Since April, a committee of inquiry in the European Parliament has been examining the use of "surveillance and spy software" such as Pegasus. In June, the committee invited the company NSO, which manufactures and sells the state trojan Pegasus. Speaking for NSO was Chaim Gelfand, General Counsel and Chief Compliance Officer of the Israeli company.
Unfortunately, only a video recording of the hearing exists, and downloading it is cumbersome. There is also a verbatim transcript, but it is not public. We are now publishing the video file and the official verbatim transcript.
Roughly 12,000 to 13,000 targets per year
The Parliament writes in a press release that the MEPs "grilled" the NSO representative. We described the statements as a "litany of non-answers". In fact, Chaim Gelfand said two revealing things that have so far received little attention.
NSO admitted that in the past it had "about 60 customers in 45 countries", including 14 EU Member States. Currently NSO has "fewer than 50 customers", including twelve EU countries. These customers attack "about 12,000 to 13,000 targets" per year with the state trojan Pegasus. That means police and intelligence services use Pegasus every 40 minutes to hack and surveil smartphones.
Countries may discuss Pegasus
NSO would not say which countries use Pegasus. According to Gelfand, NSO is not allowed to answer these questions. He did say, however, that the "governments of the individual EU Member States" may provide information about Pegasus: "It's their security, and they can decide whether they want to discuss this question or not."
With this, NSO contradicts the German Federal Government. The Interior Ministry had claimed the opposite in the Bundestag: "The companies do not want it to become known that they cooperate with the Federal Government or with federal security authorities. If that happens, they end their business relationships with us." NSO has now officially refuted this blanket statement.
Although it has long been publicly known that the Bundeskriminalamt (Federal Criminal Police Office) and the Bundesnachrichtendienst (Federal Intelligence Service) use Pegasus, the traffic-light coalition government refuses to provide further information. Interior Minister Faeser will not even say whether the data collected with Pegasus is protected against access by third parties, or whether the Federal Government has itself been hacked with Pegasus.
Members of the Bundestag from the governing parties FDP and the Greens demand: "The Federal Government must inform Parliament about the use of Pegasus." With NSO's permission, it has one excuse fewer. We have requested the contract between the BKA and NSO. If we do not get the answer, we will sue again, as we did with the state trojan FinFisher.
- Date: 2022-06-21
- Place: Brussels
- Institution: European Parliament
- Committee: Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware
- Chair: Jeroen Lenaers
Exchange with NSO
- Chaim Gelfand, General Counsel and Chief Compliance Officer, NSO
- Nicola Bonucci, Partner, Global trade and investigations & white-collar defence practices, Paul Hastings law firm (Paris)
The exchange of views opened at 15.06.
Chair: Dear colleagues, a warm welcome to you all at today’s hearing of our Committee of Inquiry on the use of Pegasus and equivalent spyware. We have interpretation in the following languages today: German, English, French, Italian, Dutch, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian.
Our first point on the agenda is the adoption of the agenda, and if there are no comments, I consider it adopted.
Then we move to the first part of this meeting, which is an exchange with NSO, the company that produces Pegasus, and NSO is represented here by Mr Chaim Gelfand, the General Counsel and Chief Compliance Officer, and Mr Nicola Bonucci from the Paul Hastings law firm in Paris. It’s a pleasure to welcome you here today.
As you know, our committee of inquiry has been set up to investigate the abuse of Pegasus and equivalent spyware in the Member States of the European Union. So our committee will not focus exclusively on the spyware that you produce at NSO Group, but as you probably can infer from the abbreviation of our committee of inquiry, Pegasus will be at the centre of our work. And I read with great interest also the first NSO Group transparency and responsibility report from June last year, because I think transparency and responsibility is exactly what we need today as well to make this hearing a success.
Let me highlight one sentence maybe from the foreword of this report, which says ‘we must hold ourselves to a higher standard and act with stewardship and transparency, taking into consideration the need for the sensitive balance between states’ obligations to ensure public safety and concern for human rights and privacy’.
Now I think that higher standard is exactly also what this committee will be looking for today, and I count on you also to show that commitment, also in answering the questions of our Members today.
Now, on practicalities, before we move into the substance of today’s meeting, I would like to ask you, dear colleagues, that all Members who want to take the floor in this first part of the meeting to indicate this during the contribution of Mr Gelfand so that we can complete the speakers’ list and keep an eye on the clock as well. We will use the ping-pong format so we get immediate answers to our questions. What I really ask you is to stick also to the speaking time to make sure all Members that so desire can take the floor.
Finally I would like to remind the colleagues and everybody who is following this hearing today about the PEGA Committee whistle-blower functionality. If you have any relevant information for the work of our committee that you would be willing to share, please do so and send it to the dedicated email address that you can find on the website of our committee.
Now, without further ado, and with an eye to the clock, I am very happy to pass the floor to Mr Gelfand for 10 minutes.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): On behalf of NSO, I want to thank the members of the committee of inquiry for having us here today. We are very appreciative of the opportunity to speak with you directly and would like to use this time to cover three main areas. First, we will provide the committee with information on NSO as a company, our technologies, goals and practices. Second, we would like to dispel certain rumours and misconceptions regarding our company and its technologies that have been prominent in the press and public debate. Third, we would like to share our goals and commitments for assisting the committee in its ongoing work.
Before we begin, we should note that there are limits to the information we can share with the committee and others. As you know, NSO is a private company providing export-controlled cyber intelligence technologies only and exclusively to government agencies for the purpose of preventing and investigating terrorism and other serious crimes. As a result, we are unable to share details about our customers, as well as the crimes prevented and criminals tracked and apprehended using our technologies, or trade secrets of the technology. This practice is imperative to protect the legitimate legal and operational needs for secrecy of cyber intelligence and law enforcement agencies. We are, however, committed to transparently sharing with you accurate information regarding our company and technologies.
We would like to begin with stating the simple truth that this technology has been conceived and designed to save lives worldwide. NSO was founded in 2010 and was developed in order to respond to the needs and requests from various law-enforcement agencies, including some from EU countries, to find a technological solution to gather intelligence from encrypted mobile devices. NSO was established with the ambition to make the world a safer place and has been doing so since day one.
Since its establishment NSO has set forth four principles to guide the manner in which it works. One: NSO only sells to governments. Number two: NSO will not sell to just any government. Number three: NSO does not operate the systems. And number four: a desire to be regulated by government regulators.
NSO’s products are licensed for sale with the approval of the Israeli Export Control Authority and provided exclusively to government, intelligence and law-enforcement agencies. The rapid development and widespread use of technology by terrorists and criminals has profoundly changed the ability of states to prevent and investigate terrorism and other serious crimes. Our products assist state authorities in addressing the ‘going dark’ problem, meaning the growing misuse of end-to-end encryption of applications by terrorists and criminals to conceal messages and plots when communicating through mobile devices. The only other option to conduct investigation in today’s world is through mass surveillance or backdoors to the devices of all users, which would be much more intrusive technology.
The technology like that developed by NSO is the only type of target-centric solution that is known. NSO is most well known for Pegasus, a cyber intelligence programme used by state law-enforcement and intelligence agencies to collect data from specific mobile devices during investigations.
Through the use of Pegasus, state authorities have and continue to thwart numerous terrorist attacks such as suicide bombings, and it has been instrumental in apprehending paedophiles and other serious criminals. NSO is fully aware of and committed to its own human rights responsibilities and the duties of its clients, and is determined that its products be used appropriately and lawfully. In light of this, NSO has made a fundamental commitment to voluntarily take steps to address these concerns, including by following the approaches described in the United Nations Guiding Principles on Business and Human Rights (UNGPs).
NSO is proud to be the first and, to our knowledge, the only company in the cyber industry effectively implementing policies towards complete alignment with the UNGPs. This includes adopting and implementing policies, procedures and internal human rights programmes, including human rights due diligence procedures, reviewing each credible allegation of misuse that is raised, conducting international investigations and engaging with all stakeholders.
Unfortunately, not all allegations made against NSO are credible. For example, we have identified many allegations that are false or contractually and technologically impossible. These allegations often rely on evidence and data that was not provided to NSO, preventing us from being able to verify or refute such claims, and thus introducing confusion that is detrimental to maintaining public confidence in these technologies.
I would like now to dispel a number of misconceptions that have surfaced in the press and public debate with respect to our company’s activities and technologies. A lot of information has already been presented to the committee and there are numerous allegations that simply are not true. In light of the allocated time, I cannot go through all of them, so I’ll focus on the main or most common misleading and/or incorrect allegations.
It is not true that NSO Group operates Pegasus and collects information about individuals. It is not true that Pegasus has greater technological abilities in its design. It is not true that NSO Group sells its technology to private companies. It is not true that all traces of Pegasus software vanish on devices. It is not true that NSO Group retains data and Pegasus creates a permanent and strong risk of massive security breaches comparable to encryption backdoors. And it is not true that the so-called 50 000 phone numbers list is a list of targets of Pegasus. I will address each of these misconceptions one by one.
Let me state unequivocally that NSO does not operate Pegasus, has no visibility into its usage and does not collect information about customers or who they monitor. NSO licenses Pegasus solely to law-enforcement and intelligence agencies of sovereign states and government agencies, following both a careful and sector-leading pre-engagement due diligence process and approval by the Israeli Government.
Licences are limited in number and contracts are carefully crafted to permit only legitimate use. NSO does not have any knowledge of the individuals whom states might be investigating, nor the plots they are trying to disrupt. For obvious reasons, sovereign states normally do not and will not share this extraordinarily sensitive information with NSO or any other provider of similar technology.
Regarding the second misconception, first, Pegasus is not a mass-surveillance tool. The data is collected only from the mobile devices of pre-identified specific individuals suspected to be involved in terrorism and other serious crimes subject to judicial or other appropriate oversight. Pegasus is used with specific pre-identified phone numbers one at a time, and is similar in concept to traditional wiretap.
Second, Pegasus does not delete or edit data on a targeted device or allow for such deletion or editing. Pegasus is designed with intelligence and data-gathering capabilities and is incapable of impersonating a victim. It cannot be used for any other purpose.
And third, Pegasus cannot be used to gather information broadly and does not penetrate computer networks, desktop or laptop operating systems or data networks. Regarding the third misconception, NSO Group sells its technologies strictly and exclusively to government and government agencies for the purposes of combating terrorist activities and crime.
Regarding the fourth misconception, while Pegasus is indeed hard to detect on a target’s phone, it has a built-in investigating capability in case a misuse is suspected. This is impossible to erase or manipulate. Those capabilities cannot be completely deleted and an audit trail log exists permanently with the ability to retroactively check whether or not a certain phone number was penetrated. NSO has been granted access by its customers to perform this type of investigation many times in the past when an allegation of misuse arose, which has led to NSO shutting down systems and terminating a number of contracts.
Regarding the fifth misconception, the data collected by customers is not stored in any cloud, and there are no backdoors to the system. There is no shared database of NSO customers, and the logs securely exist only on the servers of the customers.
Regarding the alleged list of 50 000 phone numbers, this is simply not possible. Indeed, the number of purported targets is entirely implausible based on the number of licences actually granted by NSO. The so-called list of targets, for which no details or source has been disclosed publicly, is not a list of Pegasus targets, nor has it been taken from the Pegasus system. This has even been acknowledged by several of the organisations that refer to the list. Prominent names given as examples drawn from that list have been verified as never having been a target subject to our technology.
I would like to end my remarks by reiterating NSO’s commitment to assisting the committee in its ongoing work. NSO believes that cooperation between our company and the committee can be fruitful in looking at concrete solutions to address human rights in our industry. As previously stated, as well as many law-enforcement agencies, we firmly believe that cyber intelligence technologies are necessary to address threats of terrorism and other serious crimes.
There is no other alternative that better addresses the equally legitimate public concerns of security and privacy. Therefore we strongly reject any calls to ban these technologies or for a moratorium. That being said, NSO has called for, and continues to call for, the establishment of an appropriate international legal framework, sector-specific standards for states and companies, and guidelines to better determine criteria for legitimate end-users of crucial intelligence systems.
NSO is open to engage with all governments and other stakeholders, including civil society organisations, international organisations and the United Nations Special Procedures, and to enter into meaningful dialogue with a view to establish concrete solutions to promote respect for human rights by all.
Lastly, at the end of today’s meeting, and if the Chair allows, NSO intends to provide the committee with a position paper which outlines many of the points we have raised today. We thank you again for your invitation to join the committee today and look forward to answering your questions.
Sophia in ‘t Veld (Renew): Thank you Mr Gelfand, we would be very interested in your position paper and also your speaking notes for today. And I’m also looking forward to the reply to the written questions that I have sent to you, because clearly today there is not sufficient time to put all the questions and written questions will be very helpful. I’ll go very quickly through a handful of questions.
You say that the only purpose for which Pegasus can be used and is sold is fighting terrorism and serious crime. In that case, I would like to understand which cases of terrorism and serious crime were at stake when you sold Pegasus, for example, to the Hungarian and Polish governments? And whom did you sell Pegasus to when it was used to eavesdrop on the European Commission? And exactly how did that prevent terrorist attacks or serious crimes to be committed?
Then, I would also like to understand – you say you obtained export licenses from Bulgaria and Cyprus. They seem to deny that they have ever given you an export license. Can you explain the difference? And can you also explain why you are using Bulgaria and Cyprus in order to obtain export licenses rather than just licensing or getting export licenses from Israel?
Then, there is continuous ambiguity about whether or not you have access to the information. NSO keeps saying, no, we don’t have access to the information – although I thought I heard you say something about when you are investigating allegations of misuse, in that case, with the authorisation of the customer, you do get access. I’d like to hear a bit more about that. But a former employee of yours mentioned in an article in The New Yorker that NSO does have access to all the data of its customers. So can you clarify this discrepancy? Was that person lying or are you not telling the entire truth?
Then, on the structure and the operations of the company, I understand that the consequences of US blacklisting have been very severe for NSO, to the point that you got into financial trouble. So what does that say about the importance of your business with the United States and your Pegasus operations, the fact that being blacklisted with regard to one product hits your company so hard? And then we’ve read in the media about the potential sale of Pegasus surveillance technology or the codes, or parts of the company, even to either L3Harris or Thiel Capital – Thiel, Mr Peter Thiel, friend of Donald Trump and also owner of Palantir. Are you considering indeed selling your technology or parts of your company to either of these two companies? And can you say a little bit more about the reasons for that and what impact that will have on the blacklisting?
I’ll leave it at that for now.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Yes, I know you had sent the written request for written response over the weekend. I saw it yesterday evening and we will review that and try to see what we can get back to.
As I stated, I won’t be able to get into issues of specific customers that have been written about in the press or otherwise. But I can say when we sell the system to the customer – and this is what we’re saying, this is the reason we sell the system to the customer – the customer is committed to that reason, both contractually and in the end-use license that it has to sign and is provided to the Israeli Government, that the only and sole reason that it is purchasing the system is for the fight against crime and terror. If a customer uses it for reasons that are not related to the fight against crime and terror then we take it extremely, extremely seriously and investigate it, as we said. And when we find out if a customer has violated this in a systematic manner, the customer will be shut down and we will terminate the contract with that customer and no longer continue working with that customer.
Sophia in ‘t Veld (Renew): Have you done that with the Polish and Hungarian governments and whoever has bought Pegasus to spy on the Commission? Can you confirm that those licenses have been terminated?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Regarding the question on export licences in Cyprus and Bulgaria, as you mentioned, we have companies that are located also in Cyprus and Bulgaria that deal with other technologies. They do not deal with Pegasus. Licences for export of Pegasus are only received from Israel, and I think the response of the Bulgarian and Cyprus authorities was with regard to Pegasus. There are other intelligence items that do other things, like location finding and the like, that are developed there and require export licences as well to be sold. And those are the relevant companies there when they export and receive licences from the authorities in those countries. But that is not related to Pegasus. I’ll jump over to the other question – I’ll get back to that in a second because this is connected – the structure of the company sometimes is looked at as confusing. In the past – I think it was a year and a half ago – we responded very broadly to Amnesty and that is public. We explained the whole structure – the structure as a result of various acquisitions that happened over the years and the way those companies were set up beforehand. We’re not trying to hide anything. We’re completely transparent as far as the structure, and anyone who wants can look and see. We provided there a very detailed explanation of the structure of the company.
Regarding the access to information, we do not have access to the information. It is saved only on the customers’ sites. As I said, on their server, on the customer’s server that is located on the premises, on the customer’s site. There is also an audit log that is kept in an area of the server where the customer cannot access to delete any information there. In the event that it is required as part of an investigation to verify whether a certain phone number was targeted or not, we request access from the customer to that area of the system where we can then connect and verify whether a certain phone number was targeted or not. This is done as part of an investigation. Again, as I said, we have a unique process for whenever an allegation comes up to investigate the issue – investigating an allegation like this includes very often two parts. One, the factual question of was this person actually a target of the system? Because as I mentioned before, numerous reports that have come out and as I have mentioned here, we have stated this publicly before, about President Macron; the issues that came up about Jamal Khashoggi, questions of Jeff Bezos, the system was not used on those numbers. So in those cases, we have a first issue of the facts on the question of was the system used against the number.
Regarding the issue of the blacklist, the US Entities List affects the ability of the company to purchase any item that is subject to the export administration regulations of the United States. Those type of restrictions obviously have an effect on the company. And we are confident when we get into discussions with the US Government we will be able to explain to them, similar to what we’re explaining here about how the company works and why we think that the opposite is true, that the company is necessary for the security of the world and why we should not be on that list and that we will be removed from that list.
I can state that the company is always in various negotiations with different companies around the world regarding acquisitions. More than that is something that I can’t get into because it’s confidential information and if anything happens, obviously, things are made public at that time.
Bartosz Arłukowicz (PPE): I am from Poland and I have a few questions for you. You said that you sell the Pegasus system only and exclusively to government agencies and governments. On this phone I have, thanks to the work of investigative journalists from Poland, an invoice between a private company linked to the old intelligence services of communist-era Poland and a government agency, probably selling the Pegasus system. Could you explain this? How does this square with your saying "we only sell to governments", while investigative journalists in Poland prove that a private company buys it from Israel and then sells it to a government agency?
I also wanted to ask you, since you said that you only sell it to governments that fight terrorism and major threats: when did you find out, and did you find out, and from where, about the wiretapping and spying with Pegasus on the head of an election campaign in Poland in 2019? His name is Krzysztof Brejza. We know that he was spied on with the Pegasus system while he was leading the election campaign for the European Parliament, in which you are sitting today. I want to ask you whether you checked what terrorist activity the former Deputy Prime Minister of Poland, who according to media reports was spied on with the Pegasus system, was engaged in. Did you learn about the spying on the head of the election campaign in Poland in 2019, when according to media reports it took place, or only after the Citizen Lab report in 2021? Have you terminated the licence agreement with Poland, with the Polish Government or with any Polish company?
And the fundamental question: did you sell this system to Poland? If you terminated the agreement with Poland, when and on what basis? Since you claim that you have no access to the collected data, on what basis do you determine that the system was misused? And finally, do you have any control over where and how the data is used, and against whom, by your customers who bought this system from you?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, I cannot respond to specific questions about governments. I can and again, I invite the committee if they want to speak with the various governments in the various countries that are members of the EU. And many of them, I can say it in general, that many of them are customers.
Regarding the issue of sales to government agencies, what I am saying is that the government agencies are always the end user. The installation of the system is always at the government agency. There are sometimes commercial third parties that are involved in the transaction for reasons of security aspects. These commercial third parties will very often be in between as an intermediary between NSO and a government on the contractual side of things. They never receive the system itself, they do not have access to the system. They’re acting only on the commercial aspects and the system itself is installed by the end user and is only used by the end user. It’s installed by our company in the end user’s facility. And again, as I said, a private company can be involved sometimes in the commercial aspects of the sale as part of the marketing, but does not receive the system or access to the system. The end-user certificate is signed by the government and provided to the Israeli Government as a government-to-government commitment.
As I stated before regarding the issues of the investigations, and I’ll repeat it again, we sell the system to save lives. We do not have access to the intelligence. Therefore the way that a suspicion comes up which results in us investigating will almost always be either through our whistle-blowing – we also have, and anyone who wants is invited, we also have it on our website, we have a whistle-blowing email. We get reports either through the whistle-blowing email or things that are brought to our attention by NGOs or the media. Those are things that are the beginning of an investigation on our side. And then we will investigate to see that it was properly and correctly used. Again, those investigations are in-depth investigations. If a customer does not cooperate, then we’ll shut them down just for not cooperating with our investigation. This is a requirement under contract, and that is the way that we try to assure that these things are used correctly.
