The FBI has confirmed to The Washington Post that the agency had a license to use NSO’s Pegasus spyware and that it tested out the software’s capabilities. The bureau insists that the software, which is capable of silently infecting phones and accessing camera and microphone feeds, contacts, texts, and more, was never used “in support of any investigation,” but the Post’s report says that there were at least discussions within the FBI and Department of Justice about how the FBI might go about deploying the spyware.
The confirmation comes after The New York Times released a sweeping report last week, which included details about the FBI’s relationship with NSO. Not only did the FBI try out the spyware on phones using foreign SIM cards, according to the Post, but the agency also carried out discussions about the legality of a version of Pegasus that could be used in the US, called Phantom.
It’s a worrying detail — NSO has repeatedly claimed that Pegasus cannot be used on phone numbers with a +1 country code and is only allowed to be used in countries outside the US. If Phantom is, as one former NSO employee told Vice, just a brand name for the “same Pegasus,” then the company was telling the public and law enforcement agencies very different stories. According to the Times, the FBI decided it wouldn’t use Pegasus for international or domestic use right around the time when Forbidden Stories and a coalition of news outlets started releasing dozens of reports centered around the spyware.
The FBI didn’t confirm other details from the Times’ report to the Post, such as the allegation that it had racked up a $5 million bill with NSO and that it renewed a contract for Pegasus at one point. The FBI did, however, reiterate a statement that it will “routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands.”
The Times’ report is well worth a read, as it takes an in-depth look at the Israeli government’s approval process for Pegasus and how the tool ended up more or less becoming a part of the country’s foreign policy. It also goes into NSO’s history as a company, tracing how it went from a startup focusing on phone support agents to a spyware company besieged by controversy, lawsuits, and reports of government abuse.
Since the initial reports came out last summer, NSO has faced near-constant difficulties. The company was blacklisted by the US government, severely limiting how it can do business with tech companies based in the States. Further investigations also linked its spyware (which is only supposed to be sold to government agencies approved by the Israeli government) to the murder of journalist Jamal Khashoggi, the hacking of US State Department phones, and political surveillance in Poland. Apple has sued the company for attacking iPhones, and its chairman stepped down amidst accusations that Pegasus was used domestically by Israeli police forces.