PARIS (AFP) – The Israeli group NSO is in the eye of a storm over its Pegasus spyware – but it is far from the only company assisting governments in their covert surveillance operations.

Explosive allegations that Pegasus was used to spy on activists and even heads of state have drawn attention to the software, which allows highly intrusive access to a person’s cell phone.

But NSO is merely one player in an industry that has quietly flourished in recent years, arming even cash-strapped governments with powerful surveillance technology.

“These tools have become increasingly cheap,” said Allie Funk, a senior technology and democracy research analyst at the U.S.-based Freedom House.

“So it’s not just the major intelligence agencies in the world that can buy them – they are smaller governments, or local police agencies.”

Emerging economies such as India, Mexico and Azerbaijan dominate the list of countries where a large number of telephone numbers are suspected to have been identified as potential targets by NSO clients.

Professor Ron Deibert, director of the University of Toronto’s Citizen Lab research center, said such companies allowed governments to effectively “buy their NSA” – a nod to the U.S. National Security Agency, whose sweeping surveillance was exposed by Edward Snowden.

The Citizen Lab checks the internet for traces of digital espionage by governments.

Just last week it published an investigation into another secretive Israeli company that sells spyware to foreign governments, Candiru.

It seems to have been used similarly to target dissidents and journalists, from Turkey to Singapore.

And in 2017, Citizen Lab discovered that Ethiopia had used spyware developed by Cyberbit – another Israeli firm – to infect the computers of exiled dissidents.

Former ‘entrepreneur’ spies

“There are many factors why we see so many Israeli companies,” Prof Deibert said.

One is the “openly entrepreneurial” stance of the Israeli cyber espionage unit Unit 8200, who “encourage their graduates to go out and develop beginners after their military service,” he told AFP.

He added that there was “a strong suspicion” that Israel was gaining “strategic intelligence” from this technology being offered to other governments, by siphoning off some of the information gathered.

But while Israel is now facing calls for an export ban on such technology, it is not the only country hosting companies that sell off-the-shelf spyware.

Like Pegasus, Germany’s FinFisher is marketed as a tool to help intelligence and law enforcement agencies fight crime.

But it has also been accused of being used for abusive surveillance, including spying on Bahraini journalists and activists.

The Italian firm Hacking Team was at the center of its own Pegasus-style scandal in 2015 when a leak revealed it was selling spyware to dozens of governments around the world. It has since been rebranded as Memento Labs.

Not all companies in this shadow industry specialize in the same type of technology.

Some sell devices that mimic cell phone towers, helping authorities eavesdrop on phone calls; others, such as Cellebrite, have helped police forces from the U.S. to Botswana crack cell phones.

Gray area

Prof. Deibert made a distinction between companies operating in the “legitimate eavesdropping” industry and “hack for rent” outfits – borderline criminal groups “hacking on behalf of states”.

However, analysts suspect that spyware companies often rely on hacker expertise.

Recent versions of Pegasus have used vulnerabilities in software commonly installed on smartphones – such as WhatsApp and Apple’s iMessage – in order to install spyware on people’s devices.

While it remains unclear how NSO developers discovered these vulnerabilities, hackers typically sell access to these so-called “zero day vulnerabilities” on the dark web.

“NSO has done a lot of research and development, but also relies on the gray market for vulnerabilities,” said French cybersecurity expert Loic Guezo.

He said companies like Zerodium in the US buy access to these software vulnerabilities from hackers and sell them directly to states or to companies like NSO.

As the Pegasus scandal erupts, calls are mounting for the industry to face greater regulation – or even a moratorium on this type of surveillance technology altogether.

But for Prof. Deibert, “the reality is that almost all governments have an interest in keeping this industry as it is – secret, unregulated – because they benefit from it.”

“So it will take a lot to bring about the kind of moratorium my colleagues are looking for,” he said.