The agency added in a statement Wednesday that it obtained a
limited licence from the Israeli firm “for product testing and evaluation
only,” never using it operationally or to support any investigation.
But critics wondered why the premier US law enforcement
agency would need to pay for access to a notorious surveillance tool that has
been extensively researched by public interest cyber sleuths if its interest
was so limited.
“Spending millions of dollars to line the pockets of a
company that is widely known to serially facilitate widespread human rights
abuses, possible criminal acts, and operations that threaten the US's own
national security is definitely troubling,” said Ron Deibert, director of
Citizen Lab, the University of Toronto internet watchdog that has exposed
dozens of Pegasus hacks since 2016.
“At the very least, this seems like a terribly
counterproductive, irresponsible, and ill-conceived way” to keep abreast of
surveillance tech, he added.
An FBI spokesperson did not say what the agency paid NSO
Group or when, but The New York Times reported last week that it obtained a
one-year licence for $5million, testing it in 2019.
On Wednesday, The Guardian quoted a source familiar with the
deal as saying the FBI paid $4 million to renew the licence but never used the
spyware, which infiltrates a target's smartphone, granting access to all its
communications and location data and converting it into a remote eavesdropping
device.
In November, the US Commerce Department blacklisted NSO
Group, barring it from access to US technology. Apple subsequently sued the company,
calling it “amoral 21st century mercenaries.”
NSO Group has said Pegasus is programmed not to target
phones with the +1 US country code, but American citizens living abroad have
been among its victims.
Deibert, of Citizen Lab, called for a congressional
investigation. Senator Ron Wyden of Oregon said in a statement that the US
public deserves greater transparency from its government about any
“relationships with NSO and other cyber-mercenaries” and should know if its
government “believes the use of these tools against Americans is legal.”
People hacked with Pegasus have included Uganda-based US
diplomats, Mexican and Saudi journalists, leading members of Poland's
opposition, the ex-wife of Dubai's ruler and her British lawyers, Palestinian
human rights activists, and Finnish diplomats.
NSO does not identify its clients but says it sells its
products only to state security agencies upon approval of Israel's Defence
Ministry. It says the products are intended to be used against criminals and
terrorists.
The key parts of the FBI statement issued Wednesday,
initially in response to a request from the Guardian:
"The FBI works diligently to stay abreast of emerging
technologies and tradecraft — not just to explore a potential legal use but
also to combat crime and to protect both the American people and our civil
liberties.
That means we routinely identify, evaluate, and test
technical solutions and services for a variety of reasons, including possible
operational and security concerns they might pose in the wrong hands.
“The FBI procured a limited licence for product testing and
evaluation only, there was no operational use in support of any investigation.
Since our testing and evaluation is complete, and we chose
not to proceed with use of the software, the licence is no longer active.
Accordingly, the software is no longer functional.“