WhatsApp has filed a lawsuit against Israeli surveillance firm NSO Group, raising questions around the complicated role the private sector plays in facilitating government surveillance and the dangers posed by its cyberweapons ending up in the wrong hands.
The Facebook-owned messaging app has alleged that NSO Group’s WhatsApp spyware was used against more than 100 human rights activists, journalists and lawyers earlier this year.
The private security company had exploited a vulnerability in the popular messaging app to inject commercial spyware, known as Pegasus, onto phones. Pegasus gives the attacker complete control over a phone’s functions without the victim having to accept a phone call.
WhatsApp says it is the “first time an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack”.
While the legal move is unprecedented, the underlying principles are familiar – but this time they will be played out in a very different way.
The end-to-end encryption used by WhatsApp and many other messaging apps means that only the sender and recipient can view the message in its original text format. Anyone trying to intercept it – including the tech companies providing the messaging service – would see only gobbledygook.
This is a problem for government intelligence agencies when they have a legitimate reason to see what two criminals are saying to one another.
Nation states in the ‘Five Eyes’ intelligence pact – the US, UK, Canada, Australia and New Zealand – have previously called on technology companies to build backdoor access to users’ encrypted data. This was fiercely rejected by tech companies who – rightly – warn that a backdoor for one person is a backdoor for everyone, including criminals.
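To make the two points above concrete (the provider relays only ciphertext, and an escrowed key is readable by anyone who obtains it), here is a toy end-to-end relay. It is an added illustration, not WhatsApp's protocol or any NSO Group code: it assumes the two endpoints already share a secret agreed out of band, uses a standard-library HMAC-SHA256 counter keystream with an encrypt-then-MAC tag in place of a real AEAD, and the `Relay` class, the `backdoor` flag and the sample message are constructed for the demonstration.

```python
"""Toy end-to-end encrypted relay (added example, not WhatsApp's protocol).

Assumed construction: HMAC-SHA256 in counter mode as the keystream, plus an
encrypt-then-MAC tag, standard library only. A production messenger would use
a vetted AEAD and a real key agreement; the point here is who holds the key.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret):
    # Split one shared secret into independent encryption and MAC keys.
    enc_key = hashlib.sha256(b"enc" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac" + shared_secret).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(shared_secret, plaintext):
    # Returns nonce || ciphertext || tag. Only key holders can read or forge it.
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(shared_secret, blob):
    # Verify the tag first (constant-time compare), then decrypt.
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Relay:
    """The messaging provider: stores and forwards blobs, holds no keys."""

    def __init__(self):
        self.mailbox = []

    def forward(self, blob):
        self.mailbox.append(blob)
        return blob


def run_exchange(plaintext=b"meet at noon", backdoor=False):
    # Sender and recipient share a secret the relay never sees, unless a
    # 'backdoor' (hypothetical key escrow) hands the provider a copy.
    shared = secrets.token_bytes(32)
    escrow = shared if backdoor else None
    relay = Relay()
    blob = relay.forward(seal(shared, plaintext))

    result = {
        "relay_sees_plaintext": plaintext in blob,
        "recipient_reads": open_sealed(shared, blob) == plaintext,
    }
    # Flipping one ciphertext bit is caught by the recipient's MAC check.
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01
    try:
        open_sealed(shared, bytes(tampered))
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    # Whoever obtains the escrowed key reads every message, not just one.
    result["third_party_reads"] = (
        escrow is not None and open_sealed(escrow, blob) == plaintext
    )
    return result


if __name__ == "__main__":
    print("no backdoor:", run_exchange())
    print("with escrow:", run_exchange(backdoor=True))
```

Running it without the `backdoor` flag shows the relay holding an opaque blob it cannot read and the recipient decrypting it; with the flag, the escrowed key is exactly the "backdoor for everyone" the tech companies warned about, because possession of that key, not the identity of its holder, is what decrypts the traffic.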
In the smog of this stalemate, private surveillance companies such as NSO Group have made millions selling spyware and digital exploits to governments that lack the legal or technical capability to create their own.
NSO Group says it vets its customers and takes measures to ensure its spyware is only used by licensed governments and law enforcement against criminals and terrorists. But WhatsApp and Citizen Lab’s investigation – triggered by the Financial Times’ reporting in May – is at odds with NSO Group’s assertion.
In September NSO Group introduced a Human Rights Policy, which it said would embed human rights protections “throughout all aspects” of its work. However, it also insists that it does not have oversight into who its spyware is used against.
As Will Cathcart, head of WhatsApp, pointed out in an op-ed for the Washington Post: “Both cannot be true.”
NSO Group lawsuit: Setting a precedent?
If allegations that NSO Group’s spyware was used to target journalists and human rights activists are proved correct, it raises serious questions about the Israeli firm’s vetting process. This, in turn, raises more questions about the private espionage industry, namely: can private companies be trusted to ensure their digital weapons don’t end up in the wrong hands?
History suggests it’s unlikely, particularly when the world’s largest information gathering agency failed to keep all of its cyber weapons secure.
In 2017 a mysterious hacker group known as the Shadow Brokers stole the EternalBlue exploit from the US National Security Agency (NSA), which had developed it. Shortly after, the exploit was used to carry out the WannaCry ransomware attack, crippling thousands of computers around the world.
“Several firms dealing in cyberweapons have been criticised when their spyware has turned up in inappropriate places, but this could all change if Facebook (WhatsApp) is successful in this suit,” says Craig Young, senior security researcher at Tripwire.
“The precedent set by a ruling in favour of WhatsApp could send shockwaves through this very murky industry, prompting vendors to be more considerate about how their weapons are used.”
Tony Cole, chief technology officer at cybersecurity firm Attivo Networks, agrees.
“Companies such as NSO, where you can ‘legally’ hire the expertise and license the software to ‘monitor’ people, is an issue right from the start,” he tells Verdict.
“A successful lawsuit from Facebook against them could set many precedents and most of them good. If Facebook wins, we could even see lawsuits against governments when their tools are stolen and leaked in the dark web and then used in attacks. Accountability is the key to us fixing many of the cyber issues we have around the globe.”
“Exploit code is a little bit like shooting an arrow”
NSO Group’s vetting process may ultimately prove futile given the danger of malicious code being reverse-engineered once out in the wild.
Tom Van de Wiele, principal security consultant at Finnish cybersecurity firm F-Secure, says that it is “technically possible” for a target of the spyware to reverse engineer the malware and use it against others.
But they would have to anticipate an attack coming and set their device to capture and record it via a honeypot or debugging setup, he tells Verdict.
“Then it is technically possible to recover and reverse engineer what issue is being exploited as well as the exploit code itself, where it would then be outside of the control of NSO,” he explains.
“The latter is always a risk for the attacker as once the exploit code is used, it can be picked up by someone and would then be branded as ‘burned’. That also means it can then be potentially re-used against others.
“Of course the attacker will also do their homework and pick their targets carefully so as to avoid exposing their exploit code as much as possible. In this sense, exploit code is a little bit like shooting an arrow. Once it flies over the enemy’s front line it’s now their property and can be shot back at will at whoever.”
Former British intelligence officer and head of cybersecurity at ITC Secure Malcolm Taylor has previously warned against what he describes as the privatisation of espionage capability. This takes place in two ways, he says.
“Fancy Bear and state action by proxy, and the leaking of powerful tools from private sector organisations. Which may all of course raise the question of whether, in our increasingly complex world, states can run espionage functions without the private sector?
“That’s an operational capability question and, contentiously, a legal question. In other words, are states using private companies to do what they are unable to, or not allowed to? The allegations in this case seem to be that it is the latter – the lawyers will decide.”
Verdict asked NSO Group what steps it takes to ensure its spyware doesn’t end up in the wrong hands, but is yet to receive a reply. The firm strongly disputes WhatsApp’s allegations.
Big Tech takes on the murky world of private surveillance
WhatsApp has accused NSO of violating the Computer Fraud and Abuse Act, albeit in an unconventional way. Where this law is usually used to punish hackers for breaching a company’s own devices, WhatsApp is pursuing legal action because its users’ devices were allegedly breached. Legal experts have warned that WhatsApp might struggle to make this stick.
It also creates a situation in which Big Tech – currently facing a ‘techlash’ – is pitted against another industry with its own long list of ethical issues.
For Facebook, arguably the poster boy for Big Tech, the NSO Group lawsuit could be construed as a public relations win on the very same day it agreed to pay a £500,000 fine for its role in the Cambridge Analytica scandal.
“This case is early, but details are needed. Was Facebook hurt by NSO? Are they mysteriously white knighting for 1,400 supposed victims? We need more details because this doesn’t distract from the heat Facebook is taking over misinformation and disinformation policies and the massive effect they can have on the lives of billions of people,” says Sam Curry, chief security officer at Cybereason.
“If Facebook is doing the right thing here on the final examination, great. But that does not exonerate other errors and transgressions from their past.
“Even if you’re a fireman who had saved dozens of homes, you will still go to jail if you are caught committing arson just once.”