Note: This is our second joint open letter to Novalpina Capital, co-owner of the surveillance technology firm NSO Group. You can read the first here.
cc: NSO Group
cc: Francisco Partners
Dear Mr. Peel,
We welcome Novalpina Capital’s affirmation of the UN Guiding Principles on Business and Human Rights (UNGPs) and the UN-supported Principles for Responsible Investment. We are encouraged by your commitment to ensure NSO Group operates in accordance with the UNGPs, including through “robust transparency in line with those Principles,” and we urge you to respect and deliver on that commitment. Surveillance technology firms should robustly embrace the UNGPs and their provisions on transparency, accountability, and remedy.
Surveillance technology interferes with the human rights to privacy and to freedom of opinion and expression when it is used in a manner not prescribed by law, is not strictly necessary to meet a legitimate aim, or is not deployed in a manner that is proportionate to that aim. To date, the surveillance industry remains an opaque, reckless, and often defiant business sector, lacking leadership in respecting human rights and addressing harms. This includes NSO Group’s previous owner, Francisco Partners, which rebuffed efforts at outreach, seemingly ignored or dismissed peer-reviewed academic work, and failed to respond to public letters. This blatant disregard for any public engagement and accountability must stop.
We appreciate your stated commitment to constructive dialogue and provision of some additional detail concerning Novalpina’s acquisition of a majority stake in NSO Group and due diligence undertaken prior to the deal. However, the undersigned organisations remain concerned on several points, as articulated in full in the attached Appendix.
Prior to setting a meeting, we request that Novalpina Capital respond in writing regarding, at a minimum, the following critical issues:
Acquisition details. You stated in your letter that you would not be able to disclose certain information related to the company and acquisition because the acquisition had not yet closed. In light of this we request information on the timeline of the acquisition, including the anticipated date of closing, and when we might expect additional details regarding corporate structure, governance processes, and operating procedures.
Statement regarding targeting of civil society. It is concerning to the undersigned organizations that Novalpina Capital made no statement regarding the targeting, by private investigators, of civil society who were investigating, reporting on, or involved in legal actions against NSO Group, as requested in our February 18 letter. Please indicate your position on such targeting.
Documentation of due diligence and investigation of reports of misuse. We support Citizen Lab in its call for Novalpina Capital to provide concrete documentation regarding its due diligence and other efforts to address reports of misuse. Our approach is complementary and in coalition with them. As Citizen Lab’s Director notes, you have not provided any evidence to support the claim that the organization’s conclusions or research are flawed. We request that you provide such documentation in support of your assertions. Please include details on the steps Novalpina Capital takes to identify and address potential and actual human rights impacts of its activities, products and services, including those of its portfolio company NSO Group.
Public commitment to cooperate with official investigations in Mexico. Novalpina Capital made no mention of its commitment to cooperate with ongoing investigations regarding abuses associated with NSO Group’s spyware in Mexico. Please indicate your position on this request.
We also welcome any additional response you may have at this time to the concerns raised in the Appendix.
Committee to Protect Journalists
Human Rights Watch
R3D: Red en Defensa de los Derechos Digitales
Reporters Without Borders
Robert L. Bernstein Institute for Human Rights, NYU School of Law and Global Justice Clinic, NYU School of Law*
*Communications from NYU clinics and institutes do not purport to reflect the school’s institutional views, if any.
➠ Original requests of the NGO Coalition and Novalpina Capital’s response
We lay out below the original requests contained in our February 18 letter, reactions as to whether Novalpina Capital satisfied these requests in its March 1, 2019 letter, and further questions raised by the Novalpina Capital letter:
- Confirm an immediate end to the sale or further maintenance of NSO Group products and services to governments that have been accused of intentionally infringing human rights through communications surveillance;
Novalpina Capital did not take a position on whether NSO Group would proactively refuse to supply its products to governments accused of intentionally infringing human rights through communications surveillance. Rather, it asserts the company’s reliance on its Business Ethics Committee (BEC), “a key Committee of the NSO Board,” for review of its sales. The letter provides no indication of clear and consistent human rights-based benchmarks or policies applied to company sales and services, or examples of instances where NSO Group has refused to supply a product or suspended a sale agreement based on human rights concerns. Indeed, nothing in the letter counters the impression that decisions of the BEC are entirely subjective, non-transparent, and lacking in any oversight.
Additionally, it is unclear from your letter whether or not any of the NSO Group board members also sit on the BEC. If this were to be the case, we would be concerned about the conflict of interest this represents. Without publicly stating who sits on the BEC, explaining the BEC’s methodology and criteria for making decisions, naming a single BEC member with expertise in human rights, or committing to establish independent oversight of the company’s approach to human rights, it is impossible for civil society to have trust in the BEC or the board generally.
