WhatsApp sues NSO Group: is this what it takes to hold surveillance tech to account?

Photo: Lucas Gallone/Unsplash

There’s been widespread coverage of the news that Whatsapp is suing NSO Group – an Israeli surveillance company – because of a cyberattack exploiting a vulnerability in Whatsapp . There was a pattern to the attack, the lawsuit shows, in that it targeted at least 100 human-rights defenders, journalists and other members of civil society across the world. NSO has vigorously denied the allegations.

One technology company suing another because of attacks on human rights defenders is new - but allegations that NSO Groups’ technology is being used like this are not:

  • In 2019, Maati Monjib, an activist, and Abdessadak Ek Bouchattaoui, a human rights lawyer representing protesters in Morocco, were allegedly targeted through the use of NSO Group's Pegasus software in 2019.  The Business and Human Rights Resource Centre (BHRRC) raised the allegation with NSO who in response promised to investigate.
  • In 2018, it was reported that NSO Group provided the Saudi government with the software that allowed it to spy on conversations of Mr. Abdulaziz with the prominent journalist Jamal Khashoggi before his killing.
  • In 2017, reports documented that journalists and human rights defenders denouncing forced disappearances and sexual abuses were spied upon by the Mexican government using NSO Group software. The company responded to BHRRC’s invitation to comment, arguing that the software was meant to only be used against drug cartels or terrorist groups.

Privacy and expression are inseparable in the digital age - online privacy is necessary to exercise freedom of opinion and expression. On the flipside, interference with privacy can enable targeting and physical attacks. After journalist Jamal Khashoggi was killed in October 2018 in the Saudi consulate in Istanbul, a lawsuit filed by his friend and colleague Mr. Abdulaziz claimed that in the months before the killing, the royal court had access to Mr. Khashoggi’s communications because of the NSO spyware on Mr. Abdulaziz’s phone. While this was denied by the Saudi Government, many Western intelligence agencies concluded the killing was orchestrated by Saudi’s royal court.

One technology company suing another because of attacks on human rights defenders is new - but allegations that NSO Groups’ technology is being used like this are not.

This attack fits into a wider trend of attacks on human rights defenders and civic freedoms that BHRRC has been tracking for the past 4 years. We have registered over 2000 attacks since 2015 linked to activists raising human rights and environmental concerns about companies from all sectors. Defenders are killed, injured and threatened because of their work, they are also increasingly subject to judicial attacks, including Strategic Lawsuits Against Public Participation (SLAPPs).

Digital attacks are often a precursor to physical ones: this includes surveillance, interception of emails, voice calls and online messaging, but also online stigmatization campaigns and hacking websites to control information and spread misinformation. There are companies who, like NSO, build and profit from technology which gets used in this way.

When technology is used to orchestrate attacks and stigmatization of defenders and journalists, through tracking their movements and conversations, individuals rights and freedoms are at risk. But it also threatens the future of open democratic societies and responsible businesses, neither of which can function properly without defenders being able to hold governments and companies to account.

NSO Group have begun to react to sustained public exposure and criticism by releasing human rights and whistleblower policies in summer 2019. The UN Special Rapporteur on Freedom of Expression has raised several concerns around the substance of these policies.

Some investors, again in the context of concerns being raised by civil society, have begun to react. Blackstone Group, a private equity firm, pulled out of a deal to buy NSO Group amidst public criticism and engagement from pension funds.

However, there is too little being done to regulate a surveillance technology sector shrouded in secrecy and whose products can be used to such devastating ends.

The United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, has made clear that surveillance companies have human rights responsibilities. The Special Rapporteur has said that “…it is essential that companies  immediately cease the sale and transfer of and support for such technologies, until they have provided convincing evidence that they have adopted sufficient measures concerning due diligence, transparency and accountability…”

Certainly, it’s positive that with Whatsapp’s lawsuit there is some legal scrutiny being brought to such egregious allegations of abuse linked to NSO Group’s products. But we cannot depend on tech companies to police the surveillance industry. Governments everywhere need to understand the full extent of damage to people and our democracies from the misuse of this technology. Laws to insist these companies conduct the strictest due diligence and risk management before any export would be a first step. Exports without this should be outlawed and become a criminal liability for reckless companies.