WhatsApp Claims That an Israeli Tech Firm’s Spyware Targeted Human-Rights Activists and Journalists

According to a lawsuit announced on Tuesday, the Israeli spyware-maker NSO Group developed malware specifically to access WhatsApp communications. Photograph by Daniella Cheslow / AP

By  - TNY - 29. October 2019

This spring, a team of engineers at WhatsApp detected a series of suspicious calls on the messaging service’s networks, many of them emanating from phone numbers in Sweden, the Netherlands, Israel, and other countries. At first, WhatsApp wasn’t sure what was happening. Then the engineers, working with their counterparts at Facebook, which owns WhatsApp, realized that the voice and video calls were somehow infecting targeted phones with advanced spyware, using a penetration method that the company had never encountered before. Most disturbing to the investigators was that it appeared many of the targeted phones became infected whether the calls were answered or not—what’s known as a zero-click vulnerability.

The malware then instructed the targeted phones to upload their content to servers owned by Amazon Web Services and other companies, where the stolen data was stored and could be accessed by the intruders. After the malware was loaded on some of the targeted phones, the call logs were wiped. Victims who heard their phones ringing overnight found no evidence of the calls in the morning.

On May 13th, WhatsApp announced that it had discovered the vulnerability. In a statement, the company said that the spyware appeared to be the work of a commercial entity, but it did not identify the perpetrator by name. WhatsApp patched the vulnerability and, as part of its investigation, identified more than fourteen hundred phone numbers that the malware had targeted. In most cases, WhatsApp had no idea whom the numbers belonged to, because of the company’s privacy and data-retention rules. So WhatsApp gave the list of phone numbers to the Citizen Lab, a research laboratory at the University of Toronto’s Munk School of Global Affairs, where a team of cyber experts tried to determine whether any of the numbers belonged to civil-society members.

On Tuesday, WhatsApp took the extraordinary step of announcing that it had traced the malware back to NSO Group, a spyware-maker based in Israel, and filed a lawsuit against the company—and also its parent, Q Cyber Technologies—in a Northern California court, accusing it of “unlawful access and use” of WhatsApp computers. According to the lawsuit, NSO Group developed the malware in order to access messages and other communications after they were decrypted on targeted devices, allowing intruders to bypass WhatsApp’s encryption.

The lawsuit also details how NSO Group may have planned the attack, noting that the company had created a series of WhatsApp accounts that were used to initiate the calls which injected the spyware onto the victims’ phones. An NSO Group employee appeared to reach out directly to someone involved in patching the WhatsApp vulnerability after it was disclosed, writing, “You just closed our biggest remote for cellular. . . . It’s on the news all over the world,” according to the lawsuit.

NSO Group said in a statement in response to the lawsuit, “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists.” In September, NSO Group announced the appointment of new, high-profile advisers, including Tom Ridge, the first U.S. Secretary of Homeland Security, in an effort to improve its global image.

In a statement to its users on Tuesday, WhatsApp said, “There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world. Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders.”

The Citizen Lab’s investigation into the identities of the victims is ongoing. So far, the university laboratory said that the attacks targeted at least a hundred members of civil society in at least twenty countries. The list of targets includes prominent religious leaders of multiple faiths, well-known journalists and television personalities, and human-rights activists and human-rights lawyers. John Scott-Railton, a senior researcher at the Citizen Lab, said, “It is the largest attack on civil society that we know of using this kind of vulnerability.” He added that the Citizen Lab is not releasing the names of the victims at this time, because of confidentiality restrictions.

In addition to targeting civil-society members, the malware was used against diplomats and foreign government officials, presumably by NSO Group’s customers, which include law-enforcement and intelligence agencies.

This piece has been updated to include a comment from NSO Group.

(*) Author:

  • Adam Entous is a staff writer at The New Yorker


True Human Rights Defenders and Environmental Acticists should not use WhatsApp, Telegram or Signal, but TOX or BRIAR.


