WhatsApp Breach Was Politically Motivated. Now What?

[dropcap]T[/dropcap]HIS is the question moving forward as the cloud hanging over the WhatsApp breach from April 2019 darkens as more information continues to come out. This week, the Facebook-owned platform alleged that the Israeli-based NSO Group targeted as many as 1,400 WhatsApp users through the use of the spyware named Pegasus, in a lawsuit filed in US federal court on October 29.

Those targets are believed to include hundreds of journalists, politicians, lawyers, political dissidents and human rights activists targeted through smartphone attacks. The victims of the attack were contacted by WhatsApp on Tuesday, according to a statement they released on their site. Pegasus was also reportedly used by the NSO to surveil the Washington Post reporter Jamal Khashoggi before his death according to his friend Omar Abdulaziz.

A University of Toronto research group that tracks hacking campaigns, Citizen Lab, volunteered to help WhatsApp investigate the attacks on its users. Citizen Lab reported that among those people targeted in the campaign, 100 were members of “civil society” from 20 countries including:

  • human-rights defenders
  • human rights lawyers
  • humanitarian organization officials
  • journalists and television personalities
  • religious figures from across different religions
  • women targeted by cyber violence in the past
  • individuals who faced assassination attempts or threats of violence

“The commercial spyware industry is one that has tried to carve out an unaccountable space for itself, cozying up to the governments that it sells stuff to while simultaneously denying any responsibility for abuses conducted with its tools,” John Scott-Railton, a Citizen Lab senior researcher, told ArsTecnhica. “WhatsApp’s lawsuit, which is important and precedent-setting, shatters that false distinction and makes it clear that they are willing to hold NSO accountable for the Wild West that exists in the spyware industry generally and is reflected in the target set.”

WhatsApp approach against the NSO charges that they violated the Computer Fraud and Abuse Act (CFAA), a federal anti-hacking law in the US that makes it illegal to intentionally access a computer without authorization. WhatsApp is hoping for a permanent injunction barring NSO from access to WhatsApp servers, creating or using WhatsApp accounts, or violating WhatsApp terms of service.

However since users of WhatsApp were the ones that were hacked, and not WhatsApp itself, the lawsuit relies heavily on the fact that NSO breached the WhatsApp terms of service. This strategy is a completely new approach from a hacked company and whether it works or not in court is to be seen.

Will Cathcart, the head of WhatsApp and vice president at Facebook, in a Washington Post op-ed wrote that:

“This should serve as a wake-up call for technology companies, governments, and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”

That statement underlies the bigger problem at hand, the continued privacy complaint against social media companies to reign in the abusive targeting of their technology. Some would argue that this could include misinformation campaigns, which are more prevalent than ever. Whether its from false political ads that run on Facebook or bots spreading false information on Twitter, big tech has a big problem.

Recent survey results from the search engine DuckDuckGo, found that 80% of respondents adjusted the privacy settings on their social media accounts – one way or another – in the last year. In fact, 23% of people either deleted or deactivated their profiles due to privacy concerns according to survey findings.

Social media scandals will continue to erupt around the world likely centered on privacy concerns. Surveillance of private and public citizens, misinformation campaigns, and fake news coupled with the constant onslaught of data breaches, makes the case that there is so much more for us to consider when it comes to sharing our personal information. Defining what our own right to privacy means, no matter what we get in return, is critical in today’s sharing society.


Read the suit here: