NSO Lobbyists’ “Urgent” Request for Meeting With Antony Blinken

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM From: Dickinson, Timothy L Sent: Tuesday, November 7, 2023 2:10 PM To: ete gov ce oe ov; Cate gov] state.gov JE O<tate gov; te co SE Cate 50, State gov, SEEEOState gov; IC cin senate gov; IEC isch senate gov Subject: NSO Group. Attachments: 2023.11.07 - Letter to Secretary Binken re NSO Group pel **This materials distributed by Paul Hastings LLP on behalf of NSO Group. Additional information is available at the Department of Justice, Washington, DC.** Dear Ms. George, 1am writing on behalf of NSO Group to urgently request an opportunity to engage with Secretary Binken and the offical at the State Department regarding the importance of cyber intelligence technology in the wake of the grave. security threats posed by the recent Hamas terrorist attacks in Israel an thei aftermath. | have sent the attached to Secretary Binken via UPS and am also sharing a digital copy via email for convenience. Thank you for your time and consideration. | can be reached at the phone number and email adress lsted below with any questions. Best regards, Timothy L. Dickinson Timothy Dickinson | Partner, Litigation Department PAUL Paul Hastings LLP | 2050 M Street NW, Washington, DC 20036 | Direct: +1.202.551.185 Main: +1.202.551.1700 | Fax: +1.202.551.0258 | timothydickinson@paulhastings.com | HASTINGS I resings.com Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM AEE io Tard PAUL PO ts HASTINGS 1(202) 551-1858 timothydickinson@paulhastings.com es 1h — we I SRE Ora convenience), | am writing on behalf of NSO Group ("NSO” or the “Company’) to reaffirm the importance a Rll CL Toit] A A AE SO SANS So oa the Middle East, there are significant concerns over potential violence from emboldened terrorist EE a an i Wr ir onl i dn A le anes, a channels via intelligence collection technologies may represent the clearest way to thwart Hamas's and Hezbollah's attacks( NSO's cyber intelligence technology is a critical tool that is used to aid the ongoing fight against terrorists. im LL ao ls yy ‘where there is a reasonable suspicion, supported by evidence, that the target is involved in a terrorist mes A — A TE atelier asd Technology (July 31, 2023), hitps:/iwww.csis org/analysis/understanding-hamass-and-hezbollahs-uses-information- Jeo Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM PAUL “Tis material is distibuted by Paul Hastings LLP on behalf of NSO Group. HASTINGS Pegasus tool is treated in Israel as a defense article subject to regulation by the country’s regulators, a comprehensive, industry-leading human rights compliance program based upon the United Nations ‘measures to curb their misuse by certain governments. Indeed, NSO has long called for the EE sl Sy Re requests an opportunity to engage with you and your colleagues to share the processes the Company discussion, enclosed is the position paper prepared by NSO summarizing essential background Aud LV . J. . Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM PAUL Thi mater s iste by Pui Hastings LLP on behalf of NSO Group ey Adon] formation 5 avaiable f te Department of Justo, WashIGon, 0.C. HASTINGS James E. Risch United States Senator Bonnie Denise Jenkins Under Secretary of State for Arms Control and Intemational Security Gonzalo ©. Suarez Deputy Assistant Secretary, Bureau of Intemational Security and Nonproliferation Christopher A. Landberg Acting Coordinator for Counterterrorism, Bureau of Counterterrorism Uzra Zeya Under Secretary of State for Civilian Security, Democracy, and Human Rights Erin M. Barclay Senior Official, Bureau of Democracy, Human Rights, and Labor Robert S. Gilchrist Principal Deputy Assistant Secretary, Bureau of Democracy, Human Rights, and Labor Barbara A Leaf Assistant Secretary, Bureau of Near Eastern Affairs Richard C. Visek ‘Acting Legal Advisor, Office of the Legal Advisor Enclosure: 3 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM “This material is distributed by Paul Hastings LLP on behalf of NSO Group. ‘Additional information is avaiable at the Department of Justice, Washingion, D.C. 1(202) 561-1858 timothydickinson@paulhastings.com January 7, 2022 Lisa Peterson Acting Assistant Secretary. Bureau of Democracy, Human Rights, and Labor USS. Department of State. 2201 C Street NW. Washington, DC 20520 Re: NSO Group Dear Ambassador Peterson: 1am writing on behalf of NSO Group to request an opportunity to engage with you and your colleagues regarding the recent initiative announced by the U.S Government at the Summit for Democracy to cub the proliferation of technology that has been misused by governments. NSO is a technology company that only licenses technologies to vetted, U.S. and Israeli allied legitimate law enforcement and inteligence agencies for use in fighting terrorism and serious violent crimes such as human trafficking and the dissemination of child sexual abuse materials. While NSO does not operate. the technology, these agencies have successfully used it to prevent terrorist shooting sprees, car explosions and suicide bombings, break up pedophilia and sex and drug-trafficking rings, as well as to find and rescue kidnapped children. NSO is regulated and subject to Israel's stringent export licensing requirements. In addition, NSO has developed internal protocols over a number of years, consistent with efforts to continuously improve is practices and align fs conduct with the UN Guiding Principles on Business and Human Rights, o prevent the sale of is technology to customers who might misuse it, and take appropriate measures against those customers who do misuse it. The company has also Sought to faciltate the development of standards for the industry and has advocated for the importance of such measures. For that reason, NSO applauds the announcement of the U.S. Government, made in conjunction with Australia, Denmark, and Norway, and supported by Canada, France, the Netherlands and the. UK. These govermments recognize, as does NSO, that responsible use of technologies such as NSO's “is essential for the well-being of our future generations.” They also recognize, as does NSO, that authoritarian governments can abuse the technologies vithin and across their borders. As a result, the aligned goverments have committed to working to establish a voluntary code of conduct fo states to use. export control tools to prevent the prolferation of technologies used to enable serious human rights abuses. We are also pleased that these aligned governments have committed to work vith industry and academia in these efforts. As a company that has advocated for industry-standards to faciltate responsible use of technologies, vie are highly supportive of this initiative. In furtherance of that effort, we would like to engage with your office o share the processes we have developed and the industry standards we have sought to embed, 1o help prevent serious human rights abuses within our sector and help address the serious issues. identified by all the relevant partes. Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM PAUL HASTINGS or [Eee io RE —_— Aud LAV TT, now Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSDFARA Registration nit, L107 2053, Zits [evar so ar, aston Re en 1(202) 551-1858 murano wpe ty sore BS a a i ee EEE Comsmsmneprirn Furr tomy sarspoon on. 212, to ol pba NSO Gr "NSO" or “the Company’) regarding the Export Controls and Human Rights Initiative (‘the Initiative") ee on Ct ion 0 Suen), Ember wr Soe Ss eer A “The Company welcomes and strongly supports this Initiative. As you may know, NSO has supported the EE or ae res, Fe ho TS rr RT a ERR To inform and facilitate the discussions, we enclose a position paper prepared by NSO summarizing essential background information on NSO's Pegasus product, NSO's human rights initiatives, and NSO's. A A RE a oe do i om ne Weim —g oy ot snes errs me Auch LA Lane I son Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Department of sie, Waligion DC NSO, Pegasus and Human Rights Introduction “The rapid development and widespread use of technology has profoundly changed the ability of states to prevent and investigate terrorism and other serious crime, bringing great challenges as well as opportunities. The use of new technologies by terrorists and criminals to further their unlawful activities has, in tum, required intelligence and law enforcement agencies to search for and embrace new technologies to combat terorism and other serious crime. Of particular concen is the impact and potential risk of misuse of technology and how to balance legitimate security concerns with respect for human rights and, in particular, the right to privacy. “This position paper summarizes essential background information on “Pegasus” and NSO Group Technologies (NSO")’s human rights program, and sets out proposals for hor society should collaborate to regulate the sector and better mitigate potential harms caused by NSO’s technologies while till benefiting from the protections they provide. NSO was founded in 2010 with the ambition to make the world a safer place. Its mission was and remains - (0 assist lawful investigations by state authorities to protect the security and safety of ciizens against major crimes and terrorism, thereby contributing to the enjoyment of human rights. NSO's products are licensed and provided to goverment intelligence and law enforcement agencies to fight crime and terror. In particular, NSO products help state authorities address the “going dark” problem: the growing misuse of encryption by terrorists and criminals to conceal messages and plots when communicating through devices. NSO is most wellknown for “Pegasus”, a technology used by states and state agencies around the world to collect data from specific mobile devices of suspected major criminals ‘As terrorists and criminals routinely further their criminal activities by misusing end-to-cnd encryption to communicate and conspire securely, Pegasus remains a technology essential to ‘combatting terrorism and other serious crimes and to defend the rule of law. NSO’s technology enables state authorities to penetrate the cloak of secrecy concealing targeted criminals and dismantle sex-, drug- and human-trafficking rings, tackle pedophilia rings, locate missing and kidnapped children, rescue survivors from collapsed buildings and protect the security of airspace A clear illustration of severity of the risks posed to children online by inaccessible encrypted services, for example, is highlighted by the WeProtect Global Alliance, which brings together ‘govemments, the private sector, civil society and intemational organizations to develop policies and solutions to protect children from sexual exploitation and abuse online. The organization's 2019 Global Threat Assessment identified: “Publicly-accessible social media and communications plaiforms (as) the most common methods for meeting and grooming children online. In 2018, Facebook Messenger was responsible for nearly 12 million of the 18.4 million worldwide reports of CSAM [child sexual abuse material to the US National Center for Missing and Exploited Children. These reports risk disappearing if end-to-end encryption is implemented by defaulr, since current iools used fo detect CSAM do not work in end- to-end encrypted environments.” 1 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This seria is dsb by Pol Hastings LLP on bela of NSO Gro Adina fortis available tthe Department of sie, Waliogion DC In their 2021 Assessment, WeProtect Global Alliance restated the urgency of the situation. “Their findings confirmed that the risks posed to children online have continued to grow and diversify as “[e]ven offenders with minimal technical ability can evade detection by using. easily accessible encrypred messaging services and anonymity iools.” Similarly, Australian legislators have acknowledged the “going dark” problem posed by end- to-end encrypted messaging. Indeed, this is one of the main challenges for intelligence and law enforcement agencies in today's highly digitized world and dynamic environment. A 2019 report prepared by Australia’s Parliamentary Joint Committee on Law Enforcement, for example, noted: “The challenges to law enforcement posed by criminal activity ‘going dark’ are significant and ongoing. As the implementation and uptake of encryption increases, including through the use of entirely legal infrastructure such as SG networks, the impact on law enforcement’s capacity 10 detect and disrupt cyber and cyber-enabled crime will only be exacerbated.” NSO's Pegasus technology has enabled state authorities to thwart numerous terrorist attacks and has been instrumental in apprehending terrorists and other serious criminals operating clandestinely in the cybemetic world. As stated in the New York Times Magazine (Jan. 31, 2022): “Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capiure Joaguin Guzman Loera, the drug lord known as EI Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, Jight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO's producis seemed 10 solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and ferorisis had better technology for encrypling their communications than investigators had fo decrypt them. The criminal world had gone dark even as it was increasingly going global.” Tis clear that any given technology is not inherently good or bad. Pegasus is a technology designed and provided to contribute to the fight against major crime and, therefore, the protection of human rights. But, like any other technologies, it can also be misused to violate human rights. The same is true of end-to-end encryption a technology that can contribute to the respect of human rights, including the right to privacy, but can also be misused by criminals responsible for severe human rights violations. In fact, the Pegasus system allows for targeted surveillance only, with customers purchasing a limited number of licenses for concurrent targets, and is therefore less intrusive when ‘compared with a backdoor. This concept was recognized in a recent interview featuring Belgian Minister of Digitalisaion and Privacy Mathieu Michel, who expressed disagreement with: WeProtect Global Alice, 2021 and 2019 Global Threat Assessment Reports, availble a. [i —— 2 Parliamentary Join Commitee on Law Enforcement, Commenwealh of Australi, Impact of New and Encrging Information nd Communication Technology (April 2019, available at psa aph gov a Parliamentary Business Committees Join Law. Enforcement NewandemergingICT/Re port 2 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available tthe Department of sie, Waliogion DC “[1Jowering the level of security and privacy of all Belgians’ messages... to