The origin of the Israeli NSO Group, which is behind the WhatsApp snooping incident in India, is rather mundane. Two high school friends, Shalev Hulio and Omri Lavie, from northern Israel started a company in 2008 to allow cellphone firms to gain remote access for maintenance.
By 2011, the pair saw more lucrative opportunity elsewhere. Using the same technology, they launched the early version of Pegasus – for mobile surveillance.
Now, the NSO Group represents a growing trend of new-age defence contractors – internet mercenaries, as The New York Times called them. From The Washington Post columnist Jamal Khashoggi’s murder to surveillance of rights activists, from Saudi Arabia to India’s Bhima-Koregaon, Pegasus is flying across the world.
Through Pegasus – the name of a winged horse in Greek mythology – government agencies can collect data from smartphones without a trace. That includes phone calls, GPS location, contacts, passwords, calendar entries and any data transmitted over apps like WhatsApp and Skype. For an intelligence officer, that is the equivalent of a kid in a candy store.
By 2013, the NSO Group got its first client – the Mexican government. To crack down on the drug cartels, Mexican agencies paid the company about $77 million.
As The New York Times reported, the NSO Group is selling its software to governments on every continent except Antarctica. While NSO offers several services, Pegasus is the duck that lays golden eggs.
WhatsApp Tuesday filed a lawsuit against NSO Group, whose spyware Pegasus was used to target around 1,400 users globally during a two-week period in May. That included several Indian journalists and human rights activists.
Facebook is no champion of privacy. The lawsuits are part of a larger strategy – one that allows Facebook to divert attention and improve its image. Facebook would like to retain monopoly over surveillance. And one can’t rule out a larger geopolitical calculus at play.
Surveillance is as ancient as humanity itself, it existed in ancient Rome as it did it during Hitler’s rule. However, these recent events shed light on how easy it has become in the digital age and how lucrative it is for the authorities.
While Android phones are the easiest to exploit for data, the NSO Group has a near-global monopoly on exploiting Apple’s iPhones. Spyware can infiltrate a phone and turn it against you through a simple WhatsApp call, even if you do not pick up the call, reported University of Toronto’s Citizen Lab.
Rise and rise
Over the years, the NSO Group’s value kept rising. In March, the NSO Group’s co-founders raised money to buy back a majority stake in the company at a valuation of $1 billion. The London private equity firm Novalpina Capital backed the deal — whose investors include Oregon state employees’ pension fund and Alaska’s sovereign wealth fund. The NSO Group finished 2018 with a revenue of $250 million.
The firm has launched a charm offensive. A new website, spending on Google adverts, giving interviews to TV channels – the NSO Group is doing it all. In September, it even launched a fresh “human rights policy and governance framework”.
Unit 8200 – global incubator of spy tech
The NSO Group’s founders come from Unit 8200 – Israel’s elite defence force. It is also the Israel Defence Force’s largest military unit. According to Peter Roberts, a senior research fellow at Britain’s Royal United Services Institute, “Unit 8200 is probably the foremost technical intelligence agency in the world.”
Unit 8200 plays a significant role in Israel’s “startup machine”, with its graduates going on to build leading technology companies such as Checkpoint. Cybersecurity is Israel’s selling point now. The country has more than 450 firms with more than $10 billion in exports a year.
The global mobile hacking market is pegged at $12 billion. The NSO Group rented its services for a monthly subscription of $650,000 for every 10 targets in 2016. The Saudis paid the NSO Group $55 million to track 150 phones.
It had a “solid 20% growth in product bookings,” according to reports.
The NSO Group and its competitor, the Emirati firm DarkMatter, best exemplify the gold rush to privatise spying. Dark Matter’s “Karma” tool has similar capabilities as Pegasus.
The problem arises when state powers go too far. Enemy of a particular politician does not mean enemy of the state. The list of victims is long with a report tracking Pegasus’s software to more than 45 countries.
Jamal Khashoggi was a journalist. Not only was his privacy violated using NSO tools, but he was also hacked to death in a Saudi embassy.
In India, the problem is particularly vexing. First, we lack an appropriate legal doctrine. We have low-tech laws for high-tech problems. While privacy has been recognised as a fundamental right, there are no data protection and encryption laws. Moreover, unlike the US FISA Court, India has no secret court to regulate eavesdropping for national security.
Second, it is bad enough that we end up misusing these tools, it becomes worse when we exclusively rely on foreign vendors to do so. Barring the DRDO-funded NETRA, there is no serious effort to invest in indigenous technologies. Unlike Israel, we do not even have appropriate laws to allow such startups to legally exist.
In the garb of improving our national security, we are only worsening it. The foreign vendors know what India is spying on. And that’s the problem with hiring digital mercenaries – they can reveal all for a price, even to friendly neighbours.
India’s way forward
Cyber offensive is a necessary tool, and no stone must be left unturned to further national security. However certain reforms are needed.
First, cyber offensive companies should be categorised as private defence contractors. Second, India should have a phase-wise system to wean off from foreign technologies. Third, there needs to be an urgent debate on “global moratorium” on sale of spyware. Fourth, a code is a weapon, and buying and selling it needs to be looked at as acts of aggression. Fifth, we need to revisit the notion of sovereignty in the digital era. Sixth, there needs to be a regulator whose permission is needed to purchase and deploy such tools. Seventh, the vendors should have stricter policies on ultimate use of their weapons.
Meanwhile, the Indian IT ministry is waiting for a response from WhatsApp on which Indian agency used Pegasus.
Note: At the time of publishing, the founders of the NSO Group or those in know had not responded to a request for a comment or statement.
The author is a lawyer and writer. He’s an expert on issues of national security, technology, geopolitics & foreign affairs. Views are personal.