One of NSO Group’s products is Pegasus software, which aims at countering terrorists and criminals’ tactics of frequently changing SIM cards and using encryption applications and protocols to avoid potential monitoring.
Pegasus overcomes this by remotely-monitored interception. A mobile phone owner is sent an ostensibly innocent SMS message which installs the software when he opens the message. This enables system operators to extract any data from messages and emails to search history and lists of contacts and address, without the awareness or approval of the phone's service provider, and without the phone owner’s knowledge. They can also install their software through rigged Wi-Fi hot spots or using a human spy.
In an August 2013 “Defense News” article, NSO co-founder Omri Lavie said, “We are practically a ghost. For the target, we are completely invisible and leave no traces whatsoever.”
A United Arab Emirates human rights activist and a Mexican journalist who wrote about corruption in the Mexican government were shocked to discover in the past month Pegasus installed on their phones.
NSO’s internal documents details offers to countries throughout Europe and multimillion-dollar contracts with Mexico.
How much will it cost a country's security service or a company to spy on a mobile phone owner and learn his location and communications at any given time, without him being aware? According to the leaked documents, a client first has to pay a flat $500,000 installation fee. Then he will have to pay $650,000 to spy on 10 iPhone or Android users; $500,000 for five BlackBerry users; or only $300,000 for five Symbian users.
Further surveillance targets will require the client to pay an additional $800,000 for 100 extra targets; $500,000 for 50 extra targets; or $150,000 for 20 extra targets. NSO also charges an annual system maintenance fee of 17% every year thereafter.
In exchange for this hefty price, the client receives “unlimited access to a target’s mobile devices” and can “remotely and covertly collect information about the target’s relationships, location, phone calls, plans and activities – whenever and wherever they are….”
The company says it has a strict internal vetting process so that its services aren’t offered to criminals and terrorists, or rogue countries, and it courts mainly state law enforcement.
Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, says this is insufficient. “Once NSO’s systems are sold, governments can essentially use them however they want.”
Now that companies like Apple, Facebook and Google are using stronger encryption means to protect data in their systems, government agencies have found it harder to track suspects and NSO’s capabilities are in higher demand.