Since a February shakeup of the management structure of Israeli spyware vendor NSO Group, whose software has allegedly been used to target journalists and other civilians, human rights activists have stepped up their scrutiny of the vendor’s new private equity firm.
The probing of London-based Novalpina Capital, which now controls the NSO Group board, is an effort to highlight what critics say is a failure by NSO Group and its investors to prevent the abuse of the company’s mobile-phone hacking tools. Now, the inquiry is drawing attention to the unexpected role that pension funds in the U.S. and the UK are playing in the standoff between the Israeli vendor and digital rights groups like Amnesty International and Citizen Lab, a research center at University of Toronto’s Munk School.
In a letter last week to Britain’s South Yorkshire Pensions Authority (SYPA), Citizen Lab Director Ron Deibert asked the pension fund to take a hard look at its investment in Novalpina Capital, citing SYPA’s stated commitment to consider human rights in its investment decisions.
“I would appreciate a response from the Authority regarding how this investment is consistent with the Authority’s Policy and what measures were taken by the Authority to inform and educate pension fund contributors and members regarding NSO Group,” Deibert wrote. He highlighted Citizen Lab’s research on NSO Group’s Pegasus spyware, which has reportedly been used against journalists in Mexico, among other civil-society targets. NSO Group says it only sells its Pegasus spyware to licensed government customers to hunt terrorists and criminals, and that it investigates any cases of misuse.
George Graham, SYPA’s fund director, told CyberScoop his staff met with Novalpina Capital personnel last Thursday in “what was a regular review meeting arranged before the issues around NSO came to light.”
“We received answers to some of the questions we wanted addressed and Novalpina have taken the rest away and a call with [Novalpina founding partner] Stephen Peel who led the NSO transaction is being arranged for next week,” Graham said by email last Friday. “[W]e are content with the approach being taken by the manager but are seeking further detail on the concrete and practical steps that are being taken to address these issues.”
Asked to what extent the average SYPA pensioner is aware of the fund’s investment in Novalpina Capital, Graham said the fund publishes quarterly lists of its holdings on its website.
“Given we have about 160,000 contributors and pensioners it is difficult to inform them of every investment and potential issue but we do make the information available for those interested,” he added.
Novalpina Capital could not be reached for comment on the Citizen Lab letter.
In being asked to explain their investments in an equity firm that manages a spyware company, pension fund managers are in unfamiliar territory, according to John Scott-Railton, senior researcher at Citizen Lab.
“Novalpina and NSO have been pretty unsatisfying in their responses to questions from civil society groups,” Scott-Railton told CyberScoop. “I wonder how much more clarity pension funds are going to get from them.”
Among Novalpina’s other investors, according to Bloomberg financial data, are Oregon’s Public Employees Retirement System (PERS), the pension fund for Oregon state employees, and the Alaska Permanent Fund Corp., which manages a state-owned Alaskan sovereign wealth fund.
James Sinks, a spokesman for Oregon’s PERS, said that the pension fund is “one of many limited partners invested in Novalpina Capital Partners I [the firm’s equity fund],” adding that the investment officials overseeing Oregon’s state funds authorized the deal. “As a limited partner, we do not comment on portfolio companies in any private equity holdings.”
A spokesperson for the Alaska Permanent Fund Corp. did not respond to requests for comment.
NSO Group, which is reportedly valued at $1 billion, says that it earned $250 million in revenue in 2018, working with dozens of customers.
Peel, a longtime private-equity investor who co-founded Novalpina Capital in 2017, has in recent months traded letters with Amnesty International, Access Now, and other rights groups inquiring about NSO Group’s new management structure. In a March letter, Peel said Novalpina Capital had investigated the claims of human rights abuses involving Pegasus and found nothing “to substantiate the misuse allegations.” The rights groups have asked the equity firm to produce evidence to support its claims that research documenting the spyware’s misuse is flawed.
In his latest missive to Amnesty International and other organizations, Peel offered more details on the management structure of NSO Group, but said that Israeli law prevented him from disclosing “certain categories of information that you seek regarding its current operating arrangements.”
“We are determined to do whatever is necessary to ensure that NSO technology is used for the purpose for which it is intended – the prevention of harm to fundamental human rights arising from terrorism and serious crime – and not abused in a manner that undermines other equally fundamental human rights,” Peel wrote in the letter, dated May 15.
Danna Ingleton, deputy program manager of Amnesty International’s technology program, said that Peel’s response underscored the extent to which “Israeli law and policy seem to represent a fundamental obstacle to genuine reform.” Earlier this month, Amnesty filed a petition in Israeli court to revoke NSO Group’s export license, citing alleged human rights abuses stemming from Pegasus. Ingleton submitted an affidavit in support of that petition.
Asked about the correspondence between Novalpina Capital and the rights groups, an NSO Group spokesperson said, “With Novalpina as our partners, we’ll continue to build on NSO’s existing governance policies and procedures to set a new standard that’s in compliance with the UN Guiding Principles on Business and Human Rights.”
Meanwhile, alleged cases of Pegasus being abused have continued to surface. On Tuesday, a Saudi dissident accused the Saudi government of using Pegasus to target his mobile phone, The Guardian reported.