NSO Group’s Pegasus spyware: how we got here and what now

Earlier this month, the news broke that an unknown assailant used NSO Group’s Pegasus spyware tool to target the phones of nine U.S. State Department employees. This breach is only the latest in a series of revelations on hacks into the personal devices of journalists, human rights defenders, lawyers, and high-level government officials across the world. The spyware firm’s tools have enabled authoritarian regimes and other bad actors to strip away their victims’ privacy and violate their rights, with few restraints, while the company profits.

To evade accountability, NSO has long claimed to have control of who uses its spyware, while arguing that it doesn’t have insight into what clients do with it. But now, after years of research, reporting, and global activism, as well as the brave efforts of victims coming forward, we are securing tangible victories in the fight against NSO and spyware worldwide. Like other countries, the U.S. is finally stepping up to curb use of NSO’s technology that violates human rights.

The fight so far

For years, Access Now has worked with global and regional partners, and the victims of Pegasus spyware around the world, to ring the alarm on the human rights abuses NSO’s technology enables. Through our 24/7 Digital Security Helpline, we have witnessed how spyware damages civil society globally. In 2016, we called out NSO’s co-founders as surveillance villains. In 2017, we worked with the Canadian research center Citizen Lab in a campaign to convince investor firm Blackstone to drop its planned acquisition of NSO. In 2020, we and our partners filed an amicus brief before the U.S. 9th Circuit Court in support of WhatsApp’s lawsuit over Pegasus-enabled hacks. 

This year, following the Pegasus Project revelations, we joined the global civil society campaign to halt spyware sales, transfer, and use until international rules are in place. In addition, we co-authored a letter to the U.N. Human Rights Council asking for immediate action on NSO. More recently, we joined a letter to the European Union demanding the government impose targeted sanctions against the company. 

We’re proud to be a part of the collective effort to defend people from relentless spyware attacks. But the battle isn’t over yet.

What’s happening now

Pegasus victims deserve justice, and to prevent further human rights violations perpetrated in the dark, we need accountability. After years of NSO facing no real consequences for well-documented abuses of their products, it has been a gratifying few weeks. 

On November 3, the Biden administration added NSO and another surveillance firm, Candiru, to its blocked Entity List for violating U.S. national security. This creates huge barriers for U.S. companies to do business with them — a move so consequential that it has reportedly pushed NSO to the brink of financial collapse, leading the firm to consider shutting down Pegasus and selling the company in its entirety. 

The following week, the U.S. 9th Circuit Court moved the WhatsApp lawsuit against NSO forward and accepted the joint amicus brief Access Now filed with partners, paving the way for legal consequences. Two weeks later, Apple launched its own lawsuit against NSO for facilitating surveillance of iOS users and damaging their devices.

The good news doesn’t stop there. Earlier this month, at the flagship Summit for Democracy, the Biden administration announced the “Export Controls and Human Rights Initiative” — a long-overdue plan for the U.S. and allies to develop human rights-based export controls on the sale of surveillance and hacking tools to regimes accused of abuse. On December 15, a group of U.S. lawmakers started calling for targeted sanctions against NSO and other spyware firms for facilitating the “disappearance, torture, and murder of human rights activists and journalists.”

What the U.S. needs to do next

The world is outright rejecting the idea that private companies like NSO should create and sell spyware designed to violate people’s rights. As we’ve noted, we support an immediate global moratorium on the sale, transfer, and use of surveillance technology until international rules are in place to prevent abuse. As the U.S. catches up, the Biden administration can use this momentum to further the cause by:

  • creating new U.S. Securities and Exchange Commission (SEC) rules that require robust due diligence and regular reporting by firms providing goods or services with surveillance capabilities to governments, in line with leading efforts in the E.U. that avoid “voluntary standards”;
  • ensuring that NSO and other spyware or censorship tech companies do not access U.S. investors’ funds, including through potential IPOs, through SEC regulations some U.S. lawmakers have recently called for, to protect non-securitized capital from funding their activities;
  • imposing sanctions on NSO clients, owners, and affiliates, and warning investors of potential risks;
  • adding NSO’s other entities and holding companies, including Q Cyber Technologies, to the Entity List;
  • holding regular consultations with civil society to inform the “Export Controls and Human Rights Initiative” and identify future additions to the Entity List and sanctions regimes;
  • protecting strong encryption and encouraging development of more end-to-end encrypted products and services;
  • funding civil society and security technologists to better monitor and circumvent spyware; and
  • requiring tech companies to show due diligence and take concrete measures to avoid supporting spyware tools and related technologies.

Keep the pressure on

One thing is clear: civil society’s collective push for accountability is working. More government leaders are listening, and stakeholders around the world are finally taking the threats that Pegasus spyware poses to global human rights and national security seriously. 

That said, the spyware problem is much bigger than NSO. The Biden plan for human rights-based export controls recognizes this, but world leaders can do more. Governments across the globe need to stand together to halt the largely unregulated use of censorship and surveillance technology, protect the human right to privacy, and move forward with policy to prevent private companies from selling software designed to dehumanize individuals and undercut democratic rights and freedoms. NSO should serve as an example of what happens when you profit from violating human rights.