NSO’s U.S. ambitions collide with renewed skepticism
NSO Group, the Israeli cyber-surveillance firm behind the Pegasus spyware, has in recent months intensified efforts to rehabilitate its image and press for access to the U.S. market. But critics — from rights organizations to digital-security researchers — say the company’s public commitments to transparency and oversight are inadequate when weighed against a history of alleged abuses.
The debate has deep roots: Pegasus came to global attention during the “Pegasus Project” journalism investigation in July 2021, which documented how the tool was used to target journalists, activists, and political figures worldwide. In the years since, NSO has faced litigation, sanctions and intense scrutiny. In particular, the U.S. Commerce Department added NSO to its Entity List on November 3, 2021, citing its role in enabling government-sponsored spyware operations.
What NSO says it has changed
NSO has responded to critics by stressing new compliance and governance measures. The company routinely states it sells only to “vetted government customers for lawful use” and says it has strengthened client vetting, contractual restrictions and post-sale monitoring. NSO has also pointed to internal compliance teams and a desire to work with Western regulators to meet export-control and human-rights expectations.
Company officials contend these steps address the commercial and legal barriers keeping it off U.S. markets. NSO argues that legitimate law-enforcement and national-security needs require sophisticated tools to investigate serious crime and terrorism, and that preventing access to such tools impedes those efforts.
Why critics remain unconvinced
Human-rights groups and independent researchers say NSO’s measures are too limited. Organizations that investigated Pegasus point to documented instances where the tool was abused by clients to surveil dissidents, journalists and even foreign government officials. Amnesty International, Human Rights Watch and research center Citizen Lab have repeatedly called for far stronger, independent oversight — including public audits, judicial authorization for use, and transparent redress mechanisms for victims.
Experts note several structural problems: the opacity of spyware deployment, the difficulty of attributing misuse to state actors, and the lack of an independent, verifiable audit trail. “Technical controls and contracts cannot substitute for enforceable, independent oversight and legal standards that protect rights,” said researchers at Citizen Lab in past reports detailing Pegasus operations.
Legal and policy implications for the U.S.
Any move by NSO toward U.S. customers or partners would collide with American export controls, procurement rules, and litigation risks. The 2021 Entity List designation restricts access to U.S. technology and complicates licensing; changing that status would require demonstrable, verifiable reforms acceptable to multiple agencies. There is also political risk: lawmakers and civil-society groups in Congress have repeatedly raised concerns about spyware, pushing for tougher limits on tools that can cross borders and be used in democracy-undermining ways.
For U.S. law enforcement agencies, the calculus is fraught. Proponents of offensive surveillance capabilities argue that access to advanced remote exploitation tools fills gaps in investigations of transnational crime and terrorism. Opponents counter that working with companies like NSO risks legal exposure — as seen in past litigation such as the WhatsApp lawsuit filed in October 2019 alleging misuse of Pegasus — and would erode public trust in government surveillance.
Expert perspectives
Security practitioners and civil-rights advocates offer divergent takes. Some national-security analysts say there are legitimate, narrowly defined scenarios where targeted surveillance aids investigations, but they emphasize that any use must be governed by clear legal standards and independent oversight.
Civil-society groups remain blunt. Amnesty International and Access Now have urged regulators to require independent, public audits and strong legal safeguards before any vendor associated with known abuses could re-enter markets. “Voluntary transparency statements are not enough,” one rights coalition said in a joint statement, calling for binding, enforceable conditions tied to export and procurement approvals.
Cybersecurity researchers caution technical limitations on assurance: without open-source oversight or external verification, companies and clients can claim compliance while covert practices persist. These researchers recommend mandatory transparency reporting, court-approved warrants for surveillance, and criminal penalties for misuse.
Conclusion — what to watch next
NSO’s campaign to regain legitimacy and access to the U.S. market will test the intersection of technology, law and human rights. Regulators face a trade-off between equipping law enforcement and preventing international abuse. For NSO, progress will depend on convincing multiple stakeholders — export-control authorities, defense and law-enforcement buyers, and skeptical civil-society actors — that its reforms are verifiable and enforceable.
In the near term, expect continued scrutiny from watchdogs and Congress, possible litigation from victims and advocacy groups, and a policy debate over whether and how to permit commercially developed offensive cyber-tools into democratic-market arsenals. Absent demonstrable, independent oversight mechanisms, critics say any path to U.S. engagement should remain firmly circumscribed.
About the Author
