Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback

NSO Group, creator of the infamous Pegasus spyware, is spending millions on lobbying in Washington while taking advantage of the Israel-Hamas war to paint itself as essential for global security.

On New Year’s Eve, NSO Group—the Israel-based company behind the Pegasus spyware, one of the world’s most sophisticated cyberweapons—quietly released a new transparency report.

The 27-page document is carefully worded—even apologetic—and is intended to demonstrate resilience, progress, and responsibility to further strengthen the company’s human rights compliance program. It claims the company has “opened 19 investigations into allegations of potential product misuse,” which resulted in the “suspension or termination” of six customer accounts. The document even has a dedicated section on journalists, a significant group among as many as 50,000 people worldwide who’ve been targeted by Pegasus, a list that also includes activists, heads of state, and other public figures in more than 50 countries.

NSO Group’s new transparency report—its first in more than two years—arrives amid an apparent push by the spyware vendor to revamp its tarnished image and reverse US regulations that have damaged its business. To achieve its goal, the cyber-intelligence firm is conducting a multimillion-dollar lobbying campaign that attempts to position the company’s spyware as essential for global security.

While an NSO spokesperson tells WIRED that the report “underscores the company’s ongoing commitment to human rights and adherence to ethical standards, while enabling its clients to keep the public safe,” those who have investigated the company’s practices express skepticism about its claims.

“It’s not a transparency report in any meaningful way,” says David Kaye, a University of California, Irvine law professor who has scrutinized the company’s policies as the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression. “It mainly repackages preexisting defenses and statements that NSO Group has put forward to promote its work and brand itself within the commercial spyware sector.”

NSO Group has only published one other transparency report, in June 2021, which civil society largely regarded as a missed opportunity to provide meaningful information about the alarming human rights impacts of its products. The latest transparency report arrives after several bumpy years for the company. In the aftermath of the 2021 Pegasus revelations, the United States government placed the spyware vendor on an Entity List in November 2021, meaning it cannot receive American investment without specific government approval. Subsequently, the company reportedly went into financial freefall, narrowly avoiding defaulting on $500 million in debt. According to Bloomberg, NSO management considered selling the business.

In August 2022, then CEO Shalev Hulio stepped down, naming COO Yaron Shohat as a successor while laying off 100 employees. Following a forced restructuring by its lenders, cofounder Omri Lavie emerged—via the Luxembourg-based Dufresne Holdings—as NSO’s new owner in May 2023. Amid this upheaval, US president Joe Biden issued an executive order, in March 2023, that prohibits federal departments and agencies from using commercial spyware. In June 2023, the White House issued a warning to US firms interested in acquiring NSO assets on the grounds that doing so could pose a counterintelligence threat to the US government.

Then Hamas attacked Israel. Since then, NSO has been in a position to tangibly demonstrate the value of tools like Pegasus in conflict situations. According to press reports, the cyber-intelligence firm has volunteered—along with Candiru, an NSO competitor that’s also blacklisted by the US—to help Israel’s security services track people kidnapped by Hamas.

“People from the government—both in Israel and outside of Israel—now understand much better why they are needed,” an insider with direct overview of NSO’s operations reportedly told Axios in November.

By seizing that opportunity, NSO appears to be trying to rebrand itself as being on the side of the “good guys,” make inroads with the Biden administration, and ultimately reverse the ban on its products. To succeed in its image-rehabilitation efforts, the spyware vendor has enlisted multiple public affairs consultancies and law firms, including government relations firm Chartwell Strategy Group and law firms Paul Hastings LLP, Steptoe, and Pillsbury Winthrop Shaw Pittman, according to lobbying disclosure documents. In the past three years, NSO had also enlisted the services of Bluelight Strategies and Cherie Blair’s Omnia Strategy in the UK.

“NSO Group engaged multiple firms, which is not uncommon but can be a reflection of the complexity of its influence efforts,” says Anna Massoglia, a researcher at the nonprofit OpenSecrets, which tracks US political spending. According to an OpenSecrets analysis of Lobbying Disclosure Act and Foreign Agents Registration Act filings, NSO has spent a total of $3.1 million in lobbying Washington since 2020. Of that, at least $897,000 was spent in 2023 alone, with payments for the final months of the year still being reported.

The lobbying efforts have primarily focussed on pro-Israel Republicans—but not exclusively. “Foreign agents working for NSO Group have also recently reported contacting officials at the Executive Office of the President and Congress as part of these efforts,” says Massoglia.

On November 7, Paul Hastings LLP sent a letter on behalf of NSO to request an urgent meeting with US secretary of state Antony Blinken and other State Department officials, emphasizing that “the ongoing security situation in Israel and the Middle East—and worldwide—once again highlight the necessity and urgency of employing cyber intelligence technology.”

So far, NSO’s efforts to fall back into Washington’s good graces appear to have had little effect. “Despite their pressure, these campaigns have only had varying influence,” says Steven Feldstein, a senior fellow at the Carnegie Endowment for International Peace. “The harms from spyware are well known, and there are only so many ways companies can spin the benefits of software that is inherently intrusive and rights-violating.”

According to a senior Biden administration official who spoke to Politico in November, any changes to the US government’s sanction policy on NSO Group are unlikely. “Without a change to this rule, NSO’s future [US] market potential is very, very constrained,” says Feldstein. Still, NSO needs to invest in lobbying, public relations, and transparency exercises to carry on doing business globally.

“NSO’s business model depends on chasing new customers and proliferating spyware for profit. That’s the growth model, and it will inevitably put spyware in the hands of abusers. And they show no signs of abandoning it,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has been instrumental in exposing NSO Group’s products. “By the way, the last time NSO published a transparency report, it was followed by years of abuse scandals.”

While in the US, the Entity List “has sent shivers to larger spyware companies regarding potential consequences for bad behavior,” Feldstein says that there are ways to get around it, such as by working exports through Europe and other countries with more lax export control rules. For example, Cyprus is the only member of the EU that does not participate in the Wassenaar Arrangement, a multilateral export control regime signed by 42 countries that aims to control the sale of arms and technologies including spyware.

Weak legislation at the EU level also allows spyware to spread. The European Media Freedom Act (EMFA), which passed a preliminary vote in December, clearly states that EU member states may deploy spyware under certain conditions. Digital rights defenders have stressed that the retention of the national security exemption in the provisional agreement text enables EU governments to potentially deploy spyware against journalists outside the protective framework of EU law.

“EMFA is not perfect, but it at least tries to limit the deployment of such tools,” EU lawmaker Hannah Neumann tells WIRED. She adds that many members of the European Parliament’s inquiry committee on spyware, of which she was also part, “were frustrated” that the European Commission has not put forward a legislative proposal on how to fix loopholes.

Worth an estimated $12 billion as of 2022, the global spyware industry is likely to continue to do everything it can to stay in business. “As pressure has grown to curtail spyware companies, this has caused them to push even harder to maintain their markets,” says Carnegie’s Feldstein.

Even if high-profile firms like NSO Group were put out of business—admittedly an unlikely outcome—this would still not shut down the spyware market. Feldstein believes that this would instead hasten decentralization and increase opportunities for boutique firms to fill in the gap. “As long as the demand and money are there,” he says, “firms will seek these contracts.”