WhatsApp v. NSO Group
Reuters (via Hacker News, Court Listener):
A U.S. judge ruled on Friday in favor of Meta Platforms’ WhatsApp in a lawsuit accusing Israel’s NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.
[…]
WhatsApp in 2019 sued NSO seeking an injunction and damages, accusing it of accessing WhatsApp servers without permission six months earlier to install the Pegasus software on victims’ mobile devices. The lawsuit alleged the intrusion allowed the surveillance of 1,400 people, including journalists, human rights activists and dissidents.
kdbg:
I’m not a lawyer so maybe I’m misunderstanding something but the plaintiff is WhatsApp, not the journalists. This isn’t really about holding NSO Group accountable for hacking journalists at all. The fact journalists were compromised seems only incidental, the ruling is about whether or not NSO Group “exceeded authorization” on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims and not whether they were unauthorized in accessing the victims.
[…]
Adding a little more detail that comes from the prior dockets and isn’t in the judgement directly but basically NSO Group scripted up a fake WhatsApp client that could send messages that the original application wouldn’t be able to send. They use this fake client to send some messages that the original application wouldn’t be able to send which provide information about the target users’ device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms) they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I’m the only person here who has ever made an alternative client for something before.
WhatsApp (that I recall) does not claim that the fake client abused any vulnerabilities to get information, just that it was a fake client and that was sufficient.
I guess the vulnerabilities they exploited were in the operating systems, not in WhatsApp, but Apple withdrew its suit against NSO Group.
See also: Nick Heer.
In other news about old lawsuits, I just received my small settlement checks from Peters v. Apple and Equifax.
Update (2025-01-09): Tim Cushing (Slashdot):
The win here is limited. And while it does seem to expand the definition of unauthorized access that has so often been a problem in CFAA cases, it only does so because NSO refused to make the source code available to WhatsApp, which means the court has to assume WhatsApp’s allegations are true because NSO is unwilling to prove them false.
1 Comment
Reading the order, my impression is that the judge did not rule that the NSO Group violated the CFAA, or any other law, but instead granted a summary judgment because they repeatedly failed to follow court orders, and failed to provide evidence for their claims.
So the actual underlying dispute was not resolved.