Two years after Khashoggi’s slaying, no accountability for spyware firm or Saudi government

Friday, October 2nd marks two years since Jamal Khashoggi, a Washington Post columnist and a prominent critic of the Saudi government, was brutally murdered inside the Kingdom’s consulate in Istanbul by a team of Saudi agents. Since then, a United Nations report has placed the blame for the “premeditated execution” squarely on the Saudi state, and raised urgent concerns about the “domestic and extraterritorial surveillance” and safety of Khashoggi’s close contacts. The global outcry over the murder spurred members of the U.S. Senate to take action, and it has boosted ongoing efforts in the E.U., the U.S. State Department, and elsewhere to ensure spyware firms take responsibility and do not profit from human rights violations. 

None of this has been enough. There has been no real accountability for Khashoggi’s slaying, and NSO Group — the company whose surveillance tools were allegedly used to target Khashoggi — has since been implicated in a series of egregious human rights violations. All around the world, authoritarian regimes are still using these tools to identify, surveil, and silence dissidents, journalists, and human rights defenders. And NSO Group — whose most notorious spyware, Pegasus, was found to have infected more than 100 devices of civil society targets — continues to profit from it. 

In this post, we look at what happened to Khashoggi, present a timeline of the human rights violations NSO Group has been implicated in — before and after Khashoggi’s murder — and detail efforts by civil society organizations and governments worldwide to hold those responsible accountable for what they did. We also reprise and renew our call for international organizations, governments, and the international community as a whole to investigate NSO Group and other companies (like Sandvine) that make money from tools that facilitate grave — and in many cases, democracy-destabilizing — human rights violations.

NSO’s alleged involvement in Khashoggi’s slaying 

NSO Group is an Israeli spyware company that was previously owned by the U.S. financial firm Francisco Partners, which has made headlines due to its involvement in Belarus internet shutdowns. NSO is now part of U.K.- based Novalpina Capital. 

According to research by the University of Toronto-based Citizen Lab, NSO sold its Pegasus spyware to the Saudis, who used it to spy on Khashoggi’s associates. Security researchers who examined the phone of Omar Abdulaziz, Khashoggi’s friend and also a known critic of the Saudi regime, discovered that it had been hacked. Abdulaziz and Khashoggi used the phone to exchange what they thought were private WhatsApp conversations about their plans for social media activism against the Saudi autocracy. A few months after the hack, on October 2, 2018, Khashoggi was assassinated at the Saudi Consulate in Istanbul. Abdulaziz has publicly implicated Saudi officials in Khashoggi’s murder, pointing to the hacking of his private conversations with Khashoggi as playing a key role in the assassination. 

Today, the Saudi government is reportedly one of NSO’s favorite clients; not only do they have a lot of money, they can operate without independent judicial oversight. Those targeted for surveillance using Pegasus spyware include a staff member at Amnesty International, Saudi human rights activist Yahya Assiri, Saudi political satirist Ghanem Almasarir, and the New York Times journalist Ben Hubbard, who is known for his reporting on Saudi Arabia and the Crown Prince Mohamed Bin Salman (MBS). 

Timeline: human rights violations using NSO spyware before and after Khashoggi’s murder

The evidence is abundant that NSO Group continues to supply tools that are used for human rights violations globally, often carried out with impunity. Here’s a look at the documented incidents of NSO targeting before and after Khashoggi’s assassination. 

The following infographic was generated via Infogram. Please check your privacy-enhancing browser extensions for the best viewing experience.

Justice for Khashoggi, not served

Extrajudicial execution is a crime under international law, which makes it subject to prosecution by any state claiming “universal jurisdiction.” However, as noted by the U.N. investigation on Khashoggi’s execution, in this case there have been few attempts to bring justice to those who planned and carried out the murder.

Senior Saudi officials implicated in Khashoggi’s execution are walking free, including MBS and the former royal advisor Saud al-Qahtani, notorious for terrorizing Saudi activists and political dissidents online. Instead, a Saudi court in a “parody of justice,” has issued sentences to eight low-level agents, ranging from 24 years in prison to the death penalty, which were later overturned or pardoned

Separately, Turkey kicked off a trial of a number of Saudi suspects for their role in the murder, and the Open Society Justice Initiative also filed a lawsuit under the U.S. Freedom of Information Act to demand at least disclosure of unreleased information on individuals involved in the execution.

In parallel with these developments, there have also been several attempts to hold NSO Group accountable for its involvement in human rights violations, in Saudi Arabia and beyond. So far, none have been successful, although several are still pending. 

In 2018, twin lawsuits against NSO were filed in Israel and Cyprus by a Qatari citizen and by Mexican journalists and activists who were all targeted by the company’s spyware. The lawsuits revealed documents and emails that challenge NSO’s repeated assertions that it is not responsible for any illegal surveillance conducted by governments. 