conduct investigations from time to time. Is a i. because the police and the justice system do searches from time io time, everyone should leave their back door open... today we have technological means to access tapping other than by degrading the level of security of all Belgians. Look at the Pegasus software.” NSO is fully aware of and committed to its own human rights responsibilities and the duties ofits clients, and is determine that ts products be used appropriately and lawfully. Any allegation that Pegasus has been misused by a sate or state agency to wrongly target anyone including a journalist or human rights defender — is extremely concerning. Any such allegation immediately triggers a thorough review process and investigation into the reported claims. NSO is not affaid to take decisive action, such as terminating the contract with a customer, when necessary. Moreover, as a highly regulated company, NSO may only pursue customer relationships within the consiraints imposed by Isracli law, including the Isracli ‘government's own set of human rights protections. NSO is also aware that progress requires a mobilization beyond an individual company. The United Nations Guiding Principles on Business and Human Rights (“UNGPs"), for example, specifically note that “[s}ates do not relinquish their international human rights law obligations when they privatize the delivery of services that may impact upon the enjoyment of human rights.” Continuing dialogue, including multistakeholder exchanges and ‘multilateral efforts that encompass governments, industry, academic communities, and civil Society, therefore remains key to appropriately regulating this sector to best ensure proper respect for human rights. NSO is uniquely situated, as the sector’s pioncer with more than 60 clients in 45 countries across different continents, to contribute to such discussion. “This is why NSO: «Reiterates its strong support for the establishment of an international legal framework and sector-specific standards for sates and companies. This is critical to guide and regulate the use of surveillance tools by states and state agencies for legitimate law enforcement and national security purposes. Such a framework would also establish ‘ground rules regarding transparency and the provision of remedy when appropriate. «Welcomes the Export Controls and Human Rights Initiative to help stem the tide of authoritarian government misuse of technology and promo a positive vision for technologies, anchored by democratic values. This initiative was announced by the United States, Australia, Denmark and Norway and is further supported by Canada, France, the Netherlands, and the United Kingdom. NSO is fully prepared to engage with these countries and others, as well as with any other intemational organizations or stakeholders. «Renews ts standing invitation to all stakeholders, including civil society organizations, tates, international organizations and the United Nations Special Procedures, to engage in a meaningful dialogue with a view to establish concrete solutions to promote respect for human rights by all. * United Nations, Guiding Principles on Business and Human Right, available at Hips vo beh rg. 3 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Department of sie, Waligion DC Better Understanding Pegasus ‘While substantial public attention has been drawn to Pegasus, it remains poorly understood. tis important to underline that it is designed — and can only function - to collect intelligence from specific mobile devices. The technology is more limited in scope than public reporting. suggests: « Itis used with specifi, pre-identified phone numbers, one at a time; «In many ways, Pegasus is similar in concept t0 a traditional wiretap. Instead of listening to specific conversations, it helps law enforcement monitor mobile ‘messaging, offering legitimate law enforcement and intelligence operations personnel a window into the activities of previously identified and targeted criminal actors on an individual basis; «Pegasus does not delete or edit data on a targeted device or allow for such deletion or editing; «Pegasus cannot be used to gather information broadly and does not penetrate computer networks, desktop or laptop operating systems or data networks; «Pegasus is not a mass surveillance technology and only collects intelligence from the ‘mobile devices of specific, pre-idenified individuals. In addition, NSO does not operate this technology. NSO licenses Pegasus to law enforcement and intelligence agencies of sovereign states and govemment agencies, following a careful and sector-leading pre-engagement due diligence process (see NSO's Due Diligence Procedures set out in Annex 1 below). Licenses are limited in number and contracts are: carefully erafied to permit only legitimate use For good reason, and a core tenet of NSO's corporate ethics since it was founded, NSO does not have any knowledge of the individuals whom states might be investigating, nor the plots they are trying to disrupt. Sovereign states normally do not, will not, and should not, share this extraordinarily sensitive information with NSO or any other provider of similar technology. NSO is constrained init ability 10 say more about its customers, the crimes prevented and criminals tracked and apprehended using is technology, as a result of the legitimate legal and operational need for secrecy of sovereign intelligence and law enforcement agencies 4 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Department of sie, Waliogion DC ‘Three Myths Surrounding Pegasus Myth 1: NSO operates Pegasus and collects information about the individuals it is used against. «Fact: NSO licenses Pegasus to sovereign states and state agencies, does not operate Pegasus, has no visibility into its usage, and does not collect information about customers. Myth 2: Pegasus is a mass surveillance tool. «Fact: Data s collected only from the mobile devices of specific individuals, suspected to be involved in terrorism and other serious crime, subject to judicial or other appropriate oversight. Myth 3: Pegasus can delete or alter data stored or shown on an individual's phone. «Fact: Pegasus is not capable of creating, editing or deleting data on a mobile device. Instead, the software enables sates to access and collect data stored on a devi. The NSO Challenge As the UN High Commissioner for Human Rights restated on July 19, 2021, surveillance ‘measures are justified where they are necessary and proportionate to achieving a legitimate goal. NSO recognizes and embraces the fundamental principles of human rights law, notably ICCPR article 4, which requires states not to derogate from their obligations with respect to certain human rights under any circumstances. These rights include the right to if, freedom of thought, conscience and religion, and freedom from torture or cruel, inhuman or degrading treatment. Similarly, NSO recognizes that derogation from other rights is only permitted in the special circumstances defined in intemational human rights law: any such measures must be of exceptional character, strictly limited in time and to the extent required by the exigencies of the situation, subject to regular revierv, consistent with other obligations under intemational nw and not be discriminatory in any way. Because NSO's technology is exclusively provided to and operated by states and state agencies, it is inherently challenging to ensure that states fulfill their primary duty not to violate human rights through the misuse of NSO's technology. To mitigate the risks and provide concrete solutions, in 2019 NSO adopted an upgraded human rights due diligence procedure. This procedure, which was presented in detail in the 2021 NSO Group Transparency and Responsibility Report, is summarized in Annex 1. The NSO Due Diligence Procedure is based on ex-ante, during and ex-post controls and verifications on both the customer and the use of Pegasus. The human rights due diligence program: «Has identified the most salient human rights isks associated with NSO products, and is tailored to prioritise mitigating these risks. This includes working to prevent misuse: against journalists, members of civil society organizations, lnwyers and dissident politicians and campaigners. 