PEGA Committee of Inquiry

NSO Group Opening Statement

June 21, 2022

 

Thank you, Mr. Chairman.

On behalf of NSO, I want to thank the members of the Committee of Inquiry for having us here today.  We are very appreciative of the opportunity to speak with you directly, and would like to use this time to cover three main areas.  First, we will provide the Committee with information on NSO as a company, our technologies, goals and practices.  Second, we would like to dispel certain rumors and misconceptions regarding our company and its technologies that have been prominent in the press and public debate.  Third, we would like to share our goals and commitments for assisting the Committee in its ongoing work.

Before we begin, we should note that there are limits to the information we can share with the Committee and others.  As you know, NSO is a private company providing export-controlled cyber intelligence technologies only and exclusively to government agencies, for the purpose of preventing and investigating terrorism and other serious crimes.

As a result, we are unable to share details about our customers, as well as the crimes prevented and criminals tracked and apprehended using our technology or trade secrets of the technology. This practice is imperative to protect the legitimate legal and operational need for secrecy of sovereign intelligence and law enforcement agencies.

We are, however, committed to transparently sharing with you accurate information regarding our company and technologies.

I. Company Overview

We would like to begin with stating the simple truth that this technology has been conceived and designed to save lives worldwide.

NSO was founded in 2010 and was developed in order to respond to the needs and requests from various law enforcement agencies, including some from EU countries, to find a technological solution to gather intelligence from encrypted mobile devices. NSO was established with the ambition to make the world a safer place and has been doing so since day one.

 

Since its establishment, NSO set forth four principles to guide the manner in which it works: (1) NSO only sells to governments; (2) NSO will not sell to just any government; (3) NSO does not operate the systems; and (4) a desire to be regulated by government regulators.  NSO’s products are licensed for sale with the approval of the Israeli Export Control Authority and provided exclusively to government intelligence and law enforcement agencies.

The rapid development and widespread use of technology by terrorists and criminals has profoundly changed the ability of states to prevent and investigate terrorism and other serious crimes.

Our products assist state authorities in addressing the “going dark” problem, i.e., the growing misuse of end-to-end encryption applications by terrorists and criminals to conceal messages and plots when communicating through mobile devices.

The only other option to conduct investigations in today’s world is through mass surveillance or a backdoor to the devices of all users, which would be a much more intrusive technology.

The technology developed by NSO is the only type of target centric solution that is known.

 

NSO is most well-known for Pegasus, a cyber intelligence program used by state law enforcement and intelligence agencies to collect data from specific mobile devices during investigations.

Through the use of Pegasus, state authorities have thwarted and continue to thwart numerous terrorist attacks such as suicide bombings, and it has been instrumental in apprehending pedophiles and other serious criminals.

NSO is fully aware of and committed to its own human rights responsibilities and the duties of its clients, and is determined that its products be used appropriately and lawfully.  In light of this, NSO has made a fundamental commitment to voluntarily take steps to address these concerns, including by following the approaches described in the United Nations Guiding Principles on Business and Human Rights or “UNGPs”.

NSO is proud to be the first and, to our knowledge, the only company in the cyber industry effectively implementing policies towards complete alignment with the UNGPs.  This includes adopting and implementing policies, procedures and internal human rights programs, including human rights due diligence procedures, reviewing each credible allegation of misuse raised, conducting international investigations, and engaging with all stakeholders.

Unfortunately, not all allegations made against NSO are credible.  For example, we have identified many allegations that are false, or contractually and technologically impossible. 

These allegations often rely on evidence and data that was not provided to NSO, preventing us from being able to verify or refute such claims, and thus introducing confusion that is detrimental to maintaining public confidence in these technologies.

II. Dispelling Misconceptions

 

I would now like to dispel a number of misconceptions that have surfaced in the press and public debate with respect to our company’s activities and technologies.

A lot of information has already been presented to the Committee and there are numerous allegations that simply are not true.  In light of the allocated time I cannot go through all of them, so I will focus on the main and/or most common misleading and/or incorrect allegations:

  1. It is not true that NSO Group operates Pegasus and collects information about individuals;
  2. It is not true that Pegasus has greater technological abilities than its design;
  3. It is not true that NSO Group sells its technologies to private companies;
  4. It is not true that all traces of the Pegasus software vanish on devices;
  5. It is not true that NSO Group retains data and Pegasus creates a permanent and strong risk of massive security breaches comparable to encryption backdoors; and
  6. It is not true that the so-called 50,000-phone numbers list is a list of targets of Pegasus.

I will address each of these misconceptions one by one.

  1. Let me state unequivocally that NSO does not operate Pegasus, has no visibility into its usage, and does not collect information about customers or who they monitor. NSO licenses Pegasus solely to law enforcement and intelligence agencies of sovereign states and government agencies, following both a careful and sector-leading pre-engagement due diligence process and approval by the Israeli government.

Licenses are limited in number and contracts are carefully crafted to permit only legitimate use.

NSO does not have any knowledge of the individuals whom states might be investigating, nor the plots they are trying to disrupt.  For obvious reasons, sovereign states normally do not and will not share this extraordinarily sensitive information with NSO or any other provider of similar technology.

  2. Regarding the second misconception: First, Pegasus is not a mass surveillance tool. The data is collected only from the mobile devices of pre-identified specific individuals, suspected to be involved in terrorism and other serious crime, subject to judicial or other appropriate oversight.  Pegasus is used with specific, pre-identified phone numbers, one at a time, and is similar in concept to a traditional wiretap.  Second, Pegasus does not delete or edit data on a targeted device or allow for such deletion or editing.  Pegasus is designed with intelligence and data gathering capabilities and it is incapable of impersonating a victim.  It cannot be used for any other purposes. And third, Pegasus cannot be used to gather information broadly and does not penetrate computer networks, desktop or laptop operating systems or data networks.
  3. Regarding the third misconception – NSO Group sells its technology strictly and exclusively to governments and governmental agencies for the purposes of combatting terrorist activities and crime.
  4. Regarding the fourth misconception – while Pegasus is indeed hard to detect on a target’s phone, it has a built-in investigative capability, in case a misuse is suspected. This is impossible to erase or manipulate.  Those capabilities cannot be completely deleted, and an “audit trail log” exists permanently, with the ability to retroactively check whether or not a certain phone number was penetrated.  NSO has been granted access by its customers to perform this type of investigation many times in the past, when an allegation of misuse arose, which has led to NSO shutting down systems and terminating a number of contracts.
  5. Regarding the fifth misconception – The data collected by the customers is NOT stored in any cloud, and there are no backdoors to the system.  There is NO shared database of NSO’s customers, and the logs securely exist only on the servers of the customers.
  6. Regarding the alleged list of 50,000 phone numbers – this is simply not possible. Indeed, the number of purported targets is entirely implausible based on the number of licenses actually granted by NSO. The so-called ‘list’ of targets – for which no details or source have been disclosed publicly – is not a list of Pegasus targets nor has it been taken from the Pegasus system. This has even been acknowledged by several of the organizations that referred to the “list”. Prominent names given as examples drawn from that list have been verified as never having been targets subject to our technology.

 

III. Commitment to Assisting the Committee

I would like to end my remarks by reiterating NSO’s commitment to assisting the Committee in its ongoing work.

NSO believes that cooperation between our company and the Committee can be fruitful in looking at concrete solutions to address human rights in our industry.

As previously stated, we, as well as many law enforcement agencies, firmly believe that cyber intelligence technologies are necessary to address threats of terrorism and other serious crimes.

There is no other alternative that better addresses two equally legitimate public concerns: security and privacy. Therefore, we strongly reject any calls to ban these technologies or for a moratorium.

That being said, NSO has called for and continues to call for the establishment of an appropriate international legal framework, sector-specific standards for states and companies, and guidelines to better determine criteria for legitimate end users of crucial intelligence systems.

NSO is open to engaging with all governments and other stakeholders, including civil society organizations, international organizations and the United Nations Special Procedures, and to entering into a meaningful dialogue with a view to establishing concrete solutions to promote respect for human rights by all.

Lastly, at the end of today’s meeting, and if the Chair allows, NSO intends to provide the Committee with a position paper, which outlines many of the points we have raised today.  We thank you again for your invitation to join the Committee today, and look forward to answering your questions.

Key Messages

  • Lives saved across the world
  • The manner that modern intelligence gathering works
  • Alternatives
  • Mass surveillance v. target centric
  • Calling for international regulations
  • We are the responsible vendor – we are doing the right thing. Our system is working
  • We are not the only company/ poster boy of the industry
  • Every technology can be misused
  • Not operating the technology
  • Even during investigation, we cannot see the data collected
  • Living in a dangerous world, these types of technology are needed
  • Unique compliance and Human Rights governance
  • BigTech – they are the problem