WhatsApp and Facebook filed suit against the Israeli security firm NSO Group, alleging that in April 2019, it sent “malware to approximately 1,400 mobile phones and devices…designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users.” This step was taken, Facebook and WhatsApp claim, in order to circumvent WhatsApp’s end-to-end encryption. The social media companies are suing “for injunctive relief and damages pursuant to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502, and for breach of contract and trespass to chattels.”
The NSO Group has been accused of involvement in a range of activities, including providing the surveillance technology related to the death of Jamal Khashoggi and surveilling some of the journalists investigating, and the alleged victims of, former movie studio head Harvey Weinstein.
In August 2019, NSO co-founder and CEO Shalev Hulio appeared on 60 Minutes and denied any involvement with Khashoggi’s murder: “we had nothing to do with this horrible murder.” Of course, such a denial does not rule out the possibility that the firm’s surveillance software, Pegasus, was used by the Saudi government to penetrate Khashoggi’s phone. In terms of whether the NSO Group turns a blind eye to how governments that buy the technology use it, Hulio asserted:
…in the last eight years that the company exist, we only had real three cases of misuse, three cases. Out of thousands of cases of saving lives, three was a misuse, and those people or those organization that misuse the system, they are no longer a customer and they will never be a customer again.
In their suit regarding NSO Group’s Pegasus software, Facebook and WhatsApp asserted:
Defendants took a number of steps, using WhatsApp servers and the WhatsApp Service without authorization, to send discrete malware components (“malicious code”) to Target Devices. First, Defendants set up various computer infrastructure, including WhatsApp accounts and remote servers, used to infect the Target Devices and conceal Defendants’ identity and involvement. Second, Defendants used and caused to be used WhatsApp accounts to initiate calls through Plaintiffs’ servers that were designed to secretly inject malicious code onto Target Devices. Third, Defendants caused the malicious code to execute on some of the Target Devices, creating a connection between those Target Devices and computers controlled by Defendants (the “remote servers”). Fourth, on information and belief, Defendants caused Target Devices to download and install additional malware—believed to be Pegasus or another remote access trojan developed by Defendants—from the remote servers for the purpose of accessing data and communications on Target Devices.
Facebook and WhatsApp further alleged that those people targeted by NSO Group
had WhatsApp numbers with country codes from several countries, including the Kingdom of Bahrain, the United Arab Emirates, and Mexico. According to public reporting, Defendants’ clients include, but are not limited to, government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities.
In a Washington Post op-ed, WhatsApp head Will Cathcart claimed:
As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and Internet-hosting services that were previously associated with NSO. In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.
Cathcart claimed the attack “targeted at least 100 human-rights defenders, journalists and other members of civil society across the world.” He stated that “[t]his should serve as a wake-up call for technology companies, governments and all Internet users…[and] [t]ools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”
Last month, Amnesty International published a report detailing “targeted digital attacks against two prominent Moroccan Human Rights Defenders (HRDs) using NSO Group’s Pegasus spyware.” The ACLU said “these targeted attacks have been ongoing since at least 2017…[and] were carried out through SMS messages carrying malicious links that, if clicked, would attempt to exploit the mobile device of the victim and install NSO Group’s Pegasus spyware.”
Update and Correction: I erroneously mixed up the American Civil Liberties Union (ACLU) and Amnesty International in identifying the organization that researched and documented alleged digital attacks in Morocco. Sorry about that.