No dispute there. That’s why you should push for accountability and transparency. When we discover groups like NSO, we (the public) should be able to use FOIA like mechanisms to query these cloud providers and check if they are doing business with these criminals. We should be able to see who exactly approved their application and why they didn’t fail whatever standards we (the public) have decided that cloud providers should uphold. Maybe the standards had gaps or maybe there is corruption. Either way, the public has a method for feedback into key parts of society: cloud providers.
