WhatsApp Sues NSO Group Over Exploit Which Attacked Political, Military Leaders in 20 Nations
DONATE: As many of you know, I support my blogging as a freelance journalist writing for publications like Middle East Eye, The Nation, Al Jazeera and Jacobin Magazine. It’s a precarious business since you are at the mercy of editors who you hope understand the importance of your work, but who sometimes don’t. You may pitch a story you believe is profoundly important and not even get a reply.
I’ve found that you go through troughs, periods when your work is valued and periods when you can’t buy a thrill. Periods when publications are interested and periods when they’re not. Right now, seems one of those periods. Recently, an editor commissioned this piece. When I produced the first draft, she said it “sounded like it was written for an Israeli audience.” Though the current published version is expanded and considerably different from the one I offered her, I’ll let you be the judge of that. She killed the piece. At least she offered a small kill fee.
That’s why I ask you, who have a better appreciation of the importance of my work, to step up now and support it with a donation. When the going gets tough, I need to rely on you to step into the breach. You understand how important this reporting is, the obstacles I face, and how few researchers and journalists are doing it. So take the next step. Please give generously via the Network for Good icon or Paypal button in the sidebar.
If you can’t donate, you can make friends, family and allies aware of this blog and encourage people to subscribe. It’s important to expand our audience and our presence in the media conversation.
Last June, WhatsApp revealed that the Israeli spyware company NSO Group used an exploit to compromise the communications of 1,400 users living mainly in Middle Eastern countries (as well as Mexico, and the latest targeted country, India). The Financial Times profiled some of the victims here. Today, Reuters revealed that senior government officials in as many as 20 countries were also targeted:
Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook Inc’s WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation.
Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents.
The hacking of a wider group of top government officials’ smartphones than previously reported suggests the WhatsApp cyber intrusion could have broad political and diplomatic consequences.
This takes the attack beyond the realm of individual victims into the realm of state-against-state espionage, a far more serious breach than previously known. WhatsApp also announced that it had reported the incident to the FBI. Facebook has taken further punitive action, deleting all accounts of NSO employees on its platform.
It was previously known that intelligence agencies in Bahrain, Saudi Arabia and the UAE have used NSO’s Pegasus malware, the most powerful product of its kind on the market, to spy on targets they view as threatening the security of their dynastic regimes.
When WhatsApp first announced the NSO attack, I wrote this piece for Jacobin in which I argued that it was imperative for the company and its corporate parent, Facebook, to sue the Israeli firm and hold it accountable for its behavior. I also encouraged the federal government to assume a role in protecting U.S. companies and the privacy of American citizens who use their technology. It’s not surprising that the Trump Justice Department has taken no action against the Israeli firm. But luckily, WhatsApp announced yesterday that it was suing NSO in federal court in San Francisco.
Its leader explained the company’s position in this Washington Post op-ed. This takeaway echoes my own views in Jacobin:
…Far more needs to be done to define what amounts to proper oversight of cyber weapons. NSO said in September that “human rights protections are embedded throughout all aspects of our work.” Yet it maintains that it has no insight into the targets of its spyware. Both cannot be true. At a minimum, leaders of tech firms should join U.N. Special Rapporteur David Kaye’s call for an immediate moratorium on the sale, transfer and use of dangerous spyware.
At the time the exploit was originally exposed, NSO published this non-response response:
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation.”
Note the severe disconnect between creating the malware and knowing precisely what its ultimate use will be, while claiming that releasing it to your customer absolves you of any responsibility for what they do with it. An amazing game of moral hocus-pocus.
In response to the lawsuit, NSO stated:
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO said in a statement. “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”
Yes, but you yourself refuse to guarantee that those are the actual uses made of Pegasus. So what good is such a statement?
In my earlier story, I urged governments to develop regulations which laid out proper and improper uses of the technology. Currently, there are no such regulations in place anywhere. It is the wild west out there. But given how many hundreds of millions of cell phones are in use and the pervasive impact of the technology on every aspect of modern life, it’s astonishing that we’ve let things go this far. If governments don’t take action, we private citizens and NGOs whose mission is to protect digital privacy must mount effective campaigns to educate the public about the critical need for such rules.
The only Israeli government agency monitoring NSO is the defense ministry’s export control committee, which approves Israeli technology for commercial purposes. It has offered the company licenses to sell its products around the world. The ministry has no interest in what clients do with the technology and does not monitor this. In fact, Israeli weapons exports are one of the most powerful drivers of the Israeli economy. The country ranks 9th in the world in total value of its arms exports. So would the defense ministry mess with a goose laying golden spyware?
