The Citizen Lab is in receipt of the correspondence from NSO Group dated 23 December 2020 in response to the Citizen Lab’s report titled “The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit” (referred herein as “The Great iPwn” report). The report describes the suspected use of NSO Group’s Pegasus spyware against 36 journalists with Al Jazeera and a journalist with Al Araby TV.

NSO Group’s request for additional information from the Citizen Lab

In its correspondence dated 23 December 2020, NSO Group writes that the company is treating the Citizen Lab’s The Great iPwn report as a “whistleblower claim” under the company’s internal policies. In connection with this, NSO Group has requested additional information regarding the targets of the spyware campaign.

The Citizen Lab is a research institute based at the Munk School of Global Affairs & Public Policy at the University of Toronto. Because our research involves human participants, our research is subject to a research ethics protocol that is approved by the University of Toronto’s Research Ethics Board and strictly followed. The research ethics protocol applicable to The Great iPwn report requires that we keep research participants’ personal identifying information confidential. Your request for additional information regarding the spyware campaign detailed in the The Great iPwn report should be directed to Al Jazeera and Rania Dridi, who may be able to share further information.

There is no reason to believe NSO Group takes its responsibility to respect human rights seriously and will undertake a thorough and transparent investigation

... First, the company’s human rights and whistleblower policies are in and of themselves deficient. Second, NSO Group has yet to seriously engage with the Citizen Lab’s past research describing the human rights harms caused by NSO Group’s technology, further suggesting that the company does not take allegations of human rights abuse seriously.

Deficiencies in NSO Group’s human rights and whistleblower policies

Significant problems have been raised regarding NSO Group’s internal human rights and whistleblower policies. These deficiencies were recently outlined by former United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Mr. David Kaye, in his amicus brief filed in the ongoing NSO Group v. WhatsApp litigation in the Ninth Circuit...

NSO Group’s repeated failure to engage with the Citizen Lab’s research findings

Finally, NSO Group’s repeated failure to seriously engage with and address the Citizen Lab’s prior research regarding the deployment of Pegasus spyware further suggests that NSO Group is not committed to a thorough and transparent investigation. Since 2016, the Citizen Lab has published numerous reports regarding the use of Pegasus spyware against human rights defenders, journalists, politicians, and other members of civil society. Despite these findings, NSO Group has failed to substantively engage or respond to the research presented by the Citizen Lab and other organizations.