Updated: Dec 9, 2021
Ministry of Defense publishes updated version of End User Declaration as NSO finds itself in the hot seat once more – but also three days before the mega-summit which will also deal with limiting surveillance tech
The Defense Export Controls Agency (DECA) in the Israel Ministry of Defense has tightened the control of cyber exports, publishing an updated version of the End User Declaration on Sunday.
Any state interested in acquiring a cyber or intelligence system is required to sign the declaration, as a condition for issuing an export license. The updated user declaration was formulated by the Ministries of Defense and Foreign Affairs, as part of the State’s update of its export control policy with regard to cyber systems.
According to a statement issued by the Israeli MoD, this update is “part of a series of measures taken in the last several years regarding cyber export controls. As part of the controls mechanism, Israel approves the export of cyber systems solely to governments for the purposes of investigation and prevention of terrorism and crime.
“The declaration obligates the acquiring state to restrict the use of cyber systems for the investigation and prevention of crime and terrorism. The definition of serious crime and terrorism has been clarified in the declaration.”
What falls under those definitions? According to the MoD, it is “an intentional act, as defined as offences under national law, which given its nature or context, may seriously damage a country or an international organisation.” A list is then provided, which includes serious intimidation, unduly compelling a government or international organisation to perform or abstain from performing any act, attacks upon a person’s life which may cause death, kidnapping, and more.
As far as serious crimes are concerned, they are defined as “crimes for which the national law imposes a term of imprisonment of 6 years or more.”
The lingering spirit of Jamal Khashoggi
It is interesting to take a look at the aesthetics of the updated End User Declaration, where, immediately below the sub-heading “Terrorist acts, as defined below” (and above the various stipulations above mentioned), one can read the following: “An act of expressing an opinion or criticism, as well as presenting data regarding the state , including any of its institutions, shall not, in and of itself, constitute a Terrorist Act.
The reference is clear. Various global research projects link Israeli cyber surveillance groups – not only NSO’s infamous “Pegasus”, to hacking the phones of multiple journalists, human rights activists, minorities, and opposition leaders around the world – from tracking Palestinian activists and Mexican journalists (NSO), to hacking the phones of opposition heads in Russia and Belarus (Cellebrite).
Above it all hovers the spirit of Jamal Khashoggi, the Saudi journalist who used his pen to criticize the regime, and became a veritable beacon of enlightenment and the quest for freedom, at least in the eyes of the West. While the NSO group repeatedly claims that its technology was not involved in this murder, it is virtually impossible to stop the flow of information that suggests otherwise.
And at the same time, it might be worth noting another stipulation that falls under the definition of terror, according to the updated Israeli End User Declaration: “Seriously destabilizing or destroying the fundamental political, constitutional, economic or social structures of a country or an international organization.”
Might it be possible for some countries to argue that public criticism might pose a hazard of serios destabilization? This might sound like splitting legal hairs, but only the future will reveal if this argument might be used.
Having something to show for at the upcoming Summit of Democracy
Why did Israel decide, in this particular point in time, to update the declaration? True, NSO group has been the cause of major headaches recently to the country’s leaders, who are always trying to market Israel as an advanced cyber nation. The snowball effect, which started with the publication of the Pegasus Project this past July, is still gaining momentum – be it the blacklisting (together with Candiru) by the US Department of Commerce, the Meta and Apple lawsuits, or the various new surveillance allegations.
But two main time-dependent factors can be bound together, and might help to shed some light. The first: this past Friday, it was reported that “Pegasus” was used to hack the iPhones of at least nine State Department employees in Uganda. According to Reuters, who broke the story, the intrusions represent the widest known hacks of US officials through NSO technology. As far as the Americans are concerned, this is a bright red flag.
The second: this coming weekend, President Biden will host a virtual summit, attended by some 100 nations, titled “Summit for Democracy.” At the summit, the president is expected to announce the formation of a new global coalition, that will limit the proliferation of surveillance technologies to authoritarian countries. "We will assemble a group of like-minded governments that will commit to working together to determine how export control tools could be better monitored,” a government official said.
A 100-nation summit. Simply put, this divides the world into “good” versus “bad”. Israel, which was also invited to the more limited international ransomware summit held in October, is of course invited to this one as well. Israel is on the side of the good guys, the like-minded countries, and does not want to be associated with the bad boys left outside the party such as China, Russia, Saudi Arabia, Turkey, and the UAE, to name a few.
Given the myriad of unflattering headlines criticizing Israel’s cyber industry recently, it is likely that Jerusalem, which repeatedly emphasizes that it implements controls in line with the Wassenaar Arrangement (of which it is not a member), is interested in (virtually) showing up in Washington with some sort of accomplishment that will show it to be a team player that owns its mishaps and mistakes and corrects them, sometimes even prone to severity.
The updated declaration also states circumstances under which the use of cyber systems is prohibited, and explicitly specifics the possible sanctions in the event of non compliance with the obligations set forth in the declaration including restricting the use of the cyber system or shutting down the system. With that, Israel can show that it doesn’t fall from any “like-minded government”.