WhatsApp spyware: UK firm promises new 'respect for human rights' following allegations

A controversial Israeli cyber weapons company has agreed to establish new internal rules on ways it will protect human rights activists and journalists following multiple allegations that its technology was used to spy on dissidents and the media.

Its majority owner, Novalpina Capital, a UK private equity firm, has promised a “significant enhancement of respect for human rights” at NSO Group, whose Pegasus software was recently alleged to have infected phones through a glitch in the WhatsApp messaging software.

The announcement was made shortly after the Guardian revealed NSO Group’s ownership structure. Documents show Yana Peel, a human rights advocate, has a one-third stake in Novalpina Capital, which was founded by her husband Stephen Peel.

In a lengthy statement about the changes at NSO group, he said: “Novalpina is committed to do whatever necessary to ensure NSO’s technology is used only for its intended lawful purpose”.

Under the new proposed guidelines, Novalpina promised that NSO would aim to disclose “all information of relevance and importance” about the firm’s work, unless it was prohibited by law from doing so, risked public safety, national security, or employee safety, or if it needed to protect “legitimate commercial confidentiality”.

Novalpina also said this new governance framework will “be designed to reflect the need for particular attention to be paid to adverse human rights impacts on individuals at ‘heightened risk of vulnerability or marginalisation’”, including journalists and human rights defenders.

It followed multiple allegations that NSO has licensed its powerful surveillance technology, Pegasus, to authoritarian regimes and other governments that have allegedly used it to target journalists, dissidents and political activists.

The alleged targets include Omar Abdulaziz, a Saudi dissident based in Canada, who claimed in a lawsuit filed in Israel that Saudi spies used NSO software to hack his phone and access his conversations with Jamal Khashoggi, the Washington Post journalist who was murdered by Saudi government operatives last year.

The initial response to NSO’s announcement from activists and researchers who closely monitor the company was sceptical.

“You don’t do human rights by press release, and you don’t commit to openness by listing all the ways you reserve the right to not be open,” said John Scott-Railton, a senior researcher at the independent research group Citizen Lab, at the University of Toronto.

Scott-Railton said that, since taking over NSO, Novalpina had repeatedly made promises to do better, while simultaneously denying that there were problems.

“Since the denials seem not to be working, they are doubling down on promises. Unfortunately for them they have have already burned through a lot of credibility with civil society,” he said.

The researcher said he had two core concerns: that Novalpina’s “caveats” could make it easy for the company to avoid disclosing any new information, and that any decision to continue to licence NSO’s products to authoritarian regimes, or governments that allowed intelligence services to use the technology without oversight, virtually guaranteed that abuses would continue to occur.

NSO was taken over by Novalpina Capital in February, in a deal that reportedly valued the cyber weapons company at about $1bn. Novalpina owns about 70% while NSO’s Israeli founders hold the remainder, according to company records.

Novalpina was founded by Peel, a British businessman. But corporate filings in Luxembourg state that Novalpina is jointly owned by his wife Yana and his two co-founders.

The Guardian’s discovery of Yana Peel’s ownership was followed by her announcement she was resigning from London’s Serpentine Galleries, where she had been chief executive.

She blamed “misguided personal attacks on me and my family” for her decision.

In its statement, Novalpina said it wanted NSO to fully align itself with the UN’s guiding principles on business and human rights, and vowed to do within 90 days, without giving details of how this might be done.

The company has said it investigates allegations of misuse of its software but that it cannot comment on allegations because it cannot reveal the names of its clients.

Stephen Peel said: “The lawful, appropriate and responsible deployment of surveillance technologies such as NSO’s by government intelligence and law enforcement agencies is essential to address the serious consequences of what would otherwise be untraceable crime, terrorism, paedophile rings, human trafficking, drug cartels and the like.”

NSO Group has said in the past that its technology has been used to thwart terrorist attacks, but has declined to provide examples.

Last week, in the first statement it released, Novalpina credited NSO technology for disrupting plans for a terrorist attack at a crowded stadium in Europe. It also said that the Mexican government had credited NSO for assisting it in its 2011 arrest of the drug kingpin known as El Chapo.

But after initially publishing the statement on its website on Friday, it removed the press release. A new release was then posted on Novalpina’s website on Saturday, following an enquiry by the Guardian. The reference to El Chapo and the terror plot were removed.

Novalpina says that all NSO clients are vetted by an internal “business ethics committee”, which includes outsiders of “international standing”. But the company has repeatedly declined to identify them.