UK rights advocate co-owns Israeli spyware firm


Why India wants to track WhatsApp messages

  • 30 October 2019


Privacy activists are worried that the new rules could be misused to curb free speech - Image copyright Getty Images 

India's plan to mandate the monitoring, interception and tracing of messages on social media has alarmed users and privacy activists - as well as the companies running the platforms. Prasanto K Roy looks at the potential impact of such a move.

The country's information technology ministry will publish, by January 2020, a new set of rules for intermediaries: platforms that allow people to send, or share, messages. It is a sweeping term, which also includes e-commerce and many other types of apps and websites.

The move is in response to an explosion of fake news that has caused mob violence and led to more than 40 deaths in 2017 and 2018. Most frequent were rumours about child kidnappers, circulated on WhatsApp and other platforms. Those messages, with no basis in fact, caused mobs to lynch innocent passers-by.

Such "forwards" spread to tens of thousands of users in hours, and became nearly impossible to counter once they had spread.

In one example in 2018, the victim of mob violence was a man who had been employed by government officials to go around villages with a loudspeaker and tell locals not to believe rumours being spread on social media.

There are more than 50 documented cases of mob violence triggered by misinformation spread over social media in India in the last two years. Many platforms, including Facebook, YouTube, and Sharechat, a vernacular language social media start-up and app, play a role.

But the Facebook-owned WhatsApp is by far the most popular of the platforms. With India accounting for 400 million of its global base of 1.5 billion users, it ends up being the focus of discussions on the spread of misinformation.

After a spate of rumour-driven mob violence in 2018, the government had asked WhatsApp to help halt the spread of "irresponsible and explosive messages" on its platform. The platform took several steps, including limiting the number of forwards allowed to five at a time, and putting a "forwarded" tag on those messages.

Not enough, said the government, which now wants WhatsApp to use automated tools to monitor messages, as China does, to take down specific messages. It also wants the company to trace and report the original sender of a message or video.

India's attorney general has told the Supreme Court in a related case that social media companies had "no business to enter the country and carry on if they can't decrypt information for investigative agencies, in cases of sedition and pornography, among other crimes".

"See, they [social media companies] have even gone to court to stop us," a government official told me off the record.

He added that online surveillance in China is far deeper and more sweeping. He is right about that: on its popular WeChat platform, messages famously disappear if they contain banned words.

The India WhatsApp video driving people to murder - BBC News


(Sign in! reguired)India 'Whatsapp murders'- Phone rumours spark frenzied mobs | Al Jazeera English

WhatsApp says the steps it has taken are working.

The labels and limits have reduced the number of forwarded messages on the platform by 25%, a spokesperson said. She added that the company actively bans two million accounts a month for "engaging in bulk or automated messaging", and runs a big public education campaign that has reached hundreds of millions of Indians.

Meanwhile, privacy activists are most worried about the demands to "trace" the original sender of a message.

The government says it wants to trace messages that cause violence and deaths, but activists fear it will then track down critics, with a chilling effect on free speech.

This is no unfounded worry, given the spate of cases where those criticising government actions, such as its crackdown in Kashmir last August, or those writing a letter of protest to the prime minister, end up facing a sedition charge.

"What [they want] is not possible today, given the end-to-end encryption we use," says Carl Woog, WhatsApp's global head of communications, told journalists in Delhi in February.

"It would require us to re-architect WhatsApp, leading us to a different product, one that would not be fundamentally private. Imagine if every message you sent was kept with a record of your phone number. That would not be a place for private communications."


The new rules could have sweeping effects on various platforms - copyright Getty Images

Since 2011, India's laws have allowed platforms some safe harbour. A phone company cannot be held responsible for what its customers discuss over its phone lines; nor an email provider for the content of emails a person sends to another.

