The NSO Group cites a new transparency report as evidence that it has turned over a new leaf. Critics have savaged the document as reading like a brochure, not an audit, and it comes at a delicate time for the Israeli spyware maker as it seeks to re-enter the United States market after years on a federal blacklist.
The report promises to respect human rights and provide stronger oversight of its government clients — it just doesn’t include the basic ways that outsiders could test those claims. As the company tries to persuade U.S. officials that it should be removed from the Commerce Department’s so-called Entity List, watchdogs say the absent figures matter more than soothing words.
Sparse Transparency Report Fuels Renewed Skepticism
But unlike previous reports, the latest one provides no data on how many customers were under investigation, had been suspended or disconnected for misuse, and it does not tell readers what proportion of potential sales were declined due to concerns they would be used against human rights. That pullback is significant, because previous reports from NSO at least included some quantification.
In its update this time last year, NSO reported three misuse investigations opened, one customer banned and remedies issued to another. It also said it had turned down more than $20 million worth of potential deals because of human rights concerns. One report covering previous years said six government clients had been suspended or terminated, with a self-reported hit of $57 million in revenue, and another disclosure listed more than $100 million in lost revenue from disconnecting five customers since 2016.
There are no comparable numbers this time, and even a total customer figure that previously has appeared is gone. The report’s obfuscations, according to researchers at The Citizen Lab and advocates at Access Now, undermine standards of conduct, casting it as PR instead of accountability.
NSO’s Bid to Get Off the US Blacklist Gains Attention
NSO’s push comes as the company tries to get its name removed from the Entity List maintained by the Commerce Department’s Bureau of Industry and Security. Being put on the list cuts off access to U.S. technology and partners, a crippling blow for any high-end surveillance vendor. The company has indicated it wants a change of ownership and management to change the narrative and open doors.
U.S. investors assumed control, followed by management changes: former U.S. ambassador David Friedman was appointed executive chairman, CEO Yaron Shohat stepped down, and cofounder Omri Lavie left the board. NSO positions these moves as the beginning of a culture shift. Critics deride them as cosmetics with no redeemable reforms.
The larger regulatory landscape is starting to change. U.S. officials have sought to restrict procurement rules for commercial spyware, while lawmakers have advocated for greater scrutiny of vendors associated with abuses. There were reports at the same time that sanctions on a number of executives associated with a rival Libyan-based Intellexa consortium had also been lifted, and some saw it as evidence the U.S. was prepared to soften its stance against parts of the industry. Whether that applies to NSO is less clear.
Track Record of Pegasus Abuses That Raises Red Flags
Both Citizen Lab and Amnesty International’s Security Lab have documented numerous abuses involving Pegasus, NSO’s marquee weapon, some linked to journalist infections but others tied to human rights defenders and dissidents from Mexico down to the Gulf states and across Europe. These are the foundations of current legal and policy initiatives around the world.
In the United States, a lawsuit filed by WhatsApp against NSO has advanced after courts rejected the company’s defense of foreign sovereign immunity. Apple has also targeted mercenary spyware, enabling warning messages to be sent to high-risk users and adding platform hardening protections that limit attack vectors. These developments complicate NSO’s pitch that guardrails would suffice to prevent misuse.
For critics, a good transparency regime must be more than just aspirational language. It should spell out which safeguards are technologically enforced, what kind of oversight resides beyond NSO’s own compliance team, and how often intrusive capabilities are actually turned off when rules are broken.
What True Transparency Would Entail for NSO Group
Experts suggest the UN Guiding Principles on Business and Human Rights and OECD due diligence guidance as the baselines. Defining such a useful measure for NSO, however, would involve publishing metrics on client onboarding and rejections, as well as the number and type of misuse investigations performed, and confirmed suspensions or terminations per year.
Independent verification is key. That could involve third-party audits to review sales approvals and monitoring, disclosure of countries in which products are deployed, and the release of redacted case studies that detail specific instances of violations and corrective measures. Technical transparency would involve how NSO logs client activity, its use of a remotely enforced kill switch, and how frequently the switch is used.
Without this information, watchdogs say, policymakers would be unable to evaluate if NSO’s safeguards were preventing the kinds of abuses discovered again and again by researchers and reporters.
What to Watch Next as NSO Seeks US Market Reentry
NSO’s exit from the Entity List will probably depend on more than just a rebrand and a shaky report. U.S. officials will consider continuing litigation, findings from independent labs, and whether future releases come with measurable metrics and third-party oversight. Shareholders and potential partners will be looking for the same signposts.
If future reports revive and enrich the hard numbers NSO once disclosed — and are subject to independent audit — the company will have a stronger argument that it has reformed. If not, critics will only become louder as the firm tries to re-enter the U.S. market.