I’ll go and say more than that. I think, you know, and this is what we were calling for and we think that this issue is an issue that cannot only be dealt with by private companies. Our ability to go and investigate another government even though they have a contractual obligation to us is always going to be very limited. Only as a private company, any decision that we make as far as the legal status of the laws in that country, the way the country itself is following those laws are, you know, are the various different bodies independent of that? We’re a private company. We’re very limited in our ability to do that. Any other private company out there doesn’t even try to do it. We try because there is no government body that has taken that responsibility upon itself. If there would be such a government body that would take the responsibility upon itself, we think obviously that would be the best way to go forward with it.
Bartosz Arłukowicz (PPE): I am very sorry, Chair, I am very sorry. Either we take our work seriously, or we will keep going round in circles. I asked a question. You claim: we sell only to governments, and now you say: we sell to private companies. Look: on this phone I have an invoice for training between the Pegasus company and a private company which then sold it to a Polish government agency. So do you train them or not? Do you have access or not? How do you investigate whether it is being used properly if you do not have the data?
And finally I asked the question: did you withdraw Poland’s licence? Do you know that in Poland the head of an election campaign, a former deputy prime minister, the head of the largest business organisation and an independent prosecutor who is anti-government were wiretapped and spied on? Do you have that knowledge? Please answer.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, and I say it again, the end user is always the government. We’re not selling to a private company that has access to the system. If they’re involved in a commercial aspect, yes, there could be a private company that is involved commercially in the transaction, but we know who the customer is. The third party cannot just go and sell the system to anybody, because we install the system at the end user, at the government end user, at the end of the day. The third party is there only on the commercial aspects. And these third parties go through our own due diligence of third parties before they’re sold.
I said before, we investigate every credible case and we deal with the investigation that is done. I cannot, and again I repeat, I cannot, because of various confidentiality and secrecy issues, get into specific questions regarding specific customers or specific cases.
Chair: I’m sorry, but we have a lot of Members that want to take the floor. I’m sure also the other members of our committee can follow up on questions that have not been answered and at the end of everybody’s rounds, if there are still questions that have not been answered, I’m happy to give the floor again. But we need to make sure also that all those Members that have requested the floor can take the floor and ask their questions. Ms in ‘t Veld has a point of order.
Sophia in ‘t Veld (Renew): Can you, as Chair, ask Mr Gelfand to either say that he is refusing to answer the questions, or answer the questions, because I’ve asked questions, my colleague, Mr Arłukowicz has asked very specific questions. And Mr Gelfand keeps repeating the same thing, and there seems to be a complete disconnect between reality and between what you’re saying.
So, Chair, I’m asking you, either we get answers or Mr Gelfand says, ‘I don’t want to answer that question’. Fine. OK, then we know where we stand. But this is like, you know, it’s an insult to our intelligence. Sorry.
Chair: Well, I mean, we have our guests here today with us. They have come here to answer the questions. If they are not answering the questions the way we want it, then I would say as a committee, we follow up on those questions. If at the end of this part of the hearing, some questions remain unanswered, I’d be happy to get back to them. But we also need to make sure that we follow the course of our agenda.
But I do take note, and you have also understood the message of our rapporteur, so it would be very helpful if there are concrete questions that they also follow up with concrete answers. And if indeed, you cannot or will not answer a specific question, please also make that known to our committee.
Ms Ernst, you have a point of order as well?
Cornelia Ernst (The Left): Only a very short question. Is it possible to send a list with open questions to NSO to get information, because we have so many questions and I think a lot of things are open, or however.
Chair: We’ll go through the list of the questions that all the Members have today. At the end, I am happy to also collect additional questions that have not been answered and send them to NSO collectively and request answers. And I am sure also NSO Group will be willing to accept that.
But now I feel we should move on with the agenda.
Sándor Rónai (S&D): Thank you very much for the floor, and thank you to Mr Gelfand for his account, in which he told us that the NSO group created the Pegasus software for the purpose of fighting terrorism. Obviously with the aim of monitoring terrorists with it for national security reasons. And if the company finds that a member state to which it sold this software is using it improperly, the case is investigated and the contract is terminated if it is proven that the Pegasus software was used improperly, that is, illegally. At the end of 2021 the Hungarian government admitted that it had used this software, and it is thanks to investigative journalists that it came to light that the Pegasus software was used not against terrorists but illegally against journalists, economic actors and politicians. In this regard, my questions would be: do you still have a live contract with the Hungarian government? If you do not have a live contract, when and for what reason was it terminated, and is there a possibility for the Hungarian government to contract with the NSO group again, to conclude this contract again?
Another thing I would like to ask: in your 2021 transparency report you repeatedly stress how seriously you take the due diligence procedures before you authorise the use and deployment of the Pegasus spyware for member states and state agencies. During the due diligence procedure, respect for fundamental human rights and the rule of law is also treated by you, the NSO group, as an important criterion. In the case of Hungary, it is well known that there have been rule-of-law problems for years. The European Parliament and the European Union take this very seriously. My question is whether you could confirm to us whether a due diligence procedure was carried out in the case of Hungary? If so, what was its result? If not, why was this due diligence not carried out? And one last question: after it came to light that the Hungarian government had presumably illegally used this software against journalists, opposition politicians and economic actors, lawyers and members of civil society organisations, did you then examine whether the Hungarian government had used this software lawfully, in accordance with your contract? If so, how, and if you did not do this, for what reason did you not? I have asked specific questions; please give specific answers to them! Thank you very much.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, I will repeat and I think we said it also before we were invited, that with respect to issues regarding specific customers, I cannot get into specific customers. I will answer in general and I can use the reports that were in the press regarding Hungary maybe as an example to try to explain how we work in these investigations and what things we are doing.
First of all, every customer that we sell to goes through the due diligence review in advance. And very often, if concerns are raised regarding the rule of law – because what we’re looking at is also the rule of law, also the specific laws that are in place in that country – we use international standards that have graded countries as far as their human rights record as a basis for determining the risk level of the country. When we begin the due diligence process, we then gather information regarding the due diligence process, regarding the country itself, the human rights aspects in the country from various public sources that we can gather information from and then make a determination about a country before we make a decision to sell to that country.
I obviously will say that working based on publicly available information is never going to be 100% clear and clear-cut about a specific country. At the end of the day, we as a company have to make a determination if we feel that when we’ve gone through the reviews and we have the export license to sell to that country, if we still feel that it’s a sufficiently safe country from the rule of law to sell this type of system to. And any country that we’ve decided to sell to has been approved in this manner.
Sándor Rónai (S&D): Please stop. Stop this storytelling. I’m going to continue in Hungarian.
Then I ask, to be very clear, I will also try to ask in riddles, since you answer in riddles. If an investigation of a given client, a member state, is under way, then when, for example, a given member state (a client for you) is subject to rule-of-law proceedings in its wider environment, that is, in the European Union (I deliberately do not give the example of Hungary, because you will only refer to them as a client), so if rule-of-law proceedings are under way against a member state, and that member state is continually being condemned on the basis of various rule-of-law criteria, then why does that constitute a safe country for you? Why does it constitute a guarantee for you? That is my question. Thank you very much.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, I said …
Sándor Rónai (S&D): No, not ‘again’. It was a new question, so please.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): We have not said that we have determined recently that Hungary is or is not a secure country, and we will not tell the country that we have determined it is not secure. Obviously, we do take into account public information, which includes this type of information.
Sophia in ‘t Veld (Renew): Sorry, you did consider it secure because you sold the stuff to them.
Chair: Colleagues, let’s keep a little bit of order in the meeting. I understand there is frustration, but it doesn’t help us if we all start posing questions in a chaotic fashion. So you have the concrete question, we’ll have a concrete answer please.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, and I said, I’m talking about today and when we’re looking at the country today, obviously we take into account everything that is going on regarding the country today. As I said, we at the end of the day are selling a product to a customer after we have export licenses, after we are doing an additional process. Do I say that we’re always learning and improving our processes? Yes, we’re always learning and improving our internal processes and countries that we sold to in the past we may not sell to in the future. Those are the decisions that we are making, and that’s how a compliance procedure advances itself.
Again, I think that we ourselves obviously are always struggling to make these decisions because we’re working in a place where we are the only company with this type of technology that is even dealing with these issues and trying to deal with them. We think that there’s a lot that has to be done, that’s why we again call for more of an international standard and not to be doing this based on our own aspect.
As I said before, if the targeting of a journalist is done in a manner that is illegal and is done just to track him as a journalist, our company will view that extremely, extremely strongly, and we will not continue working with a customer that was targeting a journalist illegally.
Chair: We have had three speakers now, it’s almost an hour under way. I’m available till tomorrow morning if need be, but I’m afraid not everybody and also our interpreters are not. So in order to have this meeting also finish at a decent hour, please try to stick to the allocated time slots, because otherwise it will just only go at the expense of other colleagues who also have questions. And I do invite colleagues also to follow up on questions that they also find interesting and that have not been answered before so we don’t need to do it all individually.
Róża Thun und Hohenstein (Renew): I will say nothing new when I state that the most important things are the conditions under which the Pegasus licence is granted and the restrictions on its use, how the use of this software by the entity that received the licence was verified, and what the consequence of non-compliance with the licence conditions was. Now, to go into details, I will join what my colleagues asked about. You said that Pegasus is used to protect lives, so why has it been used for so many years to persecute, harass and wiretap innocent people, and without any reaction from NSO?
Secondly, you say that those clients who are in conflict with the law, that you vet them, that they cannot buy a licence from you. So I would nevertheless like to repeat this question: who vetted the current governments of Hungary and Poland, and how? How on earth did these governments pass such a test with you at all? After all, it is known throughout the world that these governments have conflicts with the law. And if you realised later that there are such conflicts, did you ever manage to stop any wiretaps, such as those Mr Arłukowicz spoke about? When did you terminate these contracts, and with which countries were they terminated? And besides, if you terminate such a contract, on what basis? Since you do not collect this data, how do you know that the surveillance was not used as intended?
And perhaps, so as not to prolong this, the last question I would like to ask you is why you cannot give us answers to these specific questions that are being asked here by my colleagues, since it was very easy for you to work out what we would be asking about, because these are topics that run through the press, not only the European press, which are widely discussed, and it is known that we are seeking answers to them? I am very surprised that with every such question you say that specific questions are not within your remit or that you cannot answer them. I am warning you now that we will put them in writing and will expect specific answers to them from you.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, the system is sold to protect lives. Any technology can be misused by the user in a bad fashion, whether we’re talking about a hammer or a knife or any technology.
