Revelations of the misuse of NSO Group technology may not have originated in Luxembourg, but they raise the question of export controls on sensitive technologies, including for European companies Photo: Shutterstock

Revelations of the misuse of NSO Group technology may not have originated in Luxembourg, but they raise the question of export controls on sensitive technologies, including for European companies Photo: Shutterstock

The use of Pegasus, the technology of the Israeli company NSO Group, is far from being a unique case of “tolerated misuse” of technology, nor does it originate in Luxembourg, foreign minister Jean Asselborn tried to reassure concerned citizens on Tuesday 20 July. But the ambiguities are mounting.

“Our technologies are used every day to break up paedophile, sex and drug trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings and protect airspace from the disruptive penetration of dangerous drones,” said NSO Group. “Simply put, NSO Group is in the business of saving lives, and the company will faithfully execute that mission undaunted, despite all the continued attempts to discredit it on false grounds.”

—Since 2016, five customers have been disconnected, representing a loss of $100 million for NSO Group, because they did not comply with the company’s standards of human rights protection.

—The misuse of technology is deemed to be less than 0.5% by the company.

—In 2020, 12 internal investigations were conducted, which resulted in the termination of one contract and two requests for information; two others are still ongoing.

—NSO Group has foregone $300 million in new opportunities, or 15% of its new prospects.

No exports from Luxembourg, says Asselborn

In the same report, NSO Group also confirms that its technology is sold under an Israeli export licence, but also Bulgarian and Cypriot ones (pages 4 and 30). “No exports have been made from the two Luxembourg structures,” confirmed foreign affairs minister  (LSAP) on Tuesday.

On 30 June, a few days before the revelations by the media consortium led by Forbidden Stories, NSO Group tried to defuse the upcoming crisis , describing the measures taken to comply with international regulations on the protection of human rights.

This raises other questions: What is the point of the European regulation (which the government and MEPs support) on “dual use”, where a technology marketed for a laudable and avowed purpose is used in a less “glorious” context? How were NSO Group’s exports from Bulgaria and Cyprus checked and what was the outcome of these controls?

After months of discussions, the EU Council and the European Parliament published on 20 May a complete overhaul of the regulation on the control of exports of dual-use items (which account for 3% of EU exports), which will enter into force on 9 September.

Europe’s and China’s widespread surveillance

In 2019, the year of the last available report on this issue, 1,858 goods were checked across roughly 1,000 products listed (including 94 in the field of telecommunications and information security). According to the table in the report, the top five recipient countries of these goods are the United States (22%), China (12–13%), Switzerland (7%), Russia (5%) and Singapore (4%).

In the autumn, all the NGOs were against the text finally adopted in May, finding it far too “lukewarm” compared to the reality of the market. They all point out that .

. While MEPs are crying foul in Brussels or Strasbourg, business also benefits European companies: During the Arab Spring, many European technologies were sold in Egypt, Libya, Syria, Ethiopia, Saudi Arabia and elsewhere; France’s Morpho (now Idemia), Sweden’s Axis Communications and the Netherlands’ Noldus Information Technology, for their part, helped the Chinese government set up widespread surveillance of its population (the Skynet and Sharp Eyes projects), including that of the Uighurs; the UK, France and Germany alone account for 35% of the world's surveillance companies, and the market will reach €54 bn by 2025.

The Wassenaar Arrangement is ineffective

European ambiguity is also being exported: 42 countries, including the United States, France and Luxembourg, are members of the “Wassenaar Arrangement”, which has been trying to provide an international response since 1996. On 20 December, the members of this small, well-meaning club before handing over the presidency of the organisation to Hungary, itself a Pegasus client, as dei Lénk noted in a statement. The left-wing party calls for a Luxembourg investigation, while Sven Clement and Marc Goergen of the Pirate Party ask the authorities to certify that no Luxembourg institution does business with NSO and that no journalist or politician is subject to surveillance similar to those revealed in other countries.

This article was originally published in . It has been translated and edited for Delano.