Facebook is under fierce scrutiny for its decisions about political advertisements and consumer privacy, and its foray into developing a new cryptocurrency. So it makes sense that the company would try to drum up a little positive publicity and remind people that there are tech firms out there that pose much greater threats to privacy, democracy and civil liberties.
Whatever you may think of Facebook, the Israeli spyware company known as the NSO Group — whose products have been used to compromise devices belonging to lawyers, dissidents, journalists and diplomats around the world — is inarguably worse. So the decision by Facebook-owned WhatsApp to sue the NSO Group for compromising the mobile phones of WhatsApp users is a brilliant publicity move, casting Facebook as a staunch defender of its users’ privacy and a champion of internet freedom. Public-image rehabilitation aside, however, the lawsuit is also a genuine step forward for drawing attention to the spyware market and the need for stricter regulation of private surveillance companies like NSO.
Founded in 2010, the NSO Group sells a surveillance program called Pegasus that, in the company’s words, “enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device.” While NSO insists it does business only with government customers, it does not disclose which governments it works with and has repeatedly come under fire for targeting human rights activists and journalists — including at least one close confidant and colleague of Jamal Khashoggi, the Washington Post columnist who was assassinated in the Saudi consulate in Istanbul in 2018.
After Mr. Khashoggi’s assassination, one of his friends, Saudi dissident Omar Abdulaziz, filed a lawsuit charging the NSO Group with helping Saudi Arabia spy on his communications with Mr. Khashoggi. A slew of other lawsuits against NSO, including one filed this year by Amnesty International, have levied similar allegations that the company’s tools are used to surveil not just criminals and terrorists, as NSO insists, but also activists, journalists and dissidents. Those charges are backed up by a series of thoroughly researched reports published over the past three years by the University of Toronto’s CitizenLab tracing Pegasus to 45 countries and cataloging the ways the NSO Group enabled surveillance of Mr. Khashoggi, supporters of a proposed soda tax in Mexico, a human-rights activist in the United Arab Emirates and others.
But none of the researchers or activists who have gone up against the NSO Group in the past few years have had anything close to the reach or resources of Facebook. That doesn’t mean that WhatsApp will necessarily triumph in its lawsuit, which alleges that between April 29 and May 10 of this year, the NSO Group used WhatsApp to compromise roughly 1,400 mobile phones belonging to users in several countries, including Bahrain, the United Arab Emirates and Mexico. In fact, WhatsApp may have an uphill legal battle ahead especially given that part of its case rests on the Computer Fraud and Abuse Act, which makes it illegal to tap into computers without authorization, and that the devices that were compromised by NSO belong to WhatsApp users, not WhatsApp itself.
WhatsApp does its best to argue that NSO gained access to its own signaling and relay servers without authorization in the process of contacting WhatsApp users, but this is a dicey interpretation of the Computer Fraud and Abuse Act, akin to arguing that you need Google’s permission to send an email to a Gmail user through Google’s servers. And the lawsuit’s claims that the NSO Group’s operations “burdened” WhatsApp’s networks and injured the company’s “reputation, public trust, and good will” are unlikely to carry much weight — especially since many fewer people would have been aware of the Pegasus compromises had WhatsApp not publicized them in this suit.
But whether or not Facebook wins its case against the NSO Group, it’s doing an important service by bringing it in the first place. Just as the United States Department of Justice has filed a series of indictments against Chinese, Iranian and Russian hackers intended to “name and shame” the perpetrators even if they never stand trial and shed light on exactly how they operate, the Facebook lawsuit describes in detail how the NSO Group was able to compromise the phones of WhatsApp users even if those users never actually answered a call, clicked on a link or downloaded a file. The lawsuit lays out not just how NSO exploited WhatsApp software to compromise user phones, but also the underlying technical architecture that the NSO Group and its clients rely on to carry out their surveillance campaigns. For instance, the lawsuit identifies the operators of the malicious servers used by the NSO Group to distribute their spyware to WhatsApp user phones. According to the complaint, these servers were leased by NSO from Choopa, Quadranet and Amazon Web Services, three American-based companies.
Ideally, WhatsApp’s very public salvo against the NSO Group will garner enough attention to shame those companies into more carefully vetting their customers and cutting ties with clients that are using their infrastructure to distribute spyware. Even more important, the lawsuit could draw regulators’ attention to the NSO Group, as well as the larger problem of private firms’ hawking spyware programs like Pegasus that undermine the security and privacy of consumer devices. Recent reports that the NSO Group used WhatsApp to compromise senior government officials in multiple United States-allied countries may also help generate interest among lawmakers.
The Israeli government has, so far, stood behind the NSO Group and declined to revoke its export license, despite the best efforts of Amnesty International. But the United States and its allies should be leaning hard on the Israeli Ministry of Defense to reconsider this decision in light of how Pegasus is being used. Britain should also consider whether it can bring any pressure to bear on Novalpina Capital, the British private equity firm that purchased a majority stake in the NSO Group this year and promised a “significant enhancement of respect for human rights” at the company.
WhatsApp’s suing the NSO Group is, undoubtedly, a publicity ploy — but it’s also an important step forward for trying to stem the spread of corporate spyware across the globe by drawing attention to how it works, who is distributing it and who is helping prop up that industry by providing infrastructure or merely looking the other way. Whatever its motives, Facebook deserves some credit for refusing to be one of the many governments and tech companies that have chosen to quietly profit from the NSO Group’s business and tools. The United States and British governments would do well to follow suit.
Josephine Wolff (@josephinecwolff) is assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy and the author of “You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches.”
The Times is committed to publishing a diversity of letters to the editor. We’d like to hear what you think about this or any of our articles. Here are some tips. And here’s our email: [email protected].