Dear Mr. Peel:

I am in receipt of your letter dated 1 March 2019. I acknowledge that you have stated your willingness to engage in a dialogue regarding NSO Group. However, your correspondence and due diligence process are seriously deficient as they fail to address the specific abuses of NSO Group’s spyware identified by Citizen Lab, as well as other research groups.

I remind you that Citizen Lab reporting provides an empirical basis for the conclusion that NSO Group’s spyware, Pegasus, has been used in an abusive manner and has targeted human rights actors, including journalists, political dissidents, and human rights defenders.

You Fail to Address Citizen Lab’s Empirical Evidence of Abuse

Remarkably, a mere two paragraphs out of your 11-page letter speak to evidence of abuse of NSO Group’s spyware and only to dismiss that evidence (and with it the meticulous, peer-reviewed research that supports it) with general statements about difficulties inherent in attribution.

We explicitly address attribution throughout our extensive reporting on Pegasus and take it into account in our technical methodology and through the consideration of alternative hypotheses. This approach is standard for the dozens of reports we have published on cyber espionage over the last decade. We still conclude with high confidence that we are examining abuses of NSO Group’s spyware. Moreover, other groups, including Amnesty International, have independently identified additional abuses of NSO Spyware and publicly replicated elements of our methodology. Researchers at Lookout Security have done the same.

Your approach indicates a disregard for the many cases of abuse of Pegasus identified in multiple countries over multiple years by multiple parties. You attempt to characterize Citizen Lab’s research as mere supposition or guesswork. However, our reports are peer-reviewed by experts within the cybersecurity industry and we are unaware of any public research disputing any of our findings.

You Contradict Statements Made by NSO Group’s Own CEO

I would like to highlight another element in your letter that raises doubts about your true commitment to honest dialogue. In order to cast doubt on evidence of abuses, you make a baseless statement that there is a disconnect between the number of licenses issued by NSO Group and the number of allegations against the company. This can easily be debunked. In fact, the numbers that we have published are consistent with public statements from Mr. Shalev Hulio, CEO of NSO Group.

In an interview published January 11, 2019, Mr. Hulio said: “In the entire world, there are today no more than 150 active targets.” Citizen Lab’s firsthand reporting has documented 26 cases of what appear to be abusive targeting, where a target received an SMS and the spyware may or may not have been activated (24 in Mexico¹, one in the United Arab Emirates, and one case of a Saudi activist in Montreal), and only one case of abuse where we can conclude with high confidence that the target clicked on the link and the spyware was successfully activated on the target device (i.e., an “active target”) over a period of three years.

Additionally, Amnesty International documented two cases of abusive targeting, reporting from Forbes discovered an additional case of abusive targeting, and reporting from Univision on an espionage scandal in Panama that involved reviewing contracts and other documents found 150 targets between 2012 and 2014.

To our knowledge, this is a complete accounting of all public reports of Pegasus spyware abuse. The total number of targets identified (from 2012 to present) appears to be entirely consistent with the volume of NSO Group’s operations, as described by Mr. Hulio. Additionally, Citizen Lab’s finding from our Internet scanning of at least 36 distinct Pegasus systems is also consistent with Mr. Hulio’s January 2019 statement that “[o]ver the past year, NSO has sold systems to dozens of countries across the world ‘on all continents except Antarctica.’”

We Ask That You Substantiate Your Claims of Due Diligence

I note in your correspondence a concern for human rights and “a commitment to robust transparency” within the commercial surveillance industry. With this in mind, I ask that Novalpina Capital and NSO Group provide Citizen Lab with information on a non-confidential basis so that we can meaningfully evaluate your efforts to address Citizen Lab’s reporting and your due diligence processes, as well as your undertaking to remediate past human rights abuses and prevent future abuses. Specifically, I ask for the following:

  • All materials involving or prepared by the NSO Group investigative teams who are tasked with investigating potential misuse of NSO Group technology as described in your correspondence dated 1 March 2019.
  • The identity of all technical investigators employed by Novalpina Capital in their due diligence review of NSO Group that addressed Citizen Lab reporting on NSO Group’s Pegasus, as well as any materials or documentation generated or relied on by these technical investigators.
  • Any documentation or materials that you possess that identify concerns or errors in Citizen Lab reporting with specific references to the Citizen Lab report in question and the specific finding under review.

Without Novalpina Capital, or the parties that you hired to conduct due diligence, concluding that Citizen Lab reporting is flawed and providing a substantiated basis to prove such a finding, it remains the case that you are purchasing a company implicated in serious human rights abuses and have decided to simply ignore this fact. It also remains the case that, without meaningful engagement with our research, your due diligence process will appear to many as nothing more than a superficial effort to check boxes and appease stakeholders concerned by NSO Group.

In conclusion, to summarily dismiss empirical research without citing any evidence is irresponsible and entirely incompatible with your stated concerns regarding human rights compliance. I look forward to receiving more information from you regarding my above-stated concerns.

Sincerely,

Ronald J. Deibert
Professor of Political Science
Director, Citizen Lab, Munk School of Global Affairs & Public Policy
University of Toronto

1. After posting this letter, our partners R3D brought to our attention that the contract entered into for Pegasus with the Mexican authorities also provided for 500 simultaneous targets.