On November 23, Apple announced that it had filed a lawsuit against Israeli cyber company NSO for using its flagship surveillance product Pegasus in the targeting of Apple users.

This was the latest development in a growing controversy surrounding the use of Pegasus following the release of a report by Amnesty International in June detailing how a number of governments and organisations were using Pegasus to track and spy on dissidents and journalists and oppress human rights. Amnesty International’s report also detailed how Pegasus was used to hack into the phones of several high-ranking politicians, including French President Emmanuel Macron.

Then in early November, the US Department of Commerce added NSO to its Entity List under the United States Export Administration Regulations (EAR), stating that NSO, along with other cyber companies added to the Entity List “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”

The EAR regulates the export from the United States, the reexport and retransfer outside of the United States of all goods and technology that are not sensitive military or space goods and technology, which are controlled by the International Traffic in Arms Regulations (ITAR). No export, reexport or retransfer of goods and technology controlled under the EAR may be made to a person or entity contained on the Entity List without prior approval from the Commerce Department’s Bureau of Industry and Security (BIS) and BIS generally operates a policy of denial with respect to all export license applications in connection with exports to parties named on the Entity List.

Other than a prohibition on exports, reexports and transfers, it is not prohibited to do business with companies on the Entity List, but being included on the list is damaging to a company’s reputation and will harm that company’s prospects of doing business with the U.S. Government. Other governments and businesses will generally also be more hesitant in dealing with a business that has been sanctioned by the U.S. Government in this manner.

What is interesting to note in the case of NSO, is that there are no suggestions that NSO actually broke any laws. NSO claims to have acted in full compliance with Israeli export control laws at all times and has only sold its products in accordance with export licenses issued to it by the Israeli Ministry of Defense. Furthermore, NSO is not accused of having violated any U.S. export control laws. The main accusation that can be levelled at NSO is that it did not do sufficient due diligence to determine how its customers were going to use its products. However, the law does not require a deep level of due diligence. Generally, exporters of military and dual use goods are required to obtain end-user statements from their purchasers in which they confirm that they are the end-user or provide details of who the end-user will be and they state in general terms what the end-use of the item will be. There is very little an exporter is required to do in order to confirm the accuracy of the contents of the end-user certificate or to obtain additional information.

Criticism was also levelled at the Israeli Government for being too lax in the manner in which it considered and approved the issuance of export licenses for the penetrative cyber products. This criticism has recently led to the IMoD reducing the list of countries to whom such products may be exported from 102 to 37, which included removing from the list of permitted countries Israel’s new friends, the United Arab Emirates and Bahrain.

The lesson that can be learned from this saga is that businesses in certain sectors or with certain kinds of sensitive technology, especially technology that can be used to quash human rights, need to go further than the letter of the law in order to stay on the right side of the court of public opinion. These businesses need to consider how they conduct themselves over a particular transaction, not just in terms of “legal compliance”. They need to weigh-up various other factors to determine whether or not a transaction might be advisable, even if legal – or at least how they might conduct themselves over the transaction in a manner that may provide them with greater protection against the kind of fall-out currently experienced by NSO.

Joseph Shem Tov & Co.’s partner Gil Rosen is very experienced in advising businesses in the defense and homeland security sectors, including cyber companies, on all matters related to international transactions, including export control considerations and will be happy to provide any assistance you may require.