18 June 2019

Dear Yana and Stephen Peel,

We write to you in light of recent reporting indicating that you both own a stake in Novalpina Capital LLP. As Yana Peel has recently expressed that she believes criticism of NSO Group is “misinformed,” we thought it appropriate to specifically draw Ms. Peel’s attention to the matters outlined below.

Citizen Lab is concerned about a recent statement issued by you (Novalpina Capital LLP) regarding NSO Group. In this statement, you write that Novalpina Capital LLP intends to unveil a new governance framework at NSO Group within 90 days. You promise that this governance framework “will bring NSO Group in full alignment with UN Guiding Principles on Business and Human Rights.

You have a record of silence regarding abuses

Since you announced your intention to acquire a majority stake in NSO Group in February 2019, Citizen Lab and numerous other human rights organizations have sent multiple letters to Novalpina Capital LLP and NSO Group seeking specific answers regarding a number of concerns, including at least 31 reports of abusive targeting.1 These questions remain largely unanswered, although you have sought to call into question Citizen Lab’s peer reviewed, empirical research upon which most of these cases are based. Your silence regarding the critical issue of abuses using NSO Group’s technology casts doubt on your credibility when you assert that NSO Group will be aligned with the UN Guiding Principles on Business and Human Rights.

You regularly assert confidentiality to avoid addressing specific abuses

You further state that NSO Group would “…aim to disclose all information of relevance and importance unless it is expressly prohibited in law from doing so or it cannot do so for reasons of public safety, national security, risk of employee harm or to protect legitimate commercial confidentiality.” Yet, Novalpina Capital LLP and NSO Group regularly assert such prohibitions on disclosure to avoid providing substantive answers regarding the use of Pegasus spyware to target human rights defenders, civil society activists, journalists, and others.

For example, in your correspondence to Citizen Lab and other human rights groups dated May 15, 2019 and in response to Citizen Lab’s further requests for specific answers to our peer-reviewed reporting on spyware abuses, you offered a highly circumscribed response regarding how NSO Group had addressed allegations of abuse of its technology.

Notably, instead of providing concrete and verifiable details regarding these investigations or addressing in any substance Citizen Lab’s reporting, you wrote that “[t]he underlying information relating to such investigations is highly confidential, with disclosure explicitly prohibited under national security legislation.” You further noted that it was “unlawful to make such information available to any individual without the appropriate security clearances; onward disclosure to civil society groups or the wider public is therefore not possible.”

Your continued failure to disclose essential information and detail how past abuses will be remediated is incompatible with the UN Guiding Principles on Business and Human Rights

Novalpina Capital LLP and NSO Group’s position regarding disclosure, as detailed above and in your recent statement, is inconsistent with the UN Guiding Principles on Human Rights. For example, under Guiding Principle 21, business enterprises should report formally on how risks of severe human rights impacts are being addressed and “[p]rovide information that is sufficient to evaluate the adequacy of an enterprise’s response to the particular human rights impact involved.” Under Guiding Principle 22, where business enterprises identify that they have caused or contributed to adverse human rights impacts, they “should provide for or cooperate in their remediation through legitimate processes.”

Based on what we have read to date, we can only conclude that Novalpina Capital LLP and NSO Group remain intent on preventing access to sufficient information that would allow a meaningful evaluation of the company’s response to the human rights impacts of its business operations. You appear intent on keeping private details of how past abuses and wrongs will be remediated, despite the requirements of the UN Guiding Principles on Business and Human Rights and your own acknowledgment that there have been at least some cases of misuse of NSO Group’s technology.2

Citizen Lab, human rights groups, and spyware victims have all asked NSO Group and Novalpina LLP to answer straightforward questions about indisputable evidence of abuse cases. Your failure to offer a meaningful and substantiated response can only lead us to conclude that your statements about human rights compliance conceal an inability, or unwillingness, to take the problem seriously.


Professor Ronald J. Deibert, OOnt

Professor of Political Science, Munk School of Global Affairs & Public Policy

Director, the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto

1. Specifically, reporting has uncovered at least 25 human rights defenders, journalists, and parliamentarians targeted in Mexico; an Amnesty International employee; Saudi activists Omar Abdulaziz, Yahya Assiri, and Ghanem Al-Masarir; award-winning Emirati human rights campaigner Ahmed Mansoor; and a UK lawyer representing plaintiffs in a case against NSO Group.
2. In your correspondence dated May 15, 2019, you noted that “[i]n a very small number of cases where it could not be substantiated to NSO’s satisfaction that the targeting was conducted with due lawful authority or was otherwise consistent with the ethical requirements stipulated in the end-user licence agreement, the company initiated procedures to prevent the agency involved from deploying NSO technology in the future.”