“It’s crazy to think that NSO wouldn’t share sensitive national security information with the government of Israel,” said one former senior U.S. national security official who has worked closely with the Israeli security services and, like others, spoke on the condition of anonymity to candidly describe intelligence operations. “That doesn’t mean they’re a front for the Israeli security agencies, but governments around the world assume that NSO is working with Israel.”
Though NSO is a private company, U.S. officials have long suspected that some information it collects is also viewed by the Israeli government, said a current U.S. official familiar with the matter.
U.S. intelligence agencies don’t use NSO’s products, current and former U.S. officials said.
The information NSO products can mine is the same, though, that the world’s intelligence agencies gather from their targets.
The company’s Pegasus surveillance tool can penetrate cellphones and steal emails, call records, social media posts, user passwords, contact information, pictures, videos, sound recordings and browsing histories. All of this can happen without a user even touching her phone or knowing that she has received a mysterious message from an unfamiliar person.
The Israeli Defense Ministry reviews and must approve the license of NSO’s products to foreign governments. The founders of NSO are former members of Israel’s elite Unit 8200, which conducts electronic surveillance and is analogous to the U.S. National Security Agency.
A spokesperson for Israel’s Ministry of Defense said that “Israel does not have access to the information gathered by NSO’s clients.” The company also denies that there is any Israeli government access.
The laws governing surveillance of journalists and civil rights activists are far stricter in the United States and many European countries than in the Middle Eastern nations where NSO has licensed its products and generated considerable controversy. The company has publicly acknowledged that in some instances, its clients have used NSO tools to monitor individuals who fall outside the scope of what the company has deemed appropriate use — legal surveillance of criminals, including terrorists.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to a list of more than 50,000 phone numbers concentrated in countries known to surveil their citizens and also known to have been clients of NSO Group. The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.
The two nonprofits shared the information with The Washington Post and 15 other news organizations worldwide that have worked collaboratively to conduct further analysis and reporting over several months. Forbidden Stories oversaw the investigation, called the Pegasus Project, and Amnesty International provided forensic analysis but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked.
The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers, as well as several heads of state and prime ministers. The purpose of the list could not be conclusively determined. An attorney representing NSO told The Post in a letter that NSO had “good reason” to believe the list consisted of publicly accessible “look-up” services unrelated to NSO clients.
A senior European intelligence official said that since 2019, his country had confirmed that about 1,400 people in 20 countries had been spied on using NSO software.
“In some countries it was also used to target journalists, human rights activists, politicians and businesspeople,” the official said.
The official acknowledged that NSO tools can “be crucial in the fight against organized crime and terrorism,” but he said that incidents of foreign governments using the software, particularly NSO’s Pegasus tool, to monitor journalists and human rights activists had sullied the company’s reputation in his country.
“It is difficult for us to justify the need for such tools if the news about the abuse of using software like Pegasus, for targeting civil society and journalists, is increasing,” the official said. “Israelis also know it’s not the best [public relations] for their own democracy when such a software is used by repressive circles in some countries.”
The license of NSO’s products is regulated by government authorities in three countries from which it exports: Bulgaria, Cyprus and Israel, where NSO has its headquarters. In Israel, the Defense Ministry, which runs the Defense Export Controls Agency, can restrict the licensing of the company’s surveillance tools and conducts its own review of the human rights records of countries that NSO wants to turn into customers, according to Israeli government records as well as interviews with people knowledgeable of the process. In that respect, NSO’s surveillance technology is regulated like a weapon under Israeli law.
NSO executives have said they only license their products to countries that use them for lawful surveillance purposes, such as monitoring suspected terrorists, drug dealers and other criminals.
The company says it reviews potential customers according to its human rights policy, which it wrote to align with United Nations guidance to businesses on how to protect human rights.
“We license our product only to vetted and legitimate government agencies for the sole and exclusive use in preventing and investigating serious crime, including terrorism,” the company’s policy states.
In response to questions from The Post about officials’ belief that NSO shares information with Israel, the company said in a written statement: “We vehemently deny the suggestions that the Israeli Government monitors the use of our customers’ systems, which is the type of conspiracy theory that our critics peddle. Such claims are part of the salacious narrative about NSO Group that has been strategically concocted by several closely aligned special interest groups, among them your ‘anonymous officials’ who say they ‘assume’ something is taking place.”
In an interview following publication of some of the Pegasus Project’s findings, NSO’s co-founder and CEO, Shalev Hulio, disputed that the more than 50,000 phone records were connected to the company or its products.
Hulio said he was “very concerned” about what he read in the news articles produced by the Pegasus Project. “Every allegation about misuse of the system is concerning me. It violates the trust that we’re giving the customer. … We are investigating everything.” Hulio added that NSO has terminated contracts with two of its customers in the last 12 months because of concerns about human rights abuses.
The spokesperson for Israel’s Ministry of Defense said the country regulates the exports of products like NSO’s in accordance with Israeli law. “Policy decisions take into account national security and strategic considerations, which include adherence to international arrangements. As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counter terrorism.”
The spokesperson added, “In cases where exported items are used in violation of export licenses or end use certificates, appropriate measures are taken. Israel does not have access to the information gathered by NSO’s clients."
In NSO’s first-ever Transparency and Responsibility Report, published in late June, the company said it had refused to do business with certain countries that “have inadequate country-level protections in place to confidently prevent product misuse, or where the rule of law creates an unduly high risk of misuse.”
Without identifying the countries it has turned down, NSO said that from May 2020 through April 2021, it rejected about 15 percent of potential new opportunities to license its Pegasus surveillance tool over “human rights concerns that could not be resolved.” To date, NSO has turned down more than $300 million in sales opportunities as a result of its internal review processes, the company said, which are separate from the Israeli government’s review.
But once a country has gotten a license for or obtained NSO’s products, the onus is largely on that government to ensure the software is used in accordance with the country’s own laws governing surveillance, which vary widely.
“The issue is there’s always this fine line between what are responsible uses of the tools they produce and who are responsible users of those tools,” said Michael Daniel, who served as President Barack Obama’s cybersecurity coordinator on the National Security Council and is now the president and CEO of Cyber Threat Alliance, a nonprofit group founded by security companies to improve information-sharing about threats to computer networks.
Current and former U.S. officials said that since Israel reviews and grants export permission for NSO’s products, the Israeli government knows who NSO’s clients are. The relationship between NSO, as well as other Israeli technology firms, and the country’s military and security services is much tighter and arguably more symbiotic than parallel private sector-government connections in the United States, current and former officials said.
A former member of Israel’s security services said young Israelis who perform their compulsory military service in the intelligence branches see their training the way Americans view college. The government is developing their technological skills with the expectation that they will go to work in the private sector or start companies — but there is also an understanding they will maintain close relationships with the military and the security services, the former official said.
NSO’s relationship to the government of Israel doesn’t make it inherently less trustworthy, analysts said.
“I think it really depends on the person’s perspective,” said Daniel. “I think some do view that relationship with suspicion. Others see it as a mark of competence and that they know what they’re talking about.”
Daniel noted that Israeli technology companies are widely regarded among experts as making some of the best computer security products in the world.
Ultimately, he said, it’s up to governments to decide whether companies should provide the kinds of tools historically available only to countries’ spies.
“There needs to be further international work on what we consider legitimate business models in this area. Where do we want to put the line?”
John Hudson and Craig Timberg contributed to this report.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read more about this project.