Pegasus makers face EU grilling. Here’s what to ask them

Spyware victims, meet spyware-makers.

A key group of European Parliament members will Tuesday afternoon get their first shot at quizzing representatives of one of the most notorious spyware makers out there: the Israeli firm NSO Group.

The hearing is the climax of lawmakers’ work in an inquiry committee set up in March, aptly called the PEGA Committee, after NSO’s most famous hacking tool, Pegasus. The inquiry followed revelations that the spyware is widespread in Europe and has been used against some of the bloc’s most prominent leaders, including Spain’s Prime Minister Pedro Sánchez, and political groups in Spain, Poland and Hungary.

The list of victims spans political groups, journalists, lawyers and activists — and even some members of the European Parliament (MEPs).

After weeks of political pressure, NSO Group drafted its General Counsel Chaim Gelfand and external lawyer Nicola Bonucci to defend the firm’s troubled reputation.

So what should lawmakers ask the world’s most notorious spyware-maker’s top lawyers Tuesday? We had a crack at some suggestions:

Who are your clients?

NSO Group has been shy to give up its client list. We know it’s primarily used by government authorities but knowing which exactly will be a focus for MEPs grilling the company.

In Europe, Poland and Hungary have confirmed they’re clients, but there are thought to be others too. An NSO founder previously told the New Yorker that “almost all governments in Europe are using our tools.” Researchers at Citizen Lab suspect Spain of having used the tech on scores of Catalan politicians and the Spanish government itself launched an investigation into the conduct of its intelligence agency. Luxembourg and France have both pushed back on reports that they’ve bought the spyware.

Forcing the company to give up a list of government — and, whisper it, private sector — clients would help crack the black box that the spyware firm and its competitors operate in.

Which EU capitals facilitate your sales?

NSO Group representatives have previously said that they’ve been granted export licenses for their tech from Cyprus and Bulgaria. Both of these governments have denied doing so. Questions remain as to whether these and other countries granted licenses to NSO subsidiaries with names that aren’t immediately linked to NSO Group.

Documents shared with members of the inquiry committee and seen by POLITICO show how NSO Group set up a sprawling corporate structure with obscure-sounding subsidiaries in multiple countries in Europe and beyond.

NSO Group is made up of over 30 subsidiaries and units — with names like CS-Circles Solutions and Westbridge Technologies — across Israel, Luxembourg, Cyprus, Bulgaria, the United States, Hong Kong and the United Kingdom. That’s according to a company structure shared with MEPs by investment firm Berkley Research Group (BRG), which took over management of NSO Group in the summer of 2021.

Bulgarian and Cypriot officials previously did not respond to POLITICO’s requests to clarify whether NSO subsidiaries were granted licenses in Europe. MEPs would do well to clarify this with NSO itself.

Do NSO Group employees get access to the data?

NSO Group has given conflicting reports on whether its employees actually get access to the data harvested using their tech. It has downplayed its role in the hacking by arguing it merely sells the software tools but doesn’t have control over or access to its use cases.

But previous investigations into other spyware vendors like the Italian company Hacking Team showed many spyware-makers do maintain access to the spyware products once they’ve sold them and provide customer support after the sale.

If NSO employees based outside of Europe do indeed get access to data, that would raise questions as to whether the transfers of data adhere to the EU’s strict privacy requirements.

Have you purchased software vulnerabilities?

The more cyber-savvy lawmakers will want to press the firm on where the company gets its hacking exploits from.

NSO Group’s tools are sophisticated and can compromise smartphones in ways that users barely notice. The ways it exploits glitches in smartphone software begs the question whether the firm develops all its hacking know-how in-house or also purchases so-called zero-day vulnerabilities — glitches that were unknown to the wider cybersecurity community — from other sources.

Getting a glimpse of the murky supply chain of hacking software like Pegasus would be somewhat of a holy grail to European lawmakers trying to police and regulate this market.