State Dept. Expands NSO Group-Targeting Ban To Include Anyone Who Misuses Commercial Malware

Well, NSO Group really made a mess of this for everyone. Ever since the devastating leak showing its customers routinely targeted journalists, government critics, dissidents, and human rights activists (you know, rather than the violent criminals and terrorists they said they'd use the spyware to track), things have gone from bad to worse to career-ending for the Israeli malware purveyor.

NSO had always been controversial, given its predilection for selling powerful phone exploits to some of the worst governments in the world. But it had managed to remain profitable and un-sanctioned for years, despite its willingness to get in bed with whatever autocrat would have it.

That all changed following the leak... which was then followed by a never-ending stream of negative press. Investigations into the company were initiated by several world governments, including NSO's own, which also took the unprecedented step of limiting who the company could sell to.

NSO and one of its Israeli-based competitors, Candiru, also found themselves on the receiving end of a US State Department blacklisting late in 2021. The stated reason for this ban? NSO and Candiru were considered a threat to US national security.

The ERC determined that NSO Group and Candiru be added to the Entity List based on 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Being Candiru or NSO Group is its own problem. With the latest move by the US State Department (prompted by two years of reports of abusive targeting), certain users of these companies' spyware are no longer welcome in the United States.

This visa restriction policy is pursuant to Section 212 (a)(3)(C) of the Immigration and National Act, and allows the Department of State to implement visa restrictions for(1) individuals believed to have been involved in the misuse ofcommercial spyware, to target, arbitrarily or unlawfully surveil, harass, suppress, or intimidate individuals including journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals; (2) individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware described in prong (1) above, including but not limited to developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware to governments, or those acting on behalf of governments, that engage in activities as described in prong (1) above; and (3) the immediate family members of individuals subject to the restrictions in prongs (1) and (2) above. For purposes of this policy, immediate family members" include spouses and children of any age.

Malware abusers and their families: that's potentially a whole lot of people who will have a bit more trouble traveling to or staying in the Land of the Free. And it's all due to NSO Group and its unwillingness to keep its products out of the hands of serial human rights abusers. The company may state otherwise when approached for comment, but none of this would have happened if it hadn't decided it was somehow OK to cash checks from autocrats.

Of course, while the policy is certainly tough enough, it's difficult to see it being a particularly effective deterrent. People who like abusing human rights (and targeting dissidents, activists, journalists, etc.) aren't going to stop doing it just because of some visa complications. On top of that, it's extremely difficult to identify who exactly is behind malicious spyware deployments. In most cases, an educated guess will only point in a government's direction. It's almost impossible to pinpoint the origin of malware attacks because that's pretty much the point of these products: to be undetectable and un-attributable if discovered.

Still, it's the thought that counts, especially when the thought is now part of US foreign policy. And while it's unlikely to make the worst governments in the world behave better, it might make malware purveyors think twice before handing out spyware to governments likely to abuse it. No company wants to be the one forced to answer uncomfortable questions poised by angry governments, especially when it knows the answers involve governments that aren't above murdering and dismembering people who've displeased them.