NSO Group, an Israeli surveillance company whose spyware has been peddled to authoritarian governments around the world, has been sanctioned by the U.S. Commerce Department. The new restrictions, which the agency announced in a press release Wednesday, will limit the degree to which American firms can provide parts or services to NSO — a decision that could seriously hobble the vendor’s business.
NSO is best known for its commercial malware “Pegasus,” a product that can infiltrate smartphones and silently pilfer their contents — from text messages to voice calls to photos. The company also sells a creepy “zero-click” exploit, the likes of which apparently requires no phishing and is said to take advantage of security flaws inherent in iPhones and Android devices to compromise them. In September, it was reported that some 1.65 billion Apple devices had been vulnerable to NSO’s malware for a period of several months.
After an ongoing outcry from human rights activists over the company’s business practices, NSO was added Wednesday to the U.S. Export Administration Regulation (EAR) “Entity List” — an inventory of foreign companies that have been deemed as working “contrary to U.S. national security and/or foreign policy interests” and are therefore subject to certain trade restrictions.
Also added were Israeli spyware firm Candiru, a Singapore cyber firm called Computer Security Initiative Consultancy, and Russia-based Positive Technologies, which is said to have ties to Russia’s intelligence agencies and criminal hacking activities.
The new restrictions mean that U.S.-based companies will need to acquire a special licence from the government if they want to provide services or sell products to these companies. Hypothetically, this could seriously hurt NSO’s business, as Motherboard points out that numerous large American tech companies — including “Amazon, Dell, Cisco, Intel, and Microsoft” — have provided support to the spyware firm in the past but will now face new hurdles if they wish to do so in the future.
The new restrictions do not prevent NSO from selling its products to U.S. police agencies and intelligence services, however, Motherboard reports.
While NSO has perpetually insisted that it only sells its products for the purposes of fighting terrorism and traditional law enforcement, ongoing reports have shown that controversial governments — from Saudi Arabia to the United Arab Emirates to Mexico — have used its malware to monitor and surveil a range of targets, including political dissidents, journalists, human rights attorneys, business leaders, and politicians. In statements made to the press Wednesday, NSO continued to defend itself and said that it hopes to overturn the decision.
“NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed,” the company told the Wall Street Journal in a statement.
“Today’s action is a part of the Biden-Harris administration’s efforts to put human rights at the centre of US foreign policy, including by working to stem the proliferation of digital tools used for repression,” the commerce department said Wednesday in its statement.
The White House seems to finally be on the same page as privacy and civil liberties activists who have lobbied the federal government for years to do something about the alleged abuses carried out by NSO’s clients.
The decision follows on the heels of the “Pegasus Project,” a large, collaborative effort by human rights groups and media outlets to show the extent of NSO’s global reach and odious influence. Launched earlier this year, the project was based around an anonymously-sourced list of some 50,000 phone numbers, the likes of which represent “potential targets” of surveillance by NSO’s spy products. The list has been found to contain not only the mobile numbers of journalists and human rights activists but also world leaders — including presidents and prime ministers, such as French leader Emmanuel Macron.
In Wednesday’s announcement, the Commerce Department accuses NSO and the other blacklisted companies of having “acting contrary to the foreign policy and national security interests of the United States,” declaring that the firms have “enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent.”
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organisations here and abroad,” said U.S. Secretary of Commerce Gina M. Raimondo in a statement.