Israeli spyware company NSO Group has stonewalled questions over whether it is operating legally, according to consultants acting on behalf of the controversial company’s owners.
Berkeley Research Group, the US consultancy that was last year put in charge of the private equity fund that owns 70 per cent of NSO, has told EU lawmakers that its inquiries about NSO’s “lawfulness” have been “ignored and/or frustrated by NSO Group’s management team”.
Concerns remain about “the historical management of the NSO Group” and “possible ongoing activities in relation to which [BRG is] being kept in the dark”, BRG’s lawyers wrote in a letter to MEPs.
BRG’s complaint is a further escalation of the controversy surrounding NSO, which was once a highly prized asset that Israel used as a diplomatic calling card, but is now facing lawsuits from Meta and Apple and has been blacklisted by the US.
NSO’s Pegasus software can infiltrate a smartphone and mirror its encrypted contents. It was last year found to have been used to target smartphones belonging to 37 journalists, human rights activists and other prominent figures.
The Spanish government said last week that Pegasus was used to hack the mobile phones of the country’s prime minister and defence minister in its first confirmed use against a serving head of government.
In the letter to MEPs sent last month, BRG’s lawyers said the consultancy had been “investigating the historical and ongoing management and conduct of the business of the NSO Group”, including its compliance with a US trade blacklisting, since August.
But that process has “stalled” because of NSO’s stance, the letter said. “Suffice it to say that investigations to date have raised many more questions than they answer,” the letter to MEPs said. It offered to share information with the politicians as they investigated Pegasus’s use.
NSO said it “complies with very strict legal and regulatory frameworks in every relevant area of operation”.
It said: “The company’s management operates under proper corporate governance, works closely with all duly appointed boards of directors and co-operates with any required statutory supervision.”
In March, the European parliament set up a committee to investigate the use of Pegasus and other surveillance spyware, saying it would look at “whether this use has breached EU law and fundamental rights”.
Sophia in ’t Veld, the Dutch MEP leading the probe, said the BRG letter raised questions that were “at the heart of the things we want to know” and that MEPs would discuss its contents with NSO.
“We need to know how they operate, what is the policy of selling their products to governments and non-government actors,” she said. “There is no clarity on how much access to information they have. We don’t know.”
The Israeli government has licensed the sale of Pegasus on the condition that it be used to defend against terrorism and serious crime.
When the US commerce department blacklisted the company last year, it said NSO had supplied software to foreign governments that had used it to “maliciously target” government officials, journalists, business people, activists, academics and embassy workers.
“When [the firm representing] your own owner is breaking the glass and contacting an investigative committee, it’s an extraordinary act,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. “To me, it underlines the fact that NSO is an out-of-control actor.”
BRG declined to comment. It has previously said in court filings that NSO is “valueless” to its private equity backers.
The letter to MEPs comes as BRG is under growing pressure. It took control of the €1bn Novalpina Capital private equity fund that owns NSO last year, after investors in the fund forced out Novalpina’s three co-founders over a fallout between the trio.
But BRG is facing a legal bid in Luxembourg to oust it from controlling the fund that owns NSO.