https://www.accessnow.org:443/is-nso-groups-infamous-pegasus-spyware-being-traded-through-the-eu/

Is NSO Group’s infamous Pegasus spyware being traded through the EU?

This post was co-authored with Madeline Libbey, Access Now Policy Intern.

When sophisticated surveillance systems are sold and used effectively without constraint, it puts civil society, free expression, and our democracies in the crosshairs. The brutal murder of Saudi journalist Jamal Khashoggi remains a grim reminder of the vulnerability of those speaking out for human rights. In the European Union, there are export controls designed to prevent sales of these kinds of systems to certain countries with troubling human rights records. The question is, how well are they working?

At the end of August, Access Now sent a second letter to International Trade Control in Bulgaria, the public authority which oversees applicable export controls and relevant licensing, to request additional information and an investigation into export licenses that have reportedly been issued by Bulgarian and Cypriot authorities to NSO Group — as NSO co-owner Novalpina Capital’s founding partner, Stephen Peel, suggested in his 1 March 2019 letter to Access Now and other civil society groups. NSO Group is the notorious spyware firm that sells technology that has repeatedly been linked to violations of the human rights of individuals around the world. 

Upon learning of the licenses reportedly issued by Bulgarian and Cypriot authorities to NSO Group, we have written to request transparency regarding the type and scope of licenses that were issued and ask that an investigation be conducted to review compliance with the EU’s export controls regime and its requirements. Cyprus recently responded to our first letter in which we made a similar request, stating that they have never issued export licenses to NSO Group. Now, after our second round of outreach, Bulgaria has provided a similar response.

However, as we remain concerned that the Bulgarian and Cypriot authorities have indeed issued licenses to NSO Group (or its affiliates), we’ve reached out directly to Novalpina Capital, which has controlling ownership in the company, to corroborate the response the authorities provided to us. We want to know the types of products, facilities, and affiliates that may have been licensed in these EU countries, and we think this should be public information. 

Our outreach aims to gain additional insight into how export controls authorities of EU member states approach licensing for targeted surveillance products and services such as those made and traded by NSO Group. This type of surveillance technology is often used to disproportionately target vulnerable members of civil society — human rights defenders, activists, dissidents, and journalists, among others.

In June of this year, David Kaye, the UN Special Rapporteur on Freedom of Opinion and Expression, published a new report at the UN Human Rights Council in which he examines the private surveillance industry, weighing the sales and export of spyware against the human rights obligations imposed on states and companies. After a thorough examination of the industry and the often detrimental impacts it has on human rights, the report recommends a global moratorium on the export and use of targeted surveillance technology such as NSO Group’s Pegasus spyware. Rapporteur Kaye’s recommendation aligns with Access Now’s call for a “presumptive prohibition on all government hacking” in our 2016 paper, A Human Rights Response to Government Hacking, as well as the UN General Assembly’s consensus resolution in fall of 2018, “recognizing States should refrain from employing unlawful or arbitrary surveillance techniques, which may include forms of hacking”.

Accountability for the human rights violations that surveillance technology facilitates remains out of reach. In response to civil society pressure, Novalpina Capital engaged a law firm to produce NSO Group’s first Human Rights Policy, released this week. Access Now is analyzing the policy, measuring it against best practices and business and human rights standards. Regardless of what its particular merits or flaws turn out to be, any such policy is necessary, but not sufficient, to ensure respect for human rights and remedy for infringement. Governments around the world must act to protect our human rights and prevent abuse of these rights by industry, especially in sectors that are as dangerous and toxic as surveillance technology. 

As the EU and other international actors contemplate a stronger regulation of the trade of surveillance tools, it is essential that civil society continues to work together to highlight how the proliferation of such technologies impedes our work, endangers our communities, and threatens our rights and freedoms.

Additional information:

Access Now to Bulgaria and Cyprus: don’t give NSO Group license to profit from human rights violations

Access Now NSO Group archives

Help keep the internet open and secure

Subscribe to our action alerts and weekly newsletter

Your info is secure with us.