WhatsApp, a popular cross-platform messaging service, sued the Israeli cybersurveillance firm NSO Group in federal court in San Francisco on October 26, 2019. WhatsApp, which is owned by Facebook, claimed that NSO’s technology was used to spy on more than 1,400 WhatsApp users across twenty countries.
Further, WhatsApp investigated the attacks, from April to May 2019, and found that the groups NSO targeted included one hundred journalists, prominent leaders, people who had faced unsuccessful assassination attempts, and various other members of civil society. NSO was using malicious voice calls designed to infect targeted phones with malware and steal messages from WhatsApp users in the United Arab Emirates, the kingdom of Bahrain, and Mexico.
NSO manufactures, distributes, and operates surveillance technology for governmental intelligence and law enforcement agencies all over the world. NSO was using WhatsApp servers to send the spyware to smartphones and other devices. The lawsuit was filed by WhatsApp in the United States District Court in the Northern District of California.
In WhatsApp’s complaint, it accused NSO of violating the Computer Fraud and Abuse Act (CFAA), a federal law, and raised state breach of contract and tortious interference claims. NSO said in a statement that it “will vigorously fight [those claims]” in the “strongest possible [way].” WhatsApp will be seeking damages and injunctive relief against NSO, to bar the company and anyone affiliated with it from using WhatsApp or Facebook.
WhatsApp’s legal team will aim to leverage the CFAA in an unorthodox way – to penalize hackers for both breaching WhatsApp servers and exploiting WhatsApp’s software to breach the devices of its users. This is a tricky legal argument because WhatsApp will have to show that it, as the plaintiff, was the victim in the hackers’ use of WhatsApp software to access users’ information, rather than the adversely affected users.
Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at Stanford Law School noted that “part of [WhatsApp’s strategy] is a publicity exercise calling out NSO” and that “[WhatsApp] is trying to up the embarrassment factor for NSO and other…hackers for hire.” The WhatsApp-NSO conflict serves as a good wake-up call and cautionary tale for technology companies and their users. The possibility of sophisticated hackers gaining access to one’s user data is not remote and could affect anyone. Even prominent companies like WhatsApp may not have defenses sufficient to protect their users.