Wednesday, 30 October 2019

Facebook sues notorious spyware company NSO Group for 1,400 attacks on diplomats, journalists, dissidents, and government officials

The NSO Group is one of the world's most notorious cyber-arms dealers, selling hacking tools to some of the world's most oppressive regimes that are used to identify targets for arrest, torture and even murder.

The Israeli company went through a series of buyouts and buybacks, ending up in the hands of the European private equity fund Novalpina and its owners, including Yana Peel, the former CEO of London's Serpentine Gallery who resigned her position after The Guardian revealed her ownership stake, which was deemed to be at odds with the Serpentine's commitment to human rights and free expression.

Novalpina has pledged to rehabilitate the NSO Group's reputation by reforming its practices and limiting the sale of its spying tools to legitimate actors (whomever they may be). But research from the world-leading Citizen Lab (previously) revealed that NSO was behind a string of attacks on Whatsapp users last may, which was used to target human rights campaigners, journalists, and political dissidents.

Facebook has filed a lawsuit against the NSO Group, accusing the company of being behind Whatsapp attacks in 20 countries (Whatsapp is a division of Facebook); Facebook claims that the attacks swept up at least 100 members of civil society groups.

The suit seeks an injunction against future NSO Group attacks on Whatsapp and unspecified monetary damages.

NSO is also being sued in Israel for allegedly helping to entrap the Saudi journalist Jamal Khashoggi, who was kidnapped, murdered and dismembered at the direction of the Saudi Crown Prince Mohammed Bin Salman.

Facebook's suit presents a mixed bag of legal theories: they accuse NSO Group of violating California contract and property law, but also of violating the tremendously flawed Computer Fraud and Abuse Act, a 1986 federal anti-hacking law that Facebook drastically expanded when it sued a competitor called Power Ventures in 2008 (the CFAA was also the law used to hound Aaron Swartz to death). There's a risk that a verdict in Facebook's favor will strengthen precedents that allow the CFAA to be wielded against legitimate competitors, independent security researchers, and other good actors.

One potential fix for this would be an "interoperator's defense" that would clarify that CFAA and other statutes do not apply to good actors, ever, something like "Notwithstanding any law or regulation, it is never an offense to create a new interoperable product, service, part, software patch or application, tool, or consumable that allows the legitimate owner or user of an existing product to service to repair, reconfigure, improve or customize that product or service."

In its statement, Facebook frames its work in the context of defending human rights, citing the work of UN Special Rapporteur on Free Expression David Kaye (previously), who has called for a moratorium on sales of cyber-weapons, including to nation-states.

The NSO Group denies any wrongdoing.

WhatsApp sues Israel's NSO for allegedly helping spies hack phones around the world [Raphael Satter/Reuters]

NSO Group / Q Cyber Technologies [Citizen Lab]