The FBI has admitted to violating a US federal policy that forbids the use of spyware tools manufactured by the Israeli vendor NSO Group, according to a report by the New York Times. The NSO Group is notorious for its Pegasus spyware, which has been used to monitor journalists, human rights activists, and innocent civilians in numerous countries. The FBI conducted an investigation after being ordered by the White House to identify the federal agency that had violated the executive orders by engaging with the banned vendor. The investigation revealed that the FBI itself was responsible, or rather its contractor, Riva Networks.
The FBI had provided Riva with a few Mexican phone numbers to track, claiming that they belonged to wanted fugitives. The agency believed that Riva was using its own geolocation tool to track these individuals. It was later discovered that Riva was, in fact, using an NSO spyware tool called Landmark, which tracks the location of individuals based on the cell phone towers they are connected to. The FBI had not been informed of Riva’s contract renewal with NSO in 2021, despite the agency’s prohibition on the use of NSO products.
According to an FBI official, the agency became aware of Riva’s use of Landmark earlier this year. However, the official claimed that no data from Landmark was shared with the agency, based on Riva’s own reports. These reports would not have included any mention of the use of an illegal spyware tool.
The FBI’s claims of ignorance are further called into question by its authorization of Riva to acquire NSO’s Pegasus in the past. The cover name used for Riva in the Pegasus purchase, Cleopatra Holdings, was also used when Riva purchased Landmark from NSO. Furthermore, Riva’s CEO, Robin Gamble, used the same pseudonym, William Malone, to sign both contracts.
It is worth noting that Riva is not the only US government agency contracting with NSO. The company has also been paid by the Drug Enforcement Agency, the Department of Defense, and others. When asked about potential penalties for Riva’s violation, the White House declined to comment.
While NSO’s Pegasus was initially prohibited from hacking US numbers, the company developed a workaround called Phantom, which the FBI acquired in 2019 but claims to have never used.
It remains to be seen what actions, if any, will be taken by the US government and the FBI to address this violation of federal policy. The incident highlights the challenges faced by government agencies in ensuring compliance with regulations when dealing with sophisticated spyware technologies. The use of these tools raises concerns about privacy, surveillance, and the potential abuse of power. The revelations also underscore the need for stronger oversight and accountability measures to prevent the misuse of such technologies.