NSO Group Technologies Ltd. is an Israeli company that creates technology.[1] It says it sells its technology exclusively to government intelligence and law enforcement agencies to prevent and investigate terrorism and other crimes.[2] NSO Group has quickly become famous for its flagship spyware, a remote-activated system called Pegasus, which allows whoever is operating the system to conduct surveillance on people through their smart phones.[3] Once the infection is installed on the device, it sends everything from passwords, contact lists, calendar events, text messages, and live voice calls back to the operator’s servers.[4] The operator can even access the phone’s camera and microphone and use the GPS function to track the phone’s location.[5] But it does not stop there, the spyware can also access data stored in other smartphone apps.[6] Just to see how far reaching the spyware went, Citizen Lab, a research laboratory based at the University of Toronto, collaborated with Lookout Security, a San Francisco-based cybersecurity firm, and found that forty-five countries had possible Pegasus infections.[7]
Most recently, the spyware used WhatsApp to install its infection.[8] Attackers would use the app’s call function to install its spyware onto both iPhones and Androids.[9] Not only did users not even have to answer the call to be infected, the calls often disappeared from call logs.[10] In fact, Jeff Bezos, the Amazon billionaire, was “hacked” after receiving a WhatsApp video message.[11] Although it is unclear what data was taken or how it was used, intimate details about Bezos’ private life, including text messages, were published by the National Enquirer several months later.[12]
On October 29, 2019, WhatsApp filed a lawsuit against NSO Group alleging a violation of the Computer Fraud and Abuse Act (“CFAA”).[13] The CFAA provides that anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished.”[14] This lawsuit, between these parties, is notable for two reasons.
First, this lawsuit is the first legal action of its kind because WhatsApp was not directly affected by the hack.[15] In the past, users had to seek relief directly without the help of the tech company, meaning that someone like Bezos would have to sue directly instead of WhatsApp getting involved.[16] The issue for WhatsApp will be showing that NSO Group obtained unauthorized access to WhatsApp servers as opposed to exclusively accessing WhatsApp users’ devices.[17] User devices are “computers,” so any of the 1.5 billion users worldwide could bring claims against NSO. However, servers are also “computers” but are separate from the users’ devices. WhatsApp has to bridge this gap to win on its CFAA claim.
To try and bridge this gap, WhatsApp alleges that when NSO Group hacked into users’ devices, it also created a connection with WhatsApp servers by routing the spyware through WhatsApp servers.[18] NSO Group allegedly established this connection to WhatsApp servers when it initiated phone calls with WhatsApp users’ accounts, automatically infecting that device with spyware even if that user did not answer the call.[19] For the phone to ring through that WhatsApp account, it had to contact WhatsApp “Signaling Servers.”[20] It will be up to the court to decide if that type of communication is enough to establish “access” under the CFAA.
Second, there is a gap in the CFAA that does not typically allow tech companies to pursue legal action against companies who create software used for “cyberweapons.” NSO Group created Pegasus, but there is no evidence that anyone from NSO Group actually effectuated the hack.[21] NSO maintains that it was in no way involved in operating its technology, which is solely operated by intelligence and law enforcement agencies.[22] Therefore, to be successful under its CFAA claim, WhatsApp will have to convince the court to hold the software developer accountable for the hacker’s actions.
[1] Complaint at ¶ 5, WhatsApp v. NSO Group, (No. 3:19-cv-07123-JSC), 2019 WL 5571028, at ¶ 5 (N.D.Cal.).
[2] NSO Group, https://www.nsogroup.com/about-us/ (last visited April 13, 2020).
[3] David Shrestha, Pegasus spyware: All you need to know, Deccan Herald (Nov. 1, 2019, 7:01 PM), https://www.deccanherald.com/specials/pegasus-spyware-all-you-need-to-know-772667.html.
[4] NSO Group / Q Cyber Technologies: Over One Hundred New Abuse Cases, Citizen Lab (Oct. 29, 2019) https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-new-abuse-cases/.
[5] Id.
[6] Erik Manukyan, Summary: WhatsApp Suit Against NSO Group, LawFare (Nov. 7, 2019, 3:12 PM), https://www.lawfareblog.com/summary-whatsapp-suit-against-nso-group.
[7] Id.
[8] Citizen Lab, supra note 4.
[9] Mehul Srivastava, WhatsApp Voice Calls Used to Inject Israel Spyware on Phones, Fin. Times (May 13, 2019), https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab.
[10] Id.
[11] Stephanie Kirchgaessner, Jeff Bezos hack: Amazon boss’s phone hacked by Saudi crown prince, Guardian (Jan. 22, 2020, 4:04 PM), https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince.
[12] Id.
[13] Complaint at ¶ 2, WhatsApp v. NSO Group, No. 3:19-cv-07123-JSC, 2019 WL 5571028, at ¶ 2 (N.D.Cal.).
[14] 18 U.S.C.S. § 1030(4) (Oct. 31, 2019).
[15] Frank Bajak, Facebook sues Israeli company NSO Group over WhatsApp spyware, USA Today (Oct. 29, 2019, 9:56 PM), https://www.usatoday.com/story/tech/2019/10/29/whatsapp-spyware-facebook-sues-israeli-nso-group/2503858001/.
[16] See id.
[17] Andy Greenberg, WhatsApp’s Case Against NSO Group Hinges on a Tricky Legal Argument, Wired (Oct. 29, 2019, 10:03 PM), https://www.wired.com/story/whatsapp-nso-group-lawsuit/.
[18] Complaint at ¶ 1, 32, 35, 38, 42, WhatsApp v. NSO Group, No. 3:19-cv-07123-JSC, 2019 WL 5571028, at ¶ 1, 32, 35, 38, 42 (N.D.Cal.).
[19] Id.
[20] Id.
[21] Id.
[22] Srivastava, supra note 9.
