The WhatsApp-NSO Group Lawsuit and the Limits of Lawful Hacking

On Oct. 29, WhatsApp sued the Israeli cybersecurity company NSO Group for installing surveillance malware on the phones of more than a thousand WhatsApp users, including journalists and human rights activists. (The WhatsApp vulnerability that NSO Group exploited was publicly reported in May 2019 and patched shortly thereafter.) WhatsApp sued primarily under the Computer Fraud and Abuse Act (CFAA), the main federal law criminalizing computer hacking, which also permits private lawsuits.

The complaint is notable for what it doesn’t include: the identity of the “customers” on whose behalf NSO Group installed the malware. But it’s pretty easy to figure out. NSO Group’s website advertises its product as meant to help “government agencies prevent and investigate terrorism and crime.” Previous reporting has tied NSO Group malware to human rights abuses around the world—most notably the murder of journalist Jamal Khashoggi, though NSO Group denies that its software was involved in the killing. Lawfare has previously covered how tools made by NSO Group (and similar companies such as FinFisher and Hacking Team) enable human rights violations by repressive regimes.

When malware is used to violate human rights, it’s laudable for companies to do whatever they can, including filing civil CFAA suits and taking similar legal actions, to stop others from exploiting vulnerabilities in their software. At the same time, the implications of WhatsApp’s lawsuit go beyond the misuse of malware. If the suit is the beginning of a trend, it may ultimately make it harder for governments to use malware responsibly in pursuit of legitimate public safety and national security objectives.

In the debate over law enforcement access to encrypted data, “lawful hacking” has emerged as a promising path forward. Law enforcement needs access to encrypted data to carry out its public safety mission, but the broader importance of secure encryption to information security makes installing “backdoors” potentially too risky. Lawful hacking, by which governments would exploit existing vulnerabilities without requiring companies to create new ones, is one (albeit imperfect) way to address this problem.

Although governments themselves discover many of the vulnerabilities they use, they also rely heavily on a “gray market” in cyber vulnerabilities. When the FBI attempted to force Apple to unlock the iPhone of one of the San Bernardino shooters, what ended the standoff was help provided to the bureau from anonymous professional hackers. Likewise, the NSO Group malware at issue in WhatsApp’s lawsuit has also been used in high-profile law enforcement operations, most notably in the 2016 capture of Mexican drug lord El Chapo.

In suing NSO Group, WhatsApp is sending a signal that it will not tolerate the further development of lawful hacking. As WhatsApp head Will Cathcart wrote in a Washington Post op-ed accompanying the lawsuit, “[C]ompanies simply should not launch cyberattacks against other companies. Responsible actors report vulnerabilities when they are found; they do not use their technology to exploit those vulnerabilities. Likewise, companies should not sell services to others engaged in such attacks.” Cathcart also backed the recommendation of U.N. Special Rapporteur David Kaye for “an immediate moratorium on the sale, transfer and use of dangerous spyware.” Notably, Cathcart’s position does not distinguish between lawful hacking that abuses human rights and lawful hacking for legitimate law enforcement purposes.

Lawsuits like WhatsApp’s similarly don’t distinguish between these two ends. The company has framed its lawsuit in the context of human rights abuses, but the implications are far wider. Although the CFAA does not apply to “lawfully authorized investigative, protective, or intelligence activity” by the government, there is no exception for private actors, like the cybersecurity companies that find vulnerabilities and sell them—or malware based on them—to the government. If suits like WhatsApp’s become common, the market in cyber vulnerabilities could dry up, shifting the burden to governments to discover vulnerabilities and increasing the costs of lawful hacking.

This is not to say that WhatsApp isn’t ultimately making the right decision with this lawsuit, or that it and other technology companies shouldn’t use the law more aggressively to protect their systems. Whether the law enforcement and national security benefits of lawful hacking outweigh its costs is a tricky question, and I’ve always been somewhat skeptical that lawful hacking is sustainable in the long term. As I’ve written previously, “[I]ncreased reliance on lawful hacking would clearly incentivize the government to horde, rather than disclose, vulnerabilities,” thus leading to less overall information security. Lawful hacking will also further harm relations between the government and the technology sector: “Lawful hacking incentivizes each side to be suspicious of the other: the technology industry will (rightly) think that the government is secretly trying to undermine the security of its products, and the government will (rightly) think that the technology industry is not a partner but rather a target.”

Lawful hacking has been one of the few options available for governments to access encrypted data without creating new cybersecurity risks. WhatsApp’s lawsuit suggests that this option will become an increasingly fragile one.