Controversial Israel-based spyware company, NSO Group, has introduced a new human rights policy to complement its business practices — an unparalleled measure for the global spyware industry.
While NSO Group says the policy “embeds relevant human rights protections throughout [its] business and governance systems,” critics, including Amnesty International and U of T’s The Citizen Lab at the Munk School, have argued otherwise.
NSO Group’s track record
NSO Group is a cyber-intelligence company that sells technologies for monitoring communications of various targets. Earlier this year, it was partially acquired by Novalpina Capital LLP, a private equity fund based out of the United Kingdom.
According to its website, NSO maintains that it sells its technology to governments because “terrorists, drug traffickers, pedophiles, and other criminals have access to advanced technology and are harder to monitor, track, and capture than ever before.”
However, the company has also faced backlash for its practices. Research conducted at U of T’s Citizen Lab — an interdisciplinary research organization exploring digital surveillance, censorship, and cyberattacks — has discovered that NSO Group’s spyware, Pegasus, was used to target activists, journalists, and members of civil society in countries such as Mexico, Saudi Arabia, and the United Arab Emirates.
Most recently, in May, reports surfaced that NSO software was used to allegedly spy on a lawyer through a vulnerability in WhatsApp. The lawyer — who remains anonymous due to fears for their safety — was involved in a civil lawsuit against NSO.
In June, David Kaye, the United Nations’ Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, called for a freeze on selling and using spyware until “human rights-compliant regulatory frameworks are in place.”
In his announcement, Kaye said, “The private surveillance industry is a free-for-all.”
Following Kaye’s call, researchers at Citizen Lab released a statement about the harmful consequences of the commercial spyware industry.
“In light of the concerns raised by the Special Rapporteur reports, companies like Novalpina Capital LLP… must take responsibility for the harms caused by the surveillance technology manufactured and sold by NSO Group,” wrote the researchers.
“Such a step would mean respecting international human rights treaties and, as a starting point, complying with the moratorium demanded by the Special Rapporteurs.”
A new policy
NSO Group’s new policy, announced on September 10, is intended to align the company’s practices with the United Nations Guiding Principles on Business and Human Rights. The aim is to help the company identify possible risks for human rights abuses and work to prevent misuse of its products.
When the company announced the new policy, co-founder and CEO of NSO Group Shalev Hulio said that the policy “publicly affirms our unequivocal respect for human rights and our commitment to mitigate the risk of misuse.”
“With this new Human Rights Policy and governance framework, we are proud to further enhance our compliance system to such a degree that we will become the first company in the cyber industry to be aligned with the Guiding Principles,” he added.
Alongside the human rights policy, NSO also announced a new External Whistleblower Policy and three new senior advisors.
The advisors — United States Governor Tom Ridge, former French Ambassador to the United States Gèrard Araud, and former Assistant Secretary at the United States’ Department of Homeland Security Juliette Kayyem — are set to support the company in its partnerships with governments.
The response
In the wake of the policy announcement, advocates and researchers have grappled with the question: can spyware and human rights work in tandem?
In an email to The Varsity, Citizen Lab Senior Legal Advisor Siena Anstis wrote that the policy “does not inspire confidence.”
“It’s easy to put words to paper, but we still have no real information on how the company will be transparent regarding its business practices or what types of oversight and accountability structures are in place to ensure real implementation of the ‘human rights policy,’” Anstis wrote.
“Without transparency or accountability, the policy is meaningless.”
When asked if NSO’s human rights policy would spark similar policies in the industry, Anstis wrote that “it’s hard to predict whether other companies in this industry are going to follow suit.”
However, she noted that “it certainly wouldn’t be challenging for other spyware companies to engage in the same level of tokenism.”
In a public proclamation, Deputy Director of Amnesty Technology Danna Ingleton also criticized NSO Group in response to the policy.
“The company needs to demonstrate [that this reformed policy] is more than an attempt to whitewash its tarnished reputation,” she said. “It doesn’t get to pick and choose when it should respect human rights — all companies have this responsibility anyway.”
Ingleton called for more government regulation for the spyware industry.
“Governments also need to act,” she said. “There needs to be tougher legal requirements on respecting human rights for the spyware industry, which time and time again has trampled on the rights to privacy, freedom of opinion and expression.”
Anstis further advocated for tightened regulation in the spyware industry.
“In addition to pushing for reform,” she said, “the public should be calling for more transparency on when and how their governments deploy this technology and the safeguards in place to ensure it is not abused.”
Disclosure: Kaitlyn Simpson previously served as Volume 139 Managing Online Editor of The Varsity, and currently serves on the Board of Directors of Varsity Publications Inc.