Science

Concerns raised over secretive spyware company's rumoured sale

NSO Group sells spy software that has been used to target activists and journalists — but will the company's potential buyer care?

NSO Group's software has been used to target activists and journalists, which has alarmed researchers

An Israeli woman uses her iPhone in front of a building housing the NSO group, whose government-grade spy software has been used to target activists and journalists, among others. (Jack Guez/AFP/Getty Images)

A prominent digital rights group is sounding the alarm after reports that a controversial developer of government-grade spy software may be up for sale.

The University of Toronto's Citizen Lab, whose researchers have authored multiple reports on the the misuse of spyware developed by a company called NSO Group, sent a letter to the company's rumoured buyer on Tuesday with a list of questions and concerns.

"We urge you to carefully consider the human rights and ethical implications of an investment in a spyware company such as NSO Group," reads the letter, which is addressed to the board of directors of investment firm Blackstone Group, and signed by Citizen Lab director Ron Deibert.

Citizen Lab researchers have found that spy software developed by NSO Group has been used to target a human rights activist in the United Arab Emirates, and journalists investigating corruption in the Mexican government, among others.

Reuters reported over the weekend that Blackstone was offering $400 million US in exchange for a 40 per cent stake in the Israeli-based company, citing a report by the country's Calcalist business newspaper. Blackstone counts former Canadian prime minister Brian Mulroney among its directors.

NSO Group is currently owned by another investment firm, San Francisco-based Francisco Partners, which purchased a majority stake in the company for $120 million in 2014, and considered selling that stake the following year.

"These firms may have limited experience acquiring companies that do offensive cyber, that sell zero-days, or that sell spyware," said John Scott-Railton, one of Citizen Lab's senior researchers and a lead author on its NSO group reports. 

"Although they have carefully crafted statements committing them to responsible investment ... these may predate the gold rush towards investing in companies offering offensive capabilities," he said.

The million-dollar target

Citizen Lab has published five reports during the last year that detail the improper use of spyware developed by NSO Group, and has asked whether Blackstone has considered the risks of investing in the company.

More generally, the researchers have also asked Blackstone whether it has "any specific policies or ethical guidelines concerning investments in firms such as NSO Group that sell zero-day exploits and surveillance technology." 

CBC News has asked Blackstone for comment on the letter, and will update this story if we hear back.

In Citizen Lab's first report on NSO Group spyware from August 2016, researchers uncovered efforts to target an iPhone belonging to UAE-based human rights activist Ahmed Mansoor.

The attack relied on three zero-day exploits — a term used to refer to secret software vulnerabilities that have not been previously disclosed or patched by the software's manufacturer. Citizen Lab researchers noted that a similar chain of exploits had been sold for $1 million in 2015. 

And in recent months, Citizen Lab has detailed similar attacks in Mexico targeting journalists, lawyers, activistsscientists, opposition party politicians, and international experts investigating a missing persons case.  

In each case, the targets received messages containing links that, if clicked, would infect their devices with the NSO Group's spy tool.

An NSO spokesperson told Motherboard last year that its agreements with clients "require that the company's products only be used in a lawful manner."

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.