Calcalist Interviews NSO CEO Shalev Hulio

Omer Kabir and Hagar Ravet of Calcalist:

Perhaps due to the magnitude of the media interest in the investigation, NSO executives chose to break the secrecy that usually surrounds their company and answer questions directly. In an interview with Calcalist, NSO chief executive Shalev Hulio denied his software was being used for malicious activity. At the heart of his claims is the list of 50,000 phone numbers on which the investigation is based, and which it is claimed are potential NSO targets. The source of the list wasn’t revealed, and according to Hulio, it reached him a month prior to the publication of the investigation, and from a completely different source.

The publications behind the Pegasus Project assert that this list of phone numbers is, in the words of the Guardian, “an indication of intent”. This is clearly not a list of random phone numbers — several of the numbers on it are tied to phones with local evidence of Pegasus software, and many more of the numbers belong to high-profile targets. But, according to Hulio, it is impossible that this is entirely a list of targets:

According to Hulio, “the average for our clients is 100 targets a year. If you take NSO’s entire history, you won’t reach 50,000 Pegasus targets since the company was founded. Pegasus has 45 clients, with around 100 targets per client a year. In addition, this list includes countries that aren’t even our clients and NSO doesn’t even have any list that includes all Pegasus targets – simply because the company itself doesn’t know in real-time how its clients are using the system.”

Hulio says that NSO Group investigated these allegations by scanning the records of clients that agreed to an analysis, and could not find anything that matched the Pegasus Project’s list. But it is hard to believe he is being fully honest given examples of his hubris like this one:

“Out of 50,000 numbers they succeeded in verifying that 37 people were targets. Even if we go with that figure, which is severe in itself if it were true, we are saying that out of 50,000 numbers, which were examined by 80 journalists from 17 media organizations around the world, they found that 37 are truly Pegasus, so something is clearly wrong with this list. I’m willing to give you a random list of 50,000 numbers and it will probably also include Pegasus targets.”

If a list of just 50,000 random phone numbers — basically, everyone in a small town — contains Pegasus targets, Pegasus is entirely out of control. It is a catastrophic spyware emergency. Hulio was clearly being hyperbolic, but his bluster generated quite the response from Calcalist’s interviewer:

That isn’t accurate. Out of the 50,000 numbers they physically checked only 67 phones and in 37 of them, they found traces of Pegasus. It isn’t 37 out of 50,000. And there were 12 journalists among them. That is 12 too many.

NSO Group’s response, while impassioned, cannot be trusted. The company has not earned enough public goodwill for its CEO to use such colourful language. But the Pegasus Project’s publication partners also need to clarify what the list of phone numbers actually means, because something here is not adding up.