This is not the first lawsuit targeting the NSO Group for the nefarious use of its technology. A Palestinian lawyer in Britain is suing the company on behalf of a Saudi dissident targeted by Saudi intelligence. He was one of the colleagues of murdered journalist Jamal Khashoggi, whose infected cell phone offered his killers details about his movements and played a key role in his death. And Amnesty International is suing NSO after one of its staff, whose job was to monitor Saudi human rights violations, also was targeted.
While this may be the beginning of a rough patch for the spyware developer, its first five years of existence have been truly golden. The company was started by two IDF veterans in 2012, one of a series of start-up attempts they made after ending their military service, most of which failed. They happened to be at the right place at the right time. Just as international consumers took to cell phones on a mass scale, its founders realized that there would be a commercial niche both to protect the security of the phones and to compromise them. Within two years, their company was worth $100 million, and earlier this year, a UK venture capitalist made the company a unicorn by paying $1 billion to buy it outright.
In Stephen Peel, NSO found the perfect buyer. A young trendy venture capitalist whose wife ran a modern art museum, Peel was a board member of Global Witness, a British anti-corruption NGO. Once the purchase of NSO was made public, a furor arose over this seeming conflict of interest. Peel resigned from the board and was offered a glowing au revoir by its director who called him “typically selfless.” Unfortunately, he couldn’t seem to understand the conflict between NSO’s products and his own organization’s mission.
Peel immediately sought ways to kasher NSO’s bad reputation. He inveigled Amnesty and other human rights NGOs to sit down and recommend ways in which the company’s products could be transformed from treif to kosher. The NGOs smelled a rat and wanted nothing to do with what they perceived as an empty exercise.
Stymied by the international human rights community, Peel then turned to an Obama official with the Department of Homeland Security, Juliette Kayyem. Despite her having no experience with ethics in the field of technology and social policy, she was tasked with developing ethical guidelines for NSO’s products. Keep in mind as well that NSO declares, almost as a point of pride, that it does not monitor its customers’ uses of its products. That’s how it absconds from any responsibility for the crimes committed by security services using Pegasus.
Given this, one wonders how a bona fide ethicist (which Kayyem is not) would feel comfortable developing ethics guidelines when the company itself refuses to accept any responsibility for how the products are used?
Kayyem began her career as a homeland security advisor for Massachusetts Gov. Deval Patrick. She then made the move to DC during the Obama administration, working first as a trial lawyer in the Justice Department and later as a senior official in the Department of Homeland Security. Her bio offers no trace of any experience developing corporate ethics policies:
Juliette Kayyem has spent over 15 years managing complex policy initiatives and organizing government responses to major crises in both state and federal government. A national leader in homeland security, resiliency and safety, she is currently the Senior Belfer Lecturer in International Security at Harvard’s Kennedy School of Government, where she is faculty chair of the Homeland Security and Security and Global Health Projects.
…She was President Obama’s Assistant Secretary for Intergovernmental Affairs at the Department of Homeland Security. There she played a pivotal role in major operations including handling of the H1N1 pandemic and the BP Oil Spill response; she also organized major policy efforts in critical infrastructure protections and community resiliency.
She has served as a member of the National Commission on Terrorism, a legal advisor to US Attorney General Janet Reno, and a trial attorney and counselor in the Civil Rights Division at the Justice Department.
Recently, the Washington Post named her to its stable of columnists. The most bitter irony here is that NSO may be an accessory to Jamal Khashoggi’s murder. Many in the media speculate that Saudi intelligence was able to know the journalist’s plans and whereabouts based on this surveillance. It enabled his Saudi killers to ambush him at the Saudi embassy in Istanbul. At the time of his murder, he too was a columnist for the Post. Both Jeff Bezos and the senior editors railed against the Saudis for their perfidy and demanded action from the Trump administration to hold them accountable. Unfortunately, that never happened.
Despite this disappointment, no one would expect that the Post’s opinion editor, Fred Hiatt, would make such a tone-deaf decision as to hire Kayyem. There were a few days of uproar, during which the Post and Kayyem attempted to argue that she was not personally responsible for the Israeli company’s actions because she didn’t serve in a direct capacity in the company’s operations. But that made it seem like her work on the ethics guidelines had nothing to do with the company at all. Recently, she bowed out of her position saying she didn’t want to be a distraction from the worthy journalism of the Post.
