Fast 50 Länder setzen den Staatstrojaner Pegasus etwa 12.000 bis 13.000 Mal pro Jahr ein, um Smartphones zu hacken. Das sagte der Hersteller NSO im Untersuchungsausschuss des Europaparlaments. Wir veröffentlichen das Protokoll der Anhörung. Einzelne Länder will NSO nicht nennen, das dürfen nur die Regierungen.
Seit April beleuchtet ein Untersuchungsausschuss im Europaparlament den Einsatz von „Überwachungs- und Spähsoftware“ wie Pegasus. Im Juni hat der Ausschuss das Unternehmen NSO eingeladen, das den Staatstrojaner Pegasus herstellt und verkauft. Für NSO sprach Chaim Gelfand, Chefjustiziar und Chief Compliance Officer der Firma aus Israel.
Leider gibt es von der Anhörung nur eine Video-Aufzeichnung, ein Download ist umständlich. Dazu gibt es ein Wortprotokoll, doch das ist nicht öffentlich. Wir veröffentlichen jetzt die Video-Datei und das offizielle Wortprotokoll.
Etwa 12.000 bis 13.000 Ziele pro Jahr
Das Parlament schreibt in einer Pressemitteilung, die Abgeordneten hätten den NSO-Vertreter „gegrillt“. Wir bezeichneten die Aussagen als „Litanei von Nicht-Antworten“. Tatsächlich sagte Chaim Gelfand zwei aufschlussreiche Dinge, die bisher wenig Beachtung fanden.
NSO gab zu, dass sie in der Vergangenheit „etwa 60 Kunden in 45 Ländern“ hatten, darunter 14 EU-Mitgliedstaaten. Derzeit hat NSO „weniger als 50 Kunden“, darunter zwölf EU-Länder. Diese Kunden greifen „etwa 12.000 bis 13.000 Ziele“ pro Jahr mit dem Staatstrojaner Pegasus an. Das bedeutet, Polizei und Geheimdienste setzen Pegasus alle 40 Minuten ein, um Smartphones zu hacken und zu überwachen.
Länder dürfen Pegasus diskutieren
Welche Länder Pegasus nutzen, wollte NSO nicht sagen. Laut Gelfand darf NSO diese Fragen nicht beantworten. Er sagte jedoch, dass die „Regierungen der einzelnen EU-Mitgliedsländer“ Auskunft über Pegasus geben dürfen: „Es geht um ihre Sicherheit, und sie können entscheiden, ob sie diese Frage diskutieren wollen oder nicht.“
Damit widerspricht NSO der deutschen Bundesregierung. Das Innenministerium hatte im Bundestag das Gegenteil behauptet: „Die Unternehmen wollen nicht, dass es offenbar wird, dass sie mit der Bundesregierung oder mit Sicherheitsbehörden des Bundes kooperieren. Wenn dies der Fall ist, dann beenden sie ihre Geschäftsbeziehungen mit uns.“ Diese pauschale Aussage hat NSO jetzt offiziell widerlegt.
Obwohl längst öffentlich bekannt ist, dass Bundeskriminalamt und Bundesnachrichtendienst Pegasus einsetzen, verweigert die Ampel-Regierung weitere Auskunft. Innenministerin Faeser will nicht einmal sagen, ob die mit Pegasus überwachten Daten vor Zugriff Dritter geschützt sind oder ob die Bundesregierung mit Pegasus gehackt wurde.
Bundestagsabgeordnete der Regierungsparteien FDP und Grüne fordern: „Die Bundesregierung muss dem Parlament Auskunft über den Einsatz von Pegasus geben.“ Mit der Erlaubnis von NSO hat sie eine Ausrede weniger. Wir haben den Vertrag zwischen BKA und NSO angefordert. Wenn wir die Antwort nicht bekommen, werden wir wieder klagen – wie beim Staatstrojaner FinFisher.
- Date: 2022-06-21
- Place: Brussels
- Institution: European Parliament
- Committee: Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware
- Chair: Jeroen Lenaers
Exchange with NSO
- Chaim Gelfand, General Counsel and Chief Compliance Officer, NSO
- Nicola Bonucci, Partner, Global trade and investigations & white-collar defence practices, Paul Hastings law firm (Paris)
The exchange of views opened at 15.06.
Chair: Dear colleagues, a warm welcome to you all at today’s hearing of our Committee of Inquiry on the use of Pegasus and equivalent spyware. We have interpretation in the following languages today: German, English, French, Italian, Dutch, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian.
Our first point on the agenda is the adoption of the agenda, and if there are no comments, I consider it adopted.
Then we move to the first part of this meeting, which is an exchange with NSO, the company that produces Pegasus, and NSO is represented here by Mr Chaim Gelfand, the General Counsel and Chief Compliance Officer, and Mr Nicola Bonucci from the Paul Hastings law firm in Paris. It’s a pleasure to welcome you here today.
As you know, our committee of inquiry has been set up to investigate the abuse of Pegasus and equivalent spyware in the Member States of the European Union. So our committee will not focus exclusively on the spyware that you produce at NSO Group, but as you probably can infer from the abbreviation of our committee of inquiry, Pegasus will be at the centre of our work. And I read with great interest also the first NSO Group transparency and responsibility report from June last year, because I think transparency and responsibility is exactly what we need today as well to make this hearing a success.
Let me highlight one sentence maybe from the foreword of this report, which says ‘we must hold ourselves to a higher standard and act with stewardship and transparency, taking into consideration the need for the sensitive balance between states’ obligations to ensure public safety and concern for human rights and privacy’.
Now I think that higher standard is exactly also what this committee will be looking for today, and I count on you also to show that commitment, also in answering the questions of our Members today.
Now, on practicalities, before we move into the substance of today’s meeting, I would like to ask you, dear colleagues, that all Members who want to take the floor in this first part of the meeting to indicate this during the contribution of Mr Gelfand so that we can complete the speakers’ list and keep an eye on the clock as well. We will use the ping-pong format so we get immediate answers to our questions. What I really ask you is to stick also to the speaking time to make sure all Members that so desire can take the floor.
Finally I would like to remind the colleagues and everybody who is following this hearing today about the PEGA Committee whistle-blower functionality. If you have any relevant information for the work of our committee that you would be willing to share, please do so and send it to the dedicated email address that you can find on the website of our committee.
Now, without further ado, and with an eye to the clock, I am very happy to pass the floor to Mr Gelfand for 10 minutes.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): On behalf of NSO, I want to thank the members of the committee of inquiry for having us here today. We are very appreciative of the opportunity to speak with you directly and would like to use this time to cover three main areas. First, we will provide the committee with information on NSO as a company, our technologies, goals and practices. Second, we would like to dispel certain rumours and misconceptions regarding our company and its technologies that have been prominent in the press and public debate. Third, we would like to share our goals and commitments for assisting the committee in its ongoing work.
Before we begin, we should note that there are limits to the information we can share with the committee and others. As you know, NSO is a private company providing export-controlled cyber intelligence technologies only and exclusively to government agencies for the purpose of preventing and investigating terrorism and other serious crimes. As a result, we are unable to share details about our customers, as well as the crimes prevented and criminals tracked and apprehended using our technologies, or trade secrets of the technology. This practice is imperative to protect the legitimate legal and operational needs for secrecy of cyber intelligence and law enforcement agencies. We are, however, committed to transparently sharing with you accurate information regarding our company and technologies.
We would like to begin with stating the simple truth that this technology has been conceived and designed to save lives worldwide. NSO was founded in 2010 and was developed in order to respond to the needs and requests from various law-enforcement agencies, including some from EU countries, to find a technological solution to gather intelligence from encrypted mobile devices. NSO was established with the ambition to make the world a safer place and has been doing so since day one.
Since its establishment NSO has set forth four principles to guide the manner in which it works. One: NSO only sells to governments. Number two: NSO will not sell to just any government. Number three: NSO does not operate the systems. And number four: a desire to be regulated by government regulators.
NSO’s products are licensed for sale with the approval of the Israeli Export Control Authority and provided exclusively to government, intelligence and law-enforcement agencies. The rapid development and widespread use of technology by terrorists and criminals has profoundly changed the ability of states to prevent and investigate terrorism and other serious crimes. Our products assist state authorities in addressing the ‘going dark’ problem, meaning the growing misuse of end-to-end encryption of applications by terrorists and criminals to conceal messages and plots when communicating through mobile devices. The only other option to conduct investigation in today’s world is through mass surveillance or backdoors to the devices of all users, which would be much more intrusive technology.
