NSO Group

Government and military officials fair targets of Pegasus spyware in all cases, NSO Group argues

Editor's Note: This article was updated 10:50 a.m. Eastern time, June 18, with comments from former U.N. official David Kaye and WhatsApp.

The manufacturers of the powerful commercial spyware Pegasus argued in a Friday court filing that it is appropriate for its global clients to target any high-ranking government or military official with the technology because their jobs categorically make them “legitimate intelligence targets.”

The statement is a revelatory admission from the typically tight-lipped Pegasus manufacturer, NSO Group, regarding who it believes can justifiably be targeted with its zero-click and all-seeing surveillance product. 

It surfaced in court documents related to a lawsuit WhatsApp has brought against NSO Group for allegedly infecting about 1,400 of its users’ devices with the technology. The hacks were discovered in 2019.

A former United Nations official overseeing the right to free expression said NSO Group’s comments go beyond their prior assertions and are more sweeping in their definition of who can legitimately be targeted by Pegasus. 

The official, David Kaye, pointed to a 2019 NSO Group letter sent to him while he was at the U.N. It said Pegasus is “intended to prevent acts of terrorism, large-scale drug trafficking, pedophile networks, and other serious criminal acts.”

In that same letter, NSO Group said that its contracts with clients “specifically demand that customers utilize our technologies as intended – to investigate and prevent crimes and terrorism.”  

Friday’s filing seems to suggest a broader purpose for Pegasus, Kaye said, pointing to NSO’s explanation that the technology can be used on “persons who, by virtue of their positions in government or military organizations, are the subject of legitimate intelligence investigations.” 

“This appears to be a much more extensive claim than made in 2019, since it suggests that certain persons are legitimate targets of Pegasus without a link to the purpose for the spyware’s use,” said Kaye, who was the U.N.’s special rapporteur on freedom of opinion and expression from 2014 to 2020.

NSO Group clients include or have included repressive regimes such as Hungary, the United Arab Emirates and Saudi Arabia. Pegasus technology was allegedly used to track journalist Jamal Khashoggi in the months before he was murdered by the Saudi government.

The Israeli company’s statement comes as digital forensic researchers are increasingly finding Pegasus infections on phones belonging to activists, opposition politicians and journalists in a host of countries worldwide. 

NSO Group says it only sells Pegasus to governments, but the frequent and years-long discoveries of the surveillance technology on civil society phones have sparked a public uproar and led the U.S. government to crack down on the company and commercial spyware manufacturers in general.

Debating legitimate Pegasus targets

Friday’s court filing centers on a fight between NSO Group, WhatsApp and digital forensic researchers from The Citizen Lab, whose experts helped research many of the Pegasus infections documented in the case. 

NSO Group wants The Citizen Lab to turn over information about additional victim identities and how it made its analysis.

The debate focuses on lists The Citizen Lab produced classifying Pegasus infections as affecting either top government and military officials — referred to in the filing as the VIP list — or civil society leaders. 

NSO says the list of individuals The Citizen Lab classified as VIPs includes 93 people the company describes as “high-ranking government or military officials.”

“The VIP list is almost entirely comprised of persons who, by virtue of their positions in government or military organizations, are the subject of legitimate intelligence investigations,” an attorney for NSO Group wrote in the filing. “All the VIPs are legitimate intelligence targets.”

The company accessed the lists through discovery because The Citizen Lab worked with WhatsApp to help identify and alert civil society victims when the hacks were first found in 2019. Not all of the approximately 1,400 total victims are identified or classified in the lists obtained by NSO Group, which is seeking the additional names and classifications.

An NSO Group spokesperson could not immediately be reached for comment on this story, but told Recorded Future News last week that it “complies with all laws and regulations and sells only to vetted intelligence and law enforcement agencies.” 

“Our customers use these technologies daily to prevent crime and terror attacks,” they said.

The company does not disclose its client list, but the spokesperson noted it doesn’t work with Russia or its allies. 

Opposition ‘VIPs’

NSO Group also appeared to suggest in court filings that opposition politicians can be legitimately surveilled with Pegasus. This assertion comes as Polish officials  investigate what they have described as a Pegasus-enabled coordinated campaign by the country’s former majority to track hundreds of opposition party politicians and those aligned with them.

“Citizen Lab appears to have drawn a distinction between politicians whose parties are in power (VIPs) versus politicians belonging to opposition parties (civil society),” the NSO Group lawyer wrote.

“For purposes of determining whether an individual was legitimately surveilled (eg, as part of an intelligence operation) using Pegasus, defendants submit that this distinction is unjustified and all senior political operatives should be classified as VIPs.”

Poland is far from the only country where Pegasus has targeted minority party officials and civil society leaders. In 2022, The Citizen Lab published a report documenting that Pegasus was used to target at least 63 Catalan government officials and activists following a 2017 bid for independence.

A spate of Pegasus infections targeting Indian journalists — whose most recent victims were made public in December by Amnesty International — is also cited by the NSO lawyer, who said that a “supposed” Indian journalist included on The Citizen Lab’s list was sentenced to life imprisonment for “sedition and waging war against the nation.” 

Calling the journalist and some others The Citizen Lab classified as civil society victims “criminals,” the lawyer suggests their inclusion on the list shows The Citizen Lab has “hugely overreached… in an effort to further its agenda that the use of Pegasus against civil society targets is widespread.”

The Indian government was found to have bought Pegasus from Israel in 2017. Multiple news reports have suggested that Indian Prime Minister Narendra Modi's government has used Pegasus to spy on and potentially even jail its critics.

A forensic analysis of a device belonging to imprisoned Indian activist and Modi critic Rona Wilson found evidence that it was infected with Pegasus between 2017 and March 2018. In June 2018 Wilson was arrested on terror-related charges.

'Lawfully targeted'

The Citizen Lab lawyer argued in the filing that NSO Group has no standing to compel it to turn over information on Pegasus targets or its analysis.

NSO Group is seeking a so-called letter rogatory to force disclosures from The Citizen Lab. 

Letters rogatory are typically used to obtain evidence if permitted by the laws of the foreign country involved in a lawsuit. NSO Group is based in Israel, The Citizen Lab in Canada and Meta, which owns WhatsApp, is in the U.S.

“The core rationale for defendants’ request — their disagreement with The Citizen Lab’s categorization of listed individuals — is irrelevant,” the digital freedom research institute’s lawyer asserts. 

In order to compel material from The Citizen Lab, NSO Group’s defense must show that individuals were “lawfully targeted by a U.S. law enforcement or intelligence agency,” the lawyer asserted.

The Citizen Lab did not respond to a request for comment.

A spokesperson for WhatsApp pointed to the company’s comments to the judge in the Friday filing, emphasizing that NSO Group relied only on public information from “questionable or biased sources” in challenging The Citizen Lab classifications of victims.

NSO Group illegally targeted WhatsApp’s systems and users with their spyware, “a pattern of abuse that cannot be tolerated by liberal democracies,” the spokesperson said via email.

In March, a California federal judge ordered NSO Group to turn over its closely guarded secret code as part of discovery in the years-long lawsuit, a decision seen as a major win for WhatsApp.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Suzanne Smalley

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.