NSO Fires Back At Facebook, Says It's Not Responsible For Malware Deployments By Foreign Governments
from the fair-point-but-doesn't-really-make-NSO-Group-look-any-better dept
NSO Group has finally decided to engage in the lawsuit Facebook filed against it late last year. The Israeli surveillance tech company has shown itself to be pretty cavalier about its market expansion plans. Despite being located in a country surrounded by unfriendly governments, NSO is more than willing to give Israel’s enemies something to use against it. Its client list includes Saudi Arabia, United Arab Emirates, Bahrain, and Kazakhstan.
Facebook’s lawsuit is questionable and if it wins, it would cause a lot of damage. Facebook is unhappy NSO software uses WhatsApp to deliver malware payloads to targets. But seeking precedent that would criminalize terms of service violations isn’t going to help anyone, much less stop NSO from using encrypted messaging apps as attack vectors.
NSO is now firing back. And it makes a point that’s true, if not all that sympathetic. It is not its customers. Much like the gun dealer who sells the gun eventually used in a mass shooting, NSO’s sales of malware to governments that use them in questionable ways isn’t really NSO’s fault. It may have provided the surveillance tech, but it is not telling governments who to target or participating in the surveillance directly.
In its first substantive legal filing in the case, filed last week, NSO hit back at WhatsApp and its parent company, Facebook, which it said were seen by governments as “safe spaces for terrorists and other criminals” who – without NSO’s services – could operate “without fear of detection by law enforcement”.
NSO Group also argued that WhatsApp had “conflated” NSO Group’s actions with the actions of NSO’s “sovereign customers”. While NSO Group licenses its signature spying technology, Pegasus, to government law enforcement and intelligence agencies and assists with “training, setup, and installation”, it said it did not operate the technology.
This is NSO arguing it cannot be held responsible for the actions of others. If Facebook doesn’t like what these governments are doing with NSO’s tech, it’s welcome to sue those governments directly. Not that those lawsuits would succeed. We’re not the only nation that extends sovereign immunity to government agencies. That’s standard operating procedure around the world. This is what NSO is hoping will convince the court to toss the suit.
“For that reason,” the company said in the filing, “permitting this litigation to proceed would infringe critical national security and foreign policy concerns of sovereign governments”.
NSO is also fighting back with a little dirt of its own. Long before it was sued by Facebook, it spent a little time discussing its spyware with the company.
In October 2017, NSO was approached by two Facebook representatives who asked to purchase the right to use certain capabilities of Pegasus, the same NSO software discussed in Plaintiffs’ Complaint.
The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices. The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users. Facebook proposed to pay NSO a monthly fee for each Onavo Protect user.
Onavo was Facebook’s VPN — one that had little to do with offering privacy to its users. It may have shielded them from others attempting to take a look at their web traffic, but it didn’t do anything to prevent Facebook from collecting tons of data on users, which included a whole lot of minors. It was booted from Apple’s App Store in 2018 for hoovering up too much sensitive data. Roughly six months later, Facebook killed the faux VPN for good.
Facebook claims this is an “inaccurate” portrayal of its meeting with NSO, but it’s not like Facebook has much credibility on the privacy front. Its thirst for data has been unquenchable and its mitigation attempts have been provoked by Congressional inquiries and years of work by privacy activists. It hasn’t suddenly become altruistic.
Facebook is right to be concerned about the use of WhatsApp to spread malware. But this lawsuit that attempts to use the already badly-abused CFAA to cover things Facebook doesn’t like other people doing is going to cause collateral damage to researchers and journalists, rather than prevent NSO from selling WhatsApp-exploiting malware to government agencies.