WhatsApp just took a hard new line against the malware industry, suing notorious Israeli surveillance contractor NSO Group for attacks on more than a thousand of its users. The case could mark a turning point in Silicon Valley’s fight against private-sector espionage mercenaries. But before it can convince a court that NSO engaged in criminal hacking, WhatsApp may have to win a thorny legal argument—one that legal experts say could require some creative contortions.
On Tuesday afternoon, WhatsApp published a statement accusing NSO of targeting 1,400 of its users, including at least 100 members of “civil society” such as journalists and human-rights defenders, with malicious voice calls designed to infect targeted phones with malware and steal messages despite WhatsApp’s end-to-end encryption. Those numbers would represent a new scale for NSO, whose malware has already been linked to attacks against activists ranging from the now-imprisoned United Arab Emirates dissident Ahmed Mansoor to Mexican activists opposing a soda tax.
WhatsApp paired its statement with a lawsuit in a Ninth Circuit court, accusing NSO of violating the Computer Fraud and Abuse Act, as well as state-level charges including breach of contract and interfering with their property. The case represents a bold attempt to use the CFAA in an unusual way: to punish not just hackers who breach a company’s computers, but those who exploit its software to breach the computers of its users.
But some hacking-focused lawyers who have analyzed WhatsApp’s complaint warn that—noble as its attempt to slap back NSO and protect its users may be—its central argument may not fly in court.
That’s because, fundamentally, the CFAA outlaws so-called “unauthorized access,” explains Tor Ekeland, a well-known hacker defense attorney. To make that charge stick, WhatsApp will have to show that NSO obtained illegal access to WhatsApp’s own systems. Given that NSO’s targets were WhatsApp users rather than, say, WhatsApp’s servers, they’ll have to find an argument that they, as the plaintiff, were the victim. “The fundamental question is, what’s the unauthorized access?” says Ekeland. “You might be able to argue that NSO hacked WhatsApp and not just their users. Maybe they’re trying to make that argument. But they’re not being clear about it, and that lack of clarity is an attack vector for the defendant.”
WhatsApp’s most obvious unauthorized access argument relates to its terms of service, which prohibit reverse-engineering WhatsApp’s code, harming its users, or sending malware via WhatsApp. The company might argue that by agreeing to those terms of service and then violating them, NSO’s use of WhatsApp was unauthorized all along. The complaint appears to lay the groundwork for that case: It points out that NSO Group staff “created various WhatsApp accounts and agreed to the WhatsApp Terms.”
But that terms-of-service argument will be an uphill battle, says Ekeland. Terms of service have long been a controversial element of hacking cases, from the 2009 cyberbullying case of Lori Drew to the hacking charges against information freedom activist Aaron Swartz. And the Ninth Circuit in particular has set a clear precedent that terms-of-service violations alone don’t constitute unauthorized access. “A terms of service violation under the CFAA is a very thin reed to hang your case on,” Ekeland says.
WhatsApp parent company Facebook has sought out CFAA rulings against terms-of-service violators in the past. It sent a warning to a company called Power Ventures, which created its own user interface for Facebook and other social media sites, to stop violating its terms. It then sued under the CFAA only after the company persisted. In that instance, a judge ruled explicitly that Power Ventures had broken the CFAA—but that it wouldn’t have if Facebook hadn’t first told it to stop accessing its site.
“There’s a lot of precedent here with Facebook,” says Alex Stamos, former Facebook chief security officer. “If you use Facebook services in the way where you are knowingly violating terms of services, they can bar you from the service and call it a violation of the CFAA.”