5 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Deptt of sie, Waligion DC «Includes pre-engagement due diligence building upon data on states’ human rights performance and track record independently provided by credible civil society organizations and incorporates objective scoring and filtering, subjective rescarch and analysis, internal independent supervision and external government oversight ~ to properly mitigate the risk of providing products to a state authority that might misuse: them. «Involves licenses that define and permit only legitimate uses, require compliance with NSO's Human Rights Policy, include bespoke restrictions as appropriate and ensure enforcement rights for NSO. «Established, maintains and operates internal and extemal whistléblowing policies, accommodating confidential and anonymous reporting, which trigger the product ‘misuse investigation procedure. « Prioritses customer and client training and, increasingly. is embracing transparency despite the legitimate confidentiality constraints inherent in this area of work. «Is developed and continuously improved with key input from an extemal panel of experts and in light of stakeholder feedback, and implemented and enforced in partnership with NSO external lawyers around the world. NSO is proud to be the first and to ts best knowledge the only company in the cyber industry that is implementing policies towards complete alignment with the United Nations Guiding Principles on Business and Human Rights. While NSO is constantly working to improve its policies and practices to further mitigate the risk of misuse, this endeavor takes plac in a context in which we as a society are lacking best practices and guidance both for sates to appropriately balance their essential law enforcement and crime prevention efforts with their human rights obligations and for the industry's responsibilty o respect privacy and human rights. “This is why NSO has highlighted the need for an international legal framework and sector- specific standards, as well as guidelines to better determine criteria for legitimate end users of crucial surveillance systems. This is critical to guide and regulate the use of such invasive tools by states and state agencies for legitimate law enforcement and national security purposes, and to establish ground rules regarding transparency and the provision of remedy when appropriate. Achieving this is beyond the scope of private companies’ efforts alone, and properly requires the direction and oversight of a democratic and public political process. ‘Accordingly, NSO is highly supportive of the export controls and human rights initiative announced and supported by states having participated in the Summit for Democracy in December 2021. NSO stands ready to engage constructively in this process as well as to any other international process or initiative. NSO Reaction to the “Pegasus Project” Reports and NSO's Next Steps Beginning in July 2021, a number of allegations against NSO were published in a series of “Pegasus Project” reports from “Forbidden Stories” (“the Report”). Despite the fact that ‘many of these allegations have proved to be baseless, misrepresented and false, NSO 6 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis aval tthe Department of sie, Waligion DC nonetheless takes them seriously. As with all allegations of misuse, NSO has followed these steps: «Investigate cach and every allegation related to an existing customer, «Continuously improve its human rights program, including through provision for or cooperation in the remediation of human rights harms, «Continue to engage with all stakeholders, and «Support the development of intemational standards. Investigating Allegations “The original allegation — that the “list” contains details of individuals “selected as people of interest by clients of [NSOJ” - does not purport to implicate Pegasus or any NSO technology. “The editor of the IVashington Post, a member of the Report consortium, conceded that “the purpose of the lst could not be conclusively determined” and that “it is unknown how many of the phones were targeted or surveilled”. Additionally, Amnesty wrote that they “never presented this lst as “NSO’s Pegasus Spyware List’, although some of the world's media may have done so”. This nuance and caveat have been conspicuously absent from most reporting of the allegations, resulting in coverage that, whether deliberately or not, was (and remains) ‘misleading, speculative and sensationalist. Despite these serious shortcomings and material inaccuracies, NSO always takes extremely seriously all allegations that its products may have been involved in any human rights adverse. impact. “To address, properly and fully, the allegations reported, NSO immediately started a thorough review process and launched investigations into the reported claims More specifically, and even if some actions cannot be made public in light of legally binding national security restrictions and confidentiality obligations, NSO has undertaken appropriate: steps, including the following «Suspended customers’ use of the system, «Conducted detailed reviews of domestic legal frameworks, «Reviewed relevant contracts and agreements, «Interviewed end-users and legal representatives to understand processes, protections and perspectives, and «Verified facts from objective sources. In some cases, NSO has reinstated the system after gaining comfort that the technology was not misused. In other cases, it has fully severed relationships with customers after misuses were identified. Some cases are still under active investigation, including instances where NSO is awaiting the outcome of various governmentlevel inquiries being conducted in parallel 7 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Department of sie, Waliogion DC NSO is able and willing to cooperate with any official state inquiry into the use of its products by any customer agency of that state, and, indeed, NSO has done 50 successfully in the past. NSO can also participate in any inquiry by an international organization, provided that the confidentiality restrictions mentioned above are addressed. Such cooperation could facilitate: disclosure and potentially the provision of remedy by the state to any victim of human rights violations. Continuously Improving NSO's Human Rights Program AS NSO has consistently sated, including prior o the widespread reporting related to the “Pegasus Project” and the