US lawmakers want to put NSO Group, 3 other spyware makers out of business with fresh severe sanctions
Export controls aren't enough, Dems say: Bring on the Global Magnitsky Act
Eighteen US Democratic lawmakers have asked the Treasury Department and State Department to punish Israel-based spyware maker NSO Group and three other surveillance software firms for enabling human rights abuses.
In a letter [PDF] signed by US Senator Ron Wyden (D-OR), House Intelligence Committee Chairman Adam Schiff (D-CA), and 16 others, the legislators urge Secretary of the Treasury Janet Yellen and Secretary of State Antony Blinken to apply sanctions to the NSO Group, UAE-based DarkMatter Group, and EU-based Nexa Technologies and Trovicor, under the Global Magnitsky Act.
The Global Magnitsky Human Rights Accountability Act was signed into law in late 2016 as part of the F17 Defense Authorization Act. It expands upon the 2012 Sergei Magnitsky Rule of Law Accountability Act of 2012 which was drafted specifically to punish Russian officials for the 2009 death of Sergei Magnitsky, a Russian tax lawyer who perished in a Moscow prison after investigating government fraud.
The Global Magnitsky Act, amplified under Executive Order 13818 [PDF] in December, 2017, authorizes the US President to restrict travel, freeze assets, and limit commercial transactions for those deemed responsible for serious human rights abuses or corruption. With administration approval, such sanctions would be implemented by the Treasury and State Departments.
NSO Group is alleged to have "provided hacking software to Saudi Arabia, the United Arab Emirates, Mexico, Morocco, Bahrain, and other governments, resulting in those countries hacking into the devices of journalists and human rights activists," the lawmakers' letter says.
Google's Project Zero on Wednesday published a technical analysis of the zero-click iMessage exploit said to have been developed by NSO Group and used to target a Saudi activist.
This state-of-the-art code forms virtual logic gates out of compressed JBIG2 image data to build a virtual machine that can search memory for values and perform arithmetic to achieve exploitation. This is done because its creators wanted a degree of dynamic scripting, none is available in the vulnerable environment, and so one is fashioned out of virtual AND, XOR, and NAND gates.
- American diplomats' iPhones reportedly compromised by NSO Group intrusion software
- Apple sues 'amoral 21st century mercenaries' NSO for infecting iPhones with Pegasus spyware
- NSO fails once again to claim foreign sovereign immunity in WhatsApp spying lawsuit
- US Dept of Commerce sanctions NSO Group, Positive Technologies, other makers of snoopware
DarkMatter Group, the lawmakers said, compromised the devices of human rights advocates and journalists on behalf of the United Arab Emirates. Nexa Technologies is said to have sold bulk internet monitoring technology to Egypt and Libya, leading to the arrest and torture of human rights advocates. Trovicor is said to have done the same for Bahrain.
NSO Group, along with Israel-based Candiru, Russia-based Positive Technologies, and Singapore-based Computer Security Initiative Consultancy Pte Ltd, were sanctioned last month by being placed on the Commerce Department's Entity List, which limits the export of hardware and software from the US to designated organizations or individuals unless approved by the Commerce Department. The application of the Global Magnitsky Act would represent a more severe set of sanctions – it could put those targeted right out of business.
NSO Group did not immediately respond to a request for comment. The spyware maker is reportedly close to defaulting on its debts, and is considering shutting down its Pegasus unit and selling the company.
Wyden et al argue that placing surveillance and intrusion software companies on the Entity List isn't enough.
"While this bold action by the Administration is certainly worthy of praise, export controls alone are unlikely to effectively deter these foreign firms," the letter states. "Their developers are located overseas, and they can certainly find foreign sources for the hardware and software on which they rely to develop and sell their products."
Export controls alone are unlikely to effectively deter these foreign firms
The lawmakers argue these surveillance firms depend on the US financial system and US-based investors to raise money so the Global Magnitsky Act's financial sanctions are necessary to punish them and to send a signal to the surveillance technology industry.
Private companies, advocacy groups, and individuals are also challenging companies that provide surveillance and intrusion software to clients that target civil society. Both Apple and Facebook's WhatsApp have sued NSO Group for facilitating online attacks on their respective customers. And last week, the Electronic Frontier Foundation (EFF) sued DarkMatter Group and three former executives on behalf of Saudi human rights activist Loujain AlHathloul for hacking her iPhone.
"Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses," said EFF Civil Liberties Director David Greene, in a statement. "The harm to Loujain AlHathloul can never be undone. But this lawsuit is a step toward accountability." ®
Updated to add
A spokesperson for NSO Group just told us: "NSO has chosen ethics upon revenues, and we strongly believe that our contribution to the global security, including United States' national interests, should have the opportunity to be presented.
"We have been closely regulated by the Israeli government, which means that there is a long list of prohibited countries and that we only sell to governments authorized by the State of Israel, for the sole purpose of preventing terror and crime."