NSO Group, an Israeli company known for selling surveillance software (spyware) to governments across the world, has made a pledge this week to follow the UN's human rights framework and adopt measures to prevent customers from abusing its tools to do harm.
The company's move comes after it's been accused of selling spyware to oppressive regimes, which in turn, used it to spy on journalists, human rights activists, and political opponents.
NSO has always denied having any knowledge of these abuse while they were going on, and has always said it only wanted to sell surveillance technology to law enforcement authorities across the world.
However, multiple reports have linked the company's tools to incidents where its software had been installed on the devices of people who had not committed any crimes, other than criticizing governments or investigating incumbent officials. Amnesty International activists, journalists in Mexico, and Saudi dissidents have had phones infected with potent iOS or Android spyware that investigators linked back to the company.
NSO: Misuse extremely rare
In a press release on Tuesday, September 10, NSO officials admitted that some of their customers did abuse their tools in the past. In an email to ZDNet, an NSO Group spokesperson said the company found three cases of confirmed misuse of its technologies, which they moved to shut down.
NSO said misuse was "extremely rare," but they are now launching an initiative to fight off any future abuse. This initiave includes two main components.
The first is a Human Rights Policy, based on the UN's Guiding Principles on Business and Human Rights. The second is a Whistleblower Policy, a procedure through which outsiders can report cases of abuse.
The two moves are meant to quench some of the wave of criticism and bad press the company has been getting, and to put in place a set of rules for misbehaving customers.
Human rights groups yet to be convinced
But the company has a long way to go to change its image. For starters, it will have to convince Amnesty International and Citizen Lab, two human rights organizations that have exposed past cases where NSO tools had been used outside of legitimate crime investigations.
In a blog post yesterday, Amnesty International challenged NSO to "match words with action."
"NSO needs to demonstrate this is more than an attempt to whitewash its tarnished reputation," said Danna Ingleton, Deputy Director of Amnesty Tech.
"The NSO policy comes too late for the scores of activists targeted by abusive governments using the firm's spyware, including UAE activist Ahmed Mansoor who was sentenced to 10 years in prison in 2018," she added.
"Some NSO customers clearly cannot resist abusing spyware to erode democracy, and a stern warning is not going to change that," John Scott-Railton, Senior Researcher at the Citizen Lab, told ZDNet.
NSO says it has leverage over customers
But in an email to ZDNet, an NSO spokesperson said the company can and has the tools to enforce its new Human Rights policy and prevent future abuse.
"Our agreements require customers to fully comply with all national security and privacy laws and regulations, as well as specifically require that the products are used solely for fighting crime and terror and will not be used for human rights violations," the company said.
"In addition to our own review - both at the outset of licensing a product and reviews of existing contracts - our customers are required to notify us of any knowledge they may have regarding a misuse or potential misuse. We have an escalating set of remedies culminating in termination in case of misuse or refusal to co-operate in an investigation."
Furthermore, the company will also be heavily leaning on its Whistleblower Policy [PDF], which the company had created to set up a reporting channel for users or entities who spotted NSO surveillance tech being misused.
But some sources told ZDNet the document might be a boobytrap that may prevent whistleblowers from disclosing abuse outside of NSO. Once an abuse case is reported, the whistleblower can't talk about it to anyone.
In a phone call with ZDNet today, John Tye, a US lawyer specialized in whistleblower cases, recommended that any whistleblowers coming forward, regardless if they're reporting issues to NSO or any other company, should contact a trusted lawyer before doing anything first.
Surveillance industry under assault
NSO Group new interest in safegurding innocent victims from abusive customers can be explained by a series of recent events that have put the company and the entire surveillance tech business on guard.
For the past few months, pressure has been mounting against some surveillance vendors.
In May, Amnesty International petioned an Israeli court to revoke NSO's export license, the primary certification that allows the company to sell its products abroad, to foreign governments.
A month later, a UN surveillance expert urged the organization and governments across the world to impose a global ban on the sale of surveillance software. The UN expert named NSO Group as one of the bad apples of the surveillance world.
Similarly, fellow surveillance tech vendor FinFisher is having problems in Germany, where an investigation into its operations is underway, facing similar accusations of selling spyware to oppresive regimes.