Citizen Lab reports on the abuse of NSO Group’s spyware
Bittersweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links
Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware
Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware
Reckless III: Investigation Into Mexican Mass Disappearance Targeted with NSO Spyware
Reckless IV: Lawyers For Murdered Mexican Women’s Families Targeted with NSO Spyware
The purchase of a $400 million stake in spyware company NSO Group by Blackstone Group LP has reportedly fallen through.
We do not know why the deal failed, or what Blackstone Group’s due diligence process may have uncovered. Blackstone did not respond to the open letter we sent them about the deal, which outlined a range of troubling business and human rights risks surrounding NSO Group. Reports of the deal attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights.
However, Citizen Lab researchers and partners R3D, SocialTic, and Article19 have been investigating the misuse of NSO’s spyware for over a year, and have uncovered a pattern of abusive uses and due diligence failures in three countries (Mexico, Panama, and the United Arab Emirates), two of which now have active investigations (Mexico and Panama). The most recent discovery, showing that NSO’s spyware was used to target lawyers for slain Mexican women, was published just two weeks ago on August 2nd, 2017.
Here is an ongoing list of concerns over the misuse of NSO’s Technology:
Targeting of an Award-Winning Human Rights Activist
Targeting of Public Health Campaigners and a Federal Scientist
Targeting of Journalists, Families, and Anti-Corruption Advocates
Targeting of Political Leadership
Targeting of Forensic Investigators
Targeting of Lawyers for Slain Women
Systematic Abuse in Panama
Reporting and investigation by organizations including R3D, SocialTic, Article 19, and Privacy International—as well as dozens of media outlets internationally—have uncovered additional details that suggest a lack of due diligence and/or a failure of know-your-customer policies on the part of NSO Group, and possible legal violations by NSO Group’s customers.
Collection and Sale of Known Software Vulnerabilities and a Failure to Responsibly Disclose
Services provided by NSO Group include the sale of so-called “zero day” exploits, which enable the remote infection of commercially available electronic devices. These exploits make use of undocumented vulnerabilities in commercial software and operating systems developed by companies that serve consumers worldwide, such as Apple Inc. Instead of responsibly disclosing information about these vulnerabilities to software companies, however, NSO Group sells solutions which exploit them to customers in United Arab Emirates and elsewhere. These zero-day exploits were used to target the abovementioned individuals, and failure to disclose their existence may have left upwards of hundreds of millions of users at risk.
When researchers at Citizen Lab, in collaboration with security firm, Lookout Inc, discovered a set of three zero-day exploits used by NSO Group, Apple Inc. was forced to urgently develop and deploy a security update for the approximately one billion users of Apple iOS and OS X operating systems. Google Inc. has conducted its own investigation into this issue, referring to NSO Group’s Android technology as both “malware” and “spyware.” Lookout Inc. has also separately investigated NSO Group’s technology targeting Android devices.
Investigations and Calls for Investigation
In light of the serious human rights concerns raised by the use of NSO Group technology, a number of international bodies have called for investigation, and at least one investigation is presently ongoing:
Calls for Investigation