The technology like that developed by NSO is the only type of target-centric solution that is known. NSO is most well known for Pegasus, a cyber intelligence programme used by state law-enforcement and intelligence agencies to collect data from specific mobile devices during investigations.
Through the use of Pegasus, state authorities have and continue to thwart numerous terrorist attacks such as suicide bombings, and it has been instrumental in apprehending paedophiles and other serious criminals. NSO is fully aware of and committed to its own human rights responsibilities and the duties of its clients, and is determined that its products be used appropriately and lawfully. In light of this, NSO has made a fundamental commitment to voluntarily take steps to address these concerns, including by following the approaches described in the United Nations Guiding Principles on Business and Human Rights (UNGPs).
NSO is proud to be the first and, to our knowledge, the only company in the cyber industry effectively implementing policies towards complete alignment with the UNGPs. This includes adopting and implementing policies, procedures and internal human rights programmes, including human rights due diligence procedures, reviewing each credible allegation of misuse that is raised, conducting international investigations and engaging with all stakeholders.
Unfortunately, not all allegations made against NSO are credible. For example, we have identified many allegations that are false or contractually and technologically impossible. These allegations often rely on evidence and data that was not provided to NSO, preventing us from being able to verify or refute such claims, and thus introducing confusion that is detrimental to maintaining public confidence in these technologies.
I would like now to dispel a number of misconceptions that have surfaced in the press and public debate with respect to our company’s activities and technologies. A lot of information has already been presented to the committee and there are numerous allegations that simply are not true. In light of the allocated time, I cannot go through all of them, so I’ll focus on the main or most common misleading and/or incorrect allegations.
It is not true that NSO Group operates Pegasus and collects information about individuals. It is not true that Pegasus has greater technological abilities in its design. It is not true that NSO Group sells its technology to private companies. It is not true that all traces of Pegasus software vanish on devices. It is not true that NSO Group retains data and Pegasus creates a permanent and strong risk of massive security breaches comparable to encryption backdoors. And it is not true that the so-called 50 000 phone numbers list is a list of targets of Pegasus. I will address each of these misconceptions one by one.
Let me state unequivocally that NSO does not operate Pegasus, has no visibility into its usage and does not collect information about customers or who they monitor. NSO licence Pegasus solely to law-enforcement and intelligence agencies of sovereign states and government agencies, following both a careful and sector-leading pre-engagement due diligence process and approval by the Israeli Government.
Licences are limited in number and contracts are carefully crafted to permit only legitimate use. NSO does not have any knowledge of the individuals whom states might be investigating, nor the plots they are trying to disrupt. For obvious reasons, sovereign states normally do not and will not share this extraordinarily sensitive information with NSO or any other provider of similar technology.
Regarding the second misconception, first, Pegasus is not a mass-surveillance tool. The data is collected only from the mobile devices of pre-identified specific individuals suspected to be involved in terrorism and other serious crimes subject to judicial or other appropriate oversight. Pegasus is used with specific pre-identified phone numbers one at a time, and is similar in concept to traditional wiretap.
Second, Pegasus does not delete or edit data on a targeted device or allow for such deletion or editing. Pegasus is designed with intelligence and data-gathering capabilities and is incapable of impersonating a victim. It cannot be used for any other purpose.
And third, Pegasus cannot be used to gather information broadly and does not penetrate computer networks, desktop or laptop operating systems or data networks. Regarding the third misconception, NSO Group sells its technologies strictly and exclusively to government and government agencies for the purposes of combating terrorist activities and crime.
Regarding the fourth misconception, while Pegasus is indeed hard to detect on a target’s phone, it has a built-in investigating capability in case a misuse is suspected. This is impossible to erase or manipulate. Those capabilities cannot be completely deleted and an audit trail log exists permanently with the ability to retroactively check whether or not a certain phone number was penetrated. NSO has been granted access by its customers to perform this type of investigation many times in the past when an allegation of misuse arose, which has led to NSO shutting down systems and terminating a number of contracts.
Regarding the fifth misconception, the data collected by customers is not stored in any cloud, and there are no backdoors to the system. There is no shared database of NSO customers, and the logs securely exist only on the servers of the customers.
Regarding the alleged list of 50 000 phone numbers, this is simply not possible. Indeed, the number of purported targets is entirely implausible based on the number of licences actually granted by NSO. The so-called list of targets, for which no details or source has been disclosed publicly, is not a list of Pegasus targets, nor has it been taken from the Pegasus system. This has even been acknowledged by several of the organisations that refer to the list. Prominent names given as examples drawn from that list have been verified as never having been a target subject to our technology.
I would like to end my remarks by reiterating NSO’s commitment to assisting the committee in its ongoing work. NSO believes that cooperation between our company and the committee can be fruitful in looking at concrete solutions to address human rights in our industry. As previously stated, as well as many law-enforcement agencies, we firmly believe that cyber intelligence technologies are necessary to address threats of terrorism and other serious crimes.
There is no other alternative that better addresses to equally legitimate public concerns security and privacy. Therefore we strongly reject any calls to ban these technologies or for a moratorium. That being said, NSO has called for, and continues to call for, the establishment of an appropriate international legal framework, sector-specific standards for states and companies, and guidelines to better determine criteria for legitimate end-users of crucial intelligence systems.
NSO is open to engage with all governments and other stakeholders, including civil society organisations, international organisations and the United Nations Special Procedures, and to enter into meaningful dialogue with a view to establish concrete solutions to promote respect for human rights by all.
Lastly, at the end of today’s meeting, and if the Chair allows, NSO intends to provide the committee with a position paper which outlines many of the points we have raised today. We thank you again for your invitation to join the committee today and look forward to answering your questions.
Sophia in ‘t Veld (Renew): Thank you Mr Gelfand, we would be very interested in your position paper and also your speaking notes for today. And I’m also looking forward to the reply to the written questions that I have sent to you, because clearly today there is not sufficient time to put all the questions and written questions will be very helpful. I’ll go very quickly through a handful of questions.
You say that the only purpose for which Pegasus can be used and is sold is fighting terrorism and serious crime. In that case, I would like to understand which cases of terrorism and serious crime were at stake when you sold Pegasus, for example, to the Hungarian and Polish governments? And whom did you sell Pegasus to when it was used to eavesdrop on the European Commission? And exactly how did that prevent terrorist attacks or serious crimes to be committed?
Then, I would also like to understand – you say you obtained export licenses from Bulgaria and Cyprus. They seem to deny that they have ever given you an export license. Can you explain the difference? And can you also explain why you are using Bulgaria and Cyprus in order to obtain export licenses rather than just licensing or getting export licenses from Israel?
Then, there is continuous ambiguity about whether or not you have access to the information. NSO keeps saying, no, we don’t have access to the information – although I thought I heard you say something about when you are investigating allegations of misuse, in that case, with the authorisation of the customer, you do get access. I’d like to hear a bit more about that. But a former employee of yours mentioned in an article in The New Yorker that NSO does have access to all the data of its customers. So can you clarify this discrepancy? Was that person lying or are you not telling the entire truth?
Then, on the structure and the operations of the company, I understand that the consequences of US blacklisting have been very severe for NSO, to the point that you got into financial trouble. So what does that say about the importance of your business with the United States and your Pegasus operations, the fact that being blacklisted with regard to one product hits your company so hard? And then we’ve read in the media about the potential sale of Pegasus surveillance technology or the codes, or parts of the company, even to either L3Harris or Thiel Capital – Thiel, Mr Peter Thiel, friend of Donald Trump and also owner of Palantir. Are you considering indeed selling your technology or parts of your company to either of these two companies? And can you say a little bit more about the reasons for that and what impact that will have on the blacklisting?
I’ll leave it at that for now.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Yes, I know you had sent the written request for written response over the weekend. I saw it yesterday evening and we will review that and try to see what we can get back to.
As I stated, I won’t be able to get into issues of specific customers that have been written about in the press or otherwise. But I can say when we sell the system to the customer – and this is what we’re saying, this is the reason we sell the system to the customer – the customer is committed to that reason, both contractually and in the end-use license that it has to sign and is provided to the Israeli Government, that the only and sole reason that it is purchasing the system is for the fight against crime and terror. If a customer uses it for reasons that are not related to the fight against crime and terror then we take it extremely, extremely seriously and investigate it, as we said. And when we find out if a customer has violated this in a systematic manner, the customer will be shut down and we will terminate the contract with that customer and no longer continue working with that customer.