As long as the company complies with laws, such as sharing phone records on demand with the authorities, it is safe from legal action. The new proposed rules will make conditions for such safe harbour tougher.

Complying with the proposed rules would weaken the apps or platforms globally, given the difficulties of maintaining different apps for different countries.

And that's not the only problem. The draft rules demand a local India office for any platform which has more than five million users in India. This is ostensibly to find someone to hold accountable when there's a problem.


WhatsApp says its steps to combat the spread of rumours is working. copyright Getty Images

But India's technology laws define intermediary in a sweeping manner, spanning any platform used to share information.

So all of this would end up affecting others too: Wikipedia being an example of a platform that might have to shut down access to Indians, if such a law is enforced. It's also not clear what would be done if a messaging platform, such as the increasingly popular Signal or Telegram, did not comply with this rule.

It's likely that internet service providers would then be directed to shut down access to them.

While privacy activists have taken a hard stance against the contentious provisions - monitoring and traceability - public policy professionals say the government is keener to find a solution than to shut down or seriously disrupt platforms.

"They all use WhatsApp: bureaucrats, politicians, cops," the India policy head of a global tech company told me. "No one wants to shut it down. They just need to see WhatsApp taking more serious steps to tackle a real, serious problem."

Like many others, though, he wasn't able to spell out what those steps should be.

Prasanto K Roy (@prasanto) is a technology writer

If We're Going to Break Up Big Tech, We Shouldn’t Forget Big Telecom

Senator Elizabeth Warren proposed breaking up tech giants Facebook, Google, and Amazon on Friday—but big telecom is in dire need of the same treatment.

By Karl Bode - 09. March 2019

See the source image


On Friday, Democratic Senator Elizabeth Warren proposed breaking up Google, Amazon, and Facebook in a bid to crack down on anti-competitive tech giants. The proposal, which suggests ramping up antitrust enforcement and unwinding the sector’s most problematic mergers, is poised to be a cornerstone of Warren’s 2020 presidential campaign.

Facebook has received well-deserved criticism for its role in spreading propaganda and the Cambridge Analytica fracas. Facebook privacy scandals are so common lately that users barely have time to digest one screw-up before another pops up. Google has similarly come under fire for the way its domination of online advertising has threatened the sustainability and income of smaller news operations. Amazon is enacting a plan to monopolize not just internet retail, but the cloud computing and transit systems that power online commerce itself.

“Today’s big tech companies have too much power — too much power over our economy, our society, and our democracy,” Warren said. “They’ve bulldozed competition, used our private information for profit, and tilted the playing field against everyone else. And in the process, they have hurt small businesses and stifled innovation.”

The attention Warren’s proposal gives to breaking up big tech is welcome, and warranted, but it omits another major sector that is equally deserving of—and long overdue for—the same treatment: big telecom.

In recent years, telecom giants like Verizon have been repeatedly caught covertly spying on customers and selling your private location data to a long chain of dubious middlemen, often with little oversight. Giant ISPs often help scammers rip off their own customers, earning them the worst customer satisfaction ratings of any business sector in America. 

Telecom presents a unique problem in tech. ISPs like Comcast and AT&T not only enjoy vast media and broadcast empires, but a clear monopoly over access to the internet itself thanks to limited broadband competition.

This domination of both the conduit and the content creates unique anti-competitive opportunities ISPs are starting to exploit in a variety of sneaky ways. For example, telecom giants convinced the FCC in 2017 to neuter itself at lobbyists’ behest, demolishing numerous widely popular consumer protections like net neutrality along the way. 

These massive providers are also fused to the United States intelligence apparatus, making them the personification of “too big to fail.” Verizon and AT&T are so politically powerful, when they were caught wholesale spying on American citizens without warrants on behalf of the NSA, they were able to have the laws changed to provide them retroactive immunity from liability. 

