In November 2021, the Biden administration added Israel’s NSO Group to the U.S. Commerce Department’s list of restricted business entities. Officially, this was because the organization had “engaged in activities contrary to the national security or foreign policy interests of the United States”, and the designation was part of “the White House’s efforts to place human rights at the center of American foreign policy, in particular by working to stem the proliferation of digital tools used for repressive purposes”. Indeed, more than 1,200 companies on the Entity List are prohibited from directly or indirectly obtaining items such as chips, software, or telecommunications equipment without explicit US government approval.
But does this decision really support human rights?
Sensationalism and exaggeration should not substitute for facts: sovereign governments and their authorized agencies have a universal need to acquire information for security purposes against the will and without the knowledge of its authors or holders. Liberal democracies have long enacted “exceptional access” laws, typically charging private network and platform operators with two types of actions. First, telephone companies, internet service providers and service providers must keep all communication records and metadata for a certain period and provide them to the competent authorities for future investigations. Second, they must assist or possess capabilities to perform “lawful interception”: covert wiretapping of the network for the proper authorities.
This no longer works. Embedded in the US mobile ecosystem for more than a decade, encryption of data and communications has rendered network-based intelligence gathering obsolete. Edward Snowden’s revelations of the National Security Agency’s network-based bulk collection methods predated end-to-end encryption (E2EE) and prompted the industry to tighten privacy features. Understanding the details is key to realizing the challenges intelligence and law enforcement agencies must overcome to accomplish their missions. E2EE of data at rest (iPhone or Android smartphones with security enabled) or data in transit (Signal, WhatsApp, iMessage) means network operators are blind to the content they carry; peer-to-peer (P2P) communication applications mean people can converse without going through the Microsofts, Apples, or AT&Ts of the world. Disappearing encrypted messages (think Snap, Wire, Signal) mean that no traces of past communications remain on the devices of potential suspects.
To be successful, lawful interception must target endpoints (smartphones, cars, portable devices, security cameras, personal computers) rather than network hubs. This is an extremely difficult feat. Even a recent critical Atlantic Council report inadvertently acknowledged that high-level technical prowess is required to develop operational cyberintelligence capabilities. Therefore, effective digital intelligence gathering will remain far beyond the reach of all but a handful of nation states that may operate in the realm controlled by Apples and Googles. As always, governments look to the markets for solutions.
The Peace, War, and Social Conflict Laboratory at Texas Tech University has compiled a dataset of more than 1,700 private military and security companies (PMSCs) around the world, grouping them into five categories. NSO Group, a private Israeli company, is one of eighty-nine cybersecurity and intelligence-related PMSCs, legitimate companies operating in plain sight. More than half of them are in high-tech hubs in the United States (thirty-six) and the United Kingdom (fourteen).
NSO does not engage in espionage and certainly does not use force. It develops technologies and licenses solutions to sovereign law enforcement, intelligence and military agencies: only sixty customers in forty countries. Its flagship solution, Pegasus, is high on the wish lists of law enforcement and intelligence agencies around the world. Pegasus is like a traditional wiretap adapted to the modern mobile ecosystem: covert, targeted, persistent and accurate. It has repeatedly established intelligence superiority by providing relevant national security agencies with covert, remote and persistent access to combined criminal and terrorist masterminds. Additionally, NSO does not operate Pegasus, has no visibility into its usage, and does not collect information about its customers.
Naturally, no government official has ever testified to the superb value of Pegasus: it would directly jeopardize their own agency’s mission. Additionally, each agency can only deploy it against a handful of targets and only within its sovereign jurisdiction; the technical, financial and contractual architecture ensures these constraints.
It is considered good form to smear technology vendors for misuse by their customers. Unlike most of its competitors, NSO Group abides by the regulations of the Defense Export Control Agency of the Israeli Ministry of Defense. Additionally, internal compliance and human rights policies have led NSO to reject more than $300 million in sales opportunities and terminate contracts worth $100 million due to alleged misuse.
Experts preach that the deliberate weakening of intelligence capabilities protects human rights, but they are wrong. Approaching the world as it is requires going beyond utopian visions. The Hobbesian state of nature is easy to decry from the comfort of North American prosperity, but it cannot be removed.
Denying advanced cyber intelligence tools to less capable countries results in human suffering for multiple reasons. First, crime and terrorism thrive and become pervasive, with ordinary citizens bearing the brunt of the violence. Second, security agencies lacking effective cyber intelligence tools inevitably resort to proven brute force. Unlike the hacker jargon of the same name, this real force is truly brutal: think armed troops on the streets, raids, roadblocks, physical harassment and pre-trial detentions. Emergency powers allow law enforcement and national intelligence agencies to increase pressure to disrupt and uncover the bad guys. Inevitably, armed only with swords, the boots on the ground inflict collateral damage.
Even if insecurity leads to regime change, liberal democracy will not replace it. Instead, people frustrated by insecurity propel populist strongmen to power or look to radicals for salvation.
Private technology companies that develop and export advanced cyber intelligence technologies to relevant authorities are a force for good, including human rights. Responsible governments with better intelligence capabilities prevent greater human suffering: leaders can suppress their toxic insecurity; sovereign governments can better disrupt criminal and terrorist plots; the police don’t need to turn to real mercenaries to gain muscle. Innocent civilians gain a calmer and safer life. Unfortunately, if the Biden administration thinks that preventing states from acquiring advanced cyber-intelligence technology will improve human rights, it is dead wrong.
Lior Tabansky, Ph.D., is Research Development Manager at the Blavatnik Center for Interdisciplinary Cybersecurity Research, Tel Aviv University (TAU).