Róża Thun und Hohenstein (Renew): But what control? So excuse me, but we are asking about control and we have been asking about it, I am the fourth speaker now, and each of us asks about the control.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, as I said, we do the review in advance. We check the governments. We check the rule of law in those governments and we’re checking it against international standards. And if we made a determination at the period of time to sell to a certain customer at that period of time it was deemed by us to have adequate rule of law, we will then, if things change, we go over and we review it periodically. If things change, then we can stop working with that customer if something happens. And as we said, we can only investigate when an issue comes up and is made known to us through an allegation that is raised either by a whistle-blower or through the media, because we do not have access to the information. We’re not sitting on the system and seeing the information. The end users are the ones who are using the system. They are the ones who are using it. So when we get those complaints, we investigate them, we review them. And yes, we will shut down systems for those people who have been misusing.
Regarding what you are asking about replying to the questions, we made it very clear also in advance when we were discussing our appearance here that these are issues that cannot be discussed regarding the identity of customers. That was something we made very clear before we even came here today. So that is an issue. As I said before, that is something that unfortunately I cannot answer. And I think, again, I think the various countries who are using it can be approached and asked about that. It’s their security issues that are at stake and they can decide to discuss the issue or not.
Saskia Bricmont (Verts/ALE): I think we are surely interested in your position paper and your speaking points, but I think it will have to provide a little bit more information, also on the following points.
Could you provide us information about the investigations that have been led and the contracts that have been terminated and the number of whistle-blower cases that have been brought to your knowledge and that have been followed up by investigation and a contract termination? What do you do with clients that do not respond to your inquiries’ requests? This is also interesting for us because you say those countries could reply to us. Of course they could, but you are leading inquiries and when you do not receive responses, what do you do then?
The third piece of information we would like to receive is what evidence can you bring us to prove that contracts have been terminated after abuse has been confirmed? Because so far it is just based on what you are telling us. Also, if – and obviously we will not receive this answer about the end users and the countries you have sold the software to – if you cannot communicate to us this information then you are not fully cooperating with our inquiry committee, I think. But what do you propose to ensure transparency and oversight? We need an answer if you do not provide us with the list of related countries.
Could you please also give us the contracts? Give us copies of the different types of contracts that you are using? Maybe you can just drop the names of the countries because I don’t want to get an answer that you cannot provide us information because the end user is mentioned.
Also, with the software, what kind of services do you provide to your clients? Because we’ve been told that it’s very technical, very difficult to use. It requires human resources and financial resources that obviously the Member States do not have. So what kind of services exist in your offer?
Following up on the previous questions, I see in your own reports, transparency reports, that there is a scoring of the countries from 100 to 0. While the table sets out that countries from above 60 to below 20 are ranked, what score has, for instance, a country like Belgium? What score has Spain, Poland, Hungary? Could you provide us with that scoring? And for countries with a score below 20, there seems only to be a presumption for ‘no go’. So what could be the circumstances where a sale nevertheless takes place with a country with such a low score? Because I read in the conditions and you mentioned it, the respect of the rule of law and political stability, although with related countries, Poland, Hungary, we know, obviously, that there are issues at stake with the rule of law… I’m almost done, Chair!
More broadly, what is your response to the misuse of Pegasus in the related countries? I don’t want names. I want your response. What is being done considering that governments have been misusing the software and have been targeting civil society? And are there inquiries open on the related cases?
Chair: I’m sorry, colleagues, but if every Member takes twice the amount of time allocated, we will only be taking away time of other colleagues. So please respect also the other colleagues that want to take the floor.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I can say since I’ve been in the company for the past two and a half years, I have conducted over 25 investigations. Some of them are still ongoing. Some of them have been completed. I can state that we’ve terminated contracts with over eight customers over the past several years. Some of these have occurred since the Pegasus papers came out around a year ago and which we’ve investigated and that has led to the termination of contracts with more customers.
As I said before, and I repeat again, any customer that does not cooperate with our investigation of an allegation will be terminated at that moment that they do not cooperate. We first suspend the system. If they still do not cooperate after the suspension, then the system will not be reopened.
Regarding evidence, again, I have said this before when I said, it obviously would have been maybe easier for us, rather than sitting up here and saying that there are some issues that I can’t respond to, not to have come at all, but we wanted to be here and to be able to respond to the things that we can respond to. But there are things that we cannot respond to. And again, evidence on these issues is something that is going to be hard to provide.
I can give you copies of the contracts we use. That is something that we have no problem providing. We’ve made it public in the past and we can provide it again. That is obviously something that we are happy to do. When it comes to evidence, I think again, if there was an international body that would be sitting in the manner that we could discuss with it, not in a public forum like here, it would be something that would be obviously easier to be able to provide more evidence to such a body.
Regarding the services that we provide, each customer, when they get the system, receives a basic training on the use of the system. It’s a training of a few days. All training activity is done on test devices. There’s no targeting of actual phones during those training activities.
After that, we provide ongoing software support. Like other software companies, we have a service centre where if there is a technical problem with the system, they can raise a question and we help with the technical issues of the system, software problems with the system, bug fixes, providing upgrades and the like, but nothing more than that.
I do not remember the scoring off-hand. I can provide that to you. I have no problem providing the scoring. Again, it’s a combination of different scoring from different international indices. If I remember correctly, this again is grosso modo, the scoring for Belgium is around 80; I think for Spain around 75 and I think Hungary around 65. Poland also around 64, 65 if I remember correctly. Saudi Arabia is much lower on the list, I could say probably around 30. What we said about what we had printed then in our transparency report regarding the score of 20, we have since raised that bar following our investigations. Again, as I say, compliance is an ongoing improvement process. We have raised the bar of the countries we are going to work with and will no longer work with countries at that level. We are again, as I said, as much as our technology is cutting edge, so too is the compliance in this area cutting edge, and we’re learning also and trying to learn to improve. We’re not going to sit here and say that we as a company don’t think we could have done things differently in the past, that everything was always 100% perfect. I think we’re trying to learn, we’re trying to improve and we’re always raising the bar, we’re always putting ethics over revenue. And the amount of money that this has cost us in contracts that we have not entered is huge. The number in our transparency report was written as USD 300 million. It’s been a lot more since then.
Contracts that we’ve terminated. This is the fact – we as a company have passed over huge amounts of revenue because we’re trying to do the right thing. Again, I’m not going to sit here and say we’ve never made mistakes. That’s not something I’m going to say. But on the other hand, this technology needs to be there. This technology saves lives. The Minister of Privacy here in Belgium has come out and said that if you provide backdoors, it’s like telling everyone or even those who are not criminals to leave their back door open so the police can sometimes execute a search warrant if they have it, as opposed to the police getting in through the door when they need to, when they have a search warrant. This is the idea of the system. This is what it’s sold for to be used with judicial approval, to be able to conduct surveillance when it has to be conducted.
Gilles Lebreton (ID): Mr Chair, first of all, thank you, Sir, for being here. You explained to us that your company NSO supplies the Pegasus spyware only to States and only for national security purposes.
Well, I will not hide from you that what surprises me is that, in order to engage in this trade, you undertake to grade States, and I find it rather strange that a mere private company grades States. Moreover, once you have contracted with them, you exercise supervision and thus you set yourself up, again as a mere private company, as a kind of guardian of sovereign States, and in my eyes all of this is extremely strange.
But what interested me in your presentation is that you emphasise that this whole system rests on contracts that you conclude with your clients, that is, with the States. And I, as a lawyer, would be extremely interested in being able to consult a copy of this contract. Of course, a standard model, without revealing anything confidential about any particular client of yours. But I would really like that standard model in order to examine it, and I think it could enlighten me about how your company operates. So is it possible to have this standard contract?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Yes, as I said before, we are happy to provide an example copy of our contracts. We will send it over. I can send it over together with responses to the questions, since I understand that there’s a desire to send us additional questions. We will be able to send that over.
There may have been an additional question there, it was a bit hard for me to hear the translation. Is there something else you had?
Chair: The question is mainly on making available the contracts so we can also have a look at them in this committee, so that is the commitment you’ve made.
Beata Kempa (ECR): Thank you, Mr Chair. I have several questions, but perhaps I will begin like this: since this report is very interesting, I wanted to ask, with regard to transparency and accountability, that this report, especially in the area of human rights, was produced at a moment when the world was starting to talk loudly about the company and its rather flagship product. We can imagine that for the activity of a company in such an industry, confidentiality and general silence are advantageous. So I wanted to ask to what extent this report is dictated by genuine concern for principles? And I would simply like an honest answer. In connection with this, too, do you have data on how many crimes were detected? How many people were saved thanks to the effectiveness of your software?
Second question: the NSO group declares its commitment to the values of human rights, and you demonstrate your ethical code and security procedures. At what stage of the company's activity did you decide to address these matters, do you check what procedures given states have for the use of this type of device against citizens, and do you also take that into account?
Finally, the next, very important question: some of the information given in the report about the capabilities of the Pegasus software, especially the producer's access to operational information obtained by the users of the software, differs quite substantially from the opinions presented before this committee by many experts, as well as representatives of many organisations. In particular, doubts are raised by the information that Pegasus can be used only against individual mobile devices. The rather popular thesis, and a fairly journalistic one, is that it can be used against many types of devices and that it is also suited to obtaining data, and even to active operation within a network of devices. Similarly, the matter of the producer's alleged lack of access to operational data: according to the information presented by the experts, this is rather unlikely.
And I want to ask about technical guarantees for the user of Pegasus. Does the user have guarantees, and which ones, that they have exclusive rights to the operational data collected and that, for example, the software producer or other services will not use the software for a false-flag attack, that is, to spy on particular devices in a way that is charged to the user's account? What guarantees do we have? Thank you, and we will send the rest in writing.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Regarding accountability and transparency, again, we take this very seriously. We are not trying to hide. This is not something that we did because someone forced us into putting out a transparency report. We think it’s the right thing to do.
I joined the company to lead the compliance issue and to try to make it even more transparent than it was even beforehand. I joined after you saw what the company’s values were and that they had always put forth this idea regarding the information as the only information we have regarding crimes is information that our customers have provided us from time to time on issues that they have done and lives that they have saved, and rings of paedophiles that they have captured using the system. These are not statistical data that are gathered, but rather things that we are told. So we know that many thousands of lives probably have been saved using the system. But I can’t put a number to it. Someone stops a terrorist attack. You can never know exactly how many lives were saved by that. But we know that they’ve saved lives of terrorist attacks that were stopped in places where there were a lot of people.
We understand this even more so by the number of customers that are looking to use the system, who do use the system, especially in countries like those that are members of the European Union.
