Facebook is suing Israeli exploit developer NSO Group for utilizing WhatsApp to target 1,400 users with malware that allowed NSO’s clients to circumvent the chat app’s end-to-end encryption.
That NSO is being accused of helping bad people surveill good people is not news. NSO is not very selective when it comes to selling malware, putting its powerful tech in the hands of governments that seem just as likely to target NSO’s home country as they are to target local dissidents, journalists, and activists. NSO’s software and cavalier approach to sales have been exposed by multiple Citizen Lab investigations, which have outed NSO’s sales to blacklisted countries.
Facebook’s lawsuit [PDF] basically echoes the findings of Citizen Lab.
In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.
WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.”
Abusive it is, especially when you’re trying to tout the benefits of end-to-end encryption, only to have a malware developer show you how easy it is to route around these protections. NSO’s malware was spread using WhatsApp’s video chat feature, which apparently allowed government agencies to eavesdrop on communications and possibly access device contents.
This isn’t the only lawsuit NSO is facing.
NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.
Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to “stop it profiting from state-sponsored repression.”
This matters enough to NSO for it to engage in a very limited charm offensive. It has promised to abide by UN guidelines on human rights abuses, which means it’s going to have to trim a few countries off its client list. It also claims to have saved the lives of “tens of thousands” of people. It’s a great claim to make, especially when no one really expects you to back up it up with evidence or data.
That explains the lawsuit and Facebook’s desire to obtain a permanent injunction against NSO Group, blocking it from utilizing WhatsApp to spread malware. But the lawsuit is on pretty shaky legal ground. Worse, if Facebook somehow prevails, the much-abused CFAA will be rewritten in a way that’s going to harm plenty of people who’ve never sold malware to known human rights abusers.
Here’s Wired’s Andy Greenberg (and defense attorney Tor Ekeland) explaining just one of the problematic aspects of Facebook’s lawsuit.
To make that charge stick, WhatsApp will have to show that NSO obtained illegal access to WhatsApp’s own systems. Given that NSO’s targets were WhatsApp users rather than, say, WhatsApp’s servers, they’ll have to find an argument that they, as the plaintiff, were the victim. “The fundamental question is, what’s the unauthorized access?” says Ekeland. “You might be able to argue that NSO hacked WhatsApp and not just their users. Maybe they’re trying to make that argument. But they’re not being clear about it, and that lack of clarity is an attack vector for the defendant.”
Facebook’s on a clear path if it chooses to stick with the argument NSO violated its terms of service. Those terms specifically forbid reverse-engineering code or sending malware via the app. But even if it’s limited to that, the obvious solution is for Facebook to ban NSO from using its services. That may be close to impossible to do since Facebook doesn’t have access to its client list or their user accounts. Arguing past that point may cause problems, though.
I’m no fan of NSO and its client list, but I’m no fan of Facebook’s lawsuit, either. An opinion finding using internet services in a way their developers don’t like is not the precedent we need — not if we’re going to keep pushing for a safer internet for everyone. It will allow dominant players to establish rules that benefit the platforms and stave off competition from third-party offerings that attempt to address shortcomings major platforms refuse to correct. It will also prevent researchers from making online services safer or better, which will be a net loss for all platform users, even if it prevents a handful of authoritarians from exploiting a single service to target the people they think need more surveilling.
There’s a lot at stake here but Facebook can’t see past its immediate (and somewhat convenient, given its recent rakings over Congressional coal) desire to appear to be the good guy for once.
Permalink | Comments | Email This Story