Sophia in ‘t Veld (Renew): Have you done that with the Polish and Hungarian governments and whoever has bought Pegasus to spy on the Commission? Can you confirm that those licenses have been terminated?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, I can confirm that when we define a customer that has violated the terms of use, they are terminated. I can’t discuss specific customers, and I have said that at the beginning. And I think if we are discussing issues that are related to these investigations, what I can say is, these investigations are very complex and require a very good understanding with the customer of what the reason he had of suspecting a crime. If they cannot show us that there was an actual suspected crime, that things were not done in accordance with laws or that there is an international determination that the laws of a certain country were not sufficient, then we will go along and we will shut down the system. That is a violation of the use of the system.
Regarding the question on export licenses in Cyprus and Bulgaria, as you mentioned, we have companies that are located also in Cyprus and Bulgaria that deal with other technologies. They do not deal with Pegasus. Licences for export of Pegasus are only received from Israel and I think the response of the Bulgarian and Cyprus authorities were with regard to Pegasus. There are other intelligence items that do other things like locational finding and the like that are developed there and require export licenses as well to be sold. And those are the relevant companies there when they export and receive licenses from the authorities in those countries. But that is not related to Pegasus. I’ll jump over to the other question – I’ll get back to that in a second because this is connected – the structure of the company sometimes is looked at as confusing. In the past – I think it was a year and a half ago – we responded very broadly to Amnesty and that is public. We explained the whole structure – the structure as a result of various acquisitions that happened over the years and the way those companies were set up beforehand. We’re not trying to hide anything. We’re completely transparent as far as the structure and anyone who wants can look and see. We provided there a very detailed explanation of the structure of the company.
Regarding the access to information, we do not have access to the information. It is saved only on the customers’ sites. As I said, on their server, on the customer’s server that is located on the premises, on the customer’s site. There is also an audit log that is kept in an area of the server where the customer cannot access to delete any information there. In the event that it is required as part of an investigation to verify whether a certain phone number was targeted or not, we request access from the customer to that area of the system where we can then connect and verify whether a certain phone number was targeted or not. This is done as part of an investigation. Again, as I said, we have a unique process for whenever an allegation comes up to investigate the issue – investigating an allegation like this includes very often two parts. One, the factual question of was this person actually a target of the system? Because as I mentioned before, numerous reports that have come out and as I have mentioned here, we have stated this publicly before, about President Macron; the issues that came up about Jamal Khashoggi, questions of Jeff Bezos, the system was not used on those numbers. So in those cases, we have a first issue of the facts on the question of was the system used against the number.
The second issue in an investigation is going to be more than that, is understanding what is the reason that a customer targeted a specific number. You can have a person who is in a certain position, which would seem to be a position that is you may be targeted because he is a journalist, human rights activist, but a customer can have serious suspicions of actual crimes against that person, whether related to his activity or unrelated to his activity. If those are legitimate, then using a system like this would not be a violation either of the end-user certificate or the terms of use or of international law. And these are the type of things we have to investigate.
So if a customer is going to try to tell us so-and-so was not a target, we want to verify that. We’re not going to just rely on their word. And in those situations, with the customer’s consent, which under contract they are required to give us, we will access that part of the system to see the phone number and when it was targeted, the dates; we could then verify with the customer if he had warrants that applied to those dates or not. And in those situations, again, that’s what we’ll see is the phone number. We will not see the data that was collected. We will not see the information that was on the phone. We’ll see the audit log, which has the phone number and the questions of when it was targeted in order to complete our investigation. If the customer will not participate, will not cooperate in this ongoing investigation, we will shut down the system. We’ve done it in the past. We’ve done it recently. We’ll continue to do it with any customer that will violate the terms of use.
Regarding the issue of the blacklist, the US Entities List affects the ability of the company to purchase any item that is subject to the export administration regulations of the United States. Those type of restrictions obviously have an effect on the company. And we are confident when we get into discussions with the US Government we will be able to explain to them, similar to what we’re explaining here about how the company works and why we think that the opposite is true, that the company is necessary for the security of the world and why we should not be on that list and that we will be removed from that list.
