Docs Freed With FOIA Lawsuit Show FBI Misled Congress About Plans For Deploying NSO Spyware

Thanks to a steady stream of reports of abusive uses of its powerful Pegasus malware, Israel's NSO Group saw its reputational stock drop precipitously as it became more and more apparent the company didn't really care who it sold its products to. The list of customers included several notorious human rights abusers and leaked data suggested NSO's customers were deploying phone malware against journalists, lawyers, religious leaders, political opponents, and government critics.

This resulted in the US Commerce Department blacklisting NSO Group, preventing it from doing business with American tech companies. Around this same time, information came to light showing the FBI had courted NSO, hoping to deploy Pegasus against investigation targets and whoever else the agency felt was worth keeping an eye on.

According to the FBI's own statements, this was nothing more than a trial run to determine the malware's capabilities. After the test run, the FBI claimed it thought the malware would result in too many constitutional violations to be useful in investigations. This report was followed by another report - one based on FOIA requests - that showed the FBI had purchased Pegasus licenses nearly a year before NSO Group showed up to demonstrate a bespoke malware product that bypassed built-in restrictions that prevented it from being used to target US phone numbers.

Throughout this, the FBI has maintained it never seriously considered using NSO's powerful malware. According to statements made to congressional oversight, the FBI was merely curious about the malware's capabilities.

But those assertions were, at best, misleading. According to documents obtained by the New York Times following its FOIA lawsuit against the FBI, the agency was very interested in using the malware in its own investigations - an option it continued to pursue even as NSO made headline after headline for its lax oversight of its customers and its customers repeated, abusive deployments of its Pegasus malware.

During a closed-door session with lawmakers last December, Christopher A. Wray, the director of the F.B.I., was asked whether the bureau had ever purchased and used Pegasus, the hacking tool that penetrates mobile phones and extracts their contents.

Mr. Wray acknowledged that the F.B.I. had bought a license for Pegasus, but only for research and development. To be able to figure out how bad guys could use it, for example," he told Senator Ron Wyden, Democrat of Oregon, according to a transcript of the hearing that was recently declassified.

But dozens of internal F.B.I. documents and court records tell a different story. The documents, produced in response to a Freedom of Information Act lawsuit brought by The New York Times against the bureau, show that F.B.I. officials made a push in late 2020 and the first half of 2021 to deploy the hacking tools - made by the Israeli spyware firm NSO - in its own criminal investigations. The officials developed advanced plans to brief the bureau's leadership, and drew up guidelines for federal prosecutors about how the F.B.I.'s use of hacking tools would need to be disclosed during criminal proceedings.

Not exactly the just idle curiosity" assertions made by agency officials last year. While the end result - the abandonment of Pegasus malware as a viable investigative option - may be the same, the path taken by the agency to reach this point apparently diverged from the narrative delivered to congressional oversight.

That this plan was abandoned following months of reporting on NSO's sketchy actions and customer base shows the FBI was at least capable of reading the room. But the documents show the FBI may just be waiting for the uproar to die down. It still wants to acquire and deploy a Pegasus-like product, even if this option would still present the same difficult constitutional issues.

Just because the F.B.I. ultimately decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate and potentially deploy other similar tools for gaining access to encrypted communications used by criminals," stated a legal brief submitted on behalf of the F.B.I. late last month.

And while the FBI would like to give itself a pass on its inability to tell the whole truth during congressional testimony, Senator Ron Wyden's isn't willing to cut the agency any slack.

In a statement, Mr. Wyden said it is totally unacceptable for the F.B.I. director to provide misleading testimony about the bureau's acquisition of powerful hacking tools and then wait months to give the full story to Congress and the American people."

Wyden is right. This isn't acceptable. It certainly seems acceptable to the FBI, which has repeatedly given the impression the public has no business asking what it's up to. And its willingness to stiff arm its own oversight suggests it believes no one inside the government has any business asking questions either. The FBI has too much power to be allowed to shrug off oversight and mislead congressional leaders. But without any meaningful discipline being applied internally or externally, it really has no reason to embrace the accountability that's supposed to come with the job.