NSO Spyware Scandal May Threaten Israel’s Love Affair With Amazon and Google

Amazon reportedly cut NSO off from its AWS service - the same one that is supposed to support Israel’s new official state cloud. Could Jerusalem be cut off, too?


It’s not as if we didn’t know that our smartphones are portable espionage devices, and that the trail of digital bread crumbs we leave behind could be used against us.

Still, the revelations about the use of NSO Group’s Pegasus spyware by its clients to conduct or attempt to conduct surveillance of human rights activists, journalists, political opponents and dissidents have shaken us up. Perhaps it’s the cooperation between a private, profitable company and dubious security agencies that is the most frightening aspect.

Whatever the reason, the fairly clear correlation between the list of countries that have purchased the services of NSO’s technological toy and those that have forged new friendly ties with Israel in recent years demonstrates that not only did the defense establishment know about all the Pegasus sales to dictatorships and semi-democracies, but that these transactions took place with its approval - and even encouragement.

It also is clear that the defense establishment values these strategic relationships over any considerations pertaining to human rights. The key, it seems, is who can be given a “token of friendship” in the form of the Pegasus spyware. The logic being that regional calm can be achieved if countries neighboring Israel can repress their dissidents. All this was done behind a digital curtain of concealment and the conscious refusal of the High Court of Justice to intervene.

In all this discourse it seems that a major question has not been addressed, so here it is: What does the NSO scandal have to do with Project Nimbus?

Project Nimbus is a multiyear, large-scale project, led by official Israeli bodies, with the goal of setting up an official state cloud for the country. The Government Procurement Administration together with the Government Information and Communications Technology Authority, the National Cyber Directorate, the treasury’s budget division, the Defense Ministry and the Israel Defense Forces are working together to provide cloud computing services for the Israeli government. The idea is that computing services will be supplied by local cloud sites, and the information – from the government, the IDF and private bodies – will be processed and stored within the borders of Israel and subject to state laws. This will take place by establishing Israeli subsidiaries to large companies like Amazon and Google that will do business with the government. Naturally this project will create thousands of jobs, provide opportunities for Israeli startups and boost the development of the local cloud computing industry.

Only a couple of months ago, Amazon Web Services (AWS) and Google were announced as the winners of the Nimbus tender and were selected as the firms that will provide cloud services for the project’s first stage. Amazon has already announced that it had begun building local cloud server farms, officially known as AWS regions, at a preliminary investment of some 2 billion shekels ($612.7 million). Last month AWS announced it would open this infrastructure region during the first half of 2023.

Security experts began warning of the strategic risk of setting up above-ground server farms in Israel due to the risk of a potential missile attack, and also raised concerns about security breaches and the disclosure of personal data, especially during the transition from the government’s mainframe computers to the cloud, during which the data would be temporarily stored on servers in Europe. But nobody asked what might happen if Amazon decided that Israel was violating human rights.

So here’s where we go back to NSO. Two days after the Project Pegasus scandal broke, AWS confirmed that it had disconnected cloud sites linked to NSO. What apparently angered Amazon was the use of the CloudFront platform – one of its content delivery services, which allows clients to transfer data, videos, apps and APIs quickly and safely – to conduct the early stages of the attacks against mobile phones that NSO’s tech was attempting to breach, and to conceal the surveillance activity. After Amnesty International contacted Amazon about the issue, an Amazon spokesman told media in the U.S. that it had quickly shut down “accounts” and “infrastructure” linked to NSO.

What the spokesman did not reveal was the policy or clause in AWS’ terms of use on which Amazon based its blocking of NSO’s accounts. After all, when Amazon allowed NSO to purchase services in recent years, there was no apparent problem. Moreover, in May 2020, when the Vice website published suspicions that NSO had used Amazon infrastructure to transfer malware, Amazon didn’t even respond to journalists’ inquiries.

If any of this reminds you of the “de-platforming” various digital giants led against then-U.S. President Donald Trump after the attack on the U.S. Capitol this past January, you’re getting warm. When Amazon took down Parler, the alternative social network to which numerous Trump supporters migrated after the president’s Twitter accounts were closed, we understood that a person or company could be expelled from a digital platform quickly and efficiently, without any explanation.

Moreover, one could also make it difficult for a company like Cellebrite to list on the Nasdaq; stop investing in a firm like AnyVision because of suspected human rights violations; sue NSO, as Facebook is doing; or remove Parler from app stores, as Apple and Google did. But nothing is like being kicked off the cloud. That is a punishment to beat all punishments and is tantamount to being banished from the internet.

The closing of NSO accounts, along with the case of Parler in January, and even the paralyzing of Wikileaks’ accounts in 2010, demonstrate that Amazon won’t hesitate to deplatform in cases of “political” violations of its terms of use: violations of human rights and embarrassing government officials around the world. In today’s world, if state or international regulations to protect human rights don’t work, the rules will be made by tech giants who can disconnect violators from their platforms for whatever they deem to be an offensive action that breaches their terms of use.

When the State of Israel deposits all its digital assets, including those of the Defense Ministry and the IDF, in Amazon’s hands, and tells us that our sovereignty will be preserved because the cloud servers will be physically located in Israel, it isn’t prepared for the possibility that the ultimate sovereignty belongs to Amazon. Amazon’s considerations, not Israel’s, will be more important than any legislation, and Amazon’s considerations won’t always be overt and clear.

In May, during Operation Guardian of the Walls in Gaza, tech website The Verge reported that more than 500 Amazon employees had signed a letter calling on company CEO Jeff Bezos and then-AWS CEO Andy Jassy (who has since replaced Bezos) to recognize the suffering of the Palestinians and cancel contracts with the Israeli government. What will happen when such pressure has an effect, or if other stories similar to the NSO saga get reported?

The NSO case demonstrates that decisions by the defense establishment on exporting security technology have to take into account human rights considerations. This is both because it’s the right thing to do and because, as the NSO case unfortunately taught us, there can be others who will enforce those values on us if no internal incentives exist for this to be the case. Paradoxically, the transition to the cloud via the Nimbus Project could provide such an incentive. Otherwise, the State of Israel or sections of its accounts could find themselves booted off the cloud and left suspended in mid-air.

The article was published in Haaretz