The fact that these law enforcement agencies, intelligence agencies keep coming back and wanting to use the system I think is the best proof that they see this is something that is essential to them to be able to protect the lives of their citizens.
We are in the process of conducting more impact assessments on the issues of human rights fighters and journalists to try to better see what other additional protections can be put into the system from the system side, from the compliance side, what other steps we can put in place to deal with those issues even more so. This is something, as I said, compliance is an ongoing activity of improving ourselves and we are looking always how to improve it.
Regarding issues that came up by other people who have spoken here, again, I can say unequivocally this is a target-centric focus on one cell phone. The way it operates is that you have put in a certain phone number of a target, and it targets that phone and that phone alone. It cannot be operated on the networks. It cannot be operated as mass surveillance. This is a target-centric technology.
Doubts can be raised as far as what operational information we have access to, I think it is clearly evident that it’s common sense that no intelligence agency would allow a private company access to this type of information. We do not have access to it. We would not be allowed to have access to it. And we do not have the ability to know what is going on, again, except for the specific audit log when we get permission from a customer to enter it.
Regarding the question of how it is properly used, if I understand correctly, you’re trying to understand how we make sure that the system is sitting by the end user, the system, the operators have to log in using the password and biometrics to log into the system. If the system is disconnected and moved to someplace else, this would raise alarms in our service centre and we would know that something was wrong. And therefore we don’t think it is technologically feasible to be able to move the system to someone else. And this is in addition to the fact that the end user has signed a certificate from government to government stating that it is the sole end user and that it will not re-transfer the system as is acceptable when it comes to export-controlled items. So it’s also guaranteed that way.
Cornelia Ernst (The Left): Thanks a lot for your contributions. And we will send you also a list of additional questions. Let me start with some technical questions.
First of all, is there a direct connection of the servers of the customer using Pegasus to NSO? And are systems maintained through it? And what data can NSO view through it? And can the system be shut down remotely? And how does NSO get the file that records which numbers are being attacked by the customers that those customers are obliged to give you? This is a first complex, please, you have to answer on that.
The second point is witnesses here in the committee have reported that you believe there are about 30 vendors worldwide that market spyware like Pegasus. Can you confirm this number and say a little bit more about this point?
The third is, if you look in the media, such as Forbidden Stories, they have documented that authoritarian governments are also behind Pegasus surveillance. And this is a debate also on this point we have to discuss. Spyware was also sold there and you deny that in your report. And we have spoken otherwise about Saudi Arabia. And you said there is a points system and Saudi Arabia is on point 13. Can you explain what does it mean and what are these criteria? Maybe you can answer to that, and very general, can autocracies use your products? Is it possible in general? Can you say yes or not?
So and I would also like to know a little bit more in how many cases an export license is not granted, and roughly how many countries did this affect and what are the main reasons?
And my last point is the EU Commission has stated that it contacted you after it became known that Pegasus was being used against opposition figures and Members of the European Parliament. Can you confirm that? And what is the state of play in the discussion with the Commission?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Regarding the first question about the direct maintenance connection to NSO, as I said, we provide software maintenance aspects, so there is some sort of connection to certain parts of the systems that allow the provision of this maintenance, but it is not access to the data. There’s no access to that, as I stated, it’s only to the audit log when we get permission from the customers as part of the investigation proceedings.
The ability to shut down the system remotely can be done in two main manners. The main manner which we have used in most situations is with the consent of the customer. And then, even though again it’s against their will, they understand that for their security needs it is better to do this in an organised fashion and to allow us to shut down the system in an organised fashion by entering their system and then connecting, entering the license part of the system and removing the license, which no longer allows the system to be active. In situations where a customer is not willing to grant access, it can be disconnected from its ability to communicate with the external world. And if they’re unable to communicate outside, the system will not be able to continue being used to target additional new phones.
Regarding the number of competitors, again, not all competitors are public and known. This is information that changes very often. Obviously, like any business, we conduct competitor research to try to understand what is out there. But we as a company do not have, you know, we’re one player out there and we’ve somehow turned into the poster boy of the industry – and even gotten our name on the name of the committee – but I can’t give an actual number of how many competitors there are out there. There are some competitors from Western countries. There are other competitors that we know less about, and they’re probably governments both from Russia and China. Obviously, a lot of these, especially those that are not from Western countries, are not putting in place any sort of compliance and aren’t subject to any sort of regulation. But I don’t have a number that I can put out there.
Regarding the criteria of who we sold to, and again, as I said, we have changed our criteria, we are always learning, but I can say again, we do a review and the review is specific to the end user. So when we’re selling to a government, it’s not just the country, it’s the specific end user and the oversight that they have and what they have in place. And we’re looking at that. And again, as I said before, I think the best way is not to leave it up to us as companies, because I think as a company, you know, (a) we’re very limited in our abilities in the compliance world, even though we try and we’re trying to do the best possible, but we think that the best way is international regulation, which would be similar to a non-proliferation type of agreement, where countries would have to agree to how they’re using the system, would have to sign up, there would be international ability to oversee this. This is what we’ve called for in the past. We call for it here again. We think that this is the best way for this to be handled.
Regarding the number of export licenses that have been granted, the granting authority obviously is the Israeli Government. And I’m not a spokesperson for the Government, obviously. So, you know, that is a question that would have to be posed to the export authorities. But they have refused numerous licenses in the past. I can say what was in the press, and just repeating what’s in the press without confirming it, that in November they reduced significantly the number of countries that they’re willing to give export licenses to in this manner, or that are exempt from receiving marketing licenses for in this manner, if we make it accurate. I hope I replied to all of your questions.
Carles Puigdemont i Casamajó (NI): Mr President, Mr Gelfand, you have repeated that your software has helped to save lives. That has been a constant of your intervention. You must make an effort to be more credible in helping us understand how spying on lawyers, journalists, activists, parents of activists and elected politicians can be considered saving lives. Here, we also try to save lives, but in spite of that, some of us have been spied on. I do not know whether Pegasus helps make the world safer; on the other hand, I am convinced that it helps make the world less free, and here we are talking above all about fundamental rights and freedom; we are not concerned with the question of security, it is the question of freedoms that concerns us.
You said that if a client does not respect the rules, then you terminate the contract. If you do not have ordinary access to the use of this software, how can you know whether one of your clients has misused it? Is it because that client confessed it to you? Is it up to them to tell you: ‘Yes, I misused it, please suspend my licence’? So that we can believe you, could you tell us exactly how this works? You said that you have suspended eight contracts in recent years. Could you specify how many contracts were suspended because you did not get an answer or because you had proof that they had misused it, and how did you manage to prove it? What would you say to a victim? What can a victim do? Can they go to the authority to which you sold the software and say: ‘You admit to having spied on me’? Can they file a complaint against NSO, or can I go and see them directly? What can I do? Where can one go directly? And finally, a very concrete question, because you have cast the suspicion that the majority of the accusations are false. Do you believe that what is called ‘Catalangate’ is a fake?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, if the system is used to target anyone in a manner that is not meant to save lives and is not a balance of the fundamental rights, and again, the fundamental rights, if I’m talking about International Bill of Rights, I’m talking about mainly Article 19 and Article 17. The fundamental rights have limitations when they are needed to be violated for safety and in accordance with both the procedural and substantial terms that are set out under international law.
And when any system is used in an incorrect manner, and if I can give some examples of how an investigation is conducted, so yes, we’ve had customers that did not cooperate or some that began cooperating and then stopped cooperating in an investigation. And we shut them down. We’ve had other cases where we were in discussions with the customers, and while we were in discussions with the customers, they gave an explanation of why they thought the use of the system was legitimate. After hearing that explanation we said that from our understanding that use does not meet the requirements of international law and therefore we shut down the system for those customers. If there was a situation we reviewed and they did not go through the necessary procedure, receive the necessary warrants for the use of the system, obviously if it’s anything more than a one-time mistake that has been dealt with by the authorities there internally, because that can happen, but if it’s more than that, we will shut down the system. And we have.
A victim can approach us. As I said before, we have a whistle-blower site. We receive complaints. We look into those complaints. And again, those whistle-blowers can lead to us taking action against our customers based on that.
The fact of the matter is, at the end of the day, the view of law enforcement is that they need these types of systems to be able to get over the problem that pretty much at the end of the day is created by big tech. Big tech has put forth encryption, which is great for privacy for everyone out there. But at the end of the day, this encryption, which till several years ago was military-level encryption, is in the hands also of nefarious actors, and law enforcement in those cases needs the tools to be able to conduct investigations into those areas. This is what we’ve been told by law enforcement. These are the requests law enforcement has put to us and that’s what our technology comes to handle.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): The due diligence that we do before we enter into a contract is repeated on an annual basis for each customer. So we’re going to review again at that point. Have there been changes in the rankings, in the information that is relevant regarding that customer for better or for worse, regarding the rule of law in the country? And that will go into the question of whether we will continue to provide services to that customer or we will cut it off even proactively if something has not come up.
In addition, any sort of report with respect to a change in the country’s rule of law, whether it’s a coup or if it’s large protests that are coming up in the country, will lead to an automatic suspension until such time that we can determine if that situation has not changed and that the system should not fall into the hands of someone who has not gone through due diligence.
The third aspect that we have started putting in place recently, pretty much over the past half a year with certain customers, is an audit procedure that we have agreed to with some customers, where even though we’re not going to be privy to the investigations that they have, we will sit down with the people in charge of oversight of that customer on a periodic basis to understand from their reviews of that customer, have they been using the system in accordance with the local laws, have they seen any situation where the system has been used in a manner that would be against international human rights law or their local laws?
Chair: I guess it’s more about the due diligence of the country in general than of the use of the system. But I’m sure there’s other questions that we want to ask as well.
So it’s 16.30. We have concluded the first round of speakers. There are many Members that would like to raise additional questions, to whom I would also like to give the floor. We informed our guests in the next panel that we might run a little bit late, which we could have expected. But I would like to ask colleagues who take the floor now to try to restrict themselves to one minute so we really get all our questions in.
Karolin Braunsberger-Reinhold (PPE): Mr Chair! My two sets of questions: Does the NSO Group develop all of its hacking know-how itself, or does it also buy so-called zero-day vulnerabilities externally, that is, security flaws that are not yet known to the broader cybersecurity community? What can you tell us about the process by which the NSO Group identifies security vulnerabilities? And secondly: Your report says on page 25: ‘NSO encourages both internal and external stakeholders to report concerns about misconduct. The company’s grievance mechanisms allow for both confidential and anonymous reporting.’ My question to you on that is: How many such complaints were there in the last year, and what consequences did you draw from them?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Regarding the first question of vulnerabilities, as a company we are first and foremost a research and development company. So we will use every legal means that exists to try and improve our system and improve the technology. So pretty much everything that is out there in the basket of availability to improve the technology and is legal, we will use.
