On Oct. 29, Facebook and WhatsApp filed suit in the U.S. District Court for the Northern District of California against NSO Group Technologies, Inc. (NSO) and its majority shareholder, Q Cyber Technologies, both Israeli companies. The complaint alleged that Facebook acquired WhatsApp and acted as its "service provider for security-related issues," and that "in and around April and May 2019," the defendants "used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices (target devices)," which "malware was designed to infect the target devices for the purpose of conducting surveillance of specific WhatsApp users (target users)." When the defendants recognized that they were unable "to break WhatsApp's end-to-end encryption," they "developed their malware in order to access messages and other communications after they were decrypted on target devices. The defendants' actions were not authorized by the plaintiffs and were in violation of WhatsApp's terms of service. In May 2019, the plaintiffs detected and stopped the defendants' unauthorized access and abuse of the WhatsApp service and computers." The complaint alleged that such actions violated the Computer Fraud and Abuse Act, 18 U.S.C. Section 1030 and related state laws, and sought an injunction as well as damages.

The technology involved in the claimed malware attacks is fascinating, as are the potential consequences arising from the use of this malware should ostensibly private communications regarding defense, business and financial transactions (the latter at both the personal and business levels), personal relationships, political thoughts and actions, i.e., virtually everything discussed or transacted via digital communications, be intercepted. What may be the most fascinating aspect of this complaint, however, is not stated directly in the complaint but has been discussed elsewhere: the defendants are Israeli companies whose clients are restricted to countries, meaning that the defendants' actions would be foreign policy steps taken by those countries. In this month's article, I will discuss the claimed attacks and potential political consequences of the complaint.

NSO, Its Product and Its Clients

Per the complaint, the "defendants manufactured, distributed and operated surveillance technology or 'spyware' designed to intercept and extract information and communications from mobile phones and devices." The defendants' products "included 'Pegasus,' a type of spyware known as a remote-access trojan," as well as its variants, collectively named "Pegasus." The complaint further alleged that, "According to the defendants, Pegasus" was "designed to be remotely installed and enable the remote access and control of information—including calls, messages and location—on mobile devices using the Android, iOS and BlackBerry operating systems."

The complaint further alleged that, "According to NSO Group, Pegasus could 'remotely and covertly extract valuable intelligence from virtually any mobile device,'" which included but was not limited to "communications sent to and from a device, including communications over iMessage, Skype, Telegram, WeChat, Facebook Messenger, WhatsApp and others." To accomplish this, the "defendants promoted that Pegasus's remote installation feature facilitated infecting victims' phones without using spearphishing messages that could be detected and reported by the victims."

As per the complaint, NSO did not simply license Pegasus to a customer to use, but supported the interceptions, using "a network of computers to monitor and update the version of Pegasus implanted on the victims' phones." The aforementioned network "relayed malware, commands, and data between a compromised phone," defendants and their customers. The complaint referred to this network as "the nerve center" through which defendants supported and controlled their customers' operation and use of Pegasus.

The complaint further alleged that between "approximately April 29 and May 10," defendants caused their "malicious code to be transmitted over WhatsApp servers in an effort to infect approximately 1,400 target devices. The target users included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials … . The target users had WhatsApp numbers with country codes from several countries, including the Kingdom of Bahrain, the United Arab Emirates and Mexico. According to public reporting," the defendants' clients included, but were not limited to, "government agencies in the Kingdom of Bahrain, the United Arab Emirates and Mexico as well as private entities." In support of its averment that "public reporting" set forth the defendants' clients, the complaint cited "Fast Company, 'Israeli cyber weapon targeted the widow of a slain Mexican journalist.'"

A web search revealed a 2016 article in Forbes that reports an email sent by NSO to Forbes that asserted that NSO's clients were, indeed, governments of countries around the world. Per the article, in the email, NSO averred that "its mission was to make the world a safer place 'by providing authorized governments with technology that helps them combat terror and crime.' 'The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company,' the statement continued."

Note that the hacking done by NSO required a "single text," while per the complaint, no such luring (or phishing) scheme was required. More importantly, note that in the Forbes piece, the email purportedly sent by NSO was careful to stress that it did not "operate any of its systems" to enable or support Pegasus but, rather, simply licensed them to "authorized governmental agencies," while the complaint alleged that NSO supported the interceptions.

Political Issues

The complaint against NSO certainly will require considerable proof to succeed for the plaintiffs. All of that proof will be either straightforward digital forensic proof or eyewitness proof reviewed and supported by digital forensic examinations. The straightforward forensic proof will explain how Pegasus worked during the time period set forth in the complaint and how it is linked to the defendants, while the eyewitness testimony will involve identifying the devices targeted by Pegasus and how the intrusions by Pegasus were without the consent of the users (both the individual users and the governments or other entities with which they were involved) and anyone else who could provide consent.

While issues will arise in presenting, supporting and refuting the above-described proof, perhaps the more interesting question is what political issues will arise from the lawsuit. Perhaps the best way to begin looking at this question is to look back to Dec. 2, 2015.

On that date, at the Inland Regional Center in San Bernardino, California, one Syed Rizwan Farook, an American citizen of Pakistani descent, and his wife, Tashfeen Malik, a Pakistani citizen residing legally in the United States, killed 14 people and seriously injured an additional 22 in a terrorist attack consisting of a mass shooting and an attempted bombing. Both perpetrators were killed.

Farook had on his person a cellphone, which was locked and encrypted. Per many sources, including Fox News, the FBI looked to the Israeli company, Cellebrite, arguably the leader in cellphone forensics, to open the phone, and Cellebrite complied. The FBI wanted to learn whether the phone contained evidence of whether the shootings were isolated or part of a larger conspiracy and, with that information, head off any possible future shootings, as well as whether the shooters were acting on behalf of any foreign country and, if so, which one(s).

There is some dispute as to whether Cellebrite provided the aforementioned assistance. The Washington Post reported that anonymous "people familiar with the matter" averred that the FBI may have approached Cellebrite but ultimately used "professional hackers" to access the cellphone. Regardless of whether Cellebrite did open the San Bernardino cellphone at the FBI's request or did not respond to that request before others had opened the phone, if the FBI felt comfortable approaching Cellebrite with its request, that may indicate not simply that governments in general are NSO's clients, but that NSO—again, an Israeli company like Cellebrite—may have as one of its clients the U.S. government.

It has long been known that the United States and Israel, notwithstanding differences as to how Israel should set its borders and conduct its relationships with some other Middle Eastern countries, have a "special relationship." Israel was born out of the end of the Holocaust, which the United States very much helped to end in Europe with the successful conclusion of World War II. Many Israeli citizens migrated there from the United States and held dual citizenship; indeed, the current prime minister, Benjamin Netanyahu, grew up in Tel Aviv as well as Cheltenham, Pennsylvania, graduating from Cheltenham High School and then matriculating to Massachusetts Institute of Technology (MIT). His older brother, Yonatan (Yