Tethering Pegasus: WhatsApp takes NSO Group to Court
A lawsuit filed in a US federal court in San Francisco on Tuesday threw up a few interesting, and disturbing considerations. In it, the Facebook-owned platform WhatsApp advanced an allegation that now seems commonplace: that the Israeli spyware Pegasus (known in computer wonderland as a remote access trojan) had again made an appearance, deployed against 1,400 WhatsApp users. In a process that now seems familiar, the spyware made by Israeli cyber-firm NSO Group is triggered by activating a link sent to the phone, turning the device into a veritable surveillance machine.
In the case of WhatsApp, the attacks are focused on the video calling system as a supply line for the malware and were first detected in May 2019 after the platform noted suspicious activity on its network. The platform duly asked its users to upgrade its app to cope with any malicious code that had been transmitted between April 29 to May 10.
On October 28, WhatsApp made a public attribution to the NSO Group as a prelude to legal action in US courts. The legal action involves two main grounds: seeking a permanent injunction that would block NSO from accessing the systems of Facebook, its parent company and a ruling that NSO’s actions constituted a breach of US federal law and California state law on computer fraud. Additional grounds of breach of contract and wrongful trespass are also being ventured.
The targets seem to have varied, a true open church of monitored interests. Senior government and military officials in several US-allied countries are said to have had their phones sought through WhatsApp. But these are merely the cream of power and influence; scraping activists and those with stances against their governments have also been the subject of keen interest.
According to the independent research group Citizen Lab, a good hundred recipients of the spyware have been dissidents and journalists across 20 countries. “It is an open secret,” suggests John Scott-Railton from the group, “that many technologies branded for law enforcement investigations are used for state-on-state and political espionage.” Figures also include notable personalities, many women, who have been the subject of incessant hate campaigns, and those facing “assassination attempts and threats of violence.”
On Thursday, another country was added to the spyware casualty list. India has 400 million WhatsApp users, a truly rich target. According to a WhatsApp spokesman, “Indian journalists and human rights activists have been the target of surveillance and while I cannot reveal their identities and the exact number, I can say that it is not an insignificant number.” The period of interest spiked just prior to the 2019 general elections.
We know what inglorious role NSO Spyware played in the monitoring and eventual demise of dissident journalist Jamal Khashoggi, though NSO Group’s CEO Shalev Hulio was adamant that “Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking, and intelligence collection.” From being a subject of interest, a Saudi hit squad was dispatched to butcher the unsuspecting journalist in the compound of the Kingdom’s consulate in Istanbul. Human rights figures and dissidents have also been the target of Pegasus in Mexico, the United Arab Emirates, Panama and the Kingdom of Bahrain. An employee of Amnesty International was also singled out.
NSO, for its part, is keen to boast a clean slate. It’s all business, and principled for the most part. “In the strongest possible terms,” the group claims in a statement, “we dispute today’s allegations and will vigorously fight them.” The company’s “sole purpose” was “to provide technology to licensed government intelligence and law enforcement agencies to help fight terrorism and serious crime.”
Such statements can be taken as disingenuous and daft. In seeing the licensing approval as the be-all and end-all of legitimacy, peering behind motivations and misuse is not in the firm’s interest. The supply of customers would dry up – not so much a case of buyer beware as vendor be cautious. What matters is the purchase, suitably washed, before it fulfills its sordid end.
Surveillance, in of itself, implies voyeurism, though it is often dressed up in a far more benign guise. That guise usually assumes the form of national security, safety, the well-being of the general, unsuspecting, and often apathetic citizenry. But dissidents and opposition politicians are ever the troublemakers the status quo wishes to mark, thereby becoming particular important subjects for the monitors.
NSO does its bit in a thriving global surveillance industry where it asserts a certain primacy; the state agencies in question do theirs. The company has also made various overtures claiming that it will start abiding by UN procedures established in 2011 to deal with instances where technology might breach human rights. Meek suggestions about evaluating processes of sale obliging customers to restrict the use of products to the prevention and investigation of serious crimes have also been mooted. Even the callous can be idealistic.
Such private sector vanguardism has troubled the United Nations’ special rapporteur of opinion and expression, David Kaye. His report in June called for an immediate moratorium on the sale, transfer, and use of surveillance technology until such time human rights frameworks had been put in place. “Surveillance tools can interfere with human rights, from the right to privacy and freedom of expression to rights of association and assembly, religious belief, non-discrimination, and public participation.”
Danna Ingleton, deputy director of Amnesty Tech, suggests a simple, if imperfect solution to the problem. “The safest way to stop NSO’s spyware products reaching governments who plan to misuse them is to revoke the company’s export license.” But which government officials ever express a desire to officially misuse such products? The proof lies in the conduct.
On November 7, Tel Aviv’s District Court is scheduled to hear a case against NSO Group, arguing that Israel’s Ministry of Defence should reconsider the company’s export license. The action is being mounted by some 30 members and supporters of Amnesty International Israel and has the backing of the New York University School of Law’s Bernstein Institute for Human Rights and Global Justice Clinic.
Unfortunately, such reasoning does not go far enough. If you want to deal with such digital merchants of endangering surveillance, best prohibit their manufacture altogether. Ban and scrap them. Impose, not just moratoriums but injunctions. There are no good or bad governments in this business; there are only governments who share one common purpose: the ultimate erosion of encryption that protects privacy from the often nasty intrusions of the State.