Regarding the external and internal complaints, again we’re calling out for complaints both from the aspect of our external whistle-blowers and internally, we’re also talking both to employees and the customers. The operators of the customers are also told about our whistle-blowing possibilities. If an operator thinks that their government is using the system in a wrong way they have the ability to also provide us with an anonymous whistle-blower complaint.
Obviously over the past year with the Pegasus papers, so looking at those also as complaints, there was a large number of complaints regarding a large number of countries. And that’s why I indicated before that we’re conducting over 20 current investigations into those matters. In addition, through the whistle-blower hotline, we’ve probably received 25 complaints over the past year. Out of those 25, five of them or so were credible complaints that led to an initial investigation into them with a customer.
Hannes Heide (S&D): Did I get it right that so far 50 000 phone numbers have been targeted by Pegasus? There was the amount of 50 000.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): That is incorrect.
Hannes Heide (S&D): That is incorrect. How many?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, the number that came out, 50 000 numbers, was a number that was reported by Forbidden Stories as far as their report on the Pegasus papers. And I made clear in my opening statements that that is not a list of Pegasus targets.
From the general statistical information that our systems have collected we’ve seen over the past year the number of targets throughout all customers in a given year is approximately 12 000 to 13 000 targets through all the customers together in a whole year.
Hannes Heide (S&D): Would you tell us, are you able to tell us, how many customers your company did have, and how many you actually have?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): The total number of customers that we have had in the past was around 60 customers in 45 countries. That number has gone down. It is currently under 50 customers.
Hannes Heide (S&D): As you have told us that you sell the software only to governments, is it possible that colleague Arłukowicz has a bill to a private company, which he is telling us, is it possible, yes or no?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, there can be a private company that was involved in the commercial aspects of the transaction. Software is only provided to the government end user directly. We are always installing the software directly by the government end user. We have our controls over it so that they can use it in accordance with their local laws. But it’s not going to ever be – and never has been – provided to a private company.
Hannes Heide (S&D): You also mentioned that Jeff Bezos was not targeted by your software. If anybody reports a newspaper, that it was your software – and I have read already reports like this, do you take legal action against the author?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As a company we are very, very careful in any legal action that we take against reporters. We think it is wrong, the whole issue of investigative reporters – even if they’re reporting something that is wrong, we do not think it is correct that legal action should usually be taken.
We have filed one suit, a public suit in Israel, against a newspaper in Israel on one specific issue that was blatantly wrong regarding a false statement that says we have the ability to delete the audit logs by customers and customers can delete the audit logs. That is the only issue that we’ve filed a suit against.
Hannes Heide (S&D): Would you tell us how many users, how many customers you have shut down already? The amount?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): (Start of speech off-mic) … than eight, I don’t know.
Hannes Heide (S&D): Thank you, so my last question is, you say you fight terrorism and serious crime. And just to get Commissioner Reynders and the Prime Minister of Spain and the Defence Minister of Spain under the suspicion that they have to do with serious crime or even with the fight against terrorism, that they’re connected to terrorism, what criteria would make you accept that these people are targeted by the software of your company?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, we provide technology that is used to fight… the purpose that we’re providing it for is to save lives and to fight terrorism and serious crimes. Obviously, there would be a very high bar: any end user that targeted such a target would have to show that there was a serious suspicion of criminal activity.
Again, there have been situations in some countries, my country included, where even high-level people have been suspected of corruption or been tried for corruption. But I don’t know, again, without getting into specific cases, it would be a very, very high bar that someone would have to meet to show that this type of action was legitimate.
As I said, we would take it extremely seriously in all other cases where someone would not reach that high bar. I can say that the one thing that would limit any ability to investigate such a claim would be the fact that if the customer had already been shut down prior to the claim coming up, because as I said before, to be able to investigate a claim, we would need access to a customer system. And if the customer was already terminated before the allegation came up, we would not be able to investigate further allegations against that former customer again.
Róża Thun und Hohenstein (Renew): Which customer was it? Do you know?
Chair: Look, Mr Heide took the ping-pong. Listen, this is not a marketplace where we can shout the questions. We have a lot of colleagues that asked for the floor. They will get the floor first. Like I said at the beginning already, if there are unanswered questions, I’m happy to give the floor at the end. But other members also have the right to ask their questions.
Moritz Körner (Renew): Thank you for being here with us. I understand numerous times that you will not go into specific customers, but you mentioned numbers, so I will go into numbers. How many Member States of the EU use Pegasus or other NSO products? Can you give us a number? That’s not a question on a specific customer, it’s just a number. Many times you mentioned numbers now. I want to know how many Member States use your products.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I don’t have the number off-hand. If I can take a…
Moritz Körner (Renew): OK.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I will say it is more than five but for the actual number I would have to come back.
Moritz Körner (Renew): You will come back with that concrete number, and now I will directly ask about two other numbers. How many investigations? Because you mentioned 25 investigations. How many of these were Member States of the European Union and how many contracts were terminated within the European Union? Maybe you know that, out of maybe the contracts terminated within the European Union, maybe you know that off the top of your head?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I’ll have to get back with all the answers.
Moritz Körner (Renew): OK, but because you mentioned numbers, I think it’s clear that you cannot say that this goes into specific contracts.
Then I have two other questions.
Coming back to also what a colleague already asked, she asked to what extent your products rely on exploiting software and zero-day vulnerabilities. And you said something like you’re doing research and development and everything that is out there you use. I conclude and I want to also have a single ‘yes’ or ‘no’. That means that you are using, exploiting software and you are using zero-day vulnerabilities. Yes or no?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I will not confirm things that deal with trade secrets, as I said, but I’m not going to deny it either, I’m just saying we use anything that’s legal we’re going to use to try to develop the software.
Moritz Körner (Renew): Has the NSO Group purchased such software?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, we use everything that is legally available, so that’s internal development and anything that would be legal to do.
Hannah Neumann (Verts/ALE): It’s actually much better to do the ping-ponging, and I promise you I will have fewer questions than Mr Heide. So the first one, because I mean, you’re coming to a European Parliament committee, so you shouldn’t be surprised by this question: Have you ever terminated a contract with an EU Member State? Yes or no? We can get the numbers later, but have you ever terminated one contract with an EU Member State?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): We have terminated contracts with EU Member States. But to get into again exact numbers …
(Ms Neumann cut off the speaker)
Hannah Neumann (Verts/ALE): That’s fine. Thank you. Next question. If a country does not give you permission to audit, is that a reason for you to terminate a contract? Yes or no?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I stated before, if they do not allow us to do the audit and do not participate and provide us with the information we need in our investigation, yes, that is a reason to terminate a contract.
Hannah Neumann (Verts/ALE): Has that ever been the case in the European Union?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Not that I recall offhand, but I’d have to double-check that.
Hannah Neumann (Verts/ALE): Okay. And we would very much appreciate it if next time you come back to a European Parliament committee, you can answer questions specific to the European Union. Two questions that go beyond the European Union: Have the United Arab Emirates and Saudi Arabia ever gone through your due diligence check and have they passed it?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, I’m not going to respond to questions regarding specific potential customers.
Hannah Neumann (Verts/ALE): Given that the UAE and Saudi Arabia have been using Pegasus software, who are legitimate actors to issue warrants in these countries according to your checks?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, I repeat it again, I’m not going to respond to questions regarding specific customers.
Hannah Neumann (Verts/ALE): On the question of exploits, because you need exploits as a way into mobile phones, how many of these exploits do you buy on the free market in terms of percentage and how much are coming out from your internal work as NSO?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, I’m not a technician. I do not know the answer to that question.
Hannah Neumann (Verts/ALE): One last question then I’m done, Mr Chair. Thank you very much. You said yourself that this whole issue of regulation should not be dealt with by a private company. I have to say, I agree. What is the kind of regulation that you think we as politicians should put in place for this spyware to be regulated properly so that the burden is no longer on you?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I would think the best thing would be something similar to what maybe is done with other weapons, some sort of non-proliferation agreement, where there are specific standards of what is required to be able to use this. Only countries that would sign up and agree to follow that set of rules would be countries that would be considered as legitimate purchasers of this type of system, and this body would also have the ability to continue an ongoing audit of whether those countries are following what they signed up to and are following the rules that they signed up to. And therefore, in that manner, you would have both the rule of law aspects put in place and you would have the audit aspect in place and …
(Ms Neumann cut off the speaker)
Hannah Neumann (Verts/ALE): And what should these standards consist of?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, I have my own personal opinions on this issue. But I think it’s exactly something that politicians have to decide on the basis of the rule of law, international law, looking at what the substantive and procedural requirements for using software are. I think this technology, as I said, is needed. Others have said it is needed. I think it is there to stay. And I think that it has to be looked at in a way that reviews the technology and puts in place safeguards that allow its use in the right cases, but punishes those who use it in the wrong cases.
Chair: I’m allowing for a lot of flexibility, because I also think that a little bit of flexibility helps us to get to good answers and questions. So I’m happy to do that. But we also have to have a little bit of self-discipline in order to let other speakers in this room also take the floor.
Γιώργος Γεωργίου (The Left): You have shown a great deal of flexibility and a great deal of courtesy during the discussion. However, Mr Gelfand, I would never want to be in your position, because you have not answered some very critical questions.
I will repeat two of them: you said that you sell this software only to the state agencies of a country. Mr Arłukowicz tells you that there is a finding that in Poland this software ended up in the hands of a private company. Is that not a reason to withdraw it from Poland and from the state agencies to which you have given it?
Secondly, the colleague from Hungary told you that the European Commission, which is the only body competent to judge whether a Member State is governed by the rule of law or not, has initiated infringement proceedings against Hungary. Does that not constitute a reason to withdraw it from Hungary immediately?
And thirdly, please answer me: have you sold this software to the state agencies of Cyprus? Or, through Cyprus, a European country, to other European countries, in order to get around the need for the government of Israel to grant you a licence, which constitutes an obstacle? And if you have done so, have you examined whether the legal regime of Cyprus permitted you to do that?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, as I replied before, there could be a commercial invoice with a commercial company, because a commercial company can be involved on the commercial side, but it is not the end user and will never receive the system. These commercial parties, again, as I said, go through a due diligence process, but the end user is the one at whom we will install the system.