recen interest from several governments, NSO is committed to fully implementing the United Nations Guiding Principles on Business and Human Rights and the OECD Due Guidelines. While NSO is the first company in its sector to undertake such public commitments, NSO is not complacent nor will it wait passively for the adoption of a much-needed interational framework for the industry globally. Instead, NSO is redoubling ts own efforts to continuously enhance its human rights program and mitigate risks; and to address sates” legitimate concerns NSO has begun work on designing and implementing the following initiatives: 1. Reviewing product design options for incorporating stronger human rights safeguards, including the viability and effectiveness of establishing “whitelists” of mobile devices and identifying out-of-scope surveillance activities: 2. Reviewing NSO governance frameworks and the potential for enhanced engagement of independent experts; 3. Further enhancing NSO’s human rights du diligence procedures, including ‘mechanisms to reduce the potential misuse of products in connection with journalists, to be developed in discussion with civil society organizations, academics and policymakers; 4. Reviewing the feasibility of developing an audit process for gathering data regarding customer use and proactively assessing compliance mid-contract; 5. Promoting improved access to effective remedies for victims, including by increasing options in contract terms and pursuing legal action against customers responsible for product misuse and adverse human rights impacts; 6. Reviewing and updating legacy contracts, in light of substantiated concerns communicated by states, o ensure long-standing customer relationships meet the same ‘human rights standards and are subject 0 the same contractual safeguards as new engagements; and 7. Enhanced training of customers to ensure proper compliance with contract obligations. “United Nation, Guiding Principles on Busines and Human Righis, available at hips: sw och or: ‘OECD, Due Diliscnce Guidance for Responsible Business Conduct, availble at hips Ava ccd org nvestmentdue-dlgence- guidance. for responsible business <onduct him. 8 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available tthe Department of sie, Waligion DC NSO welcomes the opportunity to discuss these and other possible enhancements to its human rights program. Engaging Stakeholders NSO is committed to engagement with stakeholders to more fully understand, allay and/or act upon concerns relating to human rights risks. To be clear, NSO is ready and willing to engage in good faith with any credible independent expert, including human rights defenders and others from civil sosiety organizations, representative organizations, companies, or other ‘groups, even if the feedback is critical. NSO hopes that this readiness and willingness is reciprocated as it believes that robust engagement is essential to improving mutual understanding of the risks and challenges associated with balancing the state duty (0 protect the physical security of ts individual ‘populations with the potential misuse of technologies against dissidents, vulnerable populations, and others. Over the past year, NSO has engaged and sought to engage with numerous stakeholders, receiving useful and sometimes pointed feedback and commentary on its human rights program and approach. Many of the suggestions and recommendations have been integrated into NSO’s framework. Examples include sources that are now used as part of NSO’s due diligence procedures, how NSO might consider enhancing transparency in relation 10 issues and incidents despite the inherent limitations that exist in this sector, and the integration of additional international standards into NSO agreements. These suggestions help to strengthen processes, and further mitigate risks of misuse and potential adverse human rights impacts by NSO customers. ‘Supporting International Standards In addition, NSO actively supports efforts to create standards and mandate further transparency in the cyber intelligence world. NSO has actively promoted engagement around responsible product design and usage in its sctor that balances the need for legitimate la enforcement activites with the risk that state actors misuse cyber intelligence products against joumalist, civil society, dissidents and political opponents, and vulnerable populations. NSO is ready to participate actively in dialogue with and within intemational organizations, in the hope that further engagement among leading companies, state agencies, intemational institutions and civil society organizations will help establish rules of responsible conduct for this indusiry and ground rules that sates should meet to be eligible to receive exports of such technology. NSO fully understands and indeed expects that some of those rules could require adjustments to its business approach, and even perhaps cause negative commercial consequences. Nevertheless, NSO's steadfast desire is to help develop a global consensus around the appropriate use of cyber intelligence products, and to create confidence among all stakeholders that such products ar being used as intended — making the world a safer place. 9 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Department of sie, Waligion DC Annex 1 NSO'S HUMAN RIGHTS DUE DILIGENCE PROGRAM (As of May 2022) Our Main Human Rights Risks Through our legal and human rights-focused analysis of our products and new developments, investigations, engagements with third parties and customers, and review of third party reports, we have identified the most salient human rights risks associated with our products These include: «The potential misuse of our products against people and groups that act to promote or protect human rights in a peaceful manner (“human rights defenders”). These include: Gi) journalists; it) members of civil society organizations; Gi) lawyers; and (iv) political parties, candidates and supporters. «The potential misuse of our products for reasons unrelated to national security or law enforcement, such as in support of litigation or to obtain information that may be: embarrassing to individuals. «The use of our products by unauthorized personnel associated with states and state agencies, which is a odds with our agreements and enhances the isks of negative: impacts. «State use of our technology in a manner inconsistent with human rights norms. For instance, there may not be judicial or other independent approval processes, and when they do exist, we have identified situations where the process or protocols for obaining approval, standards against which approvals should be judged, and/or requirements for documenting the reasoning associated with granting approvals, may not be fully transparent. «State use of our technology authorized by regulations regarding surveillance that may lack: i) a definition of the nature of offenses that may legitimately lead to surveillance, and categories of people who may be surveilled; (i) a limit on the duration of surveillance activities; (i) a clear procedure to be followed when examining and using information oblained: (iv) precautions when communicating gathered information to other parties; and/or (v) circumstances in which information ‘may be destroyed. «These impacts can result, and in some cases we believe have resulted, in violations