As information started to leak out from the… everywhere about NSO Group’s secondhand contribution to surveillance abuses all over the world, the world (except for the worst of NSO’s customers) began taking action. Even the government that facilitated many of NSO’s sales to human rights violators decided it might be time to toss a few restrictions on the Israel-based malware merchant founded by former Israeli intelligence officers.
The same thing happened in the United States. NSO was joined by the lesser-known (but no less infamous) Candiru, another Israel-based malware developer with ties to the country’s intelligence services, in being shut out by another major world government.
The blacklisting of NSO by the US Commerce Department made things awkward for US federal agencies, who might have welcomed (and indeed did welcome!) NSO into their offices to hear a sales pitch and watch demonstrations of US-friendly versions of the malware that has generated negative news coverage for most of the past two years.
In January 2022, it was revealed the FBI tried out an NSO offering that would have removed the spy-blinkers inherent to its most powerful offering to make it possible for the FBI to target phones belonging to US persons (an option supposedly not available in the off-the-shelf version of Pegasus). The FBI appeared to like the product, but felt there was no way it could both tip the cap to the Constitution and deploy zero-click malware that fully compromised targeted phones.
This revelation led to demands from Congress that the FBI explain its decision to invite NSO over for a demonstration of its powerful spyware. Those demands led to further admissions from the FBI that it did indeed want to acquire this spyware, having allegedly spent $5 million on licenses for malware it (supposedly) never bothered to deploy. But even that testimony to Congress didn’t tell the whole truth, as was later revealed by public records obtained by the New York Times following an FOIA lawsuit.
Nevertheless, the FBI did offer its concern that someone, somewhere in the federal government might have purchased and used malware developed by NSO. Congress began asking questions again when documents surfaced showing a government contractor had purchased a license for this malware. It asked the FBI to get to the bottom of this.
The FBI did. And, according to this schadenfreudelicious report from the New York Times, the FBI is shocked, SHOCKED! to report that it was the FBI itself that engaged in this particular dirty dealing.
When The New York Times reported in April that a contractor had purchased and deployed a spying tool made by NSO, the contentious Israeli hacking firm, for use by the U.S. government, White House officials said they were unaware of the contract and put the F.B.I. in charge of figuring out who might have been using the technology.
After an investigation, the F.B.I. uncovered at least part of the answer: It was the F.B.I.
The deal for the surveillance tool between the contractor, Riva Networks, and NSO was completed in November 2021. Only days before, the Biden administration had put NSO on a Commerce Department blacklist, which effectively banned U.S. firms from doing business with the company.
Riva Networks secured the spyware — an NSO offering called Landmark — and, apparently, put it to use without the FBI’s explicit approval. As the NYT report notes, Landmark has been linked to abusive deployments by the government of Mexico to track journalists, activists, and other people who continually inconvenience those in power.
What the FBI has been forced to admit is that it apparently — despite its billions in funding — is incapable of preventing its contractors from doing stuff it claims it doesn’t do or doesn’t want to do.
The F.B.I. now says that it used the tool unwittingly and that Riva Networks misled the bureau. Once the agency discovered in late April that Riva had used the spying tool on its behalf, Christopher A. Wray, the F.B.I. director, terminated the contract, according to U.S. officials.
Pretty convenient. The FBI can benefit from supposedly unauthorized malware deployments and then just claim it fixed things in post. The internal investigation doesn’t bother to specify which investigations this malware may have played a part in, and the FBI clearly feels that doing nothing more than admitting wrong after the fact is the equivalent of preventing wrongs from occurring or, at the very least, informing targets they were improperly targeted or shutting down investigations affected by unapproved spyware deployments.
Instead, we’re getting nothing but the FBI’s awkward admission it was the FBI that did the bad stuff. And it’s still not clear if Riva did the same thing for other federal agencies that employed it, meaning there’s probably more fallout on the way.
What we’re left with is some hindsight and a bit of information that suggests (without any confirmation) that no data/communications obtained by these illicit deployments (which allegedly targeted Mexican citizens) made their way back to the FBI. But that only covers what the FBI knows and what the FBI did. Riva’s work for other federal agencies is still a mystery. And the contractor has been unwilling to directly answer any questions about its decision to use products from a blacklisted company to engage in surveillance.
So, we have some answers. But we also have plenty of room for speculation:
Government databases show that Riva Networks has had numerous lucrative contracts with government agencies, including the Defense Department, the F.B.I. and the Drug Enforcement Administration. As recently as October, the company was awarded a contract for work with the Air Force Research Laboratory.
Contractors that work for the US government are subject to the same restraints that prevent the government from abusing constitutional rights. What happened here indicates the FBI can’t even promise it’s ensuring rights are respected because it’s apparently unable to prevent its contractors from doing things even the FBI won’t do. And it shows NSO — no matter what shape it’s in following months of negative press — might still be able to talk contractors into buying its services, even when it’s obvious the government entities they work for want nothing to do with this particularly toxic vendor.