The NSO spyware scandal continues to grow, with Amnesty International announcing on Tuesday that the company’s phone-hacking software, Pegasus, had been used to target 14 current or former heads of state, including South Africa’s president Cyril Ramaphosa and France’s Emmanuel Macron. The fresh allegations follow the damning initial report published on Sunday by Amnesty, which revealed that Israeli technology business NSO’s software had been used by clients to facilitate human rights violations and target journalists and activists.

Though NSO continues to deny any wrongdoing and claims to have taken all possible steps to ensure its software wasn’t used for anything other than fighting crime and terrorism, the Israeli government is reportedly setting up a taskforce to look at the fall-out from the incident and more closely manage the country’s cyber exports. Lindy Cameron, the head of the UK’s National Cyber Security Centre, appeared to refer to the NSO revelations in a speech on Tuesday, when she said: “We now see states that cannot build high-end [cyber] capability being able to buy it,” adding that it was up to the international community to work together to ensure “cyber actors use capabilities in a way that is legal, responsible and proportionate to ensure cyberspace remains a safe and prosperous place for everyone”.

Attention has also turned to the role of cloud providers in facilitating illegal activity. In the forensic analysis published by Amnesty International, the NGO reported that NSO Group had been using infrastructure from cloud providers including Amazon’s AWS to carry out its unlawful surveillance and human rights abuses. “[…] it appears that NSO Group is primarily using the European data centres run by American hosting companies to run much of the attack infrastructure for its customers,” said Amnesty’s document. Three other US cloud providers, Digital Ocean, OVHCloud and Linode, were also among the hosting companies used by NSO Group.

NSO Group cloud infrastructure
Private Israeli firm NSO Group has denied media reports its Pegasus software is linked to the mass surveillance of journalists and human rights activists, and insisted that all sales of its technology are approved by Israel’s defence ministry. (Photo by Mario Goldman/AFP via Getty Images)

AWS says it acted quickly to shut down NSO Group’s accounts after it found out about the company’s illegal activity, but this abuse of the public cloud for illegitimate activities raises the question of whether providers should be taking a more proactive approach to prevent it in the first place – or whether that would be an overstep on the part of regulators that could potentially backfire.

Should providers take a proactive approach to know what their clients are doing?

Amazon revealed on Monday it had closed down all NSO Group activity running on AWS. “When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts”, an AWS spokesperson said. But could Amazon have acted any sooner to prevent NSO Group using its platform for these activities?

“This is an ongoing dilemma that we will continue to face for a long time, since we are far from seeing the final say on the issue of platform liability,” says Luca Schiavoni, telecoms and technology senior analyst at Assembly Research. “Even the Digital Services Act proposal in the EU largely leaves things as they have been up until now.”

The Digital Services Act is a legislative proposal by the European Commission submitted in December 2020 that aims to increase control of digital services, including online platforms and internet infrastructure services, to prevent illegal or other harmful activities. But in its current guise, it would see organisations such as AWS and other cloud providers retain exemptions to liability for a wide range of cases in which platforms are seen as a ‘mere conduit’.

Schiavoni adds that regulators are trying to strike a balance between the need to make platforms more accountable for the illegal or harmful content they host and the need to guarantee a high degree of openness and freedom for the activity on these platforms. However, achieving that balance could still leave the problem unresolved.


“In the wake of this scandal, we could see more cloud providers taking similar action – all eyes are on them now after all,” said Schiavoni, referring to the other cloud providers hosting NSO Group’s infrastructure that have as yet not made public any decisions regarding the continuation of their services for the spyware company. According to The Register, Linode and Digital Ocean have not stopped working with NSO Group, though Linode has subsequently said it was “not aware of any of the activities” listed in the Amnesty report and has been unable to validate any of the claims.

“On the one hand, it is true that private companies will continue to advocate against prescriptive limitations as to what they can and cannot do,” continues Schiavoni. “At the same time, when scandals like this one emerge, pressure inevitably mounts on them to implement additional safeguards.”

He adds that actions like the one taken by AWS show that providers care about these situations and that they are aware of the upcoming regulations that will punish them if they fail to act to prevent harmful activities. In the case of the Digital Services Act, the European Commission wants the ability to issue fines of up to 6% of companies’ annual turnover if they do not comply with the proposed obligations.

“A decline in public trust is the last thing cloud providers will want, because it will give regulators and policymakers stronger arguments to propose more prescriptive rules,” Schiavoni concludes.