WhatsApp alleged that NSO helped government agencies deliver malicious software through seemingly harmless WhatsApp video calls, even if the targets never answered their phones. The malware was capable of initiating a powerful form of spying that included the ability to intercept communications, steal photos and other forms of data, activate microphones and cameras, track the locations of targets and more, said people familiar with NSO technology.
Targets, which also included religious figures and lawyers, were identified in 20 countries, according to the WhatsApp lawsuit.
An NSO surveillance tool called Pegasus has been implicated in spying on Washington Post contributing writer Jamal Khashoggi before he was killed by people affiliated with Saudi Arabia’s security services last year. A friend of Khashoggi, Omar Abdulaziz, has alleged in a lawsuit that his phone was infected with Pegasus without his knowledge and that the malicious software helped the Saudis snoop on Khashoggi.
Though human rights and privacy activists long have complained about the increasingly intrusive reach of such surveillance technologies, they have had little luck pursuing new laws or other remedies against makers of spying software as such tools have spread into many countries, with Israel being a leader in the field. This has prompted government surveillance victims to seek remedies in the courts. This suit was filed in the United States District Court in the Northern District of California.
“This is unprecedented,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School, who helped WhatsApp investigate the targeting of civil society groups and contacted some of the people affected. “It’s a huge milestone in digital rights and privacy.”
NSO rejected the allegations, saying its technology is used by governments and law enforcement to fight terrorism.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO said in a statement that was forwarded to The Washington Post by a Washington public relations agency.
The company said using its technology for any purposes other than preventing crime and terrorism is a misuse and contractually prohibited.
WhatsApp, which is owned by Facebook, said in a blog post that the company believes NSO and its parent company, Q Cyber Technologies, violated U.S. and California law, as well as the terms of service for WhatsApp.
“At WhatsApp, we believe people have a fundamental right to privacy and that no one else should have access to your private conversations, not even us,” said Will Cathcart, head of WhatsApp, in an op-ed that The Washington Post published online Tuesday. “Mobile phones provide us with great utility, but turned against us they can reveal our locations and our private messages, and record sensitive conversations we have with others.”
The suit should put governments that want to snoop on notice, said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, a civil liberties group.
“If you are an authoritarian government who buys spyware from NSO, you now run the risk of being caught,” said Galperin, who believes other tech companies whose platforms have been allegedly targeted by NSO could also follow WhatsApp’s lead.
The messaging service is encrypted end-to-end, making it difficult to intercept its communications. But such technologies are vulnerable to the hacking of the devices of individual targets where the calls and messages appear in decrypted form so their intended recipients can view or listen to them. Once a device is penetrated, the malicious software can take over nearly any function and turn it against the owner — typically with no sign that anything is amiss.
Many technology companies, including Facebook, Google and Microsoft, vastly expanded their use of encryption after the 2013 revelations about the extent of online surveillance by the National Security Agency. This bolstered the market for technologies, such as those produced by NSO, that rely on hacking targets rather than intercepting calls as they travel through phone and Internet connections.
WhatsApp said it stopped a sophisticated attack using NSO malicious software in May and subsequently alerted 1,400 users that they may have been affected. Citizen Lab, which long has researched the use of hacking technologies and their manufacturers, volunteered its services to study the impact on targets globally. At least 100 victims have now been identified, though WhatsApp declined to name the victims, citing privacy policies.
According to the suit, the WhatsApp users had numbers with country codes from several nations, including the Kingdom of Bahrain, the United Arab Emirates, and Mexico. The suit also noted that NSO’s clients include government agencies in those three countries, among others.
“This number may grow higher as more victims come forward,” the post from the company said. “We are committed to doing all we can, working with industry partners, to protect our users and guard against these kinds of threats.”
It also said, “This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users.”
NSO has a malware tool called Pegasus that, according to a Citizen Lab report from last year, has been used in 45 countries and, in at least 10, has been used to conduct surveillance across international borders. The report names six nations — Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates — that it says “have previously been linked to abusive use of spyware to target civil society.”
David Kaye, the U.N. Special Rapporteur on freedom of expression, has written about NSO and its history of working with governments that target members of civil society, but he said the surveillance industry overall needs more scrutiny in terms of its clients, its targeting and what safeguards, if any, are in place to prevent abuses.
“A fundamental problem with these companies — and NSO isn’t the only one — is that the private surveillance industry acts in practical darkness,” Kaye said Tuesday night, after the lawsuit was filed.
WhatsApp, founded in 2009, has become the world’s most popular messaging app, allowing free text, voice and video links carried free over the Internet. Facebook bought it for $19 billion in 2014, and it now has more than 1.5 billion users.