Pavel Durov, CEO and co-founder of chat platform Telegram, is the latest person to be swept up in the ongoing scandal involving the NSO Group.
The Guardian reports that Durov’s number was recently identified in a leaked list of some 50,000 cell phone records that researchers say represent “potential surveillance targets” of NSO’s Pegasus spyware, implying that one of the company’s customers may have been spying on him.
That list was recently shared with news outlets by Amnesty International and the French non-profit Forbidden Stories and has served as the basis for a broad investigation into the Israeli surveillance firm’s business practices. It has included the phone numbers of presidents, former prime ministers, and a king, as well as journalists, lawyers, and political activists. The ultimate source of the data has not been publicly disclosed.
So far, it’s unclear why Durov would be a target for surveillance — and it is unconfirmed that he is. However, The Guardian reported that the businessman was added to the list not long after he officially changed his residence from Finland to the United Arab Emirates — a reported NSO client. The outlet subsequently theorizes that it may have been a case of the UAE government “attempting to run checks on their controversial new resident.”
The question as to whether Durov was placed under surveillance raises some especially thorny issues, considering the fact that his company prides itself on prioritising privacy and security. Telegram offers customers the option to encrypt their chats as well as the promise of safety “from hacker attacks.”
When questioned by The Guardian about Durov, NSO seemed to sidestep the issue:
Asked directly whether Durov’s phone was a target of Pegasus or any other activity related to the spyware, an NSO spokesperson did not directly answer the question. They said: “Any claim that a name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.”
NSO has continued to disavow the allegations against it and announced Wednesday that it would no longer be responding to requests for comment from the press.
“Enough is enough!” a company spokesperson proclaimed. “In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.”
The company also repeated that the list has nothing to do with NSO clients’ surveillance targets: “We will state again: The list is not a list of targets or potential targets of Pegasus.” In recent days, the firm has also issued numerous rebuttals to the Washington Post for its coverage of the apparent scandal.
However, NSO’s claims are at odds with investigative findings related to the data cache. Amnesty International has forensically analysed at least 67 phones whose numbers were on the list, finding digital traces of NSO’s spyware on 37 of them (tests on the other 30 devices were deemed inconclusive). This study was subsequently peer-reviewed by Citizen Lab, an academic research unit with the University of Toronto that has also been deeply involved with the project.
Also contradicting the company’s narrative is the fact that, in a legal letter sent to Forbidden Stories, NSO apparently said that it “does not have insight into the specific intelligence activities of its customers,” which would seem to preclude it from knowing whether the numbers on the list are legitimate or not.
It’s true that some clarity is still missing surrounding the list. For instance, it’s unclear where the leaked data came from, and the ultimate nature of its entire contents haven’t ultimately been proven. News outlets have largely treated the data dump as a compilation of “persons of interest” for NSO clients — individuals who may have been at least considered as targets for spyware deployment, if not outright targeted.