Perspective

The WhatsApp-NSO Group Lawsuit and the Limits of Lawful Hacking

Published 6 November 2019

On 29 October, WhatsApp sued the Israeli cybersecurity company NSO Group for installing surveillance malware on the phones of more than a thousand WhatsApp users, including journalists and human rights activists. (The WhatsApp vulnerability that NSO Group exploited was publicly reported in May 2019 and patched shortly thereafter.) WhatsApp sued primarily under the Computer Fraud and Abuse Act (CFAA), the main federal law criminalizing computer hacking, which also permits private lawsuits. Alan Z. Rozenshtein writes that the complaint is notable for what it doesn’t include: the identity of the “customers” on whose behalf NSO Group installed the malware. But it’s pretty easy to figure out.

Alan Z. Rozenshtein writes in Lawfare that the complaint is notable for what it doesn’t include: the identity of the “customers” on whose behalf NSO Group installed the malware.

He adds:

But it’s pretty easy to figure out. NSO Group’s website advertises its product as meant to help “government agencies prevent and investigate terrorism and crime.” Previous reporting has tied NSO Group malware to human rights abuses around the world—most notably the murder of journalist Jamal Khashoggi, though NSO Group denies that its software was involved in the killing. Lawfare has previously covered how tools made by NSO Group (and similar companies such as FinFisher and Hacking Team) enable human rights violations by repressive regimes.

Rozenshtein writes that when malware is used to violate human rights, it’s laudable for companies to do whatever they can, including filing civil CFAA suits and taking similar legal actions, to stop others from exploiting vulnerabilities in their software. “At the same time, the implications of WhatsApp’s lawsuit go beyond the misuse of malware. If the suit is the beginning of a trend, it may ultimately make it harder for governments to use malware responsibly in pursuit of legitimate public safety and national security objectives.”

He continues:

In the debate over law enforcement access to encrypted data, “lawful hacking” has emerged as a promising path forward. Law enforcement needs access to encrypted data to carry out its public safety mission, but the broader importance of secure encryption to information security makes installing “backdoors” potentially too risky. Lawful hacking, by which governments would exploit existing vulnerabilities without requiring companies to create new ones, is one (albeit imperfect) way to address this problem.

Although governments themselves discover many of the vulnerabilities they use, they also rely heavily on a “gray market” in cyber vulnerabilities. When the FBI attempted to force Apple to unlock the iPhone of one of the San Bernardino shooters, what ended the standoff was help provided to the bureau from anonymous professional hackers. Likewise, the NSO Group malware at issue in WhatsApp’s lawsuit has also been used in high-profile law enforcement operations, most notably in the 2016 capture of Mexican drug lord El Chapo.

In suing NSO Group, WhatsApp is sending a signal that it will not tolerate the further development of lawful hacking.