POLITICS & INSTITUTIONS - ECONOMY

Lux to review due diligence over spyware firm human rights questions



Illustration photo Shutterstock

Illustration photo Shutterstock

Luxembourg is considering new due diligence legislation for companies based there, after claims that spyware developed by an Israeli firm headquartered in Kirchberg was connected with the murder of the journalist Jamal Khashoggi in Turkey.

It is alleged that NSO Group’s Pegasus software helped the Saudi royal court to spy on a Saudi dissident close to Khashoggi, before his murder. In December 2018, the dissident filed a lawsuit against NSO Group. NSO denies the charge. Amnesty International last year revealed that a Pegasus hack attempt was used against one of its members in June and it raised concerns its use was “problematic from a human rights law perspective.”

The Citizen Lab, a Canadian information and IT research lab, linked Pegasus uses in countries with “dubious human rights records”. “We have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations,” it wrote on its website in September 2018.

NSO Group, which rebranded as Q Cyber Technologies, maintains that its products were designed for investigation and prevention of crime and terrorism. In a 12 January interview with The Times of Israel, NSO Group CEO Shalev Hulio said the spyware had recently thwarted several large attacks in Europe. “I can say in all modesty that thousands of people in Europe owe their lives to hundreds of our company employees from Herzliya,” he was quoted as saying, referring to the tech hub north of Tel Aviv.

What does Pegasus do?

According to Citizen Lab, the Pegasus spyware has been active since August 2016. It targets iPhones and Android devices by getting targets to click on a link which, when clicked, allows the spyware to be installed on the user’s phone without their knowledge or permission.

It reportedly gives the operator access to a user’s smartphone, calendar events, text messages, private voice calls and even takes control of the camera and microphone. Citizen Lab has compiled a series of reports on the way the spyware has allegedly been abused around the world.

What will Luxembourg do?

Amnesty International tried unsuccessfully in September 2018 to get the Israeli defence ministry to rescind the export licence of the software.

In January 2019, Déi Lénk MP David Wagner asked the Luxembourg government what it plans to do in light of the links. Foreign affairs minister Jean Asselborn (LSAP) and economy minister Etienne Schneider (LSAP) responded jointly on 19 February saying that in addition to enacting the UN principles for companies on human rights, from now until 2023, it would “study the possibility of legislation on the obligation for due diligence for companies registered in Luxembourg.”

Wagner said he was not satisfied with the response, and told Delano on Thursday that he has resubmitted two of his questions relating to whether Luxembourg plans to contact the Israeli authorities for further information and whether the government considers the company breached human rights.

Just a week ago, on 14 February, NSO Group founders and managers announced they had acquired the company, buying a 65% stake owned by US Francisco Partners. According to Reuters, the stake was valued at around $1bn. The acquisition was made with the support of European private equity firm Novalpina Capital, which is headquartered at the Cloche d’Or, in Luxembourg.

Digital rights defenders Access Now sent an open letter to Novalpina raising concerns about the human rights impacts of NSO Group’s products and services.

Novalpina responded to Access Now on 15 February saying that had “conducted extensive due diligence” and was “satisfied that the business operates with the highest degree of integrity and caution.” It added that it was committed to “helping NSO to become more transparent about its business--within the confines of the national security constraints inherent in the company’s work.”