
Response to NSO Group on the Great iPwn Report

January 11, 2021

To Whom It May Concern: 

The Citizen Lab is in receipt of the correspondence from NSO Group dated 23 December 2020 in response to the Citizen Lab’s report titled “The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit” (referred to herein as “The Great iPwn” report). The report describes the suspected use of NSO Group’s Pegasus spyware against 36 journalists with Al Jazeera and a journalist with Al Araby TV.

NSO Group’s request for additional information from the Citizen Lab

In its correspondence dated 23 December 2020, NSO Group writes that the company is treating the Citizen Lab’s The Great iPwn report as a “whistleblower claim” under the company’s internal policies. In connection with this, NSO Group has requested additional information regarding the targets of the spyware campaign. 

The Citizen Lab is a research institute based at the Munk School of Global Affairs & Public Policy at the University of Toronto. Because our research involves human participants, our research is subject to a research ethics protocol that is approved by the University of Toronto’s Research Ethics Board and strictly followed. The research ethics protocol applicable to The Great iPwn report requires that we keep research participants’ personal identifying information confidential. Your request for additional information regarding the spyware campaign detailed in The Great iPwn report should be directed to Al Jazeera and Rania Dridi, who may be able to share further information.

There is no reason to believe NSO Group takes its responsibility to respect human rights seriously and will undertake a thorough and transparent investigation

In NSO Group’s correspondence dated 23 December 2020, the company notes that NSO Group takes “such allegations with utmost seriousness and shall act in accordance with [NSO Group’s] investigative policies to fully review and handle them.” Further, it states that NSO Group “takes seriously its responsibility to respect human rights, and is strongly committed to avoiding causing, contributing to, or being directly linked to negative human rights impacts.” Finally, the letter expresses that NSO Group is “deeply troubled” by the contents of the Citizen Lab’s report and will be immediately reviewing this information and initiating an investigation “if warranted.”  

Despite these lofty statements, there is no reason to believe NSO Group will undertake a thorough or transparent investigation, or that the company takes seriously its responsibility to respect human rights. First, the company’s human rights and whistleblower policies are in and of themselves deficient. Second, NSO Group has yet to seriously engage with the Citizen Lab’s past research describing the human rights harms caused by NSO Group’s technology, further suggesting that the company does not take allegations of human rights abuse seriously. 

Deficiencies in NSO Group’s human rights and whistleblower policies

Significant problems have been raised regarding NSO Group’s internal human rights and whistleblower policies. These deficiencies were recently outlined by former United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Mr. David Kaye, in his amicus brief filed in the ongoing NSO Group v. WhatsApp litigation in the Ninth Circuit. 

Mr. Kaye noted that the company’s internal procedures and policies “evidently are far from effective to prevent abuses.” Mr. Kaye observed that “NSO is well aware of, and is alleged to provide support for, the malicious uses to which its technology is put” and that “[t]here is no indication that NSO (or any similar company) has taken ‘meaningful action,’ such as enacting effective ‘due diligence processes that identify and avoid causing or contributing to adverse human rights impacts through their own activities and that prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships.’” In short, the evidence shows that, “[t]o the contrary, NSO continues selling to—and then providing technical support to—repressive regimes.” 

The deficiencies identified by the former United Nations Special Rapporteur, as well as by leading human rights organizations, further underline that NSO Group’s purported undertaking to conduct an investigation in relation to the findings stated in Citizen Lab’s The Great iPwn report is likely spurious.

NSO Group’s repeated failure to engage with the Citizen Lab’s research findings

Finally, NSO Group’s repeated failure to seriously engage with and address the Citizen Lab’s prior research regarding the deployment of Pegasus spyware further suggests that NSO Group is not committed to a thorough and transparent investigation. Since 2016, the Citizen Lab has published numerous reports regarding the use of Pegasus spyware against human rights defenders, journalists, politicians, and other members of civil society. Despite these findings, NSO Group has failed to substantively engage or respond to the research presented by the Citizen Lab and other organizations. 

Best Regards, 

Professor Ronald J. Deibert, OOnt 

Professor of Political Science, University of Toronto 

Director, the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto