The FBI has confirmed purchasing NSO Group’s powerful spyware tool Pegasus, whose chronic abuse to surveil journalists, dissidents and human rights activists has long been established. It suggested its motivation was to “stay abreast of emerging technologies and tradecraft.”
The agency added in a statement Wednesday that it obtained a limited license from the Israeli firm “for product testing and evaluation only,” never using it operationally or to support any investigation.
But critics wondered why the premier U.S. law enforcement agency would need to pay for access to a notorious surveillance tool that has been extensively researched by public interest cyber sleuths if its interest was so limited.
“Spending millions of dollars to line the pockets of a company that is widely known to serially facilitate widespread human rights abuses, possible criminal acts, and operations that threaten the U.S.’s own national security is definitely troubling,” said Ron Deibert, director of Citizen Lab, the University of Toronto internet watchdog that has exposed dozens of Pegasus hacks since 2016.
“At the very least, this seems like a terribly counterproductive, irresponsible, and ill-conceived way” to keep abreast of surveillance tech, he added.
An FBI spokesperson did not say what the agency paid NSO Group or when, but The New York Times reported last week that it obtained a one-year license for $5 million, testing it in 2019. On Wednesday, The Guardian quoted a source familiar with the deal as saying the FBI paid $4 million to renew the license but never used the spyware, which infiltrates a target’s smartphone, granting access to all its communications and location data and converting it into a remote eavesdropping device.
In November, the U.S. Commerce Department blacklisted NSO Group, barring it from access to U.S. technology. Apple subsequently sued the company, calling it “amoral 21st century mercenaries.”
NSO Group has said Pegasus is programmed not to target phones with the +1 U.S. country code, but American citizens living abroad have been among its victims.
Deibert, of Citizen Lab, called for a congressional investigation. Sen. Ron Wyden of Oregon said in a statement that the U.S. public deserves greater transparency from its government about any “relationships with NSO and other cyber-mercenaries” and should know if its government “believes the use of these tools against Americans is legal.”
People hacked with Pegasus have included Uganda-based U.S. diplomats, Mexican and Saudi journalists, leading members of Poland’s opposition, the ex-wife of Dubai’s ruler and her British lawyers, Palestinian human rights activists and Finnish diplomats.
NSO does not identify its clients but says it sells its products only to state security agencies upon approval of Israel’s Defense Ministry. It says the products are intended to be used against criminals and terrorists.
The key parts of the FBI statement issued Wednesday, initially in response to a request from The Guardian:
“The FBI works diligently to stay abreast of emerging technologies and tradecraft — not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate, and test technical solutions and services for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands.”
“The FBI procured a limited license for product testing and evaluation only, there was no operational use in support of any investigation. Since our testing and evaluation is complete, and we chose not to proceed with use of the software, the license is no longer active. Accordingly, the software is no longer functional.”