.”

Correlation does not equal causation: “Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client, or data collected by NSO Group software, were in any way connected to the journalist’s murder the following month. Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients,” NSO said.

NSO tech cannot be used to target US phone numbers: NSO said that its products “cannot be used to conduct cyber surveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with US numbers.”

NSO tech helped prevent crime and terrorism: “The fact is NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions, and suicide bombings. The technologies are also being used every day to break up pedophilia, sex- and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones,” the group said.

Advertisement. Scroll to continue reading.

What has NSO CEO Shalev Hulio said so far?

In interviews with Washington Post (July 20, July 22),  Calcalist, and an appearance in Israel’s 130FM radio reported by Times of Israel, NSO CEO Shalev Hulio said:

Will investigate allegations: Hulio said the company intended to investigate the allegations regarding Pegasus and would terminate the contracts of clients who misused the tool. “Every allegation about misuse of the system is concerning me. It violates the trust that we give customers. We are investigating every allegation … and if we find that it is true, we will take strong action,” he said. “If even one is true, it is something we will not stand as a company,” Hulio told the Washington Post referring to the 37 attempted and confirmed hacks submitted by Amnesty International.

Journalists, activists off-limits: “I’ll give you a simple statement: Journalists, human rights activists, and civil organizations are all off-limits,” Hulio told Calcalist. Hulio admitted to Washington Post that some of the reported allegations such as surveillance of journalists were disturbing. “The company cares about journalists and activists and civil society in general,” he said.

Disputes that the leaked list is from NSO: Hulio maintained the same stance on the issue as the company and disputed that the list was connected to NSO.

“Around one month ago we received the first approach from an information broker. He said that there is a list circulating in the market and that whoever holds it is saying that the NSO servers in Cyprus were hacked and that there is a list of targets there and that we should be careful. We looked into it. We don’t have servers in Cyprus and don’t have these types of lists, and the number doesn’t make sense in any way so it has nothing to do with us. He insisted that it does. We were later approached by two different clients who said that brokers have come to them claiming that they have a list related to NSO. We eventually received some screenshots of the list the brokers managed to get a hold of and based on that we understood that this doesn’t look like the Pegasus system, certainly on the server, and that this is an engineered list unrelated to us. We looked over it with the clients and it slowly became clear to us that it is an HLR Lookup server and has nothing to do with NSO. We understood that this was a joke.” – Hulio told Calcalist

50,000 number does not add up: “The average for our clients is 100 targets a year. If you take NSO’s entire history, you won’t reach 50,000 Pegasus targets since the company was founded. Pegasus has 45 clients, with around 100 targets per client a year,” Hulio told Calcalist.

Wife of Saudi journalist Jamal Khashoggi not target: Hulio told Calcalist that the company checked with its 45 clients over a week and said that “there are no traces of Pegasus on her phone because she was not a target.” “Perhaps she was the target of something else and appears in HLR searches. But what has that got to do with NSO?” he added.

Advertisement. Scroll to continue reading.

Amateurish investigation: “I do not want to play the victim here and say we are being harassed, but I really think this is an amateurish investigation, despite all these media outlets. There is a list that the people who wrote the research have, but we do not know to whom the list belongs,” Hulio told 103FM radio.

List includes countries that are not clients: “This list includes countries that aren’t even our clients and NSO doesn’t even have any list that includes all Pegasus targets – simply because the company itself doesn’t know in real-time how its clients are using the system,” Hulio told Calcalist.

Cannot share details on client activities: Hulio said that he can neither name clients nor describe their activities because he was  bound by strict confidentiality agreements with law enforcement agencies. “All we hear is this campaign that we are violating human rights, and it’s very upsetting. Because I know how much life has been saved globally because of our technology. But I cannot talk about it,” he told the Washington Post.

Will not serve countries that violate human rights: “If there is a country that you know is a country that violates human rights, doesn’t value human life, tracks journalists, even if not through our tools — these are countries that we do not want to work with, and that is why we stopped working with them,” Hulio told 103FM radio.

Majority of clients in Europe: “The 45 countries with which we work are in Europe. There are 90 countries with which we chose not to work. There are companies that base their entire business model on selling to countries which NSO has disconnected or doesn’t sell to because they know it will be easier for them to sell there,” Hulio told Calcalist.

It will always be my word against theirs: “It will always be my word against the evidence and their words. How can you prove something that didn’t happen? You want us to take you to the clients to conduct a search so that you can search the number yourself and see that this never happened?” Hulio told Calcalist.

Advertisement. Scroll to continue reading.

Three guiding principles of NSO: According to Huli0, the company established these three guiding principles even before they wrote code:

1. License only to certain government entities because it can be abused in private hands
2. Company would have visibility into the individuals targeted by customers after selling them a software license
3. NSO would seek approval from the export controls unit of Israel’s Ministry of Defense

Cybersecurity industry should be regulated by a global body: Hulio told the Post that the situation would be better,  if the cybersecurity industry were regulated by a global body and if the Israeli goverment stopped selling its cybertechnology to countries that violate NSO agreement.

Will shutdown Pegasus if better alternative is found: “If somebody says, I found a better way to get criminals, get terrorists, get information from a pedophile, I will shut down this company. I will shut down Pegasus completely,” Hulio told Washington Post. “We are selling systems to prevent crime and terror, and ultimately what alternative do law enforcement, intelligence and police have when acting against pedophiles?” he told Calcalist.

Somebody has to do the dirty work: “It’s horrible. I am not minimizing it. But this is the price of doing business. … This technology was used to handle literally the worst this planet has to offer. Somebody has to do the dirty work,” NSO co-founder Omri Lavie told Washington Post.

More reading on Pegasus

• A Guide To The NSO Group’s Pegasus Spyware In India
• Members Of Parliament React To Pegasus Spyware Controversy Amidst Monsoon Session
• ‘Illegal And Deplorable’: How Pegasus Spyware Targets In India Are Reacting
• Amazon Web Services shuts down infrastructure linked to Pegasus vendor NSO Group
• A decade-old Bill had proposed to regulate surveillance by govt agencies; this is what it said
• Pegasus spyware: How do we rein in State surveillance? Here’s what experts had to say