Why is this Israeli firm targeting group that exposed its Pegasus spyware?

The Israeli firm NSO Group—which developed the notorious Pegasus spyware allegedly used by authoritarian governments worldwide to extract private data from the phones of political opponents, journalists and activists through a WhatsApp security vulnerability—has been repeatedly going after the research organisation that exposed its cybercrimes five years ago.

The Israeli firm has demanded that Citizen Lab, a University of Toronto-based organisation that studies information control, should hand over “every single document” about its Pegasus investigation from 2019.

NSO insists that Citizen Lab must reveal how it “conducted its analysis” that led it to identify over 100 cases of abusive targeting of politicians, human rights defenders and journalists in at least 20 countries in Africa, Asia, Europe, the Middle East, and North America.

NSO claims it sells Pegasus only to governments and militaries for the purpose of tackling crime and terrorism.

Battleground: WhatsApp

WhatsApp identified and quickly resolved a “vulnerability” in its system back in May 2019. The bug allowed cybercriminals to inject commercial spyware into phones via WhatsApp by simply ringing the number of a target’s device.

WhatsApp also identified NSO as the spyware developer that took advantage of the bug in October 2019.

It was only then that Citizen Lab entered the fray and volunteered to help WhatsApp identify cases in which the suspected targets of this attack were “members of civil society, such as human rights defenders and journalists”.

Subsequently, WhatsApp went to court against NSO, alleging that the spyware developer sent Pegasus to about 1,400 devices worldwide.

The lawsuit alleged that NSO’s malware was designed to infect phones and computers for “conducting surveillance of specific WhatsApp users”. The Israeli firm developed its malware in order to access messages and other communications after they were decrypted on target devices, it said.

For its part, NSO insists the clientele for its proprietary spyware is “strictly” limited to government clients and that its sales meet the Israeli government’s export regulations.

But Citizen Lab argues that the number of cases in which NSO’s technology is used to target civil society members “continues to grow”.

The US Department of Commerce blacklisted NSO in November 2021 based on “evidence” that it sold spyware to foreign governments that used the same to “maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers”.

Its tools also enabled foreign governments to conduct “transnational repression” to target overseas dissidents, journalists and activists to silence dissent, it said.

Discovery: arrow in NSO’s quiver

The notorious Israeli firm has so far mounted at least two legal attacks on Citizen Lab, demanding access to its raw work relating to the 2019 investigation.

NSO has already obtained “thousands of documents” produced by Citizen Lab through Meta, WhatsApp's parent firm, as part of “discovery”.

Discovery is a formal process that allows two parties locked in a legal battle to obtain relevant documents from each other to prepare their cases.

However, the Israeli firm seems hell-bent on getting direct access to proprietary information held by Toronto-based Citizen Lab.

In March, NSO moved a motion in US court for the issuance of a “letter rogatory”—a judicial request to a foreign court—so that Citizen Lab could be made part of the discovery process.

The US judge denied the motion, saying it’d be “duplicative of discovery already obtained” from WhatsApp.

But NSO's failure to drag Canada-based Citizen Lab into a potentially long and expensive legal battle in the US didn’t stop it from trying its luck once again.

The lawyers of NSO went back to court, insisting the documents that WhatsApp shared in discovery about Citizen Lab’s investigation were “incomplete and inadequate”.

Why? Because the documents furnished by WhatsApp didn’t reveal—to the satisfaction of the Israeli malware developer—how Citizen Lab conducted its analysis and came to its damning conclusions.

In other words, NSO wants the group of researchers to simply reveal the technology that they used to catch the malware and trace it back to the Israeli firm.

The obvious but unstated objective for NSO is apparently to collect as much information as possible to develop an even more malicious code next time for targeting unsuspicious human rights activists and journalists around the world.

Third time’s the charm?

US media outlet The Intercept reported earlier this week that the judge turned down NSO’s request in her latest order, saying it was plainly “overbroad”—a legal term meaning a discovery request not sufficiently restricted to a specific subject.

It’s yet to be seen if NSO resorts to a third attempt at forcing Citizen Lab to surrender its raw information.

The Israeli firm can still get what it has long wanted by somehow proving in court that the specific individuals who were categorised by Citizen Lab as civil society targets were, in fact, carrying out criminal or terrorist activities.

Citizen Lab’s lawyers pointed out that it would roll back “years of progress” and “severely chill” the laboratory’s forward-looking initiatives.

“The Citizen Lab is obligated under its research ethics protocol and its agreements with research subjects… to maintain the confidentiality of subjects’ information,” the lawyers said.