Regarding the question of who uses – if at all – the system in Cyprus, we cannot respond to that. Regarding whether something was sold through Cyprus, I’ve made it clear before that we have never sold and we never will sell Pegasus through Cyprus. It would also not be legal from an Israeli export-control standpoint in that manner to bypass Israel because any export, even other technology, would require licenses.
As I said before, there are companies located both in Bulgaria and Cyprus that deal with different technology, not Pegasus, with other technologies that provide intelligence services with other abilities, location abilities and the like. Those are exported. They are developed in Bulgaria and Cyprus and exported from those countries, receiving licenses from those countries.
Radosław Sikorski (PPE): Mr Gelfand, you said that ‘a victim can approach us’. Well I’m approaching you now. How am I supposed to know that I’m a victim of a secret surveillance program? I’m wondering what you will do about this? And the reason I think I might be a victim is that your software has been found on the phones of a solicitor to the former Prime Minister and head of the opposition, an opposition Member of the Parliament in Poland, opposition agricultural workers’ union, opposition employers’ union, an author of a book about the Interior Minister and the head of the electoral campaign of the main opposition party. Do you see a pattern here? I do. And are you proud of having made money from targeting the Polish opposition?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As for the first question, as I said, anyone, if someone suspects that they were targeted, they can approach us through the whistle-blower manner and if they want to provide access to a phone, there are technical steps that can be done to check a phone.
Radosław Sikorski (PPE): The purpose is so that you don’t have access to my phone, OK? You can check your own systems whether you’ve targeted my phone.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, as I’ve said before, we do not have access to the information. If there’s a credible reason to suspect something, we take it extremely seriously and investigate it and we look into it. And that includes situations like those that you raised before, which are going to be dealt with in the most severe manner. Those are not things that are going to be taken lightly, and they are looked into and reviewed. And in the case when it comes out that there has been a misuse of the system, as I said before, we’ve done it before and will continue to do it again, we will take action. We will terminate contracts.
Radosław Sikorski (PPE): I’ve just sent you a test, we’ll see.
Łukasz Kohut (S&D): Let us say it plainly: the victims of unlawful surveillance with your software, Pegasus, were specific people, not terrorists, not criminals, in PiS’s Poland: prosecutor Ewa Wrzosek, Senator Krzysztof Brejza, lawyer Roman Giertych, but the victims were also, indirectly, their families and their acquaintances, into whose lives those in power barged ruthlessly.
So, four concrete questions, let’s play the ping pong. Firstly, how many people in Poland were wiretapped with Pegasus?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Any use of the system – I repeat this again and again, any use of the system that is used in a manner that violates human rights, when it is not for the saving of lives in a manner that is legal and in accordance with the conditions of the contract, is a violation, and we will review severely and we will handle it like we’ve handled it in the past.
It is true that even when legitimate surveillance is done, whether we’re talking about use of a technology like this, whether we’re referring to the use of a traditional wiretap, or whether we’re referring to the use of a search warrant in a house, there is always going to be other information there, and therefore, law enforcement has in place and has to have in place protocols for the manner in which they handle this to minimise, to the extent possible, any additional trampling of the rights of the innocents that are involved. This is something that has to be put in place by governments; it’s not something technology itself can deal with. The technology is in itself, like any other technology, meant to do good, but can be used also to do bad. And therefore, as we said, there has to be use of the regulations to be able to use these in the correct manners.
Łukasz Kohut (S&D): I am not entirely satisfied with that answer, but I would also ask for information on who is behind the Polish Pegasus operator named ‘Orzeł Biały’. Is it the Polish government? And is it precisely this operator, precisely ‘Orzeł Biały’, that hacked the phone of European Commissioner Didier Reynders and of other high-ranking officials of the European Commission? That is all. Thank you very much.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said before and again, I can only repeat it again, I cannot respond to questions regarding specific customers.
Salima Yenbou (Renew): Mr President, in French we have an expression that says ‘Quand c’est flou, c’est qu’il y a un loup’ (‘When it’s vague, there’s a wolf’). And here, as a result, it is very vague. So we are dealing with a whole pack.
First question, I will come back to terrorism. I like definitions and knowing what we are talking about. In fact, terrorism is a convenient excuse to justify anything and everything just about everywhere. And the definitions, as a result, fluctuate according to what one wants to fight. What definition of terrorism does NSO use?
Second question, there are Palestinian NGOs that were spied on by a state, which I will not name, since we must not name states, before they were classified as terrorist by that same state. So, is that a criterion for withdrawing the licence, or is it regarded as prevention?
Since I like definitions, listening since earlier, what I understand of responsibility is that NSO sells and makes money from Pegasus, that it is up to whistle-blowers to do the monitoring and to institutions to regulate. Do we have the same definition of responsibility? In any case, that is not mine.
And last question, I do not understand why, even as you say that Pegasus serves the fight against terrorism and saves lives, according to the criteria of international law, why we would not have the list of the governments with which you continue to work and of those with which you have terminated the contract, since there is nothing reprehensible in fighting terrorism?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Regarding the definition of terrorism, you’ll see the exact definition it’s in the contract that we said we will provide, so you’ll be able to see the exact definition that we have there for terrorism. But it is a clear act of threat of use of violence against persons or institutions. There is a definition that is unequivocal about that, and it is part of the contract itself.
Regarding the responsibility, as I said before, I think the responsibility of businesses regarding what is expected of businesses is set out in the UNGPs which we have adopted and are following and improving ourselves and following those guidelines. The responsibility of states is also set out there. Obviously, the way the UNGPs are working, it’s not one is primary and one is secondary, we are not trying to run away from our responsibility, we are trying to meet that responsibility.
At the end of the day, though, we are limited also in the information we have. Again, we take steps to find that balance between the security and privacy issues that dictate that we should have less access to information on one hand, and on the other hand, ability to provide information and protect.
Regarding the issues of the governments, the governments in their fight against terrorism have to use – it itself is obviously not something that is hidden. The manners and means and tools they use, it is their desire to keep hidden. We as a company say that we cannot be the ones to divulge that. But if they want to come forward with it, that is their right as a government end user.
Diana Riba i Giner (Verts/ALE): First of all, you mentioned at some point the issue of European arrest warrants. Is it possible to spy on a device outside the jurisdiction of the customer that purchased Pegasus?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): The use of a system has to be done in accordance with the national laws of the user and international law as a whole – both of those, that is the expectation of the use of the system.
The issue of extraterritorial use of systems like this is a complex one. Various countries have laws that allow, in certain situations – and I’m talking about countries here in the European Union who have laws that do allow for certain organisations to act, also extraterritorially, but we’re providing a system and it is the responsibility of the customers who are buying the system to follow the relevant laws in those areas as far as what can be done and what cannot be done outside of their own jurisdictions.
Diana Riba i Giner (Verts/ALE): All right, thank you. Another question is: is it possible for the victim to identify which customer is spying on them?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): When we’re conducting an investigation, the main thing, as I said, the only way to conduct an investigation on a specific number to verify the facts is for us to understand what is the target country that is suspected of targeting the various victims? Because as I said, the information is saved on each country’s system. The audit log is on their system.
You’d have to know which country to approach to request access to the system. In some situations when suspicions have come up, there are fingers pointed at specific customers and we can try to verify the information from those customers. Without that information, it’s going to be very hard for us to be able to investigate. But when we have that information, that’s how we begin the investigation.
Diana Riba i Giner (Verts/ALE): When NSO’s interception system is used, how does it gain access to the device to be intercepted?
And, a more technical matter: does it need to break security measures of the device manufacturer, or of the manufacturer of software applications installed on the phone? It is a very specific matter, but the other day we were in a hearing talking specifically about this.
Lastly, before you answer, in the information on the contracts that you will send us, does it state whether one licence is one mobile phone? That is, what products can be bought, for example, or for how long do you have them? Because the numbers do not add up for us. If there are fifty countries and some 13 000 cases, as you have told us, does each State buy different licences?
If this information is in the contracts, it will reach us in writing. It is just a matter of knowing exactly how this type of contract works, how many licences there are, how much they cost and how they work; whether a licence is a single instance of spying or several, and whether it is for one mobile phone or several.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): So the way the licensing works is that a customer receives a specific number of concurrent targets that they can target. Those numbers are usually single-digit to low double-digit numbers, obviously depending sometimes on what a customer requests, but also it is going to be reviewed from us to make sure that that number seems to be consistent with the issues at stake in that country, the size of that country, obviously the size of the country is going to matter, the size of the responsibility of the specific government agency. Is it an agency that has broad responsibility for fighting crime? Is that an agency that is dealing with a specific issue? The numbers are going to be determined taking into account those things as part of the due diligence process.
But at the end of the day, the system is sold with – the defining aspect is going to be the concurrent number of licenses, the concurrent number of phones that can be targeted at any given period of time.
Eva Kaili (S&D): So I understand you function basically under Israeli law, so I was wondering if it’s G-to-G allowed from Israel to export to non-democratic countries such software?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Under Israeli law, this is an export-controlled item and therefore we are required to receive export licenses. The Israeli system is a dual system where you first have to get a marketing license and only afterwards you get an export license. So there are two stages of review by the Israeli Government.
As far as which countries the Israeli Government decides to give licenses to, that would be an issue that, since I’m not a spokesman for the Israeli Government, I will not be able to answer.
Eva Kaili (S&D): And is it possible to have geoblocking by design? Because I understand that you wouldn’t sell to a non-democratic Arab country software from Israel that can be used against Israel, is that correct?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): The technology exists to be able to block things based on geography, yes.
Eva Kaili (S&D): So this means by design? The EU could ask you to not target EU numbers if we would want that? Did you do that with UK and US numbers?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I’m saying it would be technologically possible to do that. And obviously the decision on that issue is going to be a decision which can come either from a regulator and then it’s going to be a question of a diplomatic decision by a regulator, or it can be a decision made by a company if it is felt that that is what is necessary by us. We can make that determination if we feel that that is what is necessary to best protect human rights in that situation, without overly affecting the legitimate needs of law enforcement to be able to conduct their activity.
Eva Kaili (S&D): (Start of speech off-mic) … normally I know technology is neutral, but in how you use it is legal or illegal. But basically under GDPR I don’t see any room to use that, because if we wanted to end-to-end encryption, we would have done it by law. So basically it cannot function under European law.
So this means by design, if we request specific standards, you can comply and geoblock specific numbers and also limit the numbers that a country has access to, so per licence you can limit the number, I understand it is 200 numbers per licence, correct?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said before, the numbers are usually single-digit or low double-digit numbers. So that number that you stated is much higher than what we would provide to a customer.
