There are two open entrances into the Parc des Expositions, a short train ride from the heart of Paris just outside of Charles de Gaulle airport. Walk into Hall 5 and you might see what looks like an Apple store for armies: powerful weapons positioned to look beautiful on minimal marble tables, or hanging from walls like pieces of art.
The presentation is aimed at selling to hordes of buyers from countries all around the world, from the United States to the United Arab Emirates—some in full military dress and most outfitted more discreetly, with name tags hidden in their inside jacket pockets. The machine gun sales pitches and spyware product demos take place in an atmosphere of mild discomfort, the consequence of a secretive industry doing business in a semi-public space.
The 246,000-square-meter Parc des Expositions complex is home to Milipol, the world’s biggest gathering of companies selling the latest, greatest, and most powerful technology to militaries, police, and intelligence agencies. In a world of seemingly permanent geopolitical tension and security fears, this is the event no enterprising arms dealer can miss.
It’s Hall 4 that’s devoted to the future of cyber, a domain of war where demand is growing rapidly. Some countries have the goods in spades, but most countries lack powerful cyber capabilities, and every country wants more.
The physical side of the show—the guns, grenades, and armored vehicles—has experienced an enduring boom ever since 9/11. But it’s the cyber side—the spyware, interception kits, and cybersurveillance tools—that has seen rapid growth ever since the Arab Spring proved that the internet is a tool powerful enough to bring down regimes. Those very same regimes, and many others, come to shows like Milipol looking to buy their way to stronger control.
Milipol is where you buy it.
Milipol is a rare moment of relative transparency for an industry used to secrecy.
“It’s important to let people know what companies are out there and who they’re selling to,” says Edin Omanovic of the UK-based organization Privacy International. “It’s important to know if regulation is in place. You can’t hold these decisions to account if you don’t know what the decisions are.”
NSO Group, the Israeli company currently embroiled in a long list of controversies over alleged spyware abuse, is one of many vendors to set up shop at the conference. NSO’s booth is one of the biggest on the floor, but relatively private, with a dark cyberpunk theme. Skyscraper walls keep visitors discreet and conversations private as deals are being made.
The surveillance industry has come under intense scrutiny in recent years, none more so than the spotlight on NSO Group. The company has been sued by WhatsApp for allegedly spying on politicians, journalists, and human rights activists in India, Mexico, the United Arab Emirates, Bahrain, and Saudi Arabia. It denied all allegations of wrongdoing while it went on a public relations offensive and adopted the United Nations guidelines on human rights.
Israel is a dominant country in the industry thanks to “the Israeli mind and the Israeli experience,” says Alon Shahak of the Israel Export Institute. Its life in a hostile neighborhood has given rise to a world-class hacking industry by necessity. Drones, weapons, and armor companies from Israel are hawking their goods at Milipol too.
At Milipol you can buy potent zero-day vulnerabilities or powerful data interception equipment plus the drones, vehicles, or backpacks to move hacking tools wherever needed. All of that is a short walk from the machine guns, grenades, and state-of-the-art mine detection tech. If you need matching body armor and holsters for you and your attack dogs, I know the booth you should go to.
Despite the tens of thousands of visitors, the company organizing the event, Comexposium, makes sure attendance is limited to professionals. There are no hobbyists or NRA gun fetishists here, says Michael Weatherseed, who runs the security unit at Comexposium—not unless they have a weighty professional title too.
But it’s cyber that’s growing the fastest as the sector attracts new people, companies, buyers, and technology thanks in part to the success of high-profile, high-controversy firms like NSO Group.
An NSO employee who declined to be named says the company is unreasonably attacked in spite of efforts to abide by United Nations guidelines on human rights. The reported government abuse of NSO Group’s hacking tools has given rise to ethical concerns inside the company, the employee says, but management has done an effective job of making employees feel that those concerns are heard and that outside criticism is overblown.
The big question facing these increasingly powerful companies is whether there is anything they should or even could do to prevent abuse of their powerful surveillance technologies by the governments that pay them millions. The tech has targeted terrorists and criminals but also opposition politicians, human rights activists, journalists, and many others.
NSO Group is said to have declined or canceled multiple contracts because of abuse concerns, although there is no specific information on those cases. The employee is unaware of any team within the company paid specifically to find and prevent abuse by government customers, a common tool in many big tech companies.
The company responded by saying they “always investigate whenever we become aware of a well-founded report of alleged unlawful digital surveillance and communication interception that might involve a customer’s use of our products.’” Such an investigation is carried out by the Governance, Risk and Compliance Committee.
"While misuse is extremely rare, the company takes it seriously and considers using the technology for anything other than prevention or investigation of crime and terrorism a misuse," a company spokesperson says.
However, NSO Group did not respond to the question of whether anyone within the company is proactively looking for abuse as opposed to responding to outside reports.
Sometimes acts of war can get in the way of the business of war.
The Paris show is Milipol’s flagship event. Others take place in Kuala Lumpur, to serve Asian customers, and in Qatar, for the demanding Middle East region.
The Qatar event is getting complicated because the Saudi Arabians and their regional Emirati allies, some of the biggest and wealthiest customers for these companies, refuse to enter the country because of diplomatic conflict. That clash has roots in the Arab Spring, the Yemeni civil war, and ongoing terrorism throughout the region.
“But we did the Qatar event last year anyway,” Weatherseed says. “It was still a record year. No Saudis or Emiratis this time, but we still had the Kuwaitis, Bahrainis, and countries from Northern Africa, Western Asia, and Southern Asia. Despite it all, everything worked well. And my prediction is that the cyber sector at these events will only continue to grow.”
The Persian Gulf is home to a trio of major events where spyware companies and government officials mingle to make multimillion-dollar deals. Milipol, ISS World, and IDEX all attract big crowds with increasing demands. Tal Dilian, the CEO of the surveillance company Intellexa, says Asian and African governments feel more comfortable purchasing surveillance equipment and spyware in the region—where, critics say, there is less legal oversight of the booming industry.
But judging by the expensive bottles of champagne several salespeople popped at the end of this show, it’s safe to say Paris was yet another big surveillance industry success.
Update: The article has been updated to include NSO Group's response to questions about anti-abuse.