by esens 1794 days ago
Anyone notice that this statement from NSO in the article doesn't make sense:

"NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers."

If this is true, how do we have a singular list of all phone numbers penetrated? If there was this type of "segmentation" or firewall between NSO and its clients, why was there this huge central data leak?

NSO is tracking what its clients are doing. It may not be telling its clients it is also tracking them. I wouldn't be surprised if NSO could also access every one of those penetrated devices as well independently of its clients.

They are trying to claim that the service is so fully automated that it is the client that does the selection of the target. They claim that their system does not require any fine-tuning from their side, etc.

And that's totally bullshit.

“It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter.” - Nathaniel Borenstein

Quoted at https://blog.codinghorror.com/your-favorite-programming-quot...

So the good old plausible deniability?

It could mean that NSO controls the infrastructure that manages the tool, but that they don't actually collect the data themselves. So what they said could technically be true if all they do is manage the infrastructure that enables their clients to do the collection of data.

But do they have access to the phone numbers that their customers are targeting? That seems by itself to contradict their statement ("nor has any access to any kind of data of its customers") right there.

Something isn't adding up.

> Something isn't adding up

It's bullshit at best.

If we assume they aren't lying, which is generous given their track record, it could be that they provide the tools and infrastructure to collect the data, but don't instruct the software to collect the data. Sort of like if I had a loaded gun and told you I would point and shoot it where you told me to, and then argued that I didn't technically make the decision. It's technically true and complete bullshit.

But then where did the list of numbers come from, if there is no "access"?

They could be lying, or they could just be trying to use weasel words. "Data" could be referring to collected data, and they consider phone numbers "metadata". I haven't been following the story though, so I don't know which is more likely.

Seems more likely they’re lying.

How does that clear with "NSO does not operate its technology" though?

Thank you. I was trying to understand this myself.

NSO seems to be trying to distance themselves from how its software is used by its "clients," but that seems undercut by the plausible supposition that NSO knows exactly who its clients' targets are.