WhatsApp has said NSO Group, an Israeli surveillance company, was responsible for a series of highly sophisticated cyber-attacks that it claims violated American law in an “unmistakeable pattern of abuse”. WhatsApp believes that technology sold by NSO was used to target the mobile phones of more than 1,400 of its users in 20 different countries during a 14-day period from the end of April to the middle of May. The victims include human rights defenders and lawyers, prominent religious figures, well-known journalists, and officials in humanitarian organisations.
WhatsApp’s lawsuit, filed in a California court on Tuesday, has demanded a permanent injunction blocking NSO from attempting to access WhatsApp computer systems and those of its parent company, Facebook. The lawsuit also asked the court to rule that NSO violated US federal law and California state law against computer fraud, breached their contracts with WhatsApp and “wrongfully trespassed” on Facebook’s property.
“This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users”, said a WhatsApp spokesman. “In our complaint, we explain how NSO carried out this attack, including acknowledgement from an NSO employee that our steps to remediate the attack were effective”.
WhatsApp said it had worked with Citizen Lab, an academic research group based at the University of Toronto’s Munk School, to identify the victims of the attacks and the technology used against them, detecting that they were activists at a human rights protection society.
“The commercial spyware industry is one that has tried to carve out an unaccountable space for itself, cozying up to the governments that it sells stuff to while simultaneously denying any responsibility for abuses conducted with its tools”, John Scott-Railton, a Citizen Lab senior researcher, told Ars Technica. “WhatsApp's lawsuit, which is important and precedent-setting, shatters that false distinction and makes it clear that they are willing to hold NSO accountable for the Wild West that exists in the spyware industry generally and is reflected in the target set”.
NSO dismissed the allegations, writing in a statement that its purpose is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.
“We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse”, the statement reads.
The company was acquired earlier this year by a London-based private equity firm called Novalpina Capital, which in June said it would unveil new governance standards at the company. Novalpina has credited NSO technology with disrupting plans for a terrorist attack at a crowded stadium in Europe and, citing the Mexican government, said it assisted in the 2011 arrest of the drug kingpin known as El Chapo.
The Israeli company released details of that new “human rights policy” in November, which it said was founded on “unequivocal respect for human rights”. Among other initiatives, it vowed to integrate new due diligence procedures to identify, prevent, and mitigate “adverse human rights impacts” due to the possible abuse of its technology. It also said it would conduct an evaluation of the “potential for adverse human rights impacts” arising through the misuse of NSO products, as well as enforcing “contractual obligations” that would prevent NSO’s customers from using its products for anything other than the investigation of serious crime.