Tag Archive for: Facebook’s

Facebook Sues Israeli Malware Marketer With A Lawsuit That Aims To Make An Easily-Abused Law Even More Abusable

Facebook is suing Israeli exploit developer NSO Group for utilizing WhatsApp to target 1,400 users with malware that allowed NSO’s clients to circumvent the chat app’s end-to-end encryption.

That NSO is being accused of helping bad people surveil good people is not news. NSO is not very selective when it comes to selling malware, putting its powerful tech in the hands of governments that seem just as likely to target NSO’s home country as they are to target local dissidents, journalists, and activists. NSO’s software and cavalier approach to sales have been exposed by multiple Citizen Lab investigations, which have outed NSO’s sales to blacklisted countries.

Facebook’s lawsuit [PDF] basically echoes the findings of Citizen Lab.

In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.

WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.”

Abusive it is, especially when you’re trying to tout the benefits of end-to-end encryption, only to have a malware developer show you how easy it is to route around these protections. NSO’s malware was spread using WhatsApp’s video chat feature, which apparently allowed government agencies to eavesdrop on communications and possibly access device contents.

This isn’t the only lawsuit NSO is facing.

NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.

Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to “stop it profiting from state-sponsored repression.”

This matters enough to NSO for it to engage in a very limited charm offensive. It has promised to abide by UN guidelines on human rights abuses, which means it’s going to have to trim a few countries off its client list. It also claims to have saved the lives of “tens of thousands” of people. It’s a great claim to make, especially when no one really expects you to back it up with evidence or data.

But the lawsuit Facebook is pursuing is questionable, if not a bit dangerous. Facebook likely doesn’t have a way to block NSO clients from accessing WhatsApp. It has permanently deleted the accounts of every employee of NSO Group it could find for “violating” Facebook’s terms of use. But it’s helpless to root out accounts used by NSO’s customers, since these aren’t going to be nearly as obvious as those belonging to people who list NSO as their employer.

That explains the lawsuit and Facebook’s desire to obtain a permanent injunction against NSO Group, blocking it from utilizing WhatsApp to spread malware. But the lawsuit is on pretty shaky legal ground. Worse, if Facebook somehow prevails, the much-abused CFAA will be rewritten in a way that’s going to harm plenty of people who’ve never sold malware to known human rights abusers.

Here’s Wired’s Andy Greenberg (and defense attorney Tor Ekeland) explaining just one of the problematic aspects of Facebook’s lawsuit.

To make that charge stick, WhatsApp will have to show that NSO obtained illegal access to WhatsApp’s own systems. Given that NSO’s targets were WhatsApp users rather than, say, WhatsApp’s servers, they’ll have to find an argument that they, as the plaintiff, were the victim. “The fundamental question is, what’s the unauthorized access?” says Ekeland. “You might be able to argue that NSO hacked WhatsApp and not just their users. Maybe they’re trying to make that argument. But they’re not being clear about it, and that lack of clarity is an attack vector for the defendant.”

Facebook’s on a clear path if it chooses to stick with the argument NSO violated its terms of service. Those terms specifically forbid reverse-engineering code or sending malware via the app. But even if it’s limited to that, the obvious solution is for Facebook to ban NSO from using its services. That may be close to impossible to do since Facebook doesn’t have access to its client list or their user accounts. Arguing past that point may cause problems, though.

While it may work out for Facebook to have the CFAA cover “uses of our stuff that we don’t like,” it’s going to harm a lot of other people. Security researchers, regular researchers, and anyone else who might use Facebook’s platform or apps in a way Facebook doesn’t like could be prosecuted or sued under this definition. While it’s plainly advantageous for Facebook to force all users to use its products only in a way it approves, the downside is a garden with higher walls that put users completely at the mercy of Facebook. Since terms of use can be rewritten on the fly and applied immediately, Facebook could go after “violators” who aren’t even aware they’ve actually violated anything.

Adding to Facebook’s hurdles is a recent Ninth Circuit Court of Appeals ruling (this lawsuit is filed in the Ninth Circuit) that says scraping a site for data — even when forbidden by the terms of use — isn’t necessarily a violation of the CFAA. Making this tougher for Facebook is there’s no evidence it ever gave NSO prior notice its abuse of WhatsApp was forbidden. The lack of notice makes it a bit more difficult for Facebook to claim NSO knowingly violated the terms by using WhatsApp to distribute malware. It will be tough to prove NSO clients had unauthorized access, especially since Facebook didn’t get around to permabanning anyone until after it filed its lawsuit.

I’m no fan of NSO and its client list, but I’m no fan of Facebook’s lawsuit, either. An opinion finding that using internet services in a way their developers don’t like violates the CFAA is not the precedent we need — not if we’re going to keep pushing for a safer internet for everyone. It will allow dominant players to establish rules that benefit the platforms and stave off competition from third-party offerings that attempt to address shortcomings major platforms refuse to correct. It will also prevent researchers from making online services safer or better, which will be a net loss for all platform users, even if it prevents a handful of authoritarians from exploiting a single service to target the people they think need more surveilling.

