In response to requests for comment by Forbidden Stories, OCCRP, and the other participants in The Pegasus Project, NSO Group and a law firm retained by the company sent several replies.
In general, NSO Group strongly denies the journalistic consortium’s findings, which it describes as “uncorroborated theories” that rely on information that has “no factual basis” presented by an “unreliable” source.
NSO Group’s more specific responses are cited below:
The Source Data
The reporting for The Pegasus Project is based on 50,000 phone numbers believed to represent NSO Group’s customers selecting people for targeting with the Pegasus system. (For more information about the evidentiary basis for this finding, read OCCRP’s “About the Project” explainer.)
In its initial response, a law firm retained by NSO Group wrote:
“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes.”
The company then provided more detail:
“NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products. Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide.
“The sheer volume of numbers on this purported list … confirms that it cannot be a list of numbers targeted by governments using Pegasus. There simply are not that many numbers targeted by governments using Pegasus. Thus, Forbidden Stories’s assertion that it reviewed records of thousands of ‘targets’ of NSO Group clients is false.”
“As to your request to confirm the ‘existence of such data’, obviously we cannot do so, since even if they were customers’ data, we have no visibility nor access to them.”
In another follow-up, NSO added:
“You have put forward a flawed and speculative thesis the data list may have been used by third parties prior to a surveillance attempt, but that assertion (even if true) does not establish that the “use” was in fact attempted to be used as part of the surveillance attempt, that the attempted use was successful, or that the attempted or completed attempts produced the consequences theorized in your questions. It is beyond dispute that an attempt at surveillance is NOT the only utility of the data. It is also beyond dispute that the data has many legitimate and entirely proper uses having nothing to do with surveillance or with NSO, so there can be no factual basis to suggest (as your questions imply) that a use of the data somehow equates to surveillance.”
“NSO does not have insight into the specific intelligence activities of its customers, but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.”
In response to a technical report produced by Amnesty International, which is published along with this project and presents forensic evidence of Pegasus infections on dozens of analyzed phone numbers, NSO Group wrote:
“If you are relying on the ‘technical report’ for that purpose, that report is a compilation of speculative and baseless assumptions regarding the purported connection between what is described in the report and NSO Group’s technology. Specifically, your report depends on assumptions linking previous reports to NSO Group, which are in turn based on similar assumptions regarding even earlier reports, with no demonstrated linkage between the various layers of reports sufficient for a responsible journalist to publish these conclusions.”
NSO Group’s Clients
Sticking with a long-held policy, NSO Group declined to confirm or deny any of the client relationships suggested by the leaked data and other reporting:
“As we stated in the past, due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers.”
The company also said that it does not run the Pegasus software after it’s sold:
“NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.”
Cecilio Pineda’s murder
In response to a question about the use of NSO Group spyware against Cecilio Pineda, a Mexican journalist who was subsequently murdered, the law firm retained by the company wrote:
“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month. Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”
Jamal Khashoggi
In response to questions about the use of NSO Group spyware against friends and family members of murdered Saudi dissident Jamal Khashoggi, the company wrote:
“Our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation. … Forbidden Stories claimed that, in 2019, Saudi Arabia targeted a British human rights lawyer who represented “the fiancée of Jamal Khashoggi'' and a “Saudi Arabian human rights activist.” This allegation simply cannot be true because NSO Group can prove that such use of Pegasus is technically impossible.”
and
“We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in your inquiry.”
NSO Group’s Mission
The law firm retained by NSO Group wrote that the company’s products are a source for good and that the company takes allegations of abuse seriously:
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customers’ system, something NSO has proven its ability and willingness to do, due to confirmed misuse, done it multiple times in the past, and will not hesitate to do again if a situation warrants. This process is documented in NSO Group’s ‘Transparency and Responsibility Report,’ which was released last month.”
“The fact is, NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings. The technologies are also being used every day to break up pedophilia-, sex-, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones. Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”
Update, July 19, 2021:
After the publication of the initial set of stories in this investigation, NSO Group’s CEO, Shalev Hulio, reached out to The Washington Post to offer several additional comments.
He continued to dispute that the list of over 50,000 numbers used as a basis for this investigation represented targeting by NSO Group’s Pegasus software. He also said that most of the allegations made in the stories were untrue.
However, Hulio noted that NSO Group had terminated contracts with two clients within the last year because of concerns about human rights abuses. He described some of the revelations in the stories as “disturbing” and said he was “very concerned” about what he had read.
“We are investigating everything,” he said. “I believe that we need to check. If we check, we will find that some of this will be true.”
Update, July 21, 2021:
NSO Group has provided an additional response to what it described as a “well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups,” saying it will no longer respond to media inquiries.
“Enough is enough,” a spokesperson wrote, reiterating that the list of 50,000 phone numbers obtained by reporters is “not a list of targets or potential targets of Pegasus” and that “the numbers in the list are not related to NSO Group.”
“NSO is a technology company,” the statement continued. “We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.”
“NSO will continue its mission of saving lives, helping governments around the world prevent terror attacks, break up pedophilia, sex, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”
Separately, NSO Group related to OCCRP that its clients are “required under contract to provide [NSO Group] with audit rights in the event of any suspected misuse” of its software.
It described the list of countries believed by The Pegasus Project to be NSO Group clients as “inaccurate” without providing further details.
Asked whether the company purchases exploits from freelance hackers, NSO Group wrote that “R&D processes are proprietary information.”