by our customers of several fundamental human rights. These include the right to privacy, the righ to freedom of expression, and the right to freedom of assembly. Potential violations of these rights also represent the most severe, least remediable, ‘most widespread and most likely adverse human rights impacts that could arise from customer misuse of our products. «There is a wide variety of additional govemment-driven risks that could flow from our technologies. These could include rights associated with the legal and judicial process, such as fieedom from arbitrary arrest and detention and similar abuses or improprictics in the legal process, as well as invasions of freedom of though, 10 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis aval t the Department of sie, Waligion DC conscience and religion, restrictions on freedom of movement, or participation in civic life We keep this assessment of our company’s salient human rights risks under review. Human Rights Due Diligence NSO’ human rights due diligence is a vital part of our corporate strategy, enterprise risk ‘management and responsible business conduct. This is especially true when it comes to licensing tools that, if misused, could potentially have serious adverse human rights impacts We cannot ultimately prevent a state misusing our technology, but we can and do ensure that we are very selective with respect to the ideniity of the countries and customers with which we are willing to do business in order to mitigate the risk of such misuse. ‘We adopted our Human Rights Due Diligence Procedure (the “HRDD Procedure”) in ‘April 2020 to further implement our Human Rights Policy and to help the company comply with applicable local laws, intemational norms and human rights principles. The HRDD Procedure requires the assessment of potential human rights impacs prior to the sale of our products to cach customer, paying particular attention to potentially vulnerable groups. We believe our process is best practice and compares favorably with the larger defense industry. In high-level summary, our HRDD Procedure encompasses several components: Initial Filter Based on an in-depth review of various compliance concerns, we have decided upon alist of ‘more than 55 countries to which we do not and will ot sel cyber intelligence products, for reasons such as human rights, corruption, and regulatory restrictions. Opportunities from these countries are not brought to the management committee for consideration and are rejected even before the du diligence process shall be initiated. Initial Risk Assessment and Classification NSO's internal compliance team conducts a two-part evaluation of human rights risks associated with any new business opportunity: a country assessment, followed by analysis of the specific opportunity. First, we generate a numerical country assessment score using a carefully curated and annually reviewed (and, if necessary, updated) lst of external and widely respected rankings, indicators and other data from sources including: the Economist Intelligence Unit; Fund for Peace; Vision of Humanity; Freedom House: Transparency Intemational; the World Bank Worldwide Govemance Indicators; Trace Intemational; and CIVICUS. “Then, we classify the risks relevant to the specific opportunity by examining: (1) the degree to which the specific product(s) could adversely impinge upon the human rights of targeted individuals; (2) the degree to which there is perceived potential adverse human rights impact; (3) reputational risks; (4) where the product(s) would be used: (5) the relative authority and governance of the prospective customer organization; and (6) other factors. The opportunity evaluation must include a review of the product type and capabilities, customer organization type and mission, and proposed duration of relationship. n Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This mse is suid Pa Haig LLP ct bell of NSO Group Adios mation vibe te Deparment fice, Wakinon DC NSO's Vice President for Compliance combines the county score and the opportunity classification o reach an nial isk rating of “elevated”, “moderate” or “low”. This risk rating determines the level of due diligence conducted during the next stage. Information Gathering and Assessment “The diligence process relies on information gathered from a number of sources, including: denied parties checks; results of media searches in English and local languages: information from NSO employes; information about the domestic legal framework; information about the prospective customer; input from relevant govemment authorities; and reports from partners and external risk and investigative ims. “The due diligence requirements for cach risk elasification can be illustrated as follows: [Risk'Source [Low [Moderatettigh Open Source [Results of intemal adverse media Intelligence country and End-User overview | research [Extema risk and investigation im, report to include publicly available Co information and adverse media Lpastih vst country and End-User overview, [human rights and forcign policy Human Intelligence - [Sales Manager Questionnaires bv © lu activity reports - Onsite and Client [Exceutives [NA forrenewals] | [© | [Support [N/A for new End-User] © lv [Partner | | | © lv lo [investigation firms Level [Level | 2 | Government input (strategy) ko Legal Framework [Publicly available information Jabout local laws and legal © framework [Local legal opinion © [Export Control (E.U., U.S., IL) | = = | 3 ISDN / Embargoed Countries fie fie fie hb 2 [End User questionnaires interviews ls 2 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Department of sie, Waligion DC Final risk classification, review and approval Review by the General Counsel of the Compliance Team's assessment memorandum. ‘The General Counsel can require additional due diligence to be undertaken at ths stage. ‘When satisfied with the due diligence performed, the General Counsel determines the final risk classification: “high", “moderate” or “low”, “High" and “moderate” risk marketing opportunites (i.c., new countries without specific customer opportunities) plus all specific customer engagements are subject to Management Commitee review and approval. Enhanced Approval Additionally, the GRCC reviews and has final approval in three circumstances: (1) for all “high risk customer engagements; (2) where Management Committee approval was not unanimous; and (3) where the Management Committee referred the opportunity to the GRCC for consideration. Contractual Provisions Every customer and business partner contract requires compliance with al applicable laws and regulations, including those governing the use of our products, and international human rights norms. Customers and their employees must also receive, understand and comply with NSO's ‘Human Rights Policy. ‘Customers must undertake not to “target individuals or groups because of their race, colour, sex, language, religion, political or other opinions, national or social origin, property, bith or other status of their otherwise lawful exercise or defense of human rights”. ‘We strictly require that Pegasus is used only where there is a legitimate law enforcement or intelligence-driven reason connected oa specific, pre-identified phone number, and after a process is followed where a state agency decision-maker independent of the user — such as a court authorizes that use consistent with a written domestic law. Where not clearly defined under domestic law, or where domestic aw is not consistent with intemational norms, NSO includes contractual provisions defining specific crimes and terorismrelated activites — based on definitions in international instruments ~ in respect of which our products may be used. ‘We limit the specific crimes in respect of which — and the geographic scope within which — our products may be used, along with the duration of our agreements, where appropriate, to ensure NSO can regularly review the appropriateness of each relationship. Customers are obliged to provide timely notice to NSO of any knowledge they may have regarding suspected misuse that may result in a human rights violation, and to cooperate with NSO investigations regarding allegations of human rights violations. 