Illustration: Sarah Grillo/Axios
In what could become a landmark case limiting how government surveillance contractors can operate, Facebook is suing Israeli firm NSO Group for allegedly hacking WhatsApp in order to monitor users on behalf of foreign governments.
Why it matters: Firms like NSO sell software ostensibly intended to surveil potential criminals and terrorists. In practice, their tools have been used to commit human rights abuses.
The big picture: Western governments and human rights advocates have raised their voices about those abuses, but so far they have been unable to stop them. The WhatsApp suit represents a different and potentially stronger kind of threat to the surveillance industry.
- If NSO and other surveillance software companies lose the ability to transmit spyware over popular, private networks, their ability to infect targets would dramatically decline.
- "For years, we wondered when private companies were going to reach the breaking point and sue," said John Scott-Railton, senior researcher at Citizen Lab, a University of Toronto outfit dedicated to rooting out cyber weaponry used to commit human rights abuses. "WhatsApp may be the beginning of that other shoe dropping."
- Citizen Lab worked with Facebook to investigate illicit WhatsApp activity at the center of the lawsuit. The lab has been a thorn in the side of NSO for years, documenting oppressive regimes using the software to spy on journalists, opposition politicians, protesters and religious figures — even advocates for a tax on soda in a country whose leaders did not want a tax on soda.
Details: In the lawsuit, Facebook claims that NSO used WhatsApp to send malware to 1,400 targeted cellphones and mobile devices. A blog post from WhatsApp says that at least 100 of those were civil society targets.
- The spread of NSO's tools and other firms' spyware isn't limited to WhatsApp. Researchers have seen surveillance products spread using phishing messages on a variety of platforms.
- Potentially, other tech firms' apps could follow Facebook's lead and seek to enjoin NSO from using their networks. That could include Amazon, which Facebook claims played an unwitting role in NSO's operations by renting the group cloud servers used to anonymize the attacks. Amazon did not reply to questions about whether it would take similar actions.
Context: NSO is a major player in commercial spyware, but by no means alone.
- Other companies selling commercial spyware include Gamma, Hacking Team, Intellexa, Ability, Verint, Fifth Dimension, and Circles Technologies.
The catch: Spyware contractors operate with the express permission of governments and are based abroad, blurring the issue of U.S. judicial oversight, even as it relates to the use of private networks.
- "Some of the issues are ones that will need to be litigated out and may need to be negotiated diplomatically," said Michael Daniel, former White House coordinator for cybersecurity and current president and CEO of the Cyber Threat Alliance.
What they're saying: NSO fiercely denies the charges in the Facebook suit, saying in a statement that it "considers any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. ... This technology is rooted in the protection of human rights — including the right to life, security and bodily integrity."
- NSO has recently announced new measures that it says are aimed at eliminating the use of its product in human rights abuses.