That same year, Omar Abdulaziz also filed a suit in Israel against NSO, accusing the company of infecting his phone to spy on his conversations with Khashoggi. According to the court papers, the plaintiff’s lawyers intend to argue that the hacking “contributed in a significant manner to the decision to murder Mr. Khashoggi.”

Between 2018 and 2019, Amnesty International led a campaign to revoke NSO’s export license in Israel, first by attempting to make the Ministry of Defense revoke the license, and then by filing an action in Tel Aviv District Court. Both attempts were unsuccessful.

Another Saudi dissident, Ghanem Almasarir, brought a legal case against the Saudi government in 2019 for targeting him with NSO’s Pegasus. Like Khashoggi, he has been a vocal critic of the Saudi regime and the royal family.

The most recent and perhaps the most promising case against NSO was filed in the U.S. by WhatsApp for targeting the tech company’s California servers to deliver Pegasus spyware to over a thousand customers’ phones, in violation of WhatsApp’s terms of service, as well as U.S. and California law. The California District Court has ruled to allow the case to go forward, but NSO is now appealing to the U.S. 9th Circuit Court arguing that it should escape liability as it was simply following foreign governments’ orders to infect users’ devices with spyware. If NSO loses the appeal, the case will move into the discovery stage, which is promising to reveal much-needed details about NSO’s operations and the extent of its knowledge of abuses perpetrated with the help of its spyware, including potentially the targeting of Khashoggi. 

Reports indicate that NSO has also been under investigation by the U.S. Federal Bureau of Investigation in relation to possible hacks of U.S. residents and companies as well as suspected intelligence-gathering on governments. However, the status of this investigation is currently unknown.  

NSO’s attempts to whitewash its appalling human rights record

Since Khashoggi’s murder, NSO has not only continued making profit from facilitating human rights violations around the world, but has also used these funds to recruit famous international experts as senior advisors to improve its public image. For example, NSO successfully recruited former U.S. Department of Homeland Security (DHS) official and Harvard professor Juliette Kayyem, former DHS Secretary Tom Ridge, and a former French diplomat Gerard Araud, though all three of them have apparently backed out from working with NSO and have been quietly removed from the company’s website. NSO is likely to continue its search for respected experts in the field of cyber security, diplomacy, and international law as advisors who can help to whitewash its appalling human rights record and escape accountability.

NSO also attempted to take advantage of COVID-19 to improve its reputation, despite continued abuses, by developing a contact tracing app to monitor and predict the spread of the disease. The app was fraught with multiple privacy issues, including its database being found unprotected and without a password. The development of the app appeared to be more of an excuse for NSO to expand into mass surveillance than a genuine effort to help combat the coronavirus pandemic. 

It’s time for real action

In the past two years, Access Now has made multiple calls to condemn NSO’s illegal surveillance practices, including the likely targeting of Khashoggi. On the two-year anniversary of Jamal Khashoggi’s murder, we renew our calls, which are more urgent than ever:

  • Demand accountability for those involved in Khashoggi’s murder, including any companies or government officials that participated in surveiling Khashoggi and his associates leading up to his death. 
  • Demand meaningful and independent investigation of surveillance activities linked to NSO Group, including those directed by its clients, and accountability for human rights abuses facilitated by these activities around the world.
  • Call for a moratorium on the trade of surveillance technology until robust human rights safeguards are in place to regulate such invasive tools.
  • Call on governments to implement strong export controls, including mandatory human rights impact assessment in due diligence processes, and mandatory transparency and disclosure criteria. 
  • Call on governments to develop and enforce a strong accountability framework to ensure companies are not profiting off the sale of surveillance tools and other abusive technologies to clients sporting a track record of human rights violations. 
  • Call on remaining members of NSO Group’s advisory board to terminate their association with the company.
  • Call on all companies to put human rights at the center of their decision-making processes, not just through ethics policies and prominent experts on their advisory boards, but by:
    • Creating a robust human rights policy that iterates the company’s commitment to respecting human rights according to the U.N. Guiding Principles on Business and Human Rights;
    • Refraining from providing invasive tech tools to governments with a record of human rights abuses;
    • Undergoing regular human rights due diligence and impact assessments, including reviews by independent, expert third parties, to identify and prevent the human rights risks that arise from their tools and services;
    • Ensuring full transparency in their arrangements and processes, including by publishing transparency reports on government requests for user information and enforcement of the company’s policies; 
    • Making their methodology public, based on best practices, and open to critique; and
    • Consulting with civil society, impacted communities, and other critical voices in the design and implementation of the processes.
  • Call on companies and governments to ensure effective legal remedies are available for victims of targeted surveillance. 

In June 2020, Omar Abdulaziz was officially warned by the Canadian police that he is a “potential target” of the Saudi regime with “credible information about a possible plan to harm him.” It should not take another assassination for international organizations and governments to curtail the proliferation of development and export of surveillance technologies used by governments to commit human rights violations.