They say they're fighting crime and terrorism, that they're on a life-saving mission, and that they're helping governments preserve public safety. They say they're in the business of fighting for human rights. Private spyware companies developing surveillance software for governments and law enforcement will spin it any which way to make themselves appear to be the true champions of humanity and the defenders of justice the world needs.
But the Pegasus revelations took a sledgehammer to that facade.
What spyware companies like NSO Group are really doing is fueling a global assault on fundamental human rights, civil liberties, and democracy itself.
When you deploy military-grade surveillance tools to oppressive government regimes with well-known histories of human rights abuses, this is what happens – your tools get weaponized against the very people your company purports to want to protect.
The global spyware industry is a shadowy, largely unregulated space that operates under a shroud of secrecy (to an extent because government agencies are often the industry's primary consumers). It's an industry that, according to Edward Snowden, shouldn't even exist. I tend to agree.
At the very least, something needs to be done to regulate the industry and stop these companies from contributing to government-led human rights abuses because it's become clear that companies like NSO Group are incapable of policing themselves.
How diligent is NSO Group's vetting process, really?
NSO Group claims it does extensive due diligence in thoroughly vetting the government agencies it licenses its software to.
Yet, somehow, government agencies in Azerbaijan – where the internet is heavily censored and where journalists, bloggers, politicians, and activists are routinely imprisoned and allegedly beaten by police for speaking out against the government – managed to pass NSO Group's "thorough" vetting process.
The Saudi Arabian government – which has a long and well-known history of human rights abuses, including against women and children – was given the green light by NSO Group to use its Pegasus spyware.
In the UAE – where scores of dissidents, academics, journalists, activists, and lawyers remain indefinitely imprisoned in squalid, overcrowded, and unhygienic surroundings, while allegedly being subject to torture and lacking adequate medical care – the government was granted a license to use NSO Group's Pegasus spyware as well.
All of this, obviously, calls into question NSO Group's vetting process. It is inconceivable that NSO Group couldn't have foreseen its Pegasus spyware being so flagrantly misused by some of the government agencies to which it sold its most controversial product.
But, even so, oppressive governments that are well-documented abusers of fundamental human rights were granted licenses by NSO Group to use the company's spyware. Somehow, these governments were able to pass NSO Group's "Human Rights Due Diligence Procedure." This procedure is a five-step process vaunted in the company's "Transparency and Responsibility Report" that includes an "initial risk assessment", "due diligence", "risk classification", "review and approval", and "additional mitigation where warranted."
According to the Transparency Report, the procedure includes input from the company's compliance team, general counsel, employees, management committee, as well as the board of directors' Governance, Risk and Compliance Committee.
How could these governments have possibly obtained licenses to use Pegasus?
Now, a rational human being would probably believe that such a seemingly robust and extensive vetting process would successfully filter out corrupt government agencies that are likely to abuse the company's products.
Indeed, NSO Group rather self-righteously boasts that it has rejected over $300 million in opportunities as a result of its due diligence procedure. How honorable, but one has to wonder how government agencies in Azerbaijan, Saudi Arabia, and the UAE slipped through the net. Perhaps it's because NSO Group doesn't actually abide by its own stated ethical principles. Or maybe the company picks and chooses which repressive regimes to do business with as it suits its bottom line.
Either way, the NSO Group's operation smells incredibly fishy. It really doesn't appear that the company truly has human rights interests at the top of its list of priorities.
Let's consider a couple of the statements included within NSO Group's Transparency and Responsibility Report.
According to the report, one of the key aspects of the company's Human Rights Policy includes:
A thorough evaluation throughout our sales process of the potential for adverse human rights impacts arising from the misuse of NSO products, including the past human rights performance and governance standards of the country involved.
The report also lists some of the "most salient human rights risks" associated with NSO Group's products. The first of which is the following:
The potential misuse of our products against people and groups that act to promote or protect human rights in a peaceful manner ("human rights defenders"). These include: (i) journalists; (ii) members of civil society organizations; (iii) lawyers; and (iv) political parties, candidates and supporters.
Based on these two statements, and considering how "thorough" NSO Group's vetting process is purported to be, government agencies in Azerbaijan, Saudi Arabia, and the UAE should have had no business acquiring licenses from NSO Group to use the Pegasus spyware. Anyone with but a cursory understanding of how government agencies in these countries treat their citizenry could see that.
These are some of the most heavy-handed and corrupt governments on the planet when it comes to abusing the human rights of human rights defenders like journalists, lawyers, activists, and politicians. Yet they still made it through the vetting process. The only way that makes sense is if NSO Group doesn't actually practice what it so loftily preaches.
The global spyware industry needs to be regulated rigorously
NSO Group can't even play by its own rules, and it's unlikely other companies like it can, either.
This is exactly why we need this industry regulated.
Regulating the spyware industry is quite the tall order, however, when it's the governments themselves that are using these sophisticated spyware products the most. And it's all too true that when a government gains such extraordinary powers over its citizenry (especially when it comes to surveillance), those powers become extremely difficult to wrest from the clutches of the governments wielding them.
The Pegasus revelations, however, should be a wake-up call, the tipping point where governments around the world finally take meaningful action to reel in the spyware industry from the murky waters in which it resides.
But what, exactly, is it that needs to be done?
First and foremost, as others (including Edward Snowden) have suggested, governments around the world need to put a moratorium on the global spyware trade. Commercial malware companies like NSO Group are making it incredibly simple and affordable for governments to spy on their citizens, and in a much more invasive manner than ever before.
If this continues without abatement, the situation is bound to spiral out of control to the point where everything we do on our phones will be monitored by the government. All the calls we make, all the messages we send, all the pictures we take will be monitored – everything. Our microphones and cameras will be accessed at will by the government without our control or knowledge, and our exact locations tracked. This is our future if the spyware industry is not reined in.
NSO Group is quick to point out that Pegasus is not a mass surveillance tool, that it is designed to be a targeted surveillance tool. But that doesn't matter one bit when anyone of us can be targeted at any moment. The only information the government needs is your phone number – and with what essentially amounts to a push of a button, you're targeted.
We don't need that... we don't need any of that.
Governments need to ban the trade of global spyware until there is actual transparency in the industry and until effective rules are established to regulate it and ensure our human rights are not threatened. Then, and only then, should any sort of moratorium on the industry be lifted.
We need accountability
Of course, appropriate industry regulations must also include mechanisms that hold spyware developers like NSO Group accountable for how their software products are deployed around the world. If such mechanisms had been in place, I'd bet that Azerbaijan, Saudi Arabia, and the UAE never get their hands on Pegasus in the first place.
NSO Group makes it a point to wash its hands of how its clients use Pegasus while trumpeting how ethically it vets potential customers. But, ultimately, it's the spyware companies that are developing the malware being abused by their clients. If they're not properly vetting their clients, then they need to be held accountable for how their products are being abused by the government agencies to which they license them.
Part of that accountability needs to include rights for individual victims of spyware to take legal action against the companies and governments involved in violating their fundamental human rights.
Smartphone manufacturers also need to step up
Finally, it's also going to be up to smartphone manufacturers to step up and build their products in a way that properly protects users against threats like Pegasus. There is no reason whatsoever that any government should be able to obtain full access to everything on an ordinary citizen's smartphone, including encrypted communications.
Nowhere on earth should that be allowed to happen. Yes, these spyware tools are incredibly sophisticated and constantly evolving – we've seen what they're capable of already – but smartphone manufacturers need to stay a step ahead of the spyware industry and ensure the security of their products remains airtight and exploitable vulnerabilities are sufficiently addressed.
We've only just caught a glimpse of what the global spyware industry is capable of. The Pegasus revelations shone a light on the shadowy underworld of the industry and supplied the wake-up call that governments around the world (hopefully) need to finally take action to put a stop to the human rights abuses being perpetrated through the use of tools like Pegasus.
Spyware companies like NSO Group need to be held accountable for their role in stoking the flames and profiting off these abuses. Governments need to be held accountable for their misuse and abuse of these tools.
What's happening is a threat to democracy and a direct assault on our fundamental rights to privacy. If appropriate action isn't taken against this assault, and governments fail to contain the industry and punish any entity that abuses these tools, the situation will get out of control quickly.
We need rules here. We don't want to live in a world where the global spyware industry operates unabated without a leash – I can tell you that right now.