FBI acknowledges it tested NSO Group's spyware
The Washington Post, February 2, 2022
The FBI tested Pegasus spyware made by the Israeli company NSO Group for possible use in criminal investigations, even as the FBI and Justice Department were investigating whether the NSO software had been used to illegally hack phones in the United States, people familiar with the events have told The Washington Post.
Justice Department lawyers at the time discussed that if the FBI were actually to deploy the tool, it could complicate any subsequent prosecution if the department brought charges, according to the people, who spoke on the condition of anonymity because of the matter's sensitivity.
In a statement to The Post, the FBI confirmed that it had tested the spyware but stressed it had not been used "in support of any investigation."
The FBI statement is the first official confirmation that a U.S. law enforcement agency has tested NSO spyware. The development was first reported by the New York Times.
"The FBI works diligently to stay abreast of emerging technologies and tradecraft - not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties," the statement said. "That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited license for product testing and evaluation only."
Pegasus is NSO's most well-known spyware, breathtakingly potent in its ability to covertly scoop up an iPhone or Android phone user's calls and text messages, pictures and whereabouts. NSO says it's for use only against bad actors such as gangsters and drug lords, but investigations by civil society groups have uncovered its use by foreign governments to track activists, journalists, lawyers and their families.
The Israeli firm has repeatedly said Pegasus cannot be used to target U.S. phones or devices assigned a +1 U.S. number. But NSO appears to have created a workaround - a separate product called Phantom - to enable American law enforcement to monitor U.S. devices, according to documents obtained by the tech news site Motherboard in 2020.
According to the Times, NSO Group made a presentation of Phantom's capability to the FBI in 2019 to show that the spyware "could hack any number in the United States that the F.B.I. decided to target."
The Times also reported that the bureau ran up $5 million in fees to NSO and renewed a contract for the Pegasus software. The FBI declined to confirm those details.
NSO Group declined to comment for this story.
According to the Times, the FBI decided not to deploy the spyware last summer, around the time The Post and an international journalism consortium published a multipart investigation that found Pegasus had been used to attack the phones of journalists, human rights activists and politicians around the world.
The company has promised to investigate abuses of its system and cut off clients who violate NSO rules.
Authorities in Britain, France and Israel have since opened their own probes into the use of the spyware in their countries. WhatsApp, a subsidiary of Facebook's parent Meta, and Apple have sued NSO over its use of their software to plant Pegasus, and the U.S. government has blacklisted NSO for activities contrary to U.S. interests. The company now faces financial peril.
As part of the Pegasus Project investigation, The Post reported that NSO began pitching U.S. intelligence and police officials on its hacking tool as early as 2014 and in 2019 hired several well-known U.S. political figures to help clean up its reputation. But while NSO acknowledged in a statement to The Post last summer that it had retained "top U.S. counsels" to help support its "lifesaving mission," it declined to name its government customers or answer questions about its pursuit of contracts inside the United States.
Other agencies in the United States have acknowledged being approached by NSO. Police departments in San Diego and Los Angeles told The Post last year that they had been pitched but that the license was too expensive. The Drug Enforcement Administration, according to emails revealed through a Freedom of Information Act request and first reported by Motherboard, also found the program too expensive.
The agencies declined to offer details on the pitches, but public records show they were sent brochures boasting that Phantom could "remotely and covertly [extract] all data from any smartphone" and fill "a void in law enforcement data gathering ability." The brochure was distributed by a company calling itself NSO's North American branch.
The use of NSO spyware by the FBI arguably would have been lawful since wiretap laws generally provide such authority, experts say. Erez Lieberman, a former federal prosecutor in New Jersey who has prosecuted criminal hackers, said he would support the use of such a tool "as long as it's done with court approval and internal oversight by the FBI, which makes it very different from its use by some of these other regimes."
Lieberman noted that a decade ago when he was still a prosecutor, law enforcement officials feared the rise of strong encryption on mobile devices was undercutting their ability to intercept criminals' communications. "There has to be a tool for law enforcement to prevent crime," said Lieberman, now a partner at the law firm Linklaters. "The question for us all is what do we find acceptable?"
But others noted that had the FBI used NSO tools and that use had become public, the move probably would have been controversial. Human rights organizations have long highlighted the use of Pegasus by authoritarian governments to monitor their opponents, and the software was used to target associates of Washington Post contributing columnist Jamal Khashoggi before he was murdered by Saudi operatives in Turkey in 2018.
"This is extremely troubling and raises basic questions about whether Americans' constitutional rights are being sufficiently protected as the FBI explores or uses hacking tools," said John Scott-Railton, senior researcher at the Citizen Lab, an affiliate of the University of Toronto's Munk School of Global Affairs and Public Policy. Citizen Lab reports in 2016 were among the first to claim Pegasus had been used to hack journalists and dissidents in countries with troubling human rights records.
In November, the U.S. Commerce Department placed NSO on its Entity List, a designation - in some cases seen as effectively a "death penalty" for companies - that curbs the firm's access to American technologies. NSO has used the servers of American companies such as Amazon Web Services to distribute the malware, WhatsApp charges in its lawsuit against NSO.
The Commerce Department designation came after Apple began notifying users, including 11 employees of the U.S. Embassy in Uganda, that their iPhones had been attacked with Pegasus. Apple also has filed suit against NSO.
"By design, NSO's spyware creates a breathtakingly invasive and disproportionate access to a person's current and past digital life," Scott-Railton said. "It's time for the U.S. government to be much more transparent about the use of such contractors and what ethical oversight is involved. Democracies and dictatorships shouldn't share a hacking toolbox."
In the spring of 2019, WhatsApp discovered that its platform had been hacked by unknown actors who deployed Pegasus to some 1,400 phones and devices. At least one number that was targeted had a Washington, D.C., area code, the company said in court documents.
The company brought the matter to the Justice Department, according to people familiar with the matter. In October that year, WhatsApp sued NSO in federal court in San Francisco, alleging the firm's spyware was used against victims in 20 countries during a two-week period from late April to mid-May in 2019.
What WhatsApp "didn't appear to know" when it filed its lawsuit, the Times's report said, was that the "attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the FBI of Phantom."
Asked to comment on that report, WhatsApp said: "In all circumstances, our priority is to defend our services from threats that would harm people's ability to safely communicate with one another. We will continue our efforts to hold NSO accountable for their attacks against journalists, human rights activists, and government officials in violation of U.S. law. The spyware industry must be prevented from undermining the privacy and security of people in the U.S. and across the world."
The Washington Post's Drew Harwell, Dana Priest and Craig Timberg contributed to this report.