On May 13, WhatsApp users in multiple countries were targeted with malicious software developed by the Israeli company NSO Group and deployed by governments that had purchased the software.
The software appears to have taken advantage of a technical flaw in WhatsApp that has since been repaired. The attacks were uniquely malicious because of the ease with which they could infect a person’s device — by simply receiving a call or message, a user could unknowingly enable the software to install itself on their device, giving attackers broad access to their private communications and activities.
NSO Group is the creator of the notorious spyware Pegasus, which the company exclusively sells to governments, typically making contracts with law enforcement and intelligence agencies. Once installed, the software ostensibly allows the attacker to see and document everything that victims do and say on their devices, capturing messages, location and many other pieces of data. It has been linked to attacks on activists and journalists in Mexico, Saudi Arabia and the UAE, where it was found on a device belonging to now-jailed human rights defender Ahmed Mansoor.
In response to this and other attacks that have been documented in recent years by advocacy and tech research groups including The Citizen Lab at the University of Toronto and Amnesty International, the Bernstein Institute for Human Rights at New York University and Global Justice Clinic are taking legal action in an effort to stop the company from selling this type of software. They have filed a legal challenge demanding that Israel’s Ministry of Defence revoke the export license of NSO Group.
Their petition argues that NSO Group is violating international human rights law by allowing governments to target human rights activists, as opposed to aiding them solely in “fighting crime and terror,” as dictated by their licensing agreement.
NSO Group is also facing lawsuits filed by individuals accusing the company of helping the governments of Mexico and the United Arab Emirates to surveil members of civil society. Late last year, a Canada-based Saudi dissident filed another lawsuit, alleging that the software had allowed Saudi authorities to snoop on his communications with journalist Jamal Khashoggi in the lead-up to Khashoggi’s October 2018 murder at the Saudi embassy in Istanbul.
Safety tips: How to protect your device and update your WhatsApp