Malware Marketer NSO Group Looks Like It's Blowing Off Facebook's Lawsuit

from the why-bother-being-accountable-in-any-minimal-fashion dept

In late October of last year, Facebook and WhatsApp sued Israeli surveillance tech provider NSO Group for using WhatsApp to deliver device-compromising malware. The lawsuit sought to use the CFAA to stop NSO from using WhatsApp as an attack vector.

The lawsuit is dangerous. It asks the court to read the CFAA to cover attacks targeting users’ accounts, rather than attacks on the service provider itself. The CFAA is already problematic enough without this sort of expansion. WhatsApp users certainly appreciate the efforts the developers make to protect them from malware, but asking a court to reinterpret an easily-abused law just so Facebook can go after NSO isn’t an acceptable solution.

NSO has been the target of non-stop criticism due to its willingness to sell malware and surveillance tech to countries with long histories of human rights violations. Its malware has also been observed targeting activists, dissidents, journalists, and critics of the governments that have deployed NSO malware.

Facebook’s lawsuit is going nowhere fast. While it’s not uncommon for there to be a delay between the filing of a complaint and the defendant’s response, NSO hasn’t filed anything — not even a notice of appearance from its corporate counsel — since the filing of the suit.

Facebook wants the court to take notice of this no-show. It’s asking for the upcoming case management to be postponed indefinitely since it has heard nothing at all from NSO. But the administrative motion [PDF] is not just there to deal with a logistical problem. It’s there to let the court know NSO isn’t cooperating with the litigation.

After filing the Complaint, Plaintiffs promptly sought to serve Defendants under the Hague Convention, which was effected on December 17, 2019.Plaintiffs also contacted Defendants via email, physical mail, and hand service, but have not received any response. As of the date of this filing, no counsel has entered an appearance in this matter on Defendants’ behalf, nor have Defendants filed an answer to the Complaint. Thus, Plaintiffs cannot fulfill their obligations under the Court’s initial case management scheduling order (ECF No. 9), including the obligations to meet and confer regarding initial disclosures, early settlement, ADR process selection, and a discovery plan.

The NSO is certainly welcome to sit this one out. It’s not like blowing off the WhatsApp lawsuit will do anything to its reputation that NSO hasn’t already done to it by selling hacking tools to authoritarians. It’s possible Facebook will receive a default judgment if NSO decides this is a waste of its time. Even if it did, what use would it be? NSO isn’t going to stop marketing malware that can be deployed via messaging services and the governments it sells to aren’t going to stop targeting WhatsApp users just because a court in California says it violates the CFAA.

This lawsuit is mostly for show. On the odd chance NSO decides to participate, discovery could expose some of its inner workings and the clients it sells this brand of malware to. NSO isn’t going to risk that. It makes more sense to let Facebook flail away ineffectively with a civil suit that will have absolutely no effect on its business model.

Filed Under: , , ,
Companies: facebook, nso group

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Malware Marketer NSO Group Looks Like It's Blowing Off Facebook's Lawsuit”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re: Re: Not a problematic expansion of the law.

Looking more closely, the story doesn’t actually say that they were attacking user accounts. It would make sense for Facebook to sue if they were. What it says is that they sent unwanted messages (malware) to a Facebook-provided account, and then it misrepresents that as an attack on Facebook. Facebook is the middleman; from what I can tell, nobody attacked any server or account provided by Facebook—only the non-FB-owned devices logging into those accounts.

Anonymous Coward says:

Re: Re: Re:3 Not a problematic expansion of the law.

By that logic, if you own a high-security apartment building, then someone breaking into one of the apartments and robbing it is none of your business

That analogy would work if someone came in and started picking the locks. But in this case, apparently, no accounts were broken into. They just received unwanted messages, sent in the usual way. That’s more like someone sending unwanted harassing mail to your tenant, which really is none of the landlord’s business.

Bergman (profile) says:

Re: Standing?

Suppose you are the landlord of an apartment building. You advertise that you have good security and residents will be safe there.

One day, someone breaks into and robs one of your tenant’s apartments. Your reputation for keeping your customers safe has been harmed by the robber’s actions, which are plainly illegal under the interpretation of the laws the government uses.

No direct harm is done to you, but your reputation takes a big hit as a result of the crime, which causes you financial harm — nobody wants to live in a high-security building with no ability to protect them. Shouldn’t you be able to sue the robber for that?

Qwertygiy says:

Re: Re: Standing?

Not completely applicable to this situation. Unauthorized entry into someone’s property (breaking and entering) is completely different than obtaining an authorized entry from someone else (identity theft).

A more apt comparison would be thus:

You own an apartment complex. It’s a fancy apartment complex; every apartment has its own mailbox for sending mail to the other apartments, and each mailbox can only be opened by the mailman or the owner of the mailbox. You’re quite proud of this system, because the mailman will throw out spam mail, or anything that doesn’t have the right sender address, and nobody can send any mail without his knowledge.

A scam artist rents an apartment there. They put a package in their mailbox. It’s properly labeled as from the scam artist, to another tenant. When the mailman opens the mailbox, nothing distinguishes it from any other normal package. It is thus delivered to the tenant by the mailman. But this package actually has a hidden camera inside it.

The tenant takes the package into their apartment, opens the package, and the hidden camera sends the scam artist a photograph of the tenant’s apartment key. The scam artist makes an identical copy of that key from the photograph, and while the tenant is out, the scam artist uses their new copy of the key to enter the tenant’s apartment and read their diary.

Nothing of yours has never been directly attacked. Your security mechanisms were never broken or used without authorization. The mailman did his job exactly the way you instructed him to, exactly as he did for every other apartment. The scam artist didn’t exploit any loophole in your instructions to the mailman. Neither the scam artist’s mailbox nor the tenant’s mailbox were opened by anyone you had not authorized to open them. Nor was there any way your security could have told the difference between the scam artist and the tenant wearing a brand new outfit.

But what Facebook is doing is trying to sue the scam artist for mailing the tenant a package with a hidden camera, saying that the act of mailing that package broke the law that says "no picking or breaking any locks installed by apartment building owners, and no interfering with their employees."

Replace "apartment" with "account", "mailman" with "direct messaging service", "package" with "message", "hidden camera" with "malware", "key" with "password", and that’s more or less what took place.

Anonymous Coward says:


If you are responsible for an action somewhere in American jurisdiction which violates an American law, it doesn’t matter where you are from, or where you were when you performed the action.

In this case, Facebook’s servers are in California. If a crime was committed against Facebook by someone sending malware through those servers, it took place in California.

If someone remotely hacks into Back of America’s computers in Chicago and steals a million dollars, is it no longer a crime that can be investigated and prosecuted by the Chicago P.D. or the FBI because the hacker has never left Russia? (Of course not. They’ll issue an international warrant for the hacker’s extradition to face justice in an American court, for violating American law, against an entity inside America.) It’s the same sort of situation.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...