Israeli spyware firm NSO Group has ratcheted up its lobbying efforts to U.S. officials in recent weeks, seeking to capitalize on the current crisis in the Middle East. On Nov. 7, NSO sent a letter to the U.S. State Department requesting an urgent meeting with Secretary of State Antony Blinken, emphasizing “the importance of NSO’s technology” in the “ongoing fight against terrorists.” The letter touted the value of NSO’s Pegasus software, a notorious program that foreign governments have used to spy on U.S. diplomats, target journalists, and endanger human rights activists. NSO’s letter reflects the firm’s ongoing efforts to curry favor and evade accountability in the United States. Given NSO’s role in human rights abuses around the world, those efforts must fail.
In particular, NSO’s letter advances the company’s push for removal from the U.S. Department of Commerce’s “Entity List,” a blacklist that restricts the transfer of certain kinds of technology and information between the United States and foreign entities involved in “activities contrary to U.S. national security and/or foreign policy interests.” The Biden administration added NSO to the Entity List in 2021, citing a desire to “stop the proliferation and misuse of digital tools used for repression.” The designation has reportedly posed a serious financial threat to NSO, which underwent restructuring earlier this year. To obtain a reversal of the designation, the company enlisted a number of lobbyists and white shoe law firms to court Congressional representatives and administration officials, spending $1.5 million on lobbying in 2022 alone.
These lobbying efforts appear to have fallen flat with the Biden administration. In May, the White House issued an executive order prohibiting federal agencies from using spyware that has been linked to human rights abuses, which includes NSO’s products. When asked about NSO’s recent letter, one senior U.S. official told Politico that the administration “is not contemplating any changes” to NSO’s blacklist status – not least because “revelations of misuse” of NSO’s spyware have “continued unabated” since the executive order. Just last September, researchers reported Pegasus infections on the phone of an employee of a Washington, D.C.–based civil society organization and on the phone of journalist Galina Timchenko, head of the independent Russian news outlet Meduza.
These recent revelations follow years of reports linking Pegasus to spyware attacks “maliciously target[ing] government officials, journalists, businesspeople, activists, academics, and embassy workers.” Pegasus enables its operators to obtain near-total control of a smartphone, including access to contact lists, text messages, search histories, and GPS locations. The spyware can even turn on a smartphone’s microphone and camera, all without detection.
In the hands of repressive governments, Pegasus has dangerous implications for lawful dissent, freedom of the press, and democracy. Indeed, researchers and journalists have documented uses of the spyware against Thai activists, French cabinet ministers, and family members of Jamal Khashoggi, a journalist assassinated in the Saudi Arabian consulate in Istanbul, Turkey, among hundreds of other victims.
To hold NSO and its clients to account for these abuses, spyware victims have filed lawsuits around the world – including in the United States. The Knight First Amendment Institute, a nonprofit organization based at Columbia University where we work, represents journalists and other members of the Salvadoran news outlet El Faro in one such suit. Between June 2020 and November 2021, at least twenty-two people associated with El Faro were targeted with repeated Pegasus attacks, which intensified around the publication of major stories exposing criminal activity and human rights abuses by the Salvadoran government. The case, Dada v. NSO Group, seeks to hold NSO accountable for its role in those spyware attacks and to force it to disclose the client who ordered them. Apple and WhatsApp have also sued NSO in federal court, alleging that the firm deployed Pegasus through their U.S.-based infrastructure, thereby injuring their users and their businesses.
While NSO seeks to rehabilitate its image in the U.S. government, it scrambles to avoid accountability in U.S. courts. In Dada and the other cases brought against NSO in the United States, the firm has moved for dismissal on a number of grounds. Indeed, NSO goes so far as to argue that the very fact of its placement on the Entity List makes the United States an inconvenient forum for litigation. One court has rightly rejected that argument.
The cases brought against NSO and similar spyware companies represent a crucial step toward protecting the press and the public from the urgent threat of surveillance technology. But, despite preliminary victories, the outcome of these cases is still uncertain. In the meantime, governments continue to use NSO’s spyware to malicious and dangerous ends. It is therefore crucial that NSO remain on the Entity List, as the designation is among the few sanctions on the spyware company for its role in repressing free speech and other human rights around the world.