1B Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available t the Department of sie, Waliogion DC NSO ensures we have the contractual right to suspend or terminate use of our products for human rights-related misuse ‘Additional human rights-related assurances are required based on identified risks or ‘mitigation measures, such as training requirements, cerification conditions, enhanced termination rights and other measures. Ongoing Oversight Al customers are subject to ongoing oversight for compliance with the terms of their agreements and NSO's Human Rights Policy. Effective monitoring of customer activity is a significant challenge, since we do not have immediate insight into the use of our products. Moreover, as legitimate law enforcement agencies with a mission of protecting against terorism and serious crime, customers operate with stiet confidentiality requirements, including where required by law and/or judicial or customer procedures, and are reluctant to share information to prevent inadvertently compromising security and law enforcement activities. Despite these challenges, we regularly engage with customers to discuss human rights and ‘examine compliance with the terms of our agreements. We also review public information Sources for reports that may suggest potential misuse. We are always secking additional ways to improve our approach to ongoing oversight, and ‘Some current considerations are outlined in the main body of this position paper. ‘We do not license Pegasus to customers where, following our HRDD Procedure, we conclude there are inadequate country-level protections (including but not limited to an insufficiently. strong rule of lw) in place to confidently prevent misuse. As a result of our HRDD Procedure, from May 2020 through April 2021, approximately 15% of potential new opportunities for Pegasus were rejected for human rights concerns that could not be resolved NSO has rected more than USS300 million in opportunities based on the outcomes of our HRDD Procedure. Grievance Policies NSO encourages both intemal and extemal stakeholders to raise concerns of misconduct, Our grievance mechanisms allow both confidential and anonymous reporting. However, we encourage whistleblowers to interact directly with an assigned team of discreet investigators, including by providing information that may help substantiate allegations. NSO takes all due care to keep whistleblower information confidential, where appropriate. Our policies, for both internal and extemal reports, also reflect the company’s commitment to protect whistleblowers from any unfair or detrimental treatment. Internal Whistleblower Policy ‘Adopted in September 2019, this intemal policy encourages openness and support for whistleblowers who raise concerns in good faith, and provides protection for whistleblowers from detrimental treatment as a result of raising genuine concerns. Applies to all employees, consultants, officers, and directors. 1“ Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available tthe Department of sie, Waligion DC Provides a grievance mechanism to raise concerns o the NSO's most senior management including exceutive management, General Counsel, and the Vice President for Compliance — through a dedicated email account, ‘Though anonymous reporting is supported, interaction with investigators is encouraged, which allows for a more thorough investigation of all key facts. Investigators are required to evaluate all reports, investigate where there is sufficient information, and conduct extensive analysis and review of credible information. External Whistleblower Policy ‘Also adopted in September 2019, this promotes transparency by allowing any extemal person or body ~ including contractors, employees, partners, officers, and directors, as well as potentially affected individuals to report a grievance through a confidential email account, which is reviewed by the Vice President for Compliance. Encourages interaction with investigators, but provides safeguards for anonymous whistleblowers. Once the company receives a report from a whistleblower or otherwise identifies a concern, including through media or NGO reports, NSO conducts an investigation using the. framework described in NSO's Product Misuse Investigation Procedure. Investigations Adopted in April 2020, NSO’s Product Misuse Investigations Procedure (“Product Misuse Procedure”) provides a framework for responding to reports of potential product misuse. The procedure govems the timely investigation of potential product misuse — including a thorough review of potential human rights abuses — and requires consistent and swift mitigation ‘measures when appropriate. “The procedure aims to ensure that cach investigation is conducted in accordance with a ‘number of investigative goals, including to: «Comply with applicable laws and NSO policies, including the HR Policy, «Respect the rights of all stakeholders, «Determine key facts and causes, «Perform investigations objectively and expeditiously, «Draw appropriate conclusions, balancing the rights of stakeholders, «Undertake appropriate remedial action, if any, and «Preserve confidentiality of the incident reporter to avoid or minimize retaliation, if applicable. Upon receipt of information about a potential misuse, NSO undertakes, in all cases, a preliminary review to determine whether there is sufficient information to appropriately is Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis aval tthe Department of sie, Waligion DC investigate a potential instance of product misuse, including whether the allegation is technically feasible. The Vice President for Compliance also responds to the whistleblower, seeks any additional information necessary to conduct the preliminary review and any related investigation, and takes all necessary steps to avoid or minimize the risk of any retaliation against the reporter. The Vice President for Compliance coordinates with the Management Commitee to determine how to proceed. Following the preliminary review, the Management Committee determines whether to proceed with a full investigation and, if so, appoints an investigation team led by an attomey. Investigations may include a review of data, interviews, meetings, and an evaluation of objective risk factors, including an analysis of whether the customer has engaged in previous human rights abuses. NSO Compliance will evaluate information from the customer, such as information abou the process followed in connection with the use of NSO