Tuesday, December 24, 2024

Catching Pegasus: Mercenary Spyware and the Liability of the NSO Group


December 24, 2024
FacebookTwitter


The NSO Group, Israel’s darling of malware infection and surveillance for the global security market, was the brainchild of three engineers drawn from that busiest of cyber outfits in the Israeli Defense Forces known as Unit 8200.  Niv Carmi, Shalev Hulio and Omri Lavie, have certainly made an impression since they founded their technology company in 2010.

The unmistakable impression from the group is its dazzling amorality.  There is literally no government it will not add to its lists for supply, no wallet it will not empty with satisfaction.  The jewel in the supply chain has, for the most part, been its Pegasus spyware, which NSO claims is used exclusively to “investigate terrorism and crime”.

Despite such a lofty assertion, this dainty infectious number has found its way into the surveillance armoury of various states and clients who regard human rights defenders, journalists and dissidents as worthy of targeting.  Most notoriously, it was taken up by the Kingdom of Saudi Arabia, which used it to eavesdrop on calls between the late dissident Saudi journalist Jamal Khashoggi and Omar Abdulaziz, another figure who had earned the ire of the Kingdom.  In October 2018, Khashoggi blithely walked into the Saudi consulate in Istanbul, only to be carved up by a death squad on the orders of Saudi Arabia’s Crown Prince Mohammed bin Salman.  Abdulaziz subsequently gathered a legal team claiming that the hacking of his phone “contributed in a significant manner to the decision to murder Mr Khashoggi.”

In July 2021, the Pegasus Project, a collaborative effort involving over 80 journalists from 17 media organisations and civil society groups steered by Forbidden Stories with technical assistance from Amnesty International’s Security Lab, displayed much of the dirty laundry of NSO.  Some 50,000 phone numbers deemed interesting to various governments had appeared on a list of hackable targets.  Pegasus had been the key to open the lock.

On December 20, the most significant legal decision to date regarding NSO’s conduct was handed down by Senior District Judge Phyllis J. Hamilton of the US District Court for the Northern District of California.  Her judgment concerned WhatsApp’s legal suit filed in 2019 against the NSO Group, alleging that Pegasus had been installed on approximately 1,400 mobile phones and devices owned by journalists, activists and diplomats to conduct surveillance upon them.  In so doing, WhatsApp alleged that NSO had breached both the federal Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act.  After five years, the case took an interesting turn with a move by WhatsApp to seek partial summary judgment.

Throughout the case, the District Judge was clearly unimpressed with NSO’s slippery conduct.  “Overall, the court concludes that defendants have repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery.”  Throughout, the Israeli company refused to produce the Pegasus code, their golden goose.  Then came a grudging disclosure of the installation level of the code.  Unsatisfied by this incomplete picture, the judge asked for full disclosure.

NSO did so, but only in Israel.  This hobbled matters: Israeli law prevented the production of the source code, making it inaccessible to the plaintiff’s lawyers or any US court.  With audacity, not to mention parochial extravagance, the company insisted that WhatsApp and the court might engage Israeli counsel to view the code, or pursue an Israeli government export license to use the code in the US.  Judge Hamilton fumed at the sheer impracticality of it all, while NSO legal representative Aaron Craigh of King & Spalding submitted that his clients had been “compliant” with the court order.

The judge made short work of claims that the NSO Group was not subject to the court’s reach, as “the evidentiary record supports the conclusion that [the] defendants are subject to personal jurisdiction in this district.”  She also took note of the full acknowledgment by NSO “that the WIS (‘Whatsapp Installation Server’ – a modified variant of WhatsApp) sent messages through Whatsapp servers that caused Pegasus to be installed on target users’ devices, and that the WIS was then able to obtain protected information by having it sent from the target users, through the Whatsapp servers, and back to the WIS.”  NSO had “caused digital transmissions to enter California, which constituted a violation of the law within that jurisdiction.”

The case put paid to NSO’s previous assertions that the customer, not the creator of the spyware, was essentially responsible or “sovereign”.  Citing a senior executive’s deposition, a filing by WhatsApp notes that “the customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus.”  By the company’s own admission, installing the spyware through WhatsApp was “a matter for NSO and the system to take care of, not a matter for customers to operate.”

The spyware installation was accordingly found to have violated both the federal Computer Fraud and Abuse Act and the state Comprehensive Computer Data Access and Fraud Act. But US law is also keen to emphasise the scriptural sanctity of contractual obligations.  NSO had fallen short in violating WhatsApp’s terms of service by reverse-engineering and decompiling the software to develop the WIS.  With rat-like cunning, the defendants argued that any such modifications would have taken place “before agreeing to the terms of service.”  The judge remained unconvinced by the cheek of it all, seeing as the defendants “have withheld evidence regarding their agreement to the terms of service.”  Nor could NSO “meaningfully dispute that agreeing to the terms of service was necessary to create a Whatsapp account and to use Whatsapp.”  With a breach of contract found, the issue of deciding damages will be determined at trial.

In a statement, WhatsApp expressed some satisfaction.  “After five years of litigation, we’re grateful for today’s decision.” The NSO Group could “no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists and civil society.”  Senior tech legal counsel at Access Know, Natalia Krapiva, was also jubilantat “the first successful case against NSO Group where NSO was found liable for compromising the digital security infrastructure that millions of people rely on with Pegasus spyware.”

Given the brazen course of conduct by the NSO Group, what Judge Hamilton regarded as “pure gamesmanship”, we can expect a fight to diminish any award of damages.  But in this woefully unregulated industry, Israel’s poster child of spyware will most likely cough up and continue to make money from the pathologies of government insecurity.  They will just have to be mindful of the US market from hereon in.

Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne. Email: bkampmark@gmail.com

No comments: