Today a court hearing in Tel Aviv, Israel, will begin what could be a defining point in the development of corporate spyware, as a judge considers whether to revoke the export license of NSO Group.
A rising name in the cybersecurity space, NSO Group came to the public’s attention in 2019 as the maker of spyware that can be used to view encrypted WhatsApp messages of individual targets.
When news first broke of the spyware, the mainstream news’ focus was largely on the shock that WhatsApp – often somewhat incorrectly regarded as the ultimate in communications security – was possible to hack. But slowly the bigger, more shocking aspect seeped into the public consciousness: that this wasn’t the work of some hacking group, but a corporate entity selling the product to governments.
So the world was introduced to the idea that not all government cybersecurity efforts are defensive, and some will be targeted at their own citizens. Corporate-made spyware has entered the public consciousness, with NSO Group as its poster child.
NSO Group hearing: Amnesty takes aim
To the surprise of no one, the reaction to NSO Group has not been exactly positive. Many have reacted with concern that its spyware, known as Pegasus, is not just being used to thwart terrorists and catch criminals, but also as a tool for repression by governments with less-than-ideal human rights records.
It’s one thing to use such a tool to find people intent on committing harm, but quite another to turn it against activists and journalists.
Amnesty International has been a leading voice in the campaign against the company, and it is the reason NSO Group faces a court hearing today.
“NSO continues to profit from its spyware being used to commit abuses against activists across the world and the Israeli government has stood by and watched it happen,” said Danna Ingleton, deputy director of Amnesty Tech.
This is not the first court case against NSO Group. WhatsApp owner Facebook announced it was suing the company back in October. But Amnesty’s current approach is deeply tactical in its wider mission to stop the company.
“The best way to stop NSO’s powerful spyware products reaching repressive governments is to revoke the company’s export license, and that is exactly what this legal case seeks to do,” said Ingleton.
Today’s hearing will see a judge in Tel Aviv’s District Court hear arguments as to why NSO Group should have its export licence revoked. It follows months of delays as Israel’s Ministry of Defence sought to block the case on national security grounds.
Even now, it may be held behind closed doors, limiting the scrutiny that can be applied to it – something that Amnesty is heavily opposed to.
“It is overwhelmingly in the public interest and for press freedom that this case is heard in open court,” said Ingleton.
“The Ministry of Defence must not be allowed to hide behind a veil of secrecy when it comes to human rights abuses.”
Deciding the future of corporate spyware
Regardless of what happens in the NSO Group hearing, corporate spyware will, of course, continue to exist and develop. But how it is regulated and used could be significantly impacted by the outcome.
In many respects, this industry – which largely operates behind closed doors and without the scrutiny that NSO Group has seen – faces a similar moral quandary to the arms industry. If you make a product with the potential to cause harm, should you be selective to who you sell it to?
In the defence industry, history has ultimately determined that the answer is yes, and there are restrictions on companies in this space. But this doesn’t stop morally questionable deals going through, such as the UK selling weapons to Saudi Arabia, which continued until a legal ruling forced the practice to cease, at least temporarily.
There are no comparable restrictions for corporate-made spyware, although NSO Group does say that it takes “all reasonable steps to prevent and mitigate the risk of misuse” of its products as part of its Human Rights Policy.
If this case ultimately rules in Amnesty’s favour, it is likely that it will move this issue up the global agenda, and ultimately increase the level of regulation on the industry.
NSO Group itself will likely appeal, while other companies will look to fill the gap its departure from the export market creates.
If the case, however, goes in NSO Group’s favour, particularly if it is heard behind closed doors, it will likely sink from public consciousness again, giving greater license to companies making spyware and other offensive cybersecurity tools to further develop their capabilities.
Amnesty and others will, of course, continue to fight, and regardless of the outcome, this will certainly not be the last we hear of this issue.