The NSO Group, a private Israeli cybersecurity firm, responded to questions posed to it by ANI after media reports published on July 17th by a consortium of news outlets alleged a targeted, mass digital intrusion operation, apparently for the purpose of surveillance by a number of nations on their citizens. The list of nations includes India and, as per media reports, journalists, members of the government, opposition and other eminent Indian citizens were targets of these 'spyware' attacks, using the NSO Group's software, 'Pegasus'.
Terming the media reports "an international conspiracy", authoritative sources within the NSO Group spoke to ANI on the recent revelations in the 'Pegasus Project', as termed by the media groups reporting on the alleged leaks.
(ANI Question) Have you been contracted to work with the Government of India in any capacity? Specifically, has the Pegasus software been purchased by GoI or any other entity associated with the GoI?
NSO Group: I cannot refer to any customer; the list of countries that we sell Pegasus to is confidential information. I cannot speak about specific customers, but the list of countries in this story is totally incorrect; some are not even our clients.
We only sell to governments, and that too to law enforcement and intelligence organizations of the government. Due diligence is done; we subscribe to all UN guiding principles before and after selling. There are no abuses of any international systems.
(ANI Question) If that is the case, then how did you get all these Indian phone numbers in your system? The explanation is unclear on this, please clarify how these phone numbers came into your possession?
NSO Group: We are a technology company, we neither have numbers nor do we have data, that remains with the client who gets our technology. No, there is no server or computer with us where data is stored when our technology is given to a customer.
(ANI Question) The media report alleges that a forensic analysis was done of the phones affected by Pegasus, which confirmed infiltration by the software. What explains this?
NSO Group: Where is the proof? We are used to these accusations. No proof is given, they are relying on nothing. They approached us saying 50,000 targets of Pegasus were noticed. That is ridiculous! We sell the licenses, we know that this is an impossibility. What has come out in the reports so far is that out of 50,000 now they seem to be talking about 180, from 180 it has now come down to 37 and... now it seems in actuality it's 12.
(ANI Question) What about the phone numbers though, please explain that.
NSO Group: We have reason to believe that they used some service like HLR lookup, it's a free service. Anybody can log in, put in a number and get all data, including name, number, roaming, location. It is possible there was a breach in some service provider similar to HLR lookup. And if they are saying 50,000, it could be a random list like some sort of vaccination list. We don't know how they got it but this is not from any of our systems. We are the first cyber company to comply with all human rights guidelines, we have only credible clients. We carry out open investigations, whenever a complaint comes in. In the past we have shut down sale or service, if there was any doubt. We are the only cyber intelligence company that has so many firewalls and have published a transparency report. The NSO Group develops technologies that save lives. People who buy our services are in the business of preventing terrorism and catching criminals like pedophiles.
(ANI Question) In the list that has been published of countries affected by Pegasus, India is the only democracy mentioned. It has come as a shock to many of us...
NSO Group: The majority of our clients are Western democracies.
(ANI Question) Are you saying that then maybe your competitors engineered all this?
NSO Group: Initially it could have been a competitor but this is a lot of trouble to go for a tech company. This is clearly some international conspiracy. The entire idea of Pegasus is to fight terror and crime and those that buy these services are trying to break terror outfits that use end-to-end encryptions. Law agencies have no other way to fight terror other than use credible technology like ours which has several firewalls of regulation and human rights policies and verification processes.