I can state that the company is always in various negotiations with different companies around the world regarding acquisitions. More than that is something that I can’t get into because it’s confidential information and if anything happens, obviously, things are made public at that time.
Bartosz Arłukowicz (PPE): Jestem z Polski i mam do pana kilka pytań. Powiedział pan, że sprzedajecie system Pegasus tylko i wyłącznie agencjom rządowym i rządom. W tym telefonie mam – dzięki pracy dziennikarzy śledczych z Polski – fakturę między prywatną spółką powiązaną z dawnymi systemami wywiadowczymi w Polsce czasów komunistycznych, fakturę między prywatną spółką a agencją rządową prawdopodobnie sprzedającą system Pegasus. Czy mógłby pan to wyjaśnić? Jak to się ma do tego, że pan mówi „sprzedajemy tylko rządom”, a dziennikarze śledczy w Polsce udowadniają, że prywatna spółka kupuje to z Izraela, a potem sprzedaje agencji rządowej?
Chciałem też pana zapytać – bo mówił pan, że sprzedajecie to tylko rządom, które walczą z terroryzmem i z wielkimi zagrożeniami – kiedy dowiedzieliście się i czy dowiedzieliście się, i skąd, o podsłuchiwaniu i szpiegowaniu Pegasusem szefa kampanii wyborczej w Polsce w roku 2019? Jego nazwisko to Krzysztof Brejza. Wiemy, że był szpiegowany systemem Pegasus, kiedy przewodził kampanii wyborczej do Parlamentu Europejskiego, w którym pan dzisiaj jest. Chcę pana zapytać, czy sprawdziliście, jaką działalność terrorystyczną prowadził były wicepremier Polski, który był według doniesień medialnych szpiegowany systemem Pegasus. Czy o szpiegowaniu szefa kampanii wyborczej w Polsce dowiedzieliście się w roku 2019, kiedy to miało miejsce według doniesień medialnych, czy dopiero po raporcie Citizen Lab w roku 2021? Czy wypowiedzieliście umowę licencyjną Polsce, polskiemu rządowi bądź jakiejkolwiek polskiej spółce?
I podstawowe pytanie: czy sprzedaliście ten system Polsce? Jeśli wypowiedzieliście umowę Polsce, to kiedy i na jakiej podstawie? Skoro pan twierdzi, że nie macie dostępu do gromadzonych danych, to na jakiej podstawie stwierdzacie, że system został nadużyty w sposób niewłaściwy? I w końcu, czy macie jakąkolwiek kontrolę nad tym, gdzie i jak wykorzystywane są dane i przeciwko komu przez waszych klientów, którzy ten system od was kupili?
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said, I cannot respond to specific questions about governments. I can and again, I invite the committee if they want to speak with the various governments in the various countries that are members of the EU. And many of them, I can say it in general, that many of them are customers.
Regarding the issue of sales to government agencies, what I am saying is that the government agencies are always the end user. The installation of the system is always at the government agency. There are sometimes commercial third parties that are involved in the transaction for reasons of security aspects. These commercial third parties will very often be in between as an intermediary between NSO and a government on the contractual side of things. They never receive the system itself, they do not have access to the system. They’re acting only on the commercial aspects and the system itself is installed by the end user and is only used by the end user. It’s installed by our company in the end user’s facility. And again, as I said, a private company can be involved sometimes in the commercial aspects of the sale as part of the marketing, but does not receive the system or access to the system. The end-user certificate is signed by the government and provided to the Israeli Government as a government-to-government commitment.
As I stated before regarding the issues of the investigations, and I’ll repeat it again, we sell the system to save lives. We do not have access to the intelligence. Therefore the way that a suspicion comes up which results in us investing will almost always be either through our whistle-blowing, we also have – and anyone who wants is invited, we also have it on our website – we have a whistle-blowing email. We get reports either through the whistle-blowing email or things that are brought to our attention by NGOs or the media. Those are things that are the beginning of an investigation on our side. And then we will investigate to see that it was properly and correctly used. Again, those investigations are in-depth investigations. If a customer does not cooperate, then we’ll shut them down just for not cooperating with our investigation. This is a requirement under contract, and that is the way that we try to assure that these things are used correctly.