Regarding the legal discussion on GDPR, again, I don’t think this is the forum to get into a full discussion on GDPR. I personally would think that I have a different view on that, but obviously if the European Union would make a determination that any use of this type of software would be in violation of the GDPR, obviously it would have to be something the company would have to take into account, because we are always going to make sure that our software is following the law. Again, I think if that determination was made, it would seriously have a bad effect on the ability of EU law enforcement to conduct their activity. But that, again, is not a decision that we should be involved in.
Eva Kaili (S&D): You said 12 000 numbers, 60 people, companies or governments, so I figured 200 numbers per Member State. That’s how I got the number 200. You say it’s less, so I think we should come back to that.
But a final thing: by design you can make sure that when you terminate the contract, the audit logs are not deleted. So you can still have access, because if you can revoke access to your software, this means you can constantly have access to these audit logs if you decide to do that. So if that would be possible, and then if not, I understand that competition is there. So if competition does it, are they better than you? Are they somehow different than you that you would like to manage something extra that you could share with us?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Regarding the number, again, I said the numbers are concurrent licenses, I think that may have led to some confusion in the calculation.
As far as our ability to what is done after termination of the license, after termination of the license we no longer have any connectability with the system of the customer, so therefore we will no longer be able to conduct an investigation into the audit logs that were kept by that customer, because the system was terminated.
As far as competitors, again, I don’t really have a response to that, but I think the ones who should be asked that are our customers, I don’t think our company should be commenting on if it’s better or worse than others.
Anna Júlia Donáth (Renew): It’s going to be really hard to ask your customers, because they’re as responsive as you are regarding these issues. However, I would like to ask about the future, as obviously you are not that much willing to answer questions regarding the past, but for sure we’re going to get those answers either/or.
You mentioned that each contract with your clients needs approval by the Israeli Government. Are you planning the revision of those contracts, which were approved by the previous government, and nowadays – our question to you – misused the software, I mean, of course, you said it’s alleged issues. However, there are quite many proofs nowadays. So my question is that are you planning to revise those contracts, those European contracts, without naming and shaming your client, that’s under the questions nowadays. And we want to really get the answers. Are you planning to revise the contracts?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): I would just split the issue between the Israeli Government and us as a company. Because, again, decisions of the Israeli Government are decisions that they make and they review what they review and they can decide as far as export licenses or not. We’re not privy to their decision-making process.
As far as what we do, as I said, in any situation where a credible allegation has come up, we will review the customer so that’s also reviewing the contract. If it’s not a question of allegation on a yearly basis, we’re reviewing the contract with each customer and it’s going to go through a review again if there are other changes in the situation as in previous years, yes, we are always ongoing in reviewing the contracts.
Anna Júlia Donáth (Renew): (Start of speech off mic) … because you have mentioned that NSO is looking for new tools and how you can help journalists who are unfortunately becoming victims nowadays and so on and how to prevent it for the future. And I think, on behalf of all of us, we can say that you can start with terminate reveal your clients in case of misuse, because you said that Pegasus was made to stop terror and to save lives. But nowadays terror has multiple other forms than just bombs and killing people.
So our advice is to please help us in this inquiry committee to do our jobs in order to protect the victims. Because you can never know who is going to be your next possible clients, as governments are changing.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): So as I said, in those situations, we make it very clear that if there is a violation, what I’m talking about, we will terminate contracts we have and we will continue to terminate contracts in any case like that. We’re trying to find solutions that are also more proactive in customers that do continue to work to make certain in more manners that there shouldn’t be a possibility to target. Obviously, it is not always easy to draw the line without affecting legitimate investigations. Now, obviously, this issue is also one of the things that you will be able to read more about in the position paper that we will make available after this is over.
Anne-Sophie Pelletier (The Left): Mr Chair, I may also pick up some of my colleagues’ questions a little, but that does not matter.
First question, you have just said that as soon as you have credible allegations, you review your contracts. What is your definition of credible allegations?
Second question, you told us that your software was there to save lives and to fight terrorism and crime. I would very much like to know how political opponents, journalists and members of parliament, for example from my country, are criminals, terrorists or anything else that your software can help to surveil?
Third question, when you say that you try to find solutions with your customers, when you see that there is no legitimate surveillance and that your customer has used it for purposes that are not in compliance with the rules, what solutions do you try to find?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): The issue of credibility as far as a report is obviously going to be dependent on a bunch of issues. It’s going to depend on where the report’s coming out from. It’s going to depend what type of information we have that allows us to investigate. Is it just a general statement regarding the name? Is there anything else that is connected to it? As I said before, to do a full investigation, we will need more than that.
We will first then do an initial investigation where we will take a deeper dive again, through what is available publicly regarding a potential target to see if there are things that maybe are raised publicly that can act as an explanation of why this may have been a legitimate target. Obviously and clearly, the vast majority of journalists, human rights activists, politicians are not criminals. That does not mean that there can never be a situation where any one of these people could be legitimately targeted. But obviously, if it’s being done in bulk in a large manner, that would be something that would be completely investigated and that would be very difficult, I think, for a government to clearly define that a whole large list of journalists were legitimate targets.
The steps we have taken when we’ve discovered something that’s not legitimate has been shutting down systems, sometimes shutting down the system until there is a revision of the laws or a change in the country. But those are the steps that can be taken when we see that there has been a misuse of the system. This is something that, as I said, again, something that has been done in the past, and we will do it again in the future in any time that this comes up.
Chair: Four quick, concrete questions from myself. Is it correct that what we’ve heard as well, that we talked about the scoring is correct, that you also adjust the pricing scheme of the contracts based on the scoring of a certain country as a customer?
Is it true that because of the financial struggles, also after the blacklisting by the US, that you are now proposing to sell more products to elevated-risk countries, which was reported as well?
Three, to follow up on the point that Eva Kaili made, and you said there was some miscommunication maybe, but if you have numbers in there, the single digits or the low double digits, but you still refer to 12 000 to 13 000 annual targets. How does that exactly work? How do we get to 12 000 to 13 000 targets with such low numbers per country?
And fourthly, you have access to the licensing part of the software from a distance. You have access to all sorts of other parts of the software to do maintenance. How difficult would it be from a technical point of view for you with the capabilities that you have to also have access to the main data in the system – whether you do it or not – but how difficult would it be to have access?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Regarding the pricing, no, human rights issues are not something that can be negotiated by price. Obviously, any compliance system is looking at the broader aspect of a company’s activity and is always going to be making a business decision, taking into account risk. But there’s no way that a country can say, OK, you know, I have a low score, I’ll pay more and therefore I’ll get the system. That is not something that is ever going to be discussed.
And the same goes for the other question. As I said, our compliance over the past year has been constantly, at least since I’ve been in the company, even before, there has always been increasingly more scrutiny, and more raising of the bar. This has happened even more so over the past year as a result of the information that came out from the Forbidden Stories and Pegasus project papers. We’ve raised the bar. As I mentioned before, the total number of customers has gone down because we are not willing to sell to more customers. So we are not selling more products to elevated-risk countries.
Again, an explanation on the numbers. The number of licences are concurrent, which means that a customer can, if he has five licences, it means he can target at one given time five phones. Once it has removed the surveillance on those phones, it can then target another five phones. So therefore, over a certain period of time, someone who has five phones can conduct surveillance over a number of phones. And therefore, that is an explanation of the data.
We have in place extremely strict protocols as far as the access to information. And even when customers sometimes want to provide us with information because they have a problem, we make it very clear that this is not something that we as a company can receive. Obviously, I have a lot of respect for our researchers, which are probably top-notch in the world, and therefore I wouldn’t put anything past them as far as their abilities, but this is therefore one of the reasons that we have in place these protocols to assure that we do not access this information. Because, again, this is extremely sensitive information. I think this is clearly evident that none of our customers would allow us to access, they wouldn’t use a system that they thought there was a risk that we would access sensitive information. And again, this is part of the complex compliance world that we as a company are living in and always trying to build and improve upon.
Sophia in ’t Veld (Renew): I would ask if it is always willing to cooperate in certain matters. Because, Mr Gelfand, you keep saying ‘we’re acting within the law, everything we do is legit’ and well, whatever Citizen Lab or Amnesty have found out, we cannot verify it.
The point is that at least three EU governments have admitted that they have used Pegasus on their citizens. And we also know that traces have been found on the phone of a Commissioner and several Commission officials. I do not think you can maintain that that was legitimate. So would you be willing to go through each and every one of those cases together with Citizen Lab, Amnesty International and monitors from the European Parliament to verify what happened? Because if it’s true what you’re saying, that you’re always acting strictly within the law, that you’re monitoring permanently and you have very high standards of due diligence, then there should be no reason why NSO should not be willing to do that.
Chair: Sorry, colleagues, I have been extremely flexible for this whole session. We have three distinguished guests waiting for us, and they have been waiting for over an hour. We have used more than an hour more for this debate than we were supposed to have. We will have the ability, the possibility to also address written questions. We will go on a mission to Israel, where we will also visit NSO, where we can ask additional questions. So I really want to conclude this debate now, if you could answer to the question of our rapporteur, Ms in ’t Veld as a concluding remark, please do so. But then we really need to move on to the next item on our agenda. I’m sorry for those colleagues who still want to ask questions, but will need to do that in another way. Please, Mr Gelfand.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Obviously there are a lot of facets to the question that was asked, and there are a lot of considerations that we have to go at. I think it is something we would surely consider, we would have to look at what this would entail and to see what we could do with that, but I would not say that is something we are going to say no to, but it’s something we would have to, you know, understand the boundaries for and how and if what can be shared. And we would not try to hide that. But obviously, anything that is getting into confidentiality of customers is going to require us getting permission from those customers. And that is something that is not easy.
Chair: Mr Gelfand, thank you very much for being with us today. You see that our members of the inquiry committee are highly committed and very passionate about the subject, and with reason. Thank you for staying an hour longer than we initially put you on the agenda for, which is also much appreciated and I also appreciate the commitment that you made here to be willing to reply to written questions as well, to also be willing to look at the possibility to, in a less public setting, maybe share more information and to come back on some of the questions from Mr Körner, for instance, about the use of Pegasus in the EU and the lists of scoring of different countries. We will send you some additional questions.
And now I thank you for your presence here, and let’s hope that this is not our last meeting in the mandate of this committee. Thank you very much. I thank all the Members for their questions, and thank you for your answers. Please could you leave the position paper with our colleagues and we will make sure it is distributed. If you could also send it to us in digital format, that would be even better.
(The exchange of views closed at 17.31)