NSO, a company that has been lightning rod for criticism, has taken the most unusual step of announcing it has adopted a Human Rights Policy, which makes NSO the first cyber firm to do so. NSO develops software that allows governments and other bodies to penetrate individual iPhones and other relatively secure devices. They had always been proud of their roll in fighting terror, and used that calling card when they would recruit some of the best and brightest from the IDF when they completed their service doing related work. However, following the killing of Jamal Khashoggi by Saudi Intelligence, NSO came under immense scrutiny, after it was alleged the Saudi’s had tracked Khashoggi using NSO’s technology. The extent to which this revelation impacted the company is not clear. Although there are anecdotal stories of prospective employees considering other places to work, instead of NSO. Regardless of the reasons for the NSO announcement, their new Human Rights Policy will bring the company into alignment with the UN Guiding Principles on Business and Human Rights.
The company also announced it will add new senior advisors: Governor Tom Ridge, the first U.S. Secretary of Homeland Security; Gèrard Araud, former French ambassador to the U.S.; and Juliette Kayyem, former Assistant Secretary at the U.S. Department of Homeland Security and a professor at Harvard University’s John F. Kennedy School of Government.
The NSO Board of Directors approved the new policy, which includes an External Whistleblowing Policy that will provide a method for outsiders to announce the misuse of the companies products.
Key aspects of the new NSO Human Rights Policy include:
The integration of human rights due diligence procedures to identify, prevent and mitigate the risks of adverse human rights impact;
A thorough evaluation throughout the company’s sales process of the potential for adverse human rights impacts arising from the misuse of NSO products, including the past human rights performance and governance standards of the country involved;
Contractual obligations requiring NSO’s customers to limit the use of the company’s products to the prevention and investigation of serious crimes, including terrorism, and to ensure that the products will not be used to violate human rights;
Specific attention to protect individuals or groups at elevated levels of risk of arbitrary digital surveillance and communication interception on grounds such as their race, color, sex, language, religion, political or other opinions, national or social origin, property, birth or other status, or their exercise or defense of human rights;
The provision of grievance mechanisms to enable reporting of suspected misuse of NSO products by the company’s agency customers;
A renewed commitment to investigate whenever the company becomes aware of alleged unlawful digital surveillance and communication interception of NSO products;
Public reporting on the effectiveness of the NSO Human Rights Policy, taking into consideration the regulatory, legal, contractual, security and commercial constraints that limit the company’s freedom to disclose specific information;
and Periodic review of the company’s human rights governance framework by compliance experts, coupled with a commitment to ongoing dialogue with all relevant stakeholders.
“NSO’s products provide governments with the tools to help stop the world’s worst terror attacks and most dangerous criminals. We are incredibly proud of our products’ record of helping intelligence and law enforcement prevent serious crimes and save lives, but also understand that misuse could represent human rights violations. This new policy publicly affirms our unequivocal respect for human rights and our commitment to mitigate the risk of misuse,” said Shalev Hulio, co-founder and CEO of NSO. “NSO has always taken governance and its ethical responsibilities seriously as demonstrated by our existing best-in-class customer vetting and business decision process. With this new Human Rights Policy and governance framework, we are proud to further enhance our compliance system to such a degree that we will become the first company in the cyber industry to be aligned with the Guiding Principles.”
NSO also announced a new Board Committee: Governance, Risk and Compliance, which will oversee the policy.