Milipol is a rare moment of relative transparency for an industry used to secrecy.

“It’s important to let people know what companies are out there and who they’re selling to,” says Edin Omanovic of the UK-based organization Privacy International. “It’s important to know if regulation is in place. You can’t hold these decisions to account if you don’t know what the decisions are.”

NSO Group, the Israeli company currently embroiled in a long list of controversies over alleged spyware abuse, is one of many vendors to set up shop at the conference. NSO’s booth is one of the biggest on the floor, but relatively private, with a dark cyberpunk theme. Skyscraper walls keep visitors discreet and conversations private as deals are being made.

The surveillance industry has come under intense scrutiny in recent years, none more so than the spotlight on NSO Group. The company has been sued by WhatsApp for allegedly spying on politicians, journalists, and human rights activists in India, Mexico, the United Arab Emirates, Bahrain, and Saudi Arabia. It denied all allegations of wrongdoing while it went on a public relations offensive and adopted the United Nations guidelines on human rights.

Israel is a dominant country in the industry thanks to “the Israeli mind and the Israeli experience,” says Alon Shahak of the Israel Export Institute. Its life in a hostile neighborhood has given rise to a world-class hacking industry by necessity. Drones, weapons, and armor companies from Israel are hawking their goods at Milipol too.

At Milipol you can buy potent zero-day vulnerabilities or powerful data interception equipment plus the drones, vehicles, or backpacks to move hacking tools wherever needed. All of that is a short walk from the machine guns, grenades, and state-of-the-art mine detection tech. If you need matching body armor and holsters for you and your attack dogs, I know the booth you should go to.

Despite the tens of thousands of visitors, the company organizing the event, Comexposium, makes sure attendance is limited to professionals. There are no hobbyists or NRA gun fetishists here, says Michael Weatherseed, who runs the security unit at Comexposium—not unless they have a weighty professional title too.

But it’s cyber that’s growing the fastest as the sector attracts new people, companies, buyers, and technology thanks in part to the success of high-profile, high-controversy firms like NSO Group.

An NSO employee who declined to be named says the company is unreasonably attacked in spite of efforts to abide by United Nations guidelines on human rights. The reported government abuse of NSO Group’s hacking tools has given rise to ethical concerns inside the company, the employee says, but management has done an effective job of making employees feel that those concerns are heard and that outside criticism is overblown.

The big question facing these increasingly powerful companies is whether there is anything they should or even could do to prevent abuse of their powerful surveillance technologies by the governments that pay them millions. The tech has targeted terrorists and criminals but also opposition politicians, human rights activists, journalists, and many others.

NSO Group is said to have declined or canceled multiple contracts because of abuse concerns, although there is no specific information on those cases. The employee is unaware of any team within the company paid specifically to find and prevent abuse by government customers, a common tool in many big tech companies.

The company responded by saying they “always investigate whenever we become aware of a well-founded report of alleged unlawful digital surveillance and communication interception that might involve a customer’s use of our products.’” Such an investigation is carried out by the Governance, Risk and Compliance Committee.

A view of some of Milipol's intelligence, surveillance, and spyware companies selling their wares. Photo: Patrick Howell O'Neill

"While misuse is extremely rare, the company takes it seriously and considers using the technology for anything other than prevention or investigation of crime and terrorism a misuse," a company spokesperson says.

However, NSO Group did not respond to the question of whether anyone within the company is proactively looking for abuse as opposed to responding to outside reports.

Future-facing

Sometimes acts of war can get in the way of the business of war.

The Paris show is Milipol’s flagship event. Others take place in Kuala Lumpur, to serve Asian customers, and in Qatar, for the demanding Middle East region.

The Qatar event is getting complicated because the Saudi Arabians and their regional Emirati allies, some of the biggest and wealthiest customers for these companies, refuse to enter the country because of diplomatic conflict. That clash has roots in the Arab Spring, the Yemeni civil war, and ongoing terrorism throughout the region.

“But we did the Qatar event last year anyway,” Weatherseed says. “It was still a record year. No Saudis or Emiratis this time, but we still had the Kuwaitis, Bahrainis, and countries from Northern Africa, Western Asia, and Southern Asia. Despite it all, everything worked well. And my prediction is that the cyber sector at these events will only continue to grow.”

The Persian Gulf is home to a trio of major events where spyware companies and government officials mingle to make multimillion-dollar deals. Milipol, ISS World, and IDEX all attract big crowds with increasing demands. Tal Dilian, the CEO of the surveillance company Intellexa, says Asian and African governments feel more comfortable purchasing surveillance equipment and spyware in the region—where, critics say, there is less legal oversight of the booming industry.

But judging by the expensive bottles of champagne several salespeople popped at the end of this show, it’s safe to say Paris was yet another big surveillance industry success.

Update: The article has been updated to include NSO Group's response to questions about anti-abuse.