“Limited licence” for NSO’s Pegasus spyware was obtained by FBI in 2019, but bureau says it never used it to support any investigation
The Federal Bureau of Investigation (FBI) has made the startling admission that it obtained NSO Group’s powerful Pegasus spyware.
However, the FBI says it has never used the spyware in any investigation, and only “procured a limited licence for product testing and evaluation only.”
It comes amid a debate about the future of Pegasus itself. In December Israeli surveillance specialist NSO was said to be exploring its options that included shutting its Pegasus unit or selling the entire company, such is the level of controversy surrounding the infamous spyware.
The FBI made the admission that it had purchased Pegasus during the administration of former President Donald Trump in 2019 to the Guardian newspaper.
It said it bought access to the surveillance tool to “stay abreast of emerging technologies and tradecraft”.
In a statement released to the Guardian, the FBI said it had procured a “limited licence” to access Pegasus for “product testing and evaluation only”, and suggested that its evaluation of the tool partly related to security concerns if the spyware fell into the “wrong hands”.
The FBI also claimed it had never used Pegasus in support of any FBI investigation.
The admission that the FBI had acquired Pegasus in 2019 is a stunning development.
It is even more remarkable when it is remembered that in November 2021, the Biden administration placed NSO on its Entity List, due to the furore surrounding the Pegasus spyware.
NSO was placed on the US commerce department blacklist in 2021, due to evidence the company’s hacking tools had enabled governments around the world to conduct “transnational repression”, targeting dissidents and journalists.
This US blacklisting resulted in NSO’s incoming CEO quitting the following week.
According to the Guardian, once deployed, the user of Pegasus spyware can take complete control of a person’s phone, accessing messages, intercepting phone calls and using the phone as a remote listening device.
A person with close knowledge of the FBI deal told the Guardian that it occurred after a “long process” of negotiations between US officials and NSO.
There was reportedly a disagreement between the FBI and NSO over how much control NSO would retain over its software.
The source told the Guardian that NSO usually kept sensors on its technology so that the company could be alerted in Israel if the technology was moved by a government client.
But the source claimed the FBI did not want the technology to be fitted with sensors that would have allowed NSO to track its physical location.
The source also claimed that the FBI did not want NSO’s own engineers to install the technology and did not want to integrate the spyware into its own systems. It is understood that ultimately NSO and the FBI agreed to keep the technology in a large container.
The FBI was also concerned about possible “leakage” of any data to another foreign intelligence service, the source told the Guardian.
The Guardian also reported that the Pegasus licence was acquired by the FBI using a financial “vehicle” that was not easily identified as being linked to the bureau.
In the end, the source claimed, the FBI did not actually use Pegasus.
“They weren’t using it at all. Like, not even switching it on. But they kept paying for it, and they wanted to renew. It was a one-year test project and it cost about $5m [£3.7m], and they renewed for another $4m,” the source claimed. “But they didn’t use it.”
“The FBI works diligently to stay abreast of emerging technologies and tradecraft – not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties,” the FBI said in an emailed statement to the Guardian newspaper in response to claims about the bureau’s acquisition of Pegasus.
“That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited licence for product testing and evaluation only.”
NSO has categorically denied that its Pegasus spyware can be used against US mobile phones.
Another point to note about the FBI admission is that it has been seeking a way to unlock Apple iPhones for a while now.
In early 2016, Apple and the FBI were engaged in a very public disagreement, after Apple refused an FBI request to help unlock the iPhone 5C belonging to the suspect in December 2015’s shootings in San Bernardino.
In the end the FBI reportedly paid more than £1 million to an undisclosed private firm to unlock the device.
At the time there was speculation that the FBI had used NSO, but it denied it was involved. The finger of suspicion then turned to Cellebrite.
NSO is currently engaged in a legal battle with WhatsApp, after Facebook sued NSO in October 2019 when it alleged NSO was behind the cyberattack that infected WhatsApp users with advanced surveillance hacks in May 2019.
Apple also sued NSO in November last year, alleging NSO engaged in surveillance and targeting of iPhone users in the US.