There’s a lot at stake here but Facebook can’t see past its immediate (and somewhat convenient, given its recent rakings over Congressional coal) desire to appear to be the good guy for once.


Techdirt.

Facebook’s Ex-Security Chief Details His ‘Observatory’ for Internet Abuse – WIRED


When Alex Stamos describes the challenge of studying the worst problems of mass-scale bad behavior on the internet, he compares it to astronomy. To chart the …


Self-Made Millionaire Loses Lawsuit Over Facebook’s Removal Of Videos Of People Urinating

Facebook promised to clean up its platform to make it more family-friendly. And it has done so, with varying degrees of success. If anything, it’s tried too hard and caused a lot of collateral damage to content that should never have been found objectionable in the first place.

For that effort, it has been vilified by everyone from the President of the United States to angry individuals who can’t seem to find a better outlet for their ignorance. Like other social media companies attempting to do the impossible, it’s getting sued for running its business the way it wants to.

Jason Fyk is one of several plaintiffs who have sued social media companies for removing their posts or banning their accounts. Fyk is a little different than the others we’ve covered recently. Fyk is a self-made millionaire whose business model relies almost entirely on Facebook.

As the creator of WTFNews (and dozens of other Facebook pages), Fyk is perhaps more directly affected by content removal than the average misguided plaintiff. When Facebook takes down content you’re hoping will generate clicks and cash, it hurts your bottom line. Fyk is inextricably intertwined with Facebook, but that fact does not make his lawsuit against the company more meritworthy than those claiming anti-conservative bias or hoping to hold social media platforms directly responsible for acts of terrorism.

As Eric Goldman explains, the content Fyk is suing over is precisely the sort of thing you’d expect Facebook to find and remove, given its history of moderation.

Jason Fyk created Facebook pages “dedicated to videos and pictures of people urinating….Plaintiff alleges that Facebook blocked content posted by Plaintiff and removed content in order to make room for its own sponsored advertisements. Plaintiff contends these actions by Facebook destroyed or severely devalued his pages.”

There’s nothing in this lawsuit about an anti-conservative bias. Nothing suggests Fyk’s action here aligns him with alt-right personalities who’ve been deplatformed. Nevertheless, the idea of suing social media companies seems to appeal to those who think the government should leave private businesses alone. This likely explains Fyk’s decision to discuss his lawsuit on Fox & Friends.

I doubt he’ll be invited back. The court says Section 230 immunizes Facebook against this lawsuit. Fyk hoped to avoid this obvious conclusion by claiming he wasn’t suing Facebook over posts created by another user. His definition of third-party content apparently doesn’t stretch as far as covering stuff he posted to Facebook. It’s a very weird argument to make. Fyk says he’s a first party: he created the uploaded content that was ultimately removed by Facebook. What Fyk is missing — and what the court points out [PDF] — is that the removal of third party content (i.e., anything not created by Facebook) is protected and does not remove Facebook’s Section 230 immunity.

With regard to the second element of the CDA immunity provision, Plaintiff contends that Facebook is not entitled to immunity because although the statute provides immunity for a website operator for the removal of third-party material, here there is no third party as Plaintiff himself contends that he created the content on his pages. This was precisely the argument rejected by this Court in Sikhs for Justice which distinguished the reference to “another information content provider” from the instance in which the interactive computer service itself is the creator or developer of the content. 144 F. Supp. 3d at 1093-94. In other words, “the CDA immunizes an interactive computer service provider that ‘passively displays content that is created entirely by third parties,’ but not an interactive computer service provider by creating or developing the content at issue.” Id. at 1094. Put another way, “‘third-party content’ is used to refer to content created entirely by individuals or entities other than the interactive computer service provider.” Id. (citing Roommates, 521 F.3d at 1162). Here, there is no dispute that Plaintiff was the sole creator of his own content which he had placed on Facebook’s pages. As a result, those pages created entirely by Plaintiff, qualifies as “information provided by another information content provider” within the meaning of Section 230.

With that, Fyk’s lawsuit is dead and he will not be allowed to amend his complaint.

Because the CDA bars all claims that seek to hold an interactive computer service liable as a publisher of third party content, the Court finds that the CDA precludes Plaintiff’s claims. In addition, the Court concludes that granting leave to amend would be futile in this instance as Plaintiff’s claims are barred as a matter of law.

If nothing else, Fyk’s experience is a cautionary tale about making your online business entirely reliant on someone else’s platform. At some point, the rules will change and the way you used to make money won’t work anymore. Fyk’s original complaint details a long list of actions Facebook took that eventually stripped his pages of value.

But switch out “Google” for “Facebook” and the lawsuit could have been written by any SEO huckster in response to the company’s numerous algorithm changes. Or leave the wording the same and any major publication that bought into Facebook’s promise to deliver monetized news from behind the walls of its garden could raise the same complaints. Platforms operating in opaque and inconsistent ways sucks for everyone, not just those who’ve hitched their financial wagon to someone else’s platform. But while it sucks the most for a self-made millionaire who rode Facebook as far as it was willing to carry him, it doesn’t mean the solution is litigating yourself back to financial health.


Techdirt.