Facebook is suing Israeli exploit developer NSO Group for utilizing WhatsApp to target 1,400 users with malware that allowed NSO’s clients to circumvent the chat app’s end-to-end encryption.

That NSO is being accused of helping bad people surveill good people is not news. NSO is not very selective when it comes to selling malware, putting its powerful tech in the hands of governments that seem just as likely to target NSO’s home country as they are to target local dissidents, journalists, and activists. NSO’s software and cavalier approach to sales have been exposed by multiple Citizen Lab investigations, which have outed NSO’s sales to blacklisted countries.

Facebook’s lawsuit [PDF] basically echoes the findings of Citizen Lab.

In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.

WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.”

Abusive it is, especially when you’re trying to tout the benefits of end-to-end encryption, only to have a malware developer show you how easy it is to route around these protections. NSO’s malware was spread using WhatsApp’s video chat feature, which apparently allowed government agencies to eavesdrop on communications and possibly access device contents.

This isn’t the only lawsuit NSO is facing.

NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.

Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to “stop it profiting from state-sponsored repression.”

This matters enough to NSO for it to engage in a very limited charm offensive. It has promised to abide by UN guidelines on human rights abuses, which means it’s going to have to trim a few countries off its client list. It also claims to have saved the lives of “tens of thousands” of people. It’s a great claim to make, especially when no one really expects you to back up it up with evidence or data.

But the lawsuit Facebook is pursuing is questionable, if not a bit dangerous. Facebook likely doesn’t have a way to block NSO clients from accessing WhatsApp. It has permanently deleted the accounts of every employee of NSO Group it could find for “violating” Facebook’s terms of use. But it’s helpless to root out accounts used by NSO’s customers, since these aren’t nearly going to be as obvious as those belonging to people who list NSO as their employer.

That explains the lawsuit and Facebook’s desire to obtain a permanent injunction against NSO Group, blocking it from utilizing WhatsApp to spread malware. But the lawsuit is on pretty shaky legal ground. Worse, if Facebook somehow prevails, the much-abused CFAA will be rewritten in a way that’s going to harm plenty of people who’ve never sold malware to known human rights abusers.

Here’s Wired’s Andy Greenberg (and defense attorney Tor Ekeland) explaining just one of the problematic aspects of Facebook’s lawsuit.

To make that charge stick, WhatsApp will have to show that NSO obtained illegal access to WhatsApp’s own systems. Given that NSO’s targets were WhatsApp users rather than, say, WhatsApp’s servers, they’ll have to find an argument that they, as the plaintiff, were the victim. “The fundamental question is, what’s the unauthorized access?” says Ekeland. “You might be able to argue that NSO hacked WhatsApp and not just their users. Maybe they’re trying to make that argument. But they’re not being clear about it, and that lack of clarity is an attack vector for the defendant.”

Facebook’s on a clear path if it chooses to stick with the argument NSO violated its terms of service. Those terms specifically forbid reverse-engineering code or sending malware via the app. But even if it’s limited to that, the obvious solution is for Facebook to ban NSO from using its services. That may be close to impossible to do since Facebook doesn’t have access to its client list or their user accounts. Arguing past that point may cause problems, though.

While it may work out for Facebook to have the CFAA cover “uses of our stuff that we don’t like,” it’s going to harm a lot of other people. Security researchers, regular researchers, and anyone else who might use Facebook’s platform or apps in a way Facebook doesn’t like could be prosecuted or sued under this definition. While it’s plainly advantageous for Facebook to force all users to use its products only in a way it approves, the downside is a garden with higher walls that put users completely at the mercy of Facebook. Since terms of use can be rewritten on the fly and applied immediately, Facebook could go after “violators” who aren’t even aware they’ve actually violated anything.

Adding to Facebook’s hurdles is a recent Ninth Circuit Court of Appeals ruling (this lawsuit is filed in the Ninth Circuit) that says scraping a site for data — even when forbidden by the terms of use — isn’t necessarily a violation of the CFAA. Making this tougher for Facebook is there’s no evidence it ever gave NSO prior notice its abuse of WhatsApp was forbidden. The lack of notice makes it a bit more difficult for Facebook to claim NSO knowingly violated the terms by using WhatsApp to distribute malware. It will be tough to prove NSO clients had unauthorized access, especially since Facebook didn’t get around to permabanning anyone until after it filed its lawsuit.

I’m no fan of NSO and its client list, but I’m no fan of Facebook’s lawsuit, either. An opinion finding using internet services in a way their developers don’t like is not the precedent we need — not if we’re going to keep pushing for a safer internet for everyone. It will allow dominant players to establish rules that benefit the platforms and stave off competition from third-party offerings that attempt to address shortcomings major platforms refuse to correct. It will also prevent researchers from making online services safer or better, which will be a net loss for all platform users, even if it prevents a handful of authoritarians from exploiting a single service to target the people they think need more surveilling.

There’s a lot at stake here but Facebook can’t see past its immediate (and somewhat convenient, given its recent rakings over Congressional coal) desire to appear to be the good guy for once.

Permalink | Comments | Email This Story

Techdirt.