Novalpina Capital also did not commit to ending further support for NSO Group products and services to governments that have been accused of intentionally infringing human rights through communications surveillance. The letter states that the company could end support to governments based on “proven misuse of NSO’s technology,” as established through a process undertaken with “the permission of the end-user organisation under investigation.” A process requiring “proof” of misuse that depends on the cooperation of a government client may make it difficult, if not impossible, to actually investigate those claims. Therefore, we are unclear as to whether this is an adequate safeguard when the end-user is accused of misusing the technology. Please elaborate on how this policy is enforced in practice.
- Commit to fully engaging with relevant investigations into abuses associated with NSO Group’s spyware in Mexico, and publicly outline what steps will be taken to cooperate with investigations to provide accountability and remediation;
Novalpina Capital did not reference alleged abuses associated with NSO Group’s spyware in Mexico or any cooperation with ongoing investigations. Instead, the company said it did not find “anything to substantiate the misuse allegations.” It would be helpful to specify what allegations were being referenced and how the company made those determinations.
- Detail what human rights due diligence steps were taken ahead of making the decision to proceed with the acquisition, report publicly on what risks were identified through any such due diligence process and how they were addressed;
Novalpina Capital provided some information concerning the due diligence it undertook in deciding to proceed with an acquisition of NSO Group. However, we view the steps taken as described by Novalpina Capital as inadequate to address human rights concerns. In particular:
- Prior to entering into any business relationship, including pursuing an acquisition, companies have a responsibility to carry out robust human rights due diligence, which, under the UNGPs, should take place “as early as possible in the development of a new activity or relationship, given that human rights risks… may be inherited through mergers or acquisitions” (Commentary, Principle 17). Yet Novalpina Capital did not provide adequate information to show that due diligence was undertaken.
- Novalpina Capital has failed to consult with civil society experts and affected stakeholders prior to entering into a purchase agreement, despite the serious and widely publicized concerns about NSO Group’s human rights record. Novalpina Capital’s letter asserts that its due diligence process was informed by the UNGPs, yet Principle 18 states that human rights due diligence should “involve meaningful consultation with potentially affected groups and other relevant stakeholders.” This is a crucial component of the process, and the fact that it did not take place before the acquisition was publicized undermines Novalpina Capital’s credibility regarding its commitment to identifying and addressing human rights concerns.
- Novalpina Capital has not publicly disclosed the steps the company took to identify and address potential and actual human rights impacts associated with the activities of NSO Group before buying shares in this company, including publishing a list of risks and actual abuses identified. These are key transparency measures that the UNGPs encourage companies to take.
- We are concerned that the individuals you highlighted among the ‘external advisers’ have existing relationships with Novalpina Capital. Prof. Dr. Gerhard Schmidt of the ‘legal compliance team’ mentioned in your letter is reportedly a non-executive chairman and director at Novalpina Capital Group S.à.r.l.; and Dr. Günter Schmid, who performed corporate governance due diligence, is reportedly on the supervisory boards of Olympic Entertainment Group AS and Odyssey Europe AS, as well as on the management board of Odyssey Europe Holdco S.à r.l. – entities owned by Novalpina Capital.
- Disclose additional information about the new corporate structure, including what percentage of shares of NSO Group Novalpina Capital now owns or controls; the precise terms of this deal; NSO Group’s new corporate structure; and the membership of NSO Group’s board of directors, executive leadership, and management team.
We acknowledge Novalpina Capital’s statement that, pursuant to agreements undertaken in furtherance of the acquisition, it cannot disclose certain information concerning the acquisition prior to its closing. Please inform us when we can expect to receive the information requested, as well as the anticipated date of closing.
- Describe its position on the human rights impact of NSO Group’s technology, and how it plans on mitigating the risks made evident by NSO Group’s past failures and preventing abuses in the future;
We appreciate Novalpina Capital sharing context on the thinking behind its decision to invest in NSO Group, and the human rights impacts of NSO Group’s technology. We also appreciate Novalpina Capital’s description of its plans to mitigate the human rights risks associated with NSO Group’s products and services going forward, including by undertaking a human rights impact assessment. However, we still have concerns about the adequacy of these plans (see discussion below).
- Provide details about the membership and deliberations of NSO Group’s Business Ethics Committee, and the standards against which they evaluate potential or past business;
Novalpina Capital provided limited details about NSO Group’s Business Ethics Committee. We have highlighted our concerns regarding the BEC in the discussion of request 1, above. Novalpina Capital did not provide information regarding the human rights or other standards (if any) against which the BEC evaluates potential or past business.
- Issue a statement condemning the targeting, by private investigators, of civil society who were investigating, reporting on, or involved in legal actions against NSO Group;
Novalpina Capital has not made a statement regarding the use of private investigators to target civil society when they were investigating, reporting on, or involved in legal actions against NSO Group. Novalpina Capital’s silence on this matter undermines the credibility of Novalpina’s claims that it will address human rights and is troubling to this NGO coalition. Please indicate your position on such targeting.
- Provide data on which export licenses NSO Group has received from Israeli and other government authorities, and commit to regular transparency reporting on export licensing data;
Novalpina Capital provided some background information on NSO Group’s compliance with export control regulations, which we appreciate. It did not, however, provide data on the company’s export licenses. The letter also notes that “the very large majority of contracts . . . require an export license . . . .” This statement gives us cause for concern: are there contracts entered into by NSO Group that do not require an export license, and if so, on what basis? Further, your response states that NSO Group’s products are also licensed by non-Israeli government authorities, including in Bulgaria. We ask that you detail which countries provide NSO Group with export licenses, whether and how human rights considerations are applied to export license applications in these countries, and whether NSO Group requires a license to export to an authority in an EU member state from Bulgaria. Finally, Novalpina Capital did not commit to regular transparency reporting on NSO Group export licensing data.
- Provide details on end-use agreements that NSO Group has in place with its clients protecting people from arbitrary surveillance, if any, and what steps the company takes to monitor their compliance. If no end-use agreements are in place, provide information about how NSO Group ensures its products are not misused against human rights defenders, journalists, and other members of civil society.
Novalpina Capital stated that NSO Group maintains contracts with end-users that include compliance obligations and prohibitions against use of the technology in a manner that violates human rights. However, the company did not provide examples of these contracts. Please provide the relevant contractual provisions in full, as well as any provisions that may rely on or modify them, for avoidance of any ambiguity. It is also unclear whether standard-form contractual provisions may be modified pursuant to negotiations with clients; please provide clarification on that issue. Finally, Novalpina Capital did not provide information on how NSO Group monitors compliance with these provisions in the absence of a claim or suspicion of misuse; please inform us of what due diligence NSO Group carries out, either through regular audits or other processes, in order to monitor compliance with these provisions.
➠ Novalpina Capital’s emphasis on ‘substantiation’
Novalpina Capital’s March 1, 2019 letter relies on the notion that ‘substantiation’ of concerns surrounding NSO Group’s human rights impact is a prerequisite to action. Citizen Lab has written separately to you regarding this issue, and we support the points made in the Citizen Lab letter. Additionally, we note that Novalpina Capital’s March 1 letter did not explicitly deny that NSO Group technology was utilized in the many incidents reported by Citizen Lab, Amnesty International, and others. Rather, the letter states: “We found no indication that the process followed by the company to investigate alleged misuse of its technology was partial or otherwise flawed, nor anything to substantiate the misuse allegations” (emphasis added). We request that you provide detailed clarification on the thresholds at which Novalpina Capital considers an allegation substantiated and a misuse to have occurred.
While Novalpina’s letter states that misuse allegations are not substantiated, it goes on to note that Novalpina Capital in fact identified three investigations that “led to NSO deciding to terminate a contract.” Were these investigations related to human rights impacts at all? If they were, this would be evidence of existing concerns around potential human rights impacts of NSO products. Please clarify.
Additionally, we consider problematic the statement that Novalpina Capital “will address the requirement for remediation (including for any substantiated historic abuses) as stipulated under the [UN Guiding] Principles” (emphasis added). However, the UNGPs’ approach to remedy does not require that those concerned over a company’s human rights impact substantiate a human rights abuse prior to seeking remedy – which in many situations would be an impossible standard to meet. As noted in the commentary to Principle 22, “Operational-level grievance mechanisms for those potentially impacted by the business enterprise’s activities can be one effective means of enabling remediation . . .” (emphasis added). Commentary to Principle 29 further clarifies that operational-level grievance mechanisms “need not require that a complaint or grievance amount to an alleged human rights abuse before it can be raised, but specifically aim to identify any legitimate concerns of those who may be adversely impacted.”
As described in full in the Citizen Lab letter, peer-reviewed research has established the targeting of numerous peaceful civil society actors, including journalists, activists, lawyers, and others, with Pegasus spyware. This targeting, whether or not infection occurs, prima facie infringes on these individuals’ rights to privacy and freedom of opinion and expression. Such targeting should indicate to NSO Group that some of its clients are not deploying NSO products in compliance with international human rights law, or in a manner that is “proportionate and targeted, operating within robust and clear legal frameworks,” as Novalpina Capital’s letter states. NSO Group’s continued service to clients that have engaged in such targeting is concerning, especially in the absence of evidence that human rights due diligence has been undertaken or evidence to show that any human rights impacts linked to its products have been addressed.
Novalpina Capital’s letter also seems to raise the standard for action on human rights impacts to a very high threshold. For example, the company states that it will act on “instance[s] in which it were proven that human rights abuse was facilitated by the misuse of NSO’s technology.” Such an approach would set an extremely high bar, requiring proof that a Pegasus infection took place and was utilized by a government to engage in separate and distinct human rights violations, even though the targeting of individuals with this software would itself constitute a violation under international human rights law.