Response from NSO and governments

What the Israeli technology firm and governments have said in response to the Pegasus project

NSO’s response to the Pegasus project

The following is an edited summary of statements issued by NSO Group and their lawyers, Clare Locke, to the Guardian and other media organisations.

NSO Group firmly denies false claims made in your report, many of which are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.

NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products.

The alleged amount of “leaked data of more than 50,000 phone numbers” cannot be a list of numbers targeted by governments using Pegasus, based on this exaggerated number. The fact that a number appears on that list is in no way indicative of whether that number was selected for surveillance using Pegasus. NSO is not related to the list [of numbers], it is not an NSO list, and it never was. It is not a list of targets or potential targets of NSO’s customers. Forbidden Stories never shared the leaked list with NSO Group to allow it to verify or comment on the list.

Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide. It is also beyond dispute that the data has many legitimate and entirely proper uses having nothing to do with surveillance or with NSO, so there can be no factual basis to suggest that a use of the data somehow equates to surveillance.

NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets yet [its customers] are obligated to provide us with such information under investigations. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems.

As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi. We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in your inquiry. We previously investigated this claim, which again, is being made without validation.

Forbidden Stories repeatedly imputes human rights abuses – including alleged murder and torture – to NSO Group based on alleged conduct by NSO Group’s clients and unsupported logical leaps.

Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client, or data collected by NSO Group software, were in any way connected to the journalist’s murder the following month. Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.

We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with US numbers. It is technologically impossible, and reaffirms the fact that your sources’ claims have no merit.

NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customers’ system, something NSO has proven its ability and willingness to do, due to confirmed misuse, has done multiple times in the past, and will not hesitate to do again if a situation warrants. This process is documented in NSO Group’s “Transparency and Responsibility Report”, which was released last month.

The fact is NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings. The technologies are also being used every day to break up paedophilia, sex- and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.

Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.

Government responses to inquiries from the Pegasus project

Rwanda

Rwanda does not use this software system, as previously confirmed in November 2019, and does not possess this technical capability in any form. These false accusations are part of an ongoing campaign to cause tensions between Rwanda and other countries, and to sow disinformation about Rwanda domestically and internationally. This is libel, and enough is enough.

The questions related to ongoing terrorism trial of Paul Rusesabagina and his 20 co-accused have been extensively addressed by the court. For any future inquires related to cybersecurity, please contact the National Cyber Security Authority (NCSA).

Hungary

We are not aware of any alleged data collection claimed by the request.

Hungary is a democratic state governed by the rule of law, and as such, when it comes to any individual it has always acted and continues to act in accordance with the law in force. In Hungary, state bodies authorised to use covert instruments are regularly monitored by governmental and non-governmental institutions.

Have you asked the same questions of the governments of the United States of America, the United Kingdom, Germany or France? In the case you have, how long did it take for them to reply and how did they respond? Was there any intelligence service to help you formulate the questions?

Morocco

Moroccan authorities do not understand the context of the request by the international journalist consortium Forbidden Stories asking for answers and clarifications from the Moroccan government about the digital surveillance tools of the NSO Group.

We remind you that the unfounded allegations already published by Amnesty International and relayed by Forbidden Stories have already been the subject of an official response by the Moroccan authorities, who categorically denied such allegations.

The Moroccan authorities have, since 22 June 2020, been awaiting material evidence from Amnesty International, which has been incapable of proving any relationship whatsoever between Morocco and the aforementioned Israeli company.

India

India is a robust democracy that is committed to ensuring the right to privacy to all its citizens as a fundamental right. In furtherance of this commitment, it has also introduced the personal data protection bill 2019 and the information technology (intermediary guidelines and digital media ethics code) rules 2021, to protect the personal data of individuals and to empower users of social media platforms.

The commitment to free speech as a fundamental right is the cornerstone of India’s democratic system. We have always strived to attain an informed citizenry with an emphasis on a culture of open dialogue.

However, the questionnaire sent to the government of India indicates that the story being crafted is one that is not only bereft of facts but also founded in pre-conceived conclusions. It seems you are trying to play the role of an investigator, prosecutor as well as jury.