products to target specific individuals, the duration of use, circumstances leading an individual to believe they were targeted using an NSO product, and customer country information. “The customer is contractually required to provide this information, which is maintained in the customer's systems logs in a tamper-proof manner. Refusal to cooperate resuls in the. immediate suspension of the customer's right to use the system “The compliance team will also engage in an in-depth review of media reports, open source. rescarch, analysis of domestic law and protections, customer processes, and adherence to intemational human rights norms. “This analysis will include a review of the legal basis for the customer's use of NSO's products, their interference with individual human rights at issue and whether the customer applied sufficient safeguards when obtaining intelligence using NSO products. During an investigation, NSOs compliance team meets directly with our customer to ascertain: the extent of the customer's compliance with the terms of its contract; customer practices regarding compliance with the legal framework; operational protections; the customer reporting lines; responses 10 previous human rights abuses, if any; and the basis for interception. Investigation results are shared with the Management Committee and the GRCC to collaboratively determine next steps and potential remediation. Depending on the outcome of the investigation, when warranted, the company wil take appropriate corrective action to ‘mitigate potential harm. As a result of the findings, the customer may be subject to corrective action ranging from retraining to termination of the relationship. In some cases, we are unable to conclusively determine whether there was, or was not, a ‘misuse of our products. In those instances, we develop and implement additional mitigation ‘measures designed o prevent future misuse. ‘Through our experience conducting these investigations, and with recommendations from our extemal advisors, NSO has strengthened our initial du diligence and review processes, including by enhancing the intial assessment of domestic laws, strengthening contractual provisions, and providing human rights training for customer personnel. 16 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available tthe Department of sie, Waligion DC However, a number of inherent challenges remain, given the nature of our customers. Because of their strict confidentiality requirements, we are unable to provide actual or alleged victims with information about adverse impacs or implemented remediation, or even acknowledge relationships with specific customers. [Currently,] even where we identify product misuse, we cannot breach these confidentiality requirements. While we cooperate with states to ry to ensure that when abuses occur within their jurisdictions those affected have access to effective remedy, the confidentiality restrictions limit our ability to do much ‘more. While we follow the approaches described in the UNGP to the extent feasible with respect to remediation, both the UNGPs and we, ourselves, recognize that this is a complex and difficult area in particular for our sector. Training and Communications NSO conducts human rights trainings for employees and customers: Employees All new employees receive human rights training as part of their on-boarding process. ‘We provide staff with regular employee updates on human rights, including through the CEO's “all hands” meeting. The company trains existing employees in key functions — including sales, marketing, and those with direst relationships With customers ~ twice a year on human rights matters In 2020, the company, with support from human rights advisors, conducted approximately 18 targeted trainings focusing specifically on human rights. Some 121 participants attended these targeted training sessions. ‘The Vice President for Compliance also meets regularly with the company’s R&D team to discuss human rights concerns, mitigating measures, and relevant questions. Each new product is evaluated from a human rights perspective. Customers NSO also provides comprehensive human rights training to customers. This training includes a discussion of human rights obligations, the international framework for human rights norms, and customer responsibilities with respect to individual human rights, focusing on the right to privacy and the right to freedom of expression. Key stakeholders are required to attend. During 2020, approximately 127 customer participants attended the 18 human rights trainings held by NSO. Government Oversight Even after we have completed our internal human rights processes, we are closely regulated by export control authoritis in the countries from which we export our products: Isracl, Bulgaria and Cyprus. ” Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM 

Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM This tri i dsb b Pa Hastings LP on bef of NSO Group Adina fortis available tthe Department of sie, Waligion DC ‘The Defense Export Controls Agency (“DECA™) of the Isracli Ministry of Defense strictly restricts the licensing of Pegasus, conducting its own analysis of potential customers from a ‘human rights perspective, Transparency NSO is committed to transparency 10 the maximum extent possible, while necessarily we must respect our customers” critical national security considerations and our corresponding legally binding confidentiality obligations In June 2021, we published NSO's firs Transparency and Responsibility Report. As the first company in our sector to issue such a report, we are proud that we took a large step towards greater openness by volunteering as much detail as possible about NSO’s human rights program. All this notwithstanding the inherent challenges to prepare such a report, owing to our customers’ critical national security considerations and our corresponding legally binding confidentiality obligations. “This report was not intended as the last word on NSO's human rights work. To the contrary, we are committed to publishing further such reports, which we hope will show that we continu to improve our systems of preventing and mitigating misuse of our products and ensuing adverse human rights impacts. Also public is NSO's correspondence with the human rights Special Procedures of the UN Human Rights Council in recent years, in which we have sought to engage constructively on what it means to operate an effective human rights program in our sector and how NSO could contribute to multilateral and multi-stakeholder collaboration aimed at developing much- needed robust, effective, coherent and realistic sector-wide policy solutions. We hope to receive a response from the UN Special Procedures responding in equally constructive spirit to the questions, recommendations and invitation contained in our latest leter dated September 20, 2021 We are actively exploring various possible means of reducing or overcoming some. confidentiality constrains in order to further enhance our transparency. We appreciate that this is an important part of building trust with our stakeholders, identifying instances of product misuse by our customers, and enabling us to do more to ensure that victims of such ‘misuse are provided information and access to effective remedy. 18 Received by NSD/FARA Registration Unit 11/07/2023 2:59:21 PM