2. Critics weigh in on NSO's human rights plan
In signaling a human rights focus, the NSO Group is facing an uphill battle. That's in part because of the industry's history of subverting rights policies — like when Italy quietly gave Hacking Team a global license to circumvent international export standards on commercial spyware.
The big picture: If NSO is true to its word and genuinely wants to address human rights, it will need to overcome a history of friction with civil society groups, which has left it with an antagonistic relationship where it needs a collaborative one.
What they're saying: The NSO human rights plan reads, "We are committed to ongoing dialogue with all relevant stakeholders ... including organizations promoting the rights to privacy, freedom of opinion and expression."
The other side: "Claims they’ve been dealing with civil society are light," said Danna Ingleton of Amnesty International. In fact, major human rights groups and NSO haven't agreed on the preconditions that the groups require before meetings can start.
NSO's new human rights policy includes (as I reported on Tuesday):
- Commitments to align business policies with the International Bill of Human Rights, the International Labor Organization’s Declaration on Fundamental Principles and Rights at Work, and the UN Guiding Principles on Business and Human Rights.
- Promises to research potential clients and decline to sell to those with too many red flags.
- An external whistleblower program to identify misuse, providing a formal mechanism to contact the firm.
- A promise to engage with civil society groups.
Yes, but: Several human rights experts noted that the NSO Group is not taking public responsibility for abuses in the past, which the experts see as critical to the process of starting anew. NSO, however, might need to violate contractual confidentiality agreements in order to do this.
- The firm does acknowledge that it has terminated 3 contracts with clients in the past over product misuse.
The external whistleblower process does not address how to incorporate law enforcement into the process, which John Tye of Whistleblower Aid found odd.
- "[Y]ou should consult a lawyer and consider reporting the violation to an independent law enforcement agency or investigative body," he said via email.
- "It is strange that NSO Group's 'External Whistleblowing Policy' does not imagine a role for independent law enforcement investigations."
- The NSO Group told Codebook that the whistleblower process was conceived of as being separate from the law enforcement process, and the company believes that law enforcement is the proper adjudicator for many complaints.
NSO doesn't have internal mechanisms to detect misuse, to the frustration of the experts we spoke to.
- For a problem to be investigated, a victim of wrongful surveillance would have to discover, analyze and report NSO's stealthy malware on their own — something that is by design unlikely.
- NSO argues that looking over the shoulders of intelligence agencies would be legally dubious, and hopes to screen out potential misusers before it sells its products to them.
The bottom line: The general sense among civil society groups is that if NSO is serious about protecting human rights, the company will need to demonstrate it through deeds, not statements.
Editor's note: This story has been updated to include NSO's responses to criticisms of the whistleblower process and the absence of internal mechanisms, and also to note that the requirement for preconditions in meetings between NSO and human rights groups comes from the groups' side.