Image: Clint Patterson via Unsplash

Spyware maker is hijacking diplomatic efforts to limit commercial hacking, civil society warns

Civil society groups are warning that makers of spyware tied to human rights abuses are inserting themselves into diplomatic initiatives as a way to whitewash their reputations.

The backlash comes in the wake of a “transparency report” issued by the spyware maker NSO Group on January 7 that trumpeted the company’s participation in the Pall Mall Process — a diplomatic effort aimed at reining in the misuse of spyware products while recognizing the software is worthwhile when used appropriately to fight crime and terrorism. 

Launched in February 2024 under French and U.K. leadership, Pall Mall seeks to create a governance framework for so-called Commercial Cyber Intrusion Capabilities (CCICs), including spyware.

French and U.K. officials told Recorded Future News that they did not invite NSO Group to participate, and that companies making submissions are not necessarily respecting human rights.

Despite this, NSO Group held up its engagement with the Pall Mall Process as an example of its commitment to responsible governance of its zero-click Pegasus spyware. 

“As a regulated defense technology provider operating under stringent export licensing requirements, with an established human rights compliance program and a record of implementing safeguards, investigations, and enforcement actions, NSO contributes a practical, implementation-focused perspective,” according to the report, which glossed over a long record of human rights abuses without committing to any reforms to address them.

Civil society leaders scoffed at the company’s claims, pointing to many recent abuses of Pegasus to target members of civil society in repressive regimes like Serbia. In February 2025, Amnesty International found that Pegasus had been used to target two Serbian journalists. It was the third time in two years that Amnesty documented members of civil society had been targeted with Pegasus there.

NSO Group’s technology was also tied to the killing of journalist Jamal Khashoggi, a strong critic of Saudi Arabia’s leadership.

“NSO says they have an ‘established human rights compliance program,’” said John Scott-Railton, a digital forensic researcher at The Citizen Lab. “The evidence establishes one thing: Whatever their alleged policy, they still have no problem selling to autocrats even after an absolute mountain of scandals.”

The claim that NSO is subject to "stringent export licensing requirements" was disputed by the senior tech counsel at Access Now, Natalia Krapiva, who pointed out that Israel, which determines which countries NSO can sell Pegasus to, has approved sales to authoritarian regimes and dictatorships like Saudi Arabia, the United Arab Emirates, Azerbaijan, Serbia and Rwanda.

NSO also has been anything but transparent, Krapiva said, presenting no evidence documenting their enforcement activities or even a list of countries they have withdrawn from due to abuse.

And unlike NSO’s previous annual transparency reports, the latest iteration does not offer any details on how many customers the company declined to work with or stopped working with due to abuses of its products. It also does not say how many customers it has.

Victims have been left without recourse due to NSO roadblocks, Krapiva said.

“NSO has been frustrating investigations, discrediting victims and researchers and putting enormous resources into actively trying to avoid accountability and providing remedy to victims in U.S. and other courts,” she said.

‘Responsible actor’

Officials involved in the Pall Mall Process stressed that spyware makers that offer submissions are not necessarily acting in ways that make them responsible actors.

An official with the French Ministry for Europe and Foreign Affairs, for example, emphasized that there is an ongoing French judicial investigation into Pegasus abuses.

“The facts are extremely serious,” the official said, requesting anonymity to be candid discussing a sensitive matter. 

Companies like NSO “expand the pool of state and non-state actors in a position to conduct offensive cyber operations,” the French official said. “Therefore, their capabilities are more likely to be used irresponsibly. We continue to express deep concerns on their potential risks for human rights and our national security.”

When asked about NSO’s contribution, a U.K. Foreign Office official said making a submission to the consultation “doesn't represent a formal commitment to the Pall Mall Process, nor participation in the initiative, nor any form of compliance, nor is it any indication of future involvement.”

“Responding to consultation does not imply that a state or a company is considered a responsible actor by the Pall Mall Process,” the official said.

A spokesperson for the NSO Group did not respond to multiple requests for comment.

‘Process abuse’

Scott-Railton, who has researched the use of Pegasus to target scores of civil society devices for years, called on Pall Mall leaders to “disqualify” NSO from future participation in the effort due to what he called its “process abuse.”

“The open consultation model means anyone can submit input, and there’s no clear mechanism to prevent bad actors from spinning their sending in some emails as governance validation,” he said. “The problem is that bad faith is the default setting for mercenary spyware companies and unless the process builds some firewalls and consequences, this may happen again.”

Elina Castillo Jiménez, the advocacy and policy advisor at Amnesty International’s Security Lab, said companies with NSO’s track record must be excluded until they have demonstrated a commitment to reform.

“Any government serious about regulating this industry in order to protect human rights will reject any opportunistic attempts by companies to try and rehabilitate their reputations with vague statements but without submitting themselves to proper legal oversight,” she added.

Many of the participants want CCICs with a record of human rights abuses to participate in the process, however, in the hopes that real reform occurs.

Experts worry that participation guidelines designed by Pall Mall participants could push the most problematic vendors — like NSO — underground by creating clear lines between responsible and irresponsible practices. 

Observers also have been concerned that the vendors most involved so far are not the companies whose products have led to rampant human rights abuses. 

Vendors like NSO, whose products have repeatedly been used for transnational repression, should only be allowed to participate in Pall Mall if they are ready to commit to major reforms, civil society leaders say.

Rand Hammoud, the surveillance campaigns lead at Access Now, said Pall Mall leadership needs to set up “clear criteria for industry engagement … to protect the credibility of an initiative that depends on good faith participation.”

Additional reporting provided by Alexander Martin.

Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.