These same ISPs now hope to expand into the online ad space in the wake of numerous acquisitions, ranging from Comcast’s 2011 merger with NBC, to AT&T’s recent acquisition of Time Warner. As such, it only makes sense to see them as integral components of any meaningful conversation about monopoly power in the US. 

Telecom is often forgotten in the midst of our collective outrage over the latest Facebook scandal. Users routinely can be found deleting the Facebook app to “secure their privacy,” yet remain oblivious to the perils of using a spyware-laden stock handset on incumbent wireless networks that track and monetize your daily habits in often staggering detail.

Yet the telecom industry is only mentioned by Warren in passing as an example of “days gone by” monopoly power.

“A century ago, in the Gilded Age, waves of mergers led to the creation of some of the biggest companies in American history — from Standard Oil and JPMorgan to the railroads and AT&T,” Warren said. “In response to the rise of these ‘trusts,’ Republican and Democratic reformers pushed for antitrust laws to break up these conglomerations of power to ensure competition.”

While that is true, in the years since lobbyists have slowly eroded not only regulatory oversight of giant ISPs, but the antitrust authority that’s supposed to act as a last line of defense against monopoly power.

Read More: Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years

That was made very clear recently when the DOJ face planted during its attempt to stop AT&T’s $86 billion merger with Time Warner, a deal that resulted in higher rates for both consumers and competitors within weeks of closing. Trapped by tightening legal restrictions, government antitrust lawyers are often incapable of proving even the most obvious of harms.

When asked for comment by Motherboard, Senator Warren’s office stated that addressing telecom’s monopoly problems remains a priority. Telecom has been specifically singled out in past speeches by the Presidential candidate.

Much of what Warren proposes—like greater scrutiny of big mergers—would help rein in the telecom sector as well. But activists note that as a uniquely potent threat to the internet, telecom deserves specific scrutiny in any conversation about America’s monopoly problems.

“We can, and must, walk and chew gum at the same time,” Evan Greer, Deputy Director of consumer group Fight For the Future told Motherboard in an email. 

Greer pointed out that while the telecom sector and Silicon Valley giants used to be heated adversaries in the early quest for net neutrality, more recently they’ve been working in concert to derail meaningful privacy laws as both sectors look to dominate online advertising with minimal oversight.

“These industries have often tried to snipe at each other in their public relations efforts to take attention off their own bad practices, but the reality is that monopoly power and centralization of both big telecom and big tech pose a significant threat to our most basic rights in the digital age,” Greer said.

Michael Powell, former FCC boss turned top cable lobbyist, has spent much of the last two years urging government to regulate the “big tech” companies his clients want to compete with in the online ad space--while eliminating oversight of his own monopoly clients.

“For years, big tech companies have been extinguishing competitive threats by buying or crushing promising new technologies just as they were emerging,” Powell told attendees of a telecom sector event last year, lamenting how Silicon Valley giants also avoid meaningful competition by simply buying their competitors.

The telecom industry routinely engages in this exact behaviour. As attention has fixated on the perils of social media and big tech mergers, wave upon wave of anti-competitive, price-hiking telecom mergers have sailed through the bipartisan approval process. A few examples:Comcast’s superunion with NBC, Spectrum’s acquisition of Time Warner Cable, AT&T’s acquisition of DirecTV, or T-Mobile’s looming merger with Sprint.

Consolidated and largely unsupervised, these telecom giants have open runway to behave anti-competitively for the foreseeable future. Killing net neutrality was just one small part of a much bigger plan to gut FCC oversight of ISPs, shuffling any remaining oversight to an FTC that critics say lacks the authority or resources to properly police them. 

None of this is to downplay the negative repercussions that Facebook, Google, and Amazon’s unchecked power has had on numerous sectors. But if a healthy, democratic internet is truly the goal, tackling the worst habits of both “big telecom” and “big tech” simultaneously is going to prove essential in the years and decades to come.

Read More: US Courts Just Greenlit AT&T’s Anti-Competitive Ambition for Decades to Come