I’ve addressed several questions to Dr. Kayyem about her work for NSO, including how much they paid her in consulting fees and what expertise she has in the field of ethical use of technology. I also asked whether her guidelines offered guidance on the specific uses of Pegasus by NSO clients. Did they offer any restrictions on its use or caution against applications that would violate her guidelines? She has not responded and I will update here if/when she does.
5 thoughts on “WhatsApp Sues NSO Group Over Exploit Which Attacked Political, Military Leaders in 20 Nations – Tikun Olam תיקון עולם إصلاح العالم”
Israel’s digital mercenaries unite | Forbes – Oct. 2019 |
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.
A tangled web … start-ups to hack into mobiles and with same financial backers and sometimes engineers to set up Internet security. Can’t miss, always a hit.
Mr. Richard Silverstein,
I am laughing out loud right now.
This lawsuit is farcical.
Facebook, parent of WhatsApp, is the software that is being used by bad States to spy on dissidents and journalists, not to mention Facebook being used by Russia, Iran and China to sow political and social dissent in the United States and abroad.
How will WhatsApp overcome the Alien Tort Statute and get jurisdiction over NSO?
More to the point, how will WhatsApp prove that NSO software caused ascertainable damages?
This lawsuit isn’t real law, it is ‘law fare’, and opens Facebook up to scrutiny by NSO’s lawyers IF the case even makes it into a courthouse.
@ Doctor Chuk: Don’t laugh too hard because the laugh is on you.
This is an outright lie. One of the cardinal comment rules here is that you MUST support all claims you make with credible sources. There is no credible source supporting this because it’s a complete fabrication. Do this again & it will earn you immediate banning. Consider yourself banned. And read the comment rules carefully before publishing another comment here.
The Alien Tort Statute has nothing to do with this case. Bringing it up in this context shows either you are a legal ignoramus or arguing in bad faith (or both). U.S. companies sue foreign companies in federal court virtually every day of the week. As for damages, you think when a company’s platform is hacked and half the world’s media reports the hack, and anyone thinking of becoming a WhatsApp user hears of the hack and refuses to become a customer–that there are no damages to the company? Are you daft?
As for who will be scrutinized: I’d say that NSO has far, far more to lose as everything it has ever done, said, or written will be discoverable and the corporate officers will be deposed and anything they say which is proven a lie (and the company lies routinely) would be disastrous to them.
I wonder if it’s a coincidence that the only time ‘Chukwuemeka P. Akwanga’ displays in a Google search is in the two comments you’ve published here. And if you are a Nigerian Igbo Jew, why does your IP resolve to Kenya? I don’t know who you are, but it’s highly doubtful you are who you purport to be. Remember, I’m watching you…
You are done in this thread. Do not publish another comment here.
Mr. Richard Silverstein,
“Facebook, parent of WhatsApp, is the software that is being used by bad States to spy on dissidents and journalists,
‘This is an outright lie.’
My statement is not a lie, it is an absolute fact, which fact makes you an outright ignorant blogger.
“Initially, of course, [Facebook representatives] were very defensive and reluctant to recognize that Facebook was, in fact, if not the instigator, then the facilitator of hate speech in Myanmar,” Marzuki Darusman, head of the fact-finding mission, said in an interview.
Darusman later told the United Nations in New York that “genocidal intent” was apparent in the Facebook posts by [Myanmar] military officers”
I made a mistake citing the Alien Tort Statute. I assumed that the foreign nationals actually damaged by the NSO hack were plaintiffs. Mea culpa.
That said, WhatsApp is primarily seeking injunctive relief. It knows it cannot prove actual compensatory damages.
Facebook, the parent company, needs to come to Court with ‘clean hands’, not bloody hands, as I’ve proved, above.
@ Doc Chukweiemeka: Your original claim was that Facebook’s “software” was “being used to spy on dissidents.” I correctly called this a lie.
Then you pivoted to the claim that Facebook’s platform was used by Buddhist genocidaires to goad their followers into attacking Rohingya. That is a correct, but entirely different claim than your original. Apparently, you can’t keep your arguments straight.
This too is false. You are not a lawyer. You are not WhatsApp’s lawyer. You don’t know what the company’s “primary” legal goal or strategy is. You’ve once again made a claim that there are no damages, when I’ve warned you that your opinions do not masquerade as fact.
Facebook doesn’t have to do anything. It is not on trial for what happened in Myanmar. If you or somebody wishes to sue them for what happened, be my guest. But it has nothing to do with NSO’s hack of WhatsApp and you’re just muddying the waters with nonsense.
I’ve moderated you for serial violations of comments rules.