I’ll go and say more than that. I think, you know, and this is what we were calling for and we think that this issue is an issue that cannot only be dealt with by private companies. Our ability to go and investigate another government even though they have a contractual obligation to us is always going to be very limited. Only as a private company, any decision that we make as far as the legal status of the laws in that country, the way the country itself is following those laws are, you know, are the various different bodies independent of that? We’re a private company. We’re very limited in our ability to do that. Any other private company out there doesn’t even try to do it. We try because there is no government body that has taken that responsibility upon itself. If there would be such a government body that would take the responsibility upon itself, we think obviously that would be the best way to go forward with it.
Bartosz Arłukowicz (PPE): Bardzo przepraszam, panie przewodniczący, bardzo przepraszam. Albo my traktujemy poważnie nasze prace, albo będziemy błądzili wokół. Ja zadałem pytanie. Pan twierdzi: sprzedajemy tylko rządom, a teraz pan mówi: sprzedajemy spółkom prywatnym. Niech pan spojrzy: w tym telefonie mam fakturę na szkolenie między firmą Pegasus a prywatną spółką, która potem to sprzedała polskiej agencji rządowej. To szkolicie czy nie? Macie dostęp czy nie? Jak prowadzicie śledztwo, czy jest dobrze wykorzystywany, skoro nie macie danych?
I w końcu zadałem pytanie: czy odebraliście Polsce licencję? Czy wiecie, że w Polsce był podsłuchiwany i szpiegowany szef kampanii wyborczej, były wicepremier, szef największej organizacji przedsiębiorców i niezależny prokurator, który jest antyrządowy? Czy macie tę wiedzę? Proszę o odpowiedź.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): As I said and I said again, the end user is always the government. We’re not selling to a private company that has access to the system. If they’re involved in a commercial aspect, yes, there could be a private company that is involved commercially in the transaction, but we know who the customer is. The third party cannot just go sell the system to anybody because we install the system by the end user, by the government end user at the end of the day. The third party is there only on the commercial aspects. And these third parties go through or own due diligence of third parties before they’re sold.
I said before, we investigate every credible case and we deal with the investigation that is done, I cannot and again, I repeat, I cannot because of various confidentiality and secrecy issues, I cannot get into specific questions regarding specific customers or specific cases.
Chair: I’m sorry, but we have a lot of Members that want to take the floor. I’m sure also the other members of our committee can follow up on questions that have not been answered and at the end of everybody’s rounds, if there are still questions that have not been answered, I’m happy to give the floor again. But we need to make sure also that all those Members that have requested the floor can take the floor and ask their questions. Ms in ‘t Veld has a point of order.
Sophia in ‘t Veld (Renew): Can you, as Chair, ask Mr Gelfand to either say that he is refusing to answer the questions, or answer the questions, because I’ve asked questions, my colleague, Mr Arłukowicz has asked very specific questions. And Mr Gelfand keeps repeating the same thing, and there seems to be a complete disconnect between reality and between what you’re saying.
So, Chair, I’m asking you, either we get answers or Mr Gelfand says, ‘I don’t want to answer that question’. Fine. OK, then we know where we stand. But this is like, you know, it’s an insult to our intelligence. Sorry.
Chair: Well, I mean, we have our guests here today with us. They have come here to answer the questions. If they are not answering the questions the way we want it, then I would say as a committee, we follow up on those questions. If at the end of this part of the hearing, some questions remain unanswered, I’d be happy to get back to them. But we also need to make sure that we follow the course of our agenda.
But I do take note, and you have also understood the message of our rapporteur, so it would be very helpful if there are concrete questions that they also follow up with concrete answers. And if indeed, you cannot or will not answer a specific question, please also make that known to our committee.
Ms Ernst, you have a point of order as well?
Cornelia Ernst (The Left): Only a very short question. Is it possible to send a list with open questions to NSO to get information, because we have so many questions and I think a lot of things are open, or however.
Chair: We’ll go through the list of the questions that all the Members have today. At the end, I am happy to also collect additional questions that have not been answered and send them to NSO collectively and request answers. And I am sure also NSO Group will be willing to accept that.
But now I feel we should move on with the agenda.
Sándor Rónai (S&D): Köszönöm szépen a szót és köszönöm a beszámolóját Gelfand úrnak, amiben elmondta, hogy az NSO cégcsoport a Pegazus szoftvert a terrorizmus elleni küzdelem céljából hozta létre. Nyilvánvalóan abból a célból, hogy terroristákat figyeljenek meg vele nemzetbiztonsági okokból. És ha a cég úgy találja, hogy egy tagállam, akinek eladták ezt a szoftvert, ezt nem megfelelően használja fel, az ügyet kivizsgálják és felbontják a szerződést abban az esetben, ha bebizonyosodik, hogy nem megfelelően, tehát illegálisan használták a Pegazus szoftvert. A magyar kormány 2021 év végén beismerte, hogy használta ezt a szoftvert, és az oknyomozó újságíróknak köszönhető, hogy kiderült, hogy nem terroristák ellen, hanem illegálisan újságírók, gazdasági szereplők és politikusok ellen használták fel a Pegazus szoftvert. Ezzel kapcsolatban lennének azok a kérdéseim, hogy van-e még továbbra is élő szerződésük a magyar kormánnyal? Amennyiben nincs élő szerződésük, akkor azt mikor és milyen okból bontották fel, illetve ha van arra lehetőség, hogy a magyar kormány újra szerződjön a NSO-csoporttal, újra megkösse ezt a szerződést?
Egy másik dolog, amit szeretnék kérdezni: Önök 2021-es átláthatósági jelentésükben többször hangsúlyozzák, hogy mennyire komolyan veszik az átvilágítási eljárásokat, mielőtt engedélyezik a Pegazus kémszoftver használatát, alkalmazását tagállamok és állami ügynökségek számára. Az átvilágítási eljárás során az alapvető emberi jogok és a jogállamiság tiszteletben tartását is fontos szempontként kezelik Önök, mint az NSO-csoport. Magyarország esetében köztudott, hogy évek óta jogállamisági problémák vannak. Az Európai Parlament és az Európai Unió ezt nagyon komolyan veszi. Az a kérdésem, hogy meg tudná-e erősíteni nekünk, hogy Magyarország esetében végeztek-e átvilágítási eljárást? Ha igen, akkor annak mi volt az eredménye? Ha nem, akkor miért nem végezték el ezt az átvilágítást? És még egy utolsó kérdés: miután kiderült, hogy a magyar kormány újságírók, ellenzéki politikusok és gazdasági szereplők, ügyvédek és civil szervezetek szereplői ellen vélhetően illegálisan használta ezt a szoftvert, utána megvizsgálták-e, hogy a magyar kormány jogszerűen használta-e fel, a szerződésüknek megfelelően használta-e fel ezt a szoftvert? Ha igen, hogyan, és ha nem tették ezt, akkor milyen okból nem tették ezt? Konkrét kérdéseket tettem fel, legyen szíves konkrét válaszokat is adni ezekre! Köszönöm szépen.
Chaim Gelfand (General Counsel and Chief Compliance Officer, NSO): Again, I will repeat and I think we said it also before we were invited, that with respect to issues regarding specific customers, I cannot get into specific customers. I will answer in general and I can use the reports that were in the press regarding Hungary maybe as an example to try to explain how we work in these investigations and what things we are doing.
First of all, every customer that we sell to goes through the due diligence review in advance. And very often, if concerns are raised regarding the rule of law – because what we’re looking at is also the rule of law, also the specific laws that are in place in that country – we use international standards that have graded countries as far as their human rights record as a basis for determining the risk level of the country. When we begin the due diligence process, we then gather information regarding the due diligence process, regarding the country itself, the human rights aspects in the country from various public sources that we can gather information from and then make a determination about a country before we make a decision to sell to that country.
I obviously will say that working based on publicly available information is never going to be 10
Die Arbeit von netzpolitik.org finanziert sich zu fast 100% aus den Spenden unserer Leser:innen.
Werde Teil dieser einzigartigen Community und unterstütze auch Du unseren gemeinwohlorientierten, werbe- und trackingfreien Journalismus jetzt mit einer Spende.
0 Commentaires