Israeli spyware firm NSO Group rejects WhatsApp’s explosive claim that it used a California-based server to launch more than 700 attacks on the app’s users, in its latest court filing in an ongoing lawsuit. NSO Group doubled down on its argument that it doesn’t have sufficient presence in the US to be tried there and that the court case should be dismissed.
WhatsApp is suing the company for the alleged targeting of more than 1000 of its users – including activists, human rights lawyers and journalists – with the firm’s infamous zero-click Pegasus spyware that compromised phones through missed calls on the app. NSO Group denies these allegations.
In its most recent court filing, WhatsApp claimed to have evidence linking the company to the US. WhatsApp said that its security manager, Claudiu Gheorgh, had identified an IP address used to stage attacks on the app’s users that was linked to a server based in California owned by data centre company, QuadraNet. WhatsApp alleges that NSO Group ran this server, and had therefore entered into a contractual agreement with QuadraNet. However, in its most recent filing, NSO disputes this claim.
In a supplemental declaration to court, CEO Shalev Hulio said: “In my position as CEO of NSO, I was not aware of any contract between NSO and QuadraNet. In response to the new assertions regarding QuadraNet in Plaintiffs’ opposition to NSO’s motion to dismiss, I performed a diligent investigation into whether NSO has ever entered into a contract with QuadraNet. My investigation confirmed my understanding that neither Defendant has ever entered into any contract with QuadraNet.” QuadraNet didn’t respond to a request for comment.
Citizen Lab researcher John Scott-Railton, who has studied the activities of NSO Group extensively, claimed that the group uses a web of loosely interconnected “shell companies” and “intermediaries” in its operations, meaning that while it might be true to say that neither NSO Group or parent company Q Cyber Technologies entered into a contract with QuadraNet, it’s possible that a differently named subsidiary might have. NSO did not respond to a request for comment.
WhatsApp has attempted to build a case for why NSO Group should be tried in the States – including that the company used to be owned by US private equity firm Francisco Partners, that the company entered into a contract with WhatsApp by agreeing to its Terms of Service (TOS), that it used a US server to launch the attacks and therefore entered into a contract with US company QuadraNet, and that it used WhatsApp’s servers in the US to deliver the attacks.
In its rebuttal, NSO Group aimed to undermine these proposed connections and bolster its claim that it’s up to WhatsApp to prove that the trial would not be better held on Israeli soil, where the company is incorporated. NSO asserted that personal jurisdiction cannot be based on foreign communications passing through a server in California. The group pointed out that internet traffic bounces from one server to another, and claims that this doesn’t mean the internet traffic originated in California. However, to cover all bases, the company also said “If Pegasus messages did pass through QuadraNet servers, they would have been sent by NSO’s customers, not NSO”.
Another of NSO Group’s key counterarguments hinges on the fact that the group didn’t access WhatsApp’s servers, but instead used its messaging service to deliver malicious content. The group argues that this isn’t covered under the Computer Abuse and Fraud Act (CFAA) – which WhatsApp alleges the company violated – because this law refers to the corruption of systems, rather than the content of messages. Because WhatsApp’s servers remained intact, NSO argues, the law wasn’t breached.
The company likens it to the hiQ Labs, Inc. v. LinkedIn Corp 2019 case, which found that the automated scraping of publicly available data didn’t violate the CFAA. NSO Group points out that in the case, the defendant wasn’t found to have accessed LinkedIn’s website “without authorisation”. NSO’s court filing concludes: “Plaintiffs’ jargon cannot hide the fact that all NSO allegedly did was send the wrong kind of message over WhatsApp’s servers. That is not a CFAA violation.”
Application of the CFAA has expanded and contracted over the years to cover various internet misdemeanours. In the United States v. Nosal (Nosal I) 2012 case, the court ruled that using a website in a way that violates its terms of use can’t be considered acting “without authorisation”. However, in two subsequent cases, Nosal II and Facebook v. Power Ventures, the rule was applied more loosely, in relation to password sharing. In the former case, the court found that “without authorisation” is not solely limited to bypassing technical access mechanisms such as password barriers, and found that using someone else’s login credentials might also be in contravention of the statute.
Sign up to Emerging Threats, our weekly cyber security newsletter
Another part of NSO Group’s argument is that because (according to the company) its technology is solely operated by sovereign governments, the group should be shielded by a derivative form of the sovereign immunity that would prevent those governments from being taken to court in the US. WhatsApp argued that NSO Group wouldn’t be able to benefit from this, because the Foreign Sovereign Immunities Act (FSIA) only applies to nations. However, in its most recent filing, NSO Group refutes that it’s attempting to rely on the FSIA.
Instead, it argues that it’s entitled to derivative sovereign immunity (a concept WhatsApp argues is ill-defined in legal terms). NSO cites the Butters v. Vance Int’l, Inc. case in 2000, where it was ruled that a private agent from Saudi Arabia was derivatively immune. NSO Group likens itself to a government contractor, who merely produces and markets the goods, but is not responsible for operating them and therefore shouldn’t be held legally liable. Speaking to NS Tech previously, legal expert Chimène Keitner said that NSO’s claim to derivative sovereign immunity was “not an entirely frivolous argument […] but it’s certainly one that may have many hurdles to get through”.
The post NSO Group rejects WhatsApp’s claims about US links in hacking case appeared first on NS Tech.