First Annual Report Highlights Extensive Safeguards Against Misuse of Technology, Outlines Internal Governance and Compliance Processes
June 30, 2021 (Tel Aviv) – NSO Group, the world leader in precision cyber intelligence solutions for the sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies, today released its “Transparency and Responsibility Report,” marking a historic first-foray by a significant industry leader into the public conversation about the interplay between public safety and security, and the preservation and protection of human rights.
The Report, for the very first time, discloses essential facts and insights regarding the NSO Group’s position on ethical and responsible international business conduct and its governance framework. The Report provides an outline of the company’s guiding principles, and a full accounting of its ongoing and ever-evolving efforts to assure that its products are used only as they were always intended – to save lives through the prevention of serious crime and acts of terror, as well as through search-and-rescue, data analytics, anti-drone technologies, and other closely related missions and applications.
This first-of-its-kind Report features comprehensive descriptions of NSO Group’s Compliance and Human Rights policies, and the procedures, processes and practices the company has developed in the course of the last several years to enhance, strengthen and formalize these policies, as well as the day-to-day implementation of these policies and safeguards throughout the company’s entire cycle of interaction with its government customers.
The Report includes full accountings of the structures and goals of each of NSO Group’s internal committees, overviews of the company’s internal and external policies, interactions with external legal and human rights advisors, descriptions of the NSO Group product marketing and sales life cycle, and the remedies and enforcements to be implemented should a company-driven, comprehensive investigation determine that one of its products has been misused by a state customer.
All of the processes outlined in the Report have been devised with one central goal in mind: To ensure the proper use of NSO Group’s products by its customers through the implementation of integrated steps to mitigate and prevent violations of human rights.
“We are the first out of the gate in our industry with information that is as comprehensive and revealing as the data contained in this first yearly Report,” said NSO Group Founder and CEO Shalev Hulio. “This Transparency and Responsibility Report illustrates for the first time, and in deep detail, how NSO Group strives to guarantee that our products are used as intended – safely, effectively and ethically, and it further describes what options are available to us if we find that one of our customers has acted in bad faith, despite our extensive vetting process, by using one of our tools to monitor the electronic communications of someone who falls outside a prescribed investigative scope.
“It’s not simply enough for us to say that we take instances of misuse seriously. Here, we outline the range of options available to us if this happens, to include completely shutting down a customer’s access to our systems, as a situation may warrant, and as we have done out of necessity in the recent past,” Hulio said.
NSO Group only licenses its most well-known software product, Pegasus, to select approved, verified and authorized states and state agencies, specifically to be used in national security and major law enforcement-driven investigations. NSO Group does not operate the Pegasus system, and Pegasus can only be deployed by its government operators against one mobile phone number at a time, much like a traditional wiretap. The tool is not designed for, nor can it be used in any manner, for mass surveillance.
NSO Group conducts deep due diligence processes on prospective Pegasus licensees to assess the risks of misuse well before any sales agreement is reached, and its standards for customer vetting far exceed the export control requirements of many sovereign states, including most members of the European Union. The company has taken concrete and specific steps, in accordance with international standards driven in part by adherence to the United Nations Guiding Principles on Business and Human Rights, and the Organization for Economic Cooperation and Development , to address and mitigate the human rights risks associated with the use of its products.
NSO Group does not and will not license Pegasus to potential nation-state customers that, following its human rights-focused due diligence process, it believes have inadequate country-level protections in place to confidently prevent product misuse, or where the rule of law creates an unduly high risk of misuse. In line with this commitment, the company has, to date, passed on more than $300M worth of inbound business opportunities.
“We have initiated dialogues with international institutions, in the hope that further engagement among leading companies, state agencies and civil society organizations will help establish rules of responsible conduct for our industry,” said NSO Group General Counsel Shmuel Sunray. “We actively support efforts to create standards and mandate further transparency across the cyber intelligence world.”
The Report provides deep insight into how NSO Group works diligently to balance the tensions between the duties of states to protect their populations from physical and criminal threats with their obligations towards freedom of expression, the right to privacy and other human rights. This first annual Report presents NSO Group’s progress to date, and honestly assesses current and future risks and challenges, many of which are wholly unique to the cyber intelligence sector.