Few outsiders are granted access to the ultra-secretive world of NSO Group, the Israeli maker of the Pegasus spyware at the heart of a global phone hacking scandal. Gerard Araud, a former French ambassador, is one of them.

The recently retired diplomat took a position as a consultant to NSO in 2019, advising on human rights, soon after stepping down as France's ambassador to Washington during the tumultuous years of Donald Trump's presidency.

"I took the position because I found it interesting. It was a new world for me," Araud, who also served as French ambassador to Israel in the early 2000s, told AFP by telephone.

At NSO's offices, he discovered something resembling a classic tech start-up: teams of programmers "all between 25-30 years old, in flip-flops, black t-shirts, all with PhDs in computer science..."

His one-year mission from September 2019, along with two other external consultants from the United States, was to look at how the company could improve its human rights record after a host of negative news stories.

Earlier that year, the group's technology had been linked publicly to spying or attempted spying on the murdered Saudi journalist Jamal Khashoggi by Saudi Arabian security forces, which it denied.

Gerard Araud, former French ambassador to the United States, pictured here in 2018.
Gerard Araud, former French ambassador to the United States, pictured here in 2018. AFP / LUDOVIC MARIN

The group was acquired in 2019 by a London-based private equity group, Novalpina, which hired Araud to recommend ways to make the company's safeguard procedures "more rigorous and a bit more systematic," he said.

Since Monday, a consortium of media groups including The Washington Post, The Guardian and France's Le Monde newspaper have detailed allegations of how those supposed safeguards were ignored between 2016 and 2021.

Using what they say is a database of 50,000 numbers that were identified for possible hacking using Pegasus, the newspapers have detailed how human rights activists, journalists, opposition politicians and even world leaders appear on the list.

NSO Group has denied such a list exists.

NSO Group's Pegasus software has triggered controversy with allegations it has been used hack into the phones of journalists and rights defenders
NSO Group's Pegasus software has triggered controversy with allegations it has been used hack into the phones of journalists and rights defenders AFP / JOEL SAGET

Pegasus is believed to be one of the most powerful mobile phone hacking tools available, enabling clients to secretly read every message of a target, track their location, and even operate their camera and microphone remotely.

Its export is regulated "like an arms sale," said Araud, meaning NSO must seek approval from the Israeli government to sell it, and state clients then sign a lengthy commercial contract stipulating how the product will be used.

They are meant to deploy Pegasus only to tackle organised crime or terrorism -- the company markets itself this way -- but Araud said "you could see all the potential for misuse, even though the company wasn't always responsible."

Did the company have a means to check on the actual deployment of its programme, which some campaigners want banned?

Araud thinks not and said he believes the only leverage the company has after selling Pegasus is to stop offering software updates to clients if they are proven to be violating the terms of the contract.

"It's a small private company, there must be a few dozen employees. I don't think there can be any follow up," he said.

In a firm that practices "a form of extreme secrecy," he says he nonetheless became convinced that NSO Group worked with Israel's Mossad secret services, and possibly with the CIA.

He said there were three Americans who sat on the group's advisory board with links to the US intelligence agency, and the company has said that its technology cannot be used to target US-based numbers.

"There's a question about the presence of Mossad and the CIA. I thought it was both of them, but I have no proof," he said. "But I suspect they're both behind it with what you call a 'backdoor'."

A "backdoor" is a technical term meaning the security services would be able to monitor the deployment of Pegasus and possibly the intelligence gathered as a result.

Israel has denied having access to information from Pegasus.

Araud, an active user of Twitter, has faced criticism online for his decision to work for a company with alleged linked to human rights abuse.

"I have nothing to hide," he said. "I have no regrets."