WhatsApp (and parent company Facebook) has been in a year-long battle against Israeli firm NSO Group over unauthorized use of its cyber surveillance tools on the platform. That case received an injection of support from fellow Silicon Valley firms as Google, Microsoft and Cisco Systems among others have filed an amicus brief in support of WhatsApp.
The brief provides expert testimony as to the cybersecurity risks created by allowing such cyber surveillance tools to be used by intelligence and law enforcement agencies on social media and e-commerce platforms. It is filed in counter to NSO Group’s request for sovereign immunity, arguing that setting such a precedent would allow foreign governments to violate United States law and create openings for criminal parties to engage in espionage.
NSO’s cyber surveillance tools under scrutiny
The case begins with NSO Group’s Pegasus spyware being targeted on the phones of at least 1,400 activists, lawyers and journalists located in 20 different countries in 2019, with the bulk of these requests allegedly made by the Indian government for the purpose of tracking political dissidents and human rights activists. The attackers were able to use a previously unknown zero-day WhatsApp vulnerability to send malicious messages through the platform, which would attempt to install spyware when opened. The Indian government is believed to be involved due to the target selection and the fact that NSO Group’s cyber surveillance tools are only supposed to be available to government law enforcement agencies. However, the damage was not limited to India: among the 1,400 parties that were attacked were the wife of a journalist who was murdered in Mexico and a close confidant of Washington Post journalist Jamal Khashoggi.
NSO Group has asked for sovereign immunity from the federal court due to its general business relationships with foreign governments (though it declined to specifically name any of those governments). WhatsApp and the tech giants are pushing back on this point, arguing that they should not have to entertain the use of their platforms in this way.
Google, Microsoft and Cisco Systems lent their names to the brief, but it is also signed by the Internet Association which represents many of Silicon Valley’s other big technology companies (including Facebook and Twitter). Additionally, the Electronic Frontier Foundation (EFF) filed its own separate amicus brief alleging that the ultimate decision in this case will impact the privacy rights of millions of people around the world. And CyberScoop is reporting that a number of other activist groups are preparing their own amicus briefs that are soon to be filed: Amnesty International, the Internet Freedom Foundation, Privacy International and Reporters Without Borders among them.
While amicus briefs are not specifically requested, they will be considered as expert testimony by the United States Court of Appeals for the Ninth Circuit as it weighs the outcome of this case. WhatsApp is alleging that NSO Group’s provision of the software to the attackers and its subsequent use in the US constitutes a violation of the Computer Fraud and Abuse Act, and that the firm should pay unspecified damages in addition to being barred from further use of Facebook or WhatsApp.
A blog post from Microsoft took NSO Group and its use of these sorts of cyber surveillance tools to task, calling these firms “private-sector offensive actors” and “mercenaries.” The post paints these groups as unaccountable private actors that would essentially answer to no one if given sovereign immunity protections normally reserved for agents of foreign governments.
The Pegasus spy tool has a disturbing range of capabilities: as it hides in the background of a victim’s device it can track their location, listen in on calls, view text messages, rifle through files and photos, and see what apps the target has installed. Any claim by NSO Group that it needs sovereign immunity to do this sort of work on behalf of the law enforcement agencies of its native Israel would likely be undermined by its seemingly free dealings with governments all over the world that in some cases oppose Israel’s national interests, such as provision of its cyber surveillance tools to Saudi Arabia and the UAE.
History of NSO’s cyber surveillance
The WhatsApp lawsuit also claims that NSO Group is not merely providing cyber surveillance tools to governments, it is facilitating their use. The lawsuit traced several incidences of the spyware back to servers controlled by NSO Group, some of which were located in the US.
Controversy is not unfamiliar for the now decade-old surveillance firm, which was founded by former Israeli army signals intelligence staff. The company’s software was implicated in the tracking of journalists in Mexico in 2012, an illegal espionage case in Panama in 2015, and spying cases involving members of Amnesty International and Citizen Lab in 2018. In April of 2019, NSO froze its partnership with Saudi Arabia over allegations that its cyber surveillance tools had been used to track Khashoggi ahead of his killing.