In May this year, we published an article detailing a WhatsApp breach where the secure messaging app was found to be vulnerable to a specific type of attack by malicious actors. Today, on the back of a lengthy investigation by WhatsApp and our friends at Citizen Lab, we are finally learning more about who the targets of those attacks were and how they were carried out.
The joint investigation revealed that a total of 1400+ individuals were targeted, out of whom over 100 have already been identified as members of civil society (human rights defenders, activists, journalists). According to Facebook, which owns WhatsApp, all those affected by this security breach are being contacted by WhatsApp and referred to a website with instructions on how to proceed.
Who was behind the attack?
The investigation found evidence to attribute the attack to NSO Group, a known peddler of spyware to governments around the globe. We, together with several other NGOs, wrote several times to Novalpina, which recently acquired a stake in NSO Group, regarding the lack of human rights protections and safeguards for NSO products.
Despite promises of “robust transparency,” Novalpina has not adequately addressed the threats we outlined, nor answered our questions on its exports from E.U. countries, although as a result the company has come out with a human rights policy and now claims that NSO Group is “in line” with best practices under the United Nations Guiding Principles on Business and Human Rights.
Needless to say, the targets of spyware attacks and those studying how these attacks were enabled and carried out would argue that NSO Group is not in line with these guiding principles. U.N. Special Rapporteur on freedom of opinion and expression David Kaye has issued detailed questions to NSO Group on its new policy and implementation, but to date the company has not responded.
A global call to action
As the cyber-surveillance industry continues to thrive, there remain few protections and safeguards put in place to ensure that fundamental human rights do not suffer as a result. This alarming trend led Special Rapporteur Kaye to call for a moratorium on the transfer, sale, and use of surveillance technology until “rigorous human rights safeguards are put in place to regulate such practices and guarantee that Governments and non-State actors use the tools in legitimate ways.” We support this call, which aligns with our recommendation for a “presumptive prohibition on all government hacking” in our 2016 paper, A Human Rights Response to Government Hacking, as well as the U.N. General Assembly’s consensus resolution in fall of 2018, “recognizing States should refrain from employing unlawful or arbitrary surveillance techniques, which may include forms of hacking.”
The impact that surveillance technology has had on people in marginalized and vulnerable communities demonstrates why comprehensive, systemic regulation of this industry is necessary. Export controls are one of the instruments that democratic countries can leverage to control, and, when necessary, stifle the trade of certain categories of spyware. While we are still waiting for a new E.U.-wide framework to be implemented, we continue to be concerned by the reports that NSO Group/Novalpina have been issued licenses by trade authorities in Bulgaria and Cyprus.
On your digital security: we can help
If you are a journalist, activist, or human rights defender and received a notification from WhatsApp informing you that you were a target of this attack, or you have other indications to suggest that you have been targeted by a malicious actor, we encourage you to get in touch with Access Now’s Digital Security Helpline, a free resource for civil society globally. Our team is ready to assist you.