A report released today about the activity of Pegasus spyware presents evidence of the tool's use outside the ethical boundaries publicized by its maker.
Pegasus is a known spyware tool developed by Israel-based company NSO Group. It falls into the category of surveillance tools "that are licensed to legitimate government agencies for the sole purpose of investigating crime and terror."
The spyware has been the topic of many discussions over the years, mainly because it was found targeting journalists, lawyers and human rights activists considered a threat by the government of their country.
NSO Group functions as a lawful company that creates advanced surveillance tools for Android and iPhone. The Group sells access to the command and control server of Pegasus to different customers that allegedly use it in good faith.
Researchers at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, Canada, say that some Pegasus licensees are using it actively for cross-border surveillance and in countries with a history of abusive behavior by security services.
At a global scale, the lab says, the spyware is likely coordinated by 36 operators across 45 countries on all continents.
"In total, we identify at least six operators with significant GCC operations, including at least two that appear to predominantly focus on the UAE, one that appears to predominantly focus on Bahrain, and one with a Saudi focus. Three operators may be conducting surveillance beyond the MENA region, including in Canada, France, Greece, the United Kingdom, and the United States," the report from Citizen Lab informs.
Citizen Lab sent a notification to NSO Group informing them of the details in the report and offering to publish the company's public stance on the matter.
Shalev Hulio, one of the NSO Group founders, replied by saying that his business complies with the strict export control laws, so Pegasus could not be used in cross-border operations or in countries listed in researchers' review.
In a public statement, NSO Group says that "there are multiple problems with Citizen Lab's latest report."
"Most significantly, the list of countries in which NSO is alleged to operate is simply inaccurate. NSO does not operate in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework and the product will not operate outside of approved countries," reads the NSO statement.
NSO also states that their product is not build to work in the US, but the researchers say they found a Mexican operator that targeted a minor in the United States using Pegasus.
Citizen Lab admits that not all their results may be accurate, as operators could hind behind VPN and satellite connections that affect geolocation details.