Somebody has to do the dirty work: NSO founders defend the spyware they built. CEO Shalev Hulio says he would ‘shut Pegasus down’ if there were a better alternative. From @lizzadwoskin and @shira_rubin
Two 20-something Israeli entrepreneurs who had been running a small customer service start-up for mobile phones were at a client meeting in Europe in 2009 when they received a visit from law enforcement officials.
The entrepreneurs’ first instinct was fear. Maybe they had done something wrong that they weren’t aware of, Shalev Hulio and Omri Lavie recalled in interviews this week with The Washington Post.
Instead, the officials made an unexpected request. The agents said the Israelis’ technology, which helped carriers troubleshoot their customers’ smartphones by sending them an SMS link that enabled the carrier to access the phone remotely, could be useful for saving people’s lives. Traditional methods of wiretapping calls were becoming obsolete in the age of the smartphone, the officers explained, because early encryption software blocked their ability to read and listen to the conversations of terrorists, pedophiles and other criminals. Would Hulio and Lavie be able to help them, by building a version of their technology that the officials could use?
More than a decade later, the cybersecurity company that arose out of that fateful conversation — the NSO Group, an acronym based off the first names of the three founders — is at the center of a global debate over the weaponization of powerful and largely unregulated surveillance technology.
This week, The Washington Post and a consortium of 16 other media partners reported that the company’s military-grade spyware was used in attempted and successful hacks of 37 smartphones belonging to journalists, business executives, and two women close to the murdered Saudi journalist Jamal Khashoggi.
Hulio’s journey — recounted to The Post in interviews with friends, investors, colleagues and Hulio himself — has been hailed over the years as an Israeli version of a Silicon Valley success story, a shining showcase of the potential of a tiny nation that boasts the highest per capita concentration of start-ups in the world, according to Startup Genome, a San Francisco-based research group. But NSO also demonstrates the more troubling side of that story, some experts say — the tale of a country too eager to make friends in a hostile region and too willing to take controversial actions in the name of survival, as well as the limitations of technology companies’ abilities to control the abuse of their products by their customers.
Hulio has acknowledged that some of NSO’s government customers had misused its software in the past — describing it as a “violation of trust” — and said NSO shut off five clients’ access in the past several years after conducting a human rights audit, and had ended ties with two in the last year alone. Hulio said he was bound by strict confidentiality agreements with law enforcement agencies that prohibit him from naming clients or describing their activities. He said he could not name the country or agency that initially approached him in Europe because it later became a client.
But two people familiar with the company’s dealings said the clients that have been suspended include Saudi Arabia, Dubai in the United Arab Emirates and some public agencies in Mexico. One of the people said the Saudi Arabia decision was a response to the Khashoggi killing, and two others said that Mexican agencies continue to use another NSO product designed to help first responders in search-and-rescue missions.
“There is one thing I want to say: We built this company to save life. Period,” Hulio said in a late-night interview Monday on a high-up floor of the company’s unmarked office tower in the upscale Tel Aviv suburb of Herzliya. “I think there is not enough education about what a national security or intelligence organization needs to do every day in order to give, you know, basic security to their citizens. And all we hear is this campaign that we are violating human rights, and it’s very upsetting. Because I know how much life has been saved globally because of our technology. But I cannot talk about it.”
Asked about the 37 attempted and confirmed hacks, he said: “If even one is true, it is something we will not stand as a company.” The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO Group, the consortium’s investigation found. Hulio said the company was still investigating the numbers provided by news outlets and that assertions of any link between the list and NSO were false.
In the first weeks after founding the company, in 2010, “before we’d even written a line of code,” Hulio said he and Lavie established three guiding principles that remain in place today. First, they would license only to certain government entities, recognizing that the technology could be abused in private hands. Second, they would have no visibility into the individuals targeted by customers after selling them a software license. The third, which Hulio said was the most important, was to seek approval from the export controls unit of Israel’s Ministry of Defense, an unusual decision because at the time the unit only regulated overseas weapons sales (Israel enacted a cyber law in 2017).
The three decisions were made, Lavie said, so that “we’d be able to sleep at night.” He said he and Hulio strongly believed it was not appropriate to have any direct knowledge of the internal national security matters of foreign countries. They also thought they weren’t equipped to make political decisions about whom to sell to.
In recent days, some Israeli political leaders have started to argue that the export controls rules that govern cybertechnology companies might have become too prone to political influence. Some of the countries where NSO had agreements, including Saudi Arabia and the UAE, are places where Israel’s last prime minister, Benjamin Netanyahu, sought to forge new alliances.
