The big business of illegal snooping

The TLDR: So far, the story of the spyware Pegasus has focused on targets and their snoopers—who and when. But the bigger story is how a tech company put a dangerous product in the hands of governments and their agencies—with the active support of the Israeli government. This is a whole new kind of public-private partnership that poses a clear and present danger to human rights. 

Say hello to NSO

Origin story: Shalev Hulio and Omri Lavie are childhood friends, and used to be part of Unit 8200—a cyber spy agency. This is a secretive unit of the Israeli Defense Forces (IDF), and which has produced the country’s biggest tech super stars. Much like their former colleagues, Lavie and Hulio decided to do a tech startup. Their first venture MediaAnd—a product placement tool—bombed due to the 2008 recession. The second, CommuniTake, showed promise. It allowed the tech support of a telecommunication company to take remote control of a customer’s device. And that’s when intelligence agencies started paying notice, according to Lavie:

“We were approached several times by intelligence agencies and asked, ‘Can you do it without [the user’s] permission?’ So we lied and we said, ‘Sure’. We didn’t understand at the time that this was considered one of the holy grails of the industry.”

Point to understand: This was a “holy grail” because until then intelligence agencies had to intercept messages while they were in transit from one device to another. But the rise of end-to-end encryption—where the message cannot be read except by the sender and receiver—posed a huge problem for this method. However, CommuniTake directly accessed the device instead: “agencies could simply pirate the phone itself, bypassing encryption and giving them all of the information they needed and more.”

The birth of NSO: Unwilling to let go of this brilliant opportunity, the two buddies got a third founder on board: Niv Carmi, a former intelligence operative of the spy agency Mossad. And they recruited their then CEO Yair Pecht—who served in the IDF’s elite Mamram computer unit. And the two worlds of spies and tech meshed together to create NSO—for Niv, Shalev and Omri. Carmi handled the tech and Hulio and Lavie the business—though Carmi would leave NSO later. 

Up, up and away!

Birth of Pegasus: Responding to popular demand, NSO developed a spyware tool called Pegasus—which “offered a plug-and-play spying solution for intelligence agencies and police forces that couldn’t afford to develop their own tools.” The official goal was to help them fight crime, be it terrorism, money laundering or drug trafficking. Within a year, riding the coattails of Pegasus, NSO went from upstart startup to cybersecurity giant. As an exec of a rival firm said, “When we were selling our solutions for hundred of thousands of dollars, NSO Group managed to negotiate million dollar contracts. We were already behind in a sense.”

Finding clients: NSO soon cultivated what Lavie calls the “very fine art” of marketing to foreign governments:

“Companies in the emerging cyberwarfare field cannot just go to trade fairs or rely on publicity and hope customers will come. Like conventional defence companies, they rely largely on private agencies that transact business for products on commission.”

In 2012, they landed their first big client, the government of Mexico—which allegedly paid $32 million to help fight drug cartels. In 2014, the Mexicans used Pegasus to track and arrest none other than Joaquín Guzmán aka ‘El Chapo’. But a 2017 investigation would reveal that the Mexican government—which by then had spent a whopping $80 million—was also using Pegasus to spy on human rights activists, political rivals and journalists, some of whom turned up dead. The latest Pegasus Project revealed 15,000 such numbers on the global database of potential targets.

Sweet rewards: US-based venture fund Francisco Partners bought NSO for $120 million in 2014—the same year that Pegasus helped nab El Chapo. Now, the company had lots of money to invest in refining its spyware. Where it had once relied on the user to click on malicious links to take over their phone, NSO moved to ‘zero click’ attacks—where just a missed call on WhatsApp or text on iMessage is sufficient to hijack your phone. And it is very unapologetically not a defensive tool, but an offensive weapon aimed at a specific target. Lavie says to the Financial Times:

“It’s like laying a trap in the forest versus setting a sniper gun for a bear. If you’re laying a trap, you’re hoping for your bear to wander out but if you’re sitting in a bush waiting for a specific bear, once you see it you can actually act on it.”

Point to note: None of the bad press has deterred NSO from getting funding or clients. Lavie and Hulio bought back the company from Francisco Partners in 2019 with investments from Novalpina Capital, a London-based private equity firm. At the time of the transaction, NSO was valued at $1 billion. According to a 2021 report, it has 60 customers in 40 countries. Fifty-one percent of its clients are intelligence agencies, 38% law enforcement agencies and 11% military.

Maintaining deniability: A big part of NSO's spiel is that it doesn’t know what its clients do with Pegasus. As Lavie makes clear:

“In some countries we’re not even allowed to know where the building is, where [the product] will be installed. Not only are we not allowed in the building, we don’t even know where the building is – it could be in another city.”

And all its promises to investigate the misuse of its technology—including recent statements about the Pegasus Project—usually lead nowhere. How can you investigate that which you do not know?

Quote to note: When asked about his clients, Lavie joked: “I don’t want to be beheaded.” 

A very Israeli firm

Login

Complaints, suggestions or just wanna say hi? Talk to us at talktous@splainer.in