The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Facebook spyware lawsuit opens a new front in encryption battle


with Tonya Riley


Facebook launched a new front in the battle over encryption yesterday by suing the Israeli spyware firm NSO Group for allegedly hacking WhatsApp, its encrypted messaging service, and helping government customers snoop on about 1,400 victims.

The targets included at least 100 journalists, political dissidents and human rights activists across 20 countries including the United Arab Emirates, Bahrain and Mexico, WhatsApp head Will Cathcart said in a Post op-ed.

The lawsuit marks the first time a messaging service has sued a spyware company for undermining its encryption and it could prompt a slew of suits against companies that have developed encryption workarounds bolstering governments' ability to spy on their citizens.

Facebook was also quick to connect the suit with U.S. government efforts to give law enforcement special access to encrypted communications, saying the alleged hack “reinforces why technology companies should never be required to intentionally weaken their security systems.”

The Justice Department, along with allies in the United Kingdom and Australia, has charged that expanding encryption on Facebook services will make it easier for child sexual predators to share illegal images on the site or to solicit children. But Facebook says that strengthening encryption protects users from all manner of nefarious actors, outweighing any damage.

“This should serve as a wake-up call for technology companies, governments and all Internet users,” Cathcart said. “Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”

The hack, which WhatsApp first alerted users to in May, was strikingly advanced. It gave hackers access to victims’ private messages, location data and other information just by making it look like they missed a call, according to a write-up from Citizen Lab, a cybersecurity threat tracking group that helped the investigation.

The company is asking for an injunction to stop NSO from violating its terms of service. It’s also calling on other tech firms to endorse a moratorium on selling spyware proposed by U.N. Special Rapporteur David Kaye.

Spyware companies say their tools are designed for government and law enforcement customers to conduct legitimate surveillance operations aimed at combating terrorism, organized crime and drug trafficking. Critics, however, say the companies turn a blind eye when governments and police use the tools to spy on activists and journalists.

An NSO tool called Pegasus was allegedly used to spy on Washington Post contributing writer Jamal Khashoggi before he was killed last year by people affiliated with Saudi Arabia’s security services. “A friend of Khashoggi, Omar Abdulaziz, has alleged in a lawsuit that his phone was infected with Pegasus without his knowledge and that the malicious software helped the Saudis snoop on Khashoggi,” as my colleagues Craig Timberg and Jay Greene report.

A crux of Facebook’s lawsuit is that NSO actually helped conduct some of the hacking operations rather than simply selling its tools to governments that used them. Specifically, “the attackers used servers and Internet-hosting services that were previously associated with NSO,” Cathcart said, and the company “tied certain WhatsApp accounts used during the attacks back to NSO.”

That distinguishes this from a 2015 case where an unnamed company sold the FBI a hacking tool to bypass encryption on a locked iPhone used by San Bernardino shooter Syed Farook. In that case, Apple urged the FBI to share the hack but never filed a lawsuit. 

NSO disputed any direct involvement in its clients' hacking along with other Facebook claims.

“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime,” the company said in a statement. “Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.”

Anti-surveillance and human rights groups were quick to applaud the lawsuit.

Amnesty International called on nations to revoke NSO’s export licenses.

Access Now called on Israel and the United Kingdom, where NSO parent Novalpina is based, to “take immediate action to forestall more violations.” 

Here’s the group’s Executive Director Brett Solomon:

That was echoed by former European Parliament member Marietje Schaake, president of the Cyber Peace Institute launched by Microsoft and other tech companies.

Cybersecurity experts also pounced on the suit. Here's Eva Galperin, cybersecurity director at the Electronic Frontier Foundation:

And a longtime security researcher who goes by the handle The Grugq:


PINGED: Six months after the Mueller report revealed that at least one Florida county election system was penetrated by Russian hackers before the 2016 contest, a top election official says the state is ready for any cyberattacks that 2020 might bring, Bobby Caina Calvan at the Associated Press reports.

Florida Secretary of State Laurel Lee declined to provide substantial details, though, from a review of the systems mandated earlier this year by Gov. Ron DeSantis (R.). During a news conference she said only that her office is working “to address any weaknesses or vulnerabilities that have been identified in advance of the 2020 election cycle.”

The state is providing more than $15 million in grants to local jurisdictions to beef up election security and will install a $2 million network monitoring system, Bobby reported. 

Lee acknowledged security hawks will still keep their eyes on Florida, a key swing state with a history of election problems. “I know Florida will be under great scrutiny when it comes to elections and elections security,” she said.


PATCHED: Ethical hackers gave D.C. lawmakers a firsthand lesson yesterday in how Russia and other adversaries could hack voting machines in 2020, Derek B. Johnson at Federal Computer Week reports. This is the second time this year that researchers connected with the Def Con cybersecurity conference's Voting Village have demonstrated for lawmakers a slew of hackable vulnerabilities they say could undermine the 2020 contest.

Rep. Cedric Richmond (D-La.), who chairs the House Homeland Security Committee's cybersecurity panel, told Derek he hopes the demonstrations will encourage voting machine vendors to fix vulnerabilities. “Sometimes if you can't get the legislation done, either holding the vendors accountable or creating potential exposure or liability for them is another way to motivate them,” he said. 

House Homeland Security Chairman Rep. Bennie Thompson (D-Miss.) slammed Republican lawmakers for skipping the event. “It's all for naught if our colleagues on the other side choose to do nothing,” he said.

The committee intends to hold hearings with voting machine vendors before 2020, Thompson said. 



PWNED: Google, Cloudflare and 13 other tech companies are pledging this morning to expand how they hire cybersecurity workers, including recruiting beyond four-year colleges, getting rid of certain job descriptions and developing clearer career paths in the field. The initiative comes from the Aspen Cybersecurity group, which says a growing shortage of cybersecurity workers in the United States could put the country at risk of major attacks.

There will be at least 500,000 unfilled cybersecurity jobs in the United States by 2021, according to a 2018 report from the group.

“It should deeply concern all Americans that businesses and government agencies are struggling to find enough cybersecurity workers,” John Carlin, chair of the Cyber & Technology Program at the Aspen Institute, wrote in a blog post.


— Cybersecurity news from the public sector:

FCC proposal targeting Huawei garners early praise (The Hill)

Significant Pennsylvania election law changes headed to governor’s desk (The Associated Press)

German Spy Chief Says Huawei Can’t Be ‘Fully Trusted’ in 5G (Bloomberg Law)

Blue Dog Democrats push Congress to fund state election security (The Hill)

Pentagon Tech Chief Defends Integrity of JEDI Award (Nextgov)


— Cybersecurity news from the private sector:

Exclusive: A ‘Magic’ iPhone Hacking Startup Bites Back At Apple Lawyers — And Demands $300,000 (Forbes)

The Ransomware Superhero of Normal, Illinois (ProPublica)

Cylance: More and more APT groups are relying on mobile malware to track dissidents (CyberScoop)


— Cybersecurity news from abroad:

Australia Proposes Face Scans for Watching Online Pornography (The New York Times)

Major vulnerability patched in the EU's eIDAS authentication system (ZDNet)

Cyber attack on Asia ports could cost $110 billion: Lloyd's (Reuters)


— Coming up:

  • The Judiciary Committee’s subcommittee on crime and terrorism will host a hearing entitled “How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors” on Tuesday at 2:30 p.m. EST.