Winning the Fight Against Spyware Merchant NSO

Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.

As a reminder, six years ago, our engineers detected and stopped an attack by NSO using its spyware tool Pegasus to target over a thousand WhatsApp users, including human rights activists, journalists, diplomats and others in civil society. At the time, we worked with Citizen Lab to further investigate and alert the people who we believe were targeted – both so we could learn more about the attack and inform them about the steps they can take to secure their devices. 

Now, for the first time, this trial put spyware executives on the stand and exposed exactly how their surveillance-for-hire system – shrouded in so much secrecy – operates. Put simply, NSO’s Pegasus works to covertly compromise people’s phones with spyware capable of hoovering up information from any app installed on the device. Think anything from financial and location information to emails and text messages, or as NSO conceded: “every kind of user data on the phone.” It can even remotely activate the phone’s mic and camera – all without people’s knowledge, let alone authorization. 

This trial also revealed that WhatsApp was far from NSO’s only target. While we stopped the attack vector that exploited our calling system in 2019, Pegasus has had many other spyware installation methods to exploit other companies’ technologies to manipulate people’s devices into downloading malicious code and compromising their phones. NSO was forced to admit that it spends tens of millions of dollars annually to develop malware installation methods including through instant messaging, browsers, and operating systems, and that its spyware is capable of compromising iOS or Android devices to this day. 

Given how much information people access on their devices, including through private end–to-end encrypted apps like WhatsApp, Signal and others, we will continue going after spyware vendors indiscriminately targeting people around the world. These malicious technologies are a threat to the entire ecosystem and it’ll take all of us to defend against it. Today’s ruling shows spyware companies that their illegal actions against American technologies will not be tolerated.

In this specific case, we know we have a long road ahead to collect awarded damages from NSO and we plan to do so. Ultimately, we would like to make a donation to digital rights organizations that are working to defend people against such attacks around the world. Our next step is to secure a court order to prevent NSO from ever targeting WhatsApp again.

As always, we encourage security researchers to report security bugs through our Bug Bounty program so we can work together to quickly resolve them and protect our users.

Finally, we’re publishing (unofficial) transcripts of deposition videos that were shown in open court so that these records are available to researchers and journalists studying these threats and working to protect the public. We intend to add official court transcripts once they become available.

The post Winning the Fight Against Spyware Merchant NSO appeared first on Meta | Social Technology Company.