Headquarters of the NSO Group: The wall of silence did not last long
AMIR COHEN / REUTERS
Worldwide reporting on the Pegasus surveillance software triggered the storm of indignation that could be expected: Heads of state and government from the Chancellor to French President Emmanuel Macron, civil rights activists and the media around the world are outraged by the uncovered use of the surveillance software against their own kind.
The countries that bought and used Pegasus are outraged because they are now being pilloried for it.
But nobody is as outraged as the developers of Pegasus themselves, the NSO Group from Israel.
What the media involved in the project are reporting can be summarized as follows: The customers of the NSO Group, including India, Mexico, Saudi Arabia and Hungary, apparently wanted to use the Pegasus surveillance software to spy on foreign heads of state, opposition members in their own country, investigative journalists and human rights activists .
The starting point of the research is a list, the source of which is not yet publicly known, and which contains 50,000 telephone numbers that are at least potential Pegasus targets.
The media have been able to determine the names of around 1000 numbers.
Amnesty Internation carried out IT forensic examinations of 67 of the corresponding smartphones; the experts said they found traces of a successful or attempted Pegasus infection on 37.
It is "malicious", says NSO.
Not the Pegasus mission, mind you, but the “well orchestrated media campaign”.
This is what it says in an entry that the company published on its website on Wednesday, headed "Enough is enough!"
There it says: "Due to the complete disregard for the facts, NSO hereby announces that it will not answer any further media inquiries on this topic."
NSO considers itself "responsible" and "careful"
The self-imposed blackout did not last 24 hours.
On Thursday, NSO co-founder and CEO Shalev Hulio gave an interview to the magazine Forbes, which is not involved in the Pegasus project, in which he repeated the previous standard reaction of NSO.
It says that the list of 50,000 cell phone numbers has nothing to do with NSO and Pegasus and that the number is simply "crazy" because NSO only has 40 to 45 customers with an average of 100 destinations.
This is initially unproven information, but in order to refute it, the project Pegasus partners would have to reveal the source of the list.
On the other hand, Hulio flatly claimed in the interview that not a single one of the 37 smartphones examined by Amnesty had been infected with Pegasus.
A remarkable statement where his company repeatedly emphasizes that it cannot actively look into the data of its customers and therefore does not know what they are doing with Pegasus. But according to Hulio, it can subsequently request the customer to hand over log files, including the targeted cell phone numbers, if it conducts an investigation for misuse of the technology.
According to NSO, this has already been done earlier and, for example, ended business relationships with a customer in 2020 because the customer had targeted “a protected person”. This is what it says in the company's first "Transparency and Responsibility Report" published at the end of June. NSO also investigated the cases described as part of the Pegasus project, and the 37 numbers mentioned were not in the log files, says Hulio. However, he has made no particular effort to prove this and refute Amnesty.
While NSO could give a more detailed look into Pegasus, but of course does not want to, it is exactly the other way around with the reporting media and the IT forensic experts involved: They want to, but cannot provide more evidence. Only traces of Pegasus can be found on the examined smartphones - but not a piece of the software itself.
For Erste, everything boils down to the question of credibility: Are NSO's logs really as “forgery-proof” as it is in the transparency report, is NSO really “responsible” and “careful” with Pegasus, as the transparency report promises? That would mean that the technical experts from Amnesty and the Canadian Citizen Lab have not just made mistakes now, but have been making a number of errors since 2016 when analyzing software artifacts, networks and servers that they attribute to NSO.
In the event that one of NSO's two lines of defense does collapse, a spokesman drafted a third shortly before the start of the mini press boycott.
It says that the customer should be held responsible for the use of Pegasus, not the developer.
In his words: "If I were a car manufacturer and a drunk ran over someone else in one of my cars, you would not turn to me, but to the driver."
The NSO Group is a company that cannot rule out or prevent the misuse of its most famous product.
Which compares its customers with drunk drivers and their destinations with accident victims.
And with all this there is no doubt about your business model.
Maybe it would be wiser if she didn't say anything for a while.