The NSO Group insists that it only sells its software to governments to use to combat terrorism and major crime, and that they sign agreements to that effect.
The entire story hinges on a "leaked" list of 50,000 phone numbers that is supposedly a list of potential targets for the spyware. All the reporting by the 80 reporters from 17 newspapers who have investigated this story for months is based on this list.
As of today, there is no evidence that this list has anything to do with NSO Group or Pegasus.
Amnesty, Forbidden Stories and the dozens of reports of the story have been remarkably vague about the origins of this list. The entire investigation makes the assumption that the list is linked to the NSO Group - something that the company strenuously denies, and which makes no sense if you actually think about it. Why would the NSO Group keep a list of the targets used by the countries? Wouldn't they want to keep that list as secret as possible?
Even more incredibly, why would the governments using Pegasus pool their lists of targets on the same database, whether maintained by NSO Group or not?
It literally makes no sense that anyone would maintain such a list.
Amnesty's cybersecurity team, backed by experts at the University of Toronto, checked the mobile phones of a small percentage of the people said to be surveilled by the software and found about half of them had evidence that Pegasus was installed on their phones - 37 out of 67 checked from a "leaked" list of 50,000 phone numbers.
The NSO Group founder and CEO Shalev Hulio told Calcalist, "Around one month ago we received the first approach from an information broker. He said that there is a list circulating in the market and that whoever holds it is saying that the NSO servers in Cyprus were hacked and that there is a list of targets there and that we should be careful. We looked into it. We don't have servers in Cyprus and don't have these types of lists, and the number doesn't make sense in any way so it has nothing to do with us. He insisted that it does. We were later approached by two different clients who said that brokers have come to them claiming that they have a list related to NSO. We eventually received some screenshots of the list the brokers managed to get a hold of and based on that we understood that this doesn't look like the Pegasus system, certainly on the server, and that this is an engineered list unrelated to us. We looked over it with the clients and it slowly became clear to us that it is an HLR Lookup server and has nothing to do with NSO. We understood that this was a joke."
HLR (Home Location Register) is a global database of cellular phone numbers. Anyone can get information from commercial vendors of HLR data - including the location of the phone.
It makes no sense that anyone would compile a list of phones that Pegasus is installed on.
Here's what does make sense:
It makes perfect sense that someone would compile a list of phone numbers of prominent government officials and reporters. If someone simply compiled a list of prominent people and their mobile phone numbers, and then linked that to their HLR data, it would be very valuable indeed, mostly for underhanded purposes.
It makes sense that governments that acquired Pegasus legally are using it for illegal or potentially illegal purposes against prominent investigative reporters and political opponents. There is no way to stop that, except for NSO to pull the license when abuses are discovered - and NSO has done exactly that a number of times.
It makes sense that Israel allows NSO to export the software to Arab governments (and others like India) that Israel wants to have closer ties with, even if they have dodgy human rights records, and that they are using it in ways that it is not licensed for. That sort of behavior can be criticized but it is the sort of decision literally every government makes.
It is also very possible that Pegasus, which is just software, has been leaked to unauthorized users to be used illegally. I don't see how NSO could stop that from happening - while normal software might check in with a central server to ensure that it has a valid license, by its very nature Pegasus wouldn't do that because the check itself would reveal its presence.
If there is an underground trade in Pegasus - which seems highly likely given how it can be used - then one can expect that the software has been installed, or attempted to be installed, on the phones of many prominent political players and reporters - people that would be on existing lists.
That would explain why the leaked list would have the phone numbers of some people with verified Pegasus installations or installation attempts. It would also explain why so many of the leaked phone numbers do not have Pegasus installed, a major flaw in the story that has been papered over with the wild guess that the list is of "potential Pegasus targets."
Similarly, Pegasus may have been reverse engineered and recreated to get around any controls the NSO Group may have put into the software itself to protect its own intellectual property.
It furthermore is likely that the NSO Group is aware that its software is being used in ways that it is not licensed for, just as the manufacturers of weapons know that they sometimes get stolen or used illegally despite the efforts of lawyers to ensure that the sales/license agreements are as ironclad as possible. The NSO Group would not admit publicly that there is a lucrative underground trade in its software, because it is a security company and that would hurt its reputation. But criminals and rogue states are always trying to obtain weapons and weapons technology illegally, and cyberweapons are at least as desirable as guns or stealth airplane designs - with the added benefit that once obtained, they can be reproduced for free.
The Pegasus Project and its journalists are acting irresponsibly in reporting this story as if the linchpin to the story itself - the leaked list - is associated with NSO Group. That part is unlikely in the extreme, and the reporting itself is careful not to directly link this list with NSO, instead relying on innuendo.
One can understand why journalists are jumpy at finding out that their names and phone numbers are on some sort of list of targets. That doesn't give them the right to make accusations that have no evidence, or to be so opaque about the source of the leaked list - clearly the weak spot in the story itself. And many stories have been based on the idea that the list itself is definitely linked to NSO Group and not a more general list of phone numbers of prominent politicians and critics.
The desire to place blame on NSO, and on Israel itself for allowing the software to be exported, is more wishful thinking than real reporting.
There is definitely a market in spyware, and it is certainly being used in ways that violate human rights. That is a real story and that is what the story should have been from the start. Instead, it has become just another reason to bash Israel.