NSO’s own denial is internally incoherent. If they don’t have access to client data, how could they know whether or not this is a list of Pegasus targets?
https://twitter.com/iblametom/status/1417872410246885388
I mean, unless I’m missing something… you have to pick one. If you’re claiming you don’t have visibility on targeting & these numbers have “nothing to do” with NSO, then for all you know it might be a list of targets.
You can’t be all: “I know nothing of this murder or the victim. Also I was nowhere near 327 Spruce Street at 8:57 on the night of the 12th, and have never purchased Mapes brand 13.5 piano wire.”
“Necessarily” is also a bit of a dodge, though I guess unavoidable unless you want to claim “none of these people were Pegasus targets.” Could easily be a list derived from some process preliminary to Pegasus targeting, but not exclusively used for that purpose.
On the generous assumption NSO is at least technically telling the truth, that may be the scenario that best fits the facts. Because it sounds like they know or suspect what the list is—one of their prior statements linked it to Home Location Register lookup services.
(The Home Location Register is a database of information about mobile subscribers & where their phones most recently touched a network, and inter alia used to manage handoff between cellular networks.)
So suppose everyone’s telling the approximate truth, at least “technically.” You could have a list derived from some pattern of queries against HLR databases that’s *highly correlated with* Pegasus targeting, but not literally a “Pegasus target list.”
Here’s the NSO response I have in mind… washingtonpost.com/investigations… 
Now, unless the rate of reporters and activists hacked by Pegasus is appallingly high, or Amnesty’s analysts have made a huge and embarassing mistake, Amnesty’s hit rate for signs of breach is too good for the list to be totally unrelated to Pegasus…
But, for the sake of argument, let’s suppose NSO is trying to say strictly-true (but possibly misleading) things in response. One way to make those pieces fit is that there are patterns discernible from HLR lookups…
…that are substantially but not perfectly correlated with Pegasus targeting. Which NSO certainly doesn’t want to draw explicit attention to, because your spyware sounds a bit crap if third parties can infer probable targets from patterns in HLR lookup data.
This does potentially resolve the contradiction I mentioned in my first post: NSO knows there’s a way to imperfectly detect Pegasus targeting based on HLR lookup data, and relatively quickly figured out that’s what “the list” was…
This allows them to “honestly” deny the List is a List of Pegasus targets, even without visibility on client activity, because they know what the list is & how it was generated, and that it doesn’t perfectly map to Pegasus targets.
But they also don’t want to say: “OHO: this is MERELY a 70% accurate method for identifying Pegasus targets from HLR lookup data” because, you know, bad marketing. Pegasus must be stealthy like ninja.
And because even I can draw this inference, they pull a “no further questions!” because they’re running out of space to avoid an embarassing admission without lying, and probably several tech reporters had made similar guesses.
Or not! This is me thinking out loud about one possibility. I can think of others, and probably there are many more I’m not smart/knowledgable enough to think of. Just a “this seems like one option roughly compatible with public facts.”
That said, if this turns out to be even approximately accurate, I will still do a “CALLED IT” endzone dance & memory hole all these caveats.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
