New Suit Against Spyware-Maker Demonstrates One Company’s Offensive Strategy Against Cyber Attacks
November 5, 2019
On October 29, 2019, Facebook Inc. (Facebook), owner of the WhatsApp messaging service, filed a lawsuit against the Israel-based NSO Group (NSO), alleging that the spyware-maker unlawfully hacked nearly 1,400 WhatsApp users’ phones to surveil their encrypted communications. NSO—whose customers include government agencies as well as private companies—makes Pegasus, a remotely installed surveillance product that can access and control information on mobile devices. Facebook is seeking a permanent injunction banning NSO from using WhatsApp, as well as damages and a declaratory judgment that NSO violated federal and state law.
With nearly 1.5 billion users in 180 countries, WhatsApp is one of the most popular messaging apps deploying “end-to-end encryption,” which is designed to ensure that only the sender and recipient can decrypt and read messages. But in May 2019, the Financial Times reported that NSO had successfully installed malware on certain WhatsApp users’ devices, potentially allowing NSO to access the decrypted communications on those devices. Upon discovering the hack, WhatsApp issued notifications to its users and announced that it had added additional protections to its systems.
Facebook’s complaint alleges NSO set up WhatsApp accounts to “initiate calls” that were “designed to secretly inject malicious code” into users’ phones. Once a phone was infected, NSO was able to download and install additional malware on it to gain access to user data and communications. According to the complaint, NSO allegedly targeted attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials in the Kingdom of Bahrain, the United Arab Emirates, Mexico, and other countries.
The complaint alleges violations of the Computer Fraud and Abuse Act (“CFAA,” 18 U.S.C. § 1030) and the California Comprehensive Computer Data Access and Fraud Act (“CDAFA,” California Penal Code § 502), as well as the WhatsApp Terms of Service. Facebook is seeking damages and a declaratory judgment that NSO’s actions violated the law and that it should be banned from using WhatsApp.
Facebook’s complaint is the most significant example yet in an emerging trend of companies using legal process to go on the offensive to protect against threats to user privacy and product security. In May 2017, LinkedIn Corp. (LinkedIn) sent a cease-and-desist letter to hiQ Labs (hiQ), a web analytics company that harvests or “scrapes” user data from publicly available LinkedIn profiles. HiQ packages and sells LinkedIn user information to employers so they can better understand which of their current employees might be recruited to other companies. In the letter, LinkedIn demanded that hiQ stop copying data from its servers, which LinkedIn believed violated the CFAA. In response, hiQ sought a preliminary injunction and a declaratory judgment preventing LinkedIn from impeding hiQ’s access to LinkedIn’s data. Ruling in September, the Ninth Circuit rejected LinkedIn’s argument, noting that LinkedIn’s data was publicly available.
Another example is Ticketmaster LLC’s (Ticketmaster) recent attempts to harness available legal avenues to crack down on unauthorized computer bots that purchase mass quantities of tickets in order to resell them on the secondary market. Ticketmaster’s complaint, filed in February 2018, alleged 13 causes of action, including under the CFAA, CDAFA, Copyright Act, and other state laws. The suit settled in July.
The Facebook suit against NSO is a significant development and could be a sign of things to come with other technology firms going on offense to address perceived misuse of their products, services, and data. Companies seeking to protect their sensitive data—and that of their customers and employees—should be aware that communications and information, even if encrypted, may be vulnerable to advanced hacking capabilities. In addition to appropriate security measures, companies may also consider using legal process to combat the activities of hackers and third parties.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O’Melveny partner licensed to practice law in the District of Columbia, Lisa Monaco, an O’Melveny partner licensed to practice law in New York, John Dermody, an O’Melveny counsel licensed to practice law in California, Kristin R. Marshall, an O’Melveny associate licensed to practice law in the District of Columbia and Missouri, and Evan N. Schlom, an O’Melveny associate licensed to practice law in California and the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2019 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.