Considering the fact that answers to the queries posed have already been in public domain for a long time, it also indicates poorly conducted research and lack of due diligence by the esteemed media organisations involved.

Government of India’s response to a right to information application about the use of Pegasus has been prominently reported by media and is in itself sufficient to counter any malicious claims about the alleged association between the government of India and Pegasus.

India’s minister of electronics and IT has also spoken in detail, including in the parliament, that there has been no unauthorised interception by government agencies. It is important to note that government agencies have a well-established protocol for interception, which includes sanction and supervision from highly ranked officials in central and state governments, for clear stated reasons only in national interest.

The allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever. In the past, similar claims were made regarding the use of Pegasus on WhatsApp by Indian state. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian supreme court.

This news report, thus, also appears to be a similar fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.

In India there is a well established procedure through which lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the centre and states. The requests for these lawful interception of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act, 1885 and section 69 of the Information Technology (Amendment) Act, 2000.

Each case of interception, monitoring, and decryption is approved by the competent authority ie the union home secretary. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

There is an established oversight mechanism in the form of a review committee headed by the union cabinet secretary. In case of state governments, such cases are reviewed by a committee headed by the chief secretary concerned.

The procedure therefore ensures that any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.

The governments of the United Arab Emirates, Dubai, Saudi Arabia, Azerbaijan, Bahrain, Kazakhstan and Mexico did not respond to requests for comment.

  • This article was updated to reflect further comment from NSO Group, received after publication.

The GuardianTramp

Related Content

Article image
Pegasus: NSO clients spying disclosures prompt political rows across world
Concerns that phone-hacking software may have been used to spy on political opponents spark fury

Nina Lakhani, Michael Safi, Dan Sabbagh, Shaun Walker, Stephanie Kirchgaessner and Hannah Ellis-Petersen

20, Jul, 2021 @9:31 AM

Article image
How does Apple technology hold up against NSO spyware?
The iPhone maker says it is keeping pace with malware, but the Pegasus project paints a worrying picture

Stephanie Kirchgaessner and Alex Hern

19, Jul, 2021 @11:00 AM

Article image
Fifty people linked to Mexico’s president among potential targets of NSO clients
Numbers of 15,000 Mexicans including politicians, journalists, judges, activists and teachers appear in leak

Nina Lakhani in Mexico City

19, Jul, 2021 @4:00 PM

Article image
Israel to examine whether spyware export rules should be tightened
Commission to review claims NSO’s Pegasus was misused by customers to target journalists and activists

Peter Beaumont and Philip Oltermann

22, Jul, 2021 @3:45 PM

Article image
Dalai Lama’s inner circle listed in Pegasus project data
Indian government, which hosts the Tibetan leader, suspected of being NSO client that selected numbers

Michael Safi

22, Jul, 2021 @11:00 AM

Article image
Modi accused of treason by opposition over India spyware disclosures
Indian prime minister under fire after phone numbers of political rivals appear in data leak

Hannah Ellis-Petersen in Delhi and Michael Safi

19, Jul, 2021 @5:33 PM

Article image
Hotel Rwanda activist’s daughter placed under Pegasus surveillance
US-Belgian citizen Carine Kanimba has been leading effort to free her father after forced return to Kigali

Stephanie Kirchgaessner

19, Jul, 2021 @4:00 PM

Article image
Huge data leak shatters lie that the innocent need not fear surveillance
Our investigation shows how repressive regimes can buy and use the kind of spying tools Edward Snowden warned us about

Paul Lewis Head of investigations

18, Jul, 2021 @6:53 PM

Article image
Revealed: murdered journalist’s number selected by Mexican NSO client
On 2 March 2017, Cecilio Pineda Birto made a broadcast about alleged corruption. Hours later he was dead

Nina Lakhani in Ciudad Altamirano

18, Jul, 2021 @4:28 PM

Article image
Key Modi rival Rahul Gandhi among potential Indian targets of NSO client
Leak suggests Indian opposition leader among hundreds selected for possible surveillance by Modi government

Michael Safi

19, Jul, 2021 @11:00 AM