The University of Toronto’s Citizen Lab, whose researchers have authored multiple reports on the the misuse of spyware developed by a company called NSO Group, sent a letter to the company’s rumoured buyer on Tuesday with a list of questions and concerns.
“We urge you to carefully consider the human rights and ethical implications of an investment in a spyware company such as NSO Group,” reads the letter, which is addressed to the board of directors of investment firm Blackstone Group, and signed by Citizen Lab director Ron Deibert.
Citizen Lab researchers have found that spy software developed by NSO Group has been used to target a human rights activist in the United Arab Emirates, and journalists investigating corruption in the Mexican government, among others.
Reuters reported over the weekend that Blackstone was offering $ 400 million US in exchange for a 40 per cent stake in the Israeli-based company, citing a report by the country’s Calcalist business newspaper. Blackstone counts former Canadian prime minister Brian Mulroney among its directors.
NSO Group is currently owned by another investment firm, San Francisco-based Francisco Partners, which purchased a majority stake in the company for $ 120 million in 2014, and considered selling that stake the following year.
“These firms may have limited experience acquiring companies that do offensive cyber, that sell zero-days, or that sell spyware,” said John Scott-Railton, one of Citizen Lab’s senior researchers and a lead author on its NSO group reports.
Citizen Lab has published five reports during the last year that detail the improper use of spyware developed by NSO Group, and has asked whether Blackstone has considered the risks of investing in the company.
More generally, the researchers have also asked Blackstone whether it has “any specific policies or ethical guidelines concerning investments in firms such as NSO Group that sell zero-day exploits and surveillance technology.”
The attack relied on three zero-day exploits — a term used to refer to secret software vulnerabilities that have not been previously disclosed or patched by the software’s manufacturer. Citizen Lab researchers noted that a similar chain of exploits had been sold for $ 1 million in 2015.
And in recent months, Citizen Lab has detailed similar attacks in Mexico targeting journalists, lawyers, activists, scientists, opposition party politicians, and international experts investigating a missing persons case.
An NSO spokesperson told Motherboard last year that its agreements with clients “require that the company’s products only be used in a lawful manner.”