Cyber-Intelligence Firm NSO Group Tries to Boost Reputation
Critics Question Whether Israeli Firm's Moves Will Have an Impact
Israel-based cyber-intelligence firm NSO Group, which has been accused of selling technology that enables governments to spy on citizens, is pledging to adopt human rights guidelines developed by the United Nations.
But one critic of the firm argues that NSO needs to prove that its actions are more than just a "whitewash" to smooth over controversies that have hurt its business.
NSO says it plans to adopt the United Nations Guiding Principles on Business and Human Rights, a framework for ethical business behavior. In addition, the company has published its own human rights guidelines as well as rules to protect whistleblowers who have concerns about NSO's technology and how these products are used by governments and customers.
The company also says it plans to review its sales process as well as how customers use its technology to help ensure that its tools are used only to aid investigations of serious crime and terrorism.
"This new policy publicly affirms our unequivocal respect for human rights and our commitment to mitigate the risk of misuse," says Shalev Hulio, co-founder and CEO of NSO.
History of Controversy
In recent years, NSO has come under criticism for how its products, which include spyware and hacking tools designed for use by law enforcement and the military, have been used by governments against their own citizens.
In November 2018, for instance, Amnesty International requested that the Israeli government revoke the firm's export license after NSO's Pegasus spyware was allegedly used to target some of its members. Israel has not taken any action on that request, the human rights advocacy organization says.
In May, Facebook issued a warning to users of its WhatsApp messaging app after NSO's Pegasus spyware was used to perform remote code execution against targeted phones. According to WhatsApp, the attackers were facilitated by "an advanced cyber actor" (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
In addition, NSO's software has been used to support government efforts against activists in Mexico and the United Arab Emirates, according to Citizen Lab, a research group within the University of Toronto. The group investigates the use of software exploits by governments with questionable human rights records to monitor activists and dissidents (see: Apple Fixes Zero-Day Flaws Used to Target Activist).
Reaction of Critics
NSO’s critics say the company still has a lot of work to do to clean up its reputation.
Siena Anstis, a senior legal adviser with Citizen Lab, took to Twitter to call out several problems that NSO still has, including a lack of disclosure over who buys the company's tools and whether governments that use NSO's service have a history of human rights abuses.
"Citizen Labs and Amnesty [International] research shows spyware is abused and deployed against human rights defenders, civil society and journalists. NSO Group has made no commitment to refusing to sell to states with records of such abuses," Anstis wrote on Twitter.
1/8 Transparency and independent oversight of NSO Group should be the two most critical parts of preventing human rights abuses. Both are absent from NSO’s "human rights policy". — Siena Anstis (@sienaanstis) September 10, 2019
In another response, Danna Ingleton, deputy director of Amnesty International Tech, argues that NSO needs to prove that its latest actions are far more than just a "whitewash" to smooth over controversies that have hurt its business.
"While on the surface it appears a step forward, NSO has a track record of refusing to take responsibility," Ingleton says. "The firm has sold invasive digital surveillance to governments who have used these products to track, intimidate and silence activists, journalists and critics."
NSO did not respond to a request for comment. In past statements, however, the company has claimed that its software is designed for law enforcement use and that it cannot control how governments and other customers use the technology.
Meanwhile, U.S. lawmakers are considering legislation that would require American companies that sell offensive cyber weapons to other nations to notify Congress (see: Bill Would Help Congress Track Offensive 'Cyber Tool' Sales).
That provision was introduced after a Reuters report about the selling of offensive cyber technology to the United Arab Emirates, which then used these capabilities against militants as well as activists and journalists as part of an operation called Project Raven.