The Citizen Lab has sent an open letter to Francisco Partners requesting an update on our March report concerning Sandvine, as well as the reported interest in a sale of NSO Group to Verint Systems, and Francisco Partners’ investment practices more generally. Verint has reportedly offered Francisco Partners approximately USD $1 billion in Verint stock and assumed debt in order to acquire NSO Group, an advanced commercial spyware vendor. If such an acquisition were to take place, Verint Systems would reportedly own NSO Group and operate that entity alongside its existing divisions, while Francisco Partners would become the largest shareholder in Verint.
This letter requests a follow up to correspondence Citizen Lab sent to Francisco Partners in February after we discovered the apparent use of the products of its portfolio company, Sandvine, to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt. Additionally, it highlights research which demonstrates reported misuses of NSO technology against UAE human rights activist Ahmed Mansoor and lawyers, journalists, public health advocates, international investigators, and civil society actors in Mexico. It concludes with a call for Francisco Partners to more fully incorporate human rights and corporate social responsibility policies and practices in its investments.
As we write in the letter:
“We at the Citizen Lab anticipate that if Francisco Partners were to take meaningful, concrete steps in this direction, the firm would receive a positive response and important insight from civil society. Unfortunately, the mere expression of generic sentiments as contained in your February 20 correspondence, with unsubstantiated references to ‘business ethics’ and ‘social responsibility,’ does nothing to address the serious human rights impacts of the products and services of your portfolio companies. Transparent action and adoption of concrete benchmarks for progress are required. We encourage you to open a public dialogue around human rights and the cyber security and surveillance industries to begin this process.”
Citizen Lab reports on the abuse of NSO Group’s spyware
The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender
Bittersweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links
Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware
Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware
Reckless III: Investigation Into Mexican Mass Disappearance Targeted with NSO Spyware
Reckless IV: Lawyers For Murdered Mexican Women’s Families Targeted with NSO Spyware
Reckless V: Director of Mexican Anti-Corruption Group Targeted with NSO Group’s Spyware
Citizen Lab report on the abuse of Sandvine’s PacketLogic devices
Dipanjan (DJ) Deb
Co-Founder and Chief Executive Officer
One Letterman Drive
Building C – Suite 410
San Francisco, CA 94129
Via e-mail: deb [at] franciscopartners.com
One Letterman Drive
Building C – Suite 410
San Francisco, CA 94129
Via e-mail: Kowal [at] franciscopartners.com
May 29, 2018
Dear Mr. Deb and Mr. Kowal,
We are writing to follow up on Francisco Partners’ February 20, 2018 correspondence to Citizen Lab, and the issues raised in Citizen Lab’s March 9, 2018 report titled “BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?” This letter also concerns the firm’s reported interest in a sale of NSO Group to Verint Systems, and Francisco Partners’ investment practices more generally. This open letter will be posted simultaneously on the Citizen Lab website.
1. Use of Sandvine’s PacketLogic Devices in Turkey and Egypt
As you know, we initially contacted Francisco Partners on February 12, 2018. At that time, we alerted you to our research findings regarding the apparent use of Sandvine PacketLogic devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt, which raised significant human rights concerns. Following the release of our report, Francisco Partners indicated that “its portfolio firms ‘operate in accordance with applicable law and strict ethics policies and practices, which include the protection of human rights,’” and that Francisco Partners “has asked Sandvine to investigate the accusations and take appropriate action in line with business ethics policies.”
Over two months have passed since Francisco Partners made those statements, and we are now seeking a status update. Has Sandvine undertaken the aforementioned investigation? If so, has it reported back to Francisco Partners regarding the results? What action has been taken, by both Sandvine and Francisco Partners, to address the human rights impacts of the use of Sandvine products in Turkey and Egypt? Given the significant public interest in these matters, will either Francisco Partners or Sandvine publicly report on the results of any investigation?
2. NSO Group and Verint Systems
Recent news reports indicate that Francisco Partners is now considering a sale of its portfolio company, advanced commercial spyware vendor NSO Group, to Verint Systems. Verint has reportedly offered your firm approximately USD $1 billion in Verint stock and assumed debt in order to acquire NSO Group. If such an acquisition were to take place, Verint Systems would reportedly own NSO Group and operate that entity alongside its existing divisions, while Francisco Partners would become the largest shareholder in Verint.
Francisco Partners is reported to have bought NSO Group for $110 million in 2014. In a mere four years, the valuation of NSO Group has apparently increased to $1 billion, a climb of $890 million — a significant return on investment. At the same time, over the course of those four years, Citizen Lab and other groups have reported on serious incidents of misuse of NSO Group’s spyware. Reported misuses include targeted attacks against human rights activist Ahmed Mansoor, who is currently on trial in the United Arab Emirates after over a year in detention; and the misuse of spyware in Mexico to target lawyers, journalists, public health advocates, international investigators, civil society actors, and even a minor child. While commercial spyware may be sold to governments for the purpose of surveilling criminals and terrorists, it is now well documented that government entities that operate where rule of law and stringent due process are lacking will simultaneously use such tools against political targets, in violation of their internationally-recognized human rights. Such surveillance has substantial and detrimental impacts on innocent people, including chilling effects on their freedom of expression, infringement of privacy and due process rights, and imprisonment.
These parallel trajectories suggest that concern for human rights has thus far had little impact on the market for advanced commercial spyware. Spyware companies have continued to engage in questionable sales and practices, with executive leadership espousing an “I don’t want to know” position on product abuse. Clients have continued to purchase from these companies, despite the costly disclosure of common spyware infrastructure, indicators, and/or exploits that has resulted from reckless, politically-motivated targeting by certain end users. And investors, including your firm, have continued to invest in companies with track records of product misuse in violation of human rights, reaping massive financial returns. Yet just as in other sectors, it is only a matter of time before the law and mounting evidence of harm will begin to catch up with the surveillance industry.
3. Human Rights and Corporate Social Responsibility Considerations in Francisco Partners Investments
Francisco Partners is in a unique position. It has the power to correct these troubling trajectories — to “do well and do good” by establishing robust rights-respecting standards for itself and its investment companies. The acquisition of NSO Group by Verint, which would give Francisco Partners significant leverage over a major international cyber security company, could provide a critical opportunity for development and integration of transformative human rights-focused policies and processes in the surveillance technology market. This framework could build on the UN Guiding Principles on Business and Human Rights, and incorporate real transparency and accountability mechanisms. As a first mover in this market to advance human rights, Francisco Partners could distinguish the offerings of its portfolio companies and potentially help drive their sales, while spurring other companies to improve their own standards. Identifying and mitigating human rights risks may also help Francisco Partners and its portfolio companies avoid the reputational and financial harm that could result from legal or regulatory action in response to surveillance abuses.
We at the Citizen Lab anticipate that if Francisco Partners were to take meaningful, concrete steps in this direction, the firm would receive a positive response and important insight from civil society. Unfortunately, the mere expression of generic sentiments as contained in your February 20 correspondence, with unsubstantiated references to “business ethics” and “social responsibility,” does nothing to address the serious human rights impacts of the products and services of your portfolio companies. Transparent action and adoption of concrete benchmarks for progress are required. We encourage you to open a public dialogue around human rights and the cyber security and surveillance industries to begin this process.
We appreciate your timely response to our questions regarding Sandvine, and we welcome your reactions to the additional issues we have raised.
Ronald Deibert, OOnt
Professor, Political Science Department, University of Toronto
Director, Citizen Lab, Munk School of Global Affairs, University of Toronto