NSO Lawyer Tells Lawmakers Company Can Count To Five, Will Need More Time To Count Higher Than That

Israeli phone malware manufacturer NSO Group has plenty of customers. Or at least it did until the Israeli government edited the company's list of approved customers and the US government slapped sanctions on it.

NSO has sold its malware to plenty of abusive governments with long histories of human rights violations. It has also sold its products to countries far less notorious for human rights abuse, but who still misused the company's powerful Pegasus malware to target dissidents, political opponents, and government critics.

Facing pressure and criticism from pretty much every country that doesn't openly engage in human rights abuses, NSO Group is trying to survive several months of bad press, sanctions, and dwindling funding. When not courting potential purchasers who may not care about the company's sordid past, NSO Group reps are answering questions posed to them by lawmakers who appear to be poised to engage in more direct regulation of malicious code.

According to this report by Antoaneta Roussi for Politico, the spyware developer has publicly admitted it has a handful of European customers.

The Israeli spyware firm NSO Group on Tuesday told European lawmakers at least five EU countries have used its software and the firm has terminated at least one contract with an EU member country following abuse of its Pegasus surveillance software.

Speaking to the European Parliament's committee looking into the use of spyware in Europe, NSO Group's General Counsel Chaim Gelfand said the company had made mistakes," but that it had also passed up a huge amount of revenue, canceling contracts since misuse had come to light.

At least five" leaves a whole lot open to interpretation. And counting any number accurately seems like something a tech company that has developed some of the most fiendishly clever malware ever created should be able to do easily. Providing an accurate total should be well within its technological grasp.

But, much like the FBI and its billions in funding can't seem to count the number of encrypted devices in its evidence lockers, NSO Group appears to be unable to count the number of European customers it has in total during testimony it was informed ahead of time it would need to attend.

That's all NSO could provide, apparently. And it's not much. We already know Poland is an NSO customer. (And it's still part of Europe, no matter what the Russian government would prefer at the moment.) And it seems pretty clear the Spanish government has deployed the malware. Phones owned by Catalan members of the EU Parliament were hit with Pegasus malware and the Spanish government has made no secret of its desire to crush the Catalan independence movement.

That's two out of the at least five." Every other country in the European Union has national security interests" and a desire to fight crime - two justifications used by NSO to move its product - so it stands to reason the number of European customers is much greater than the at least five" NSO claims to have.

More ridiculous than this open-ended (but still seemingly small!) number the NSO handed to EU lawmakers is the follow-up statement by its general counsel.

At least five EU countries had used NSO's tool, Gelfand said, adding he would come back to MEPs with a more concrete number."

Come back?" Are you kidding? How does NSO's lawyer not have the actual number readily available? How was it not possible to have the actual number sent to him during this inquiry, moments after asking for it from NSO's executives or account managers?

The only answer for this lack of accurate information is someone doesn't want it revealed. NSO may not want to let the rest of the world know how many customers it has in Europe, especially given the propensity of its customers to abuse its products. And plenty of EU members may not want the public to know they've been buying powerful tech tools from a shady digital arms dealer.

Claiming you'll come back with an answer when you already have instant access to one is pure bullshit. Granted, it's the kind of bullshit you pay your general counsel handsomely to deliver when facing government inquiries but it's not the sort of thing that endears you to regulators or the public they serve. This inability to count past five is going to do more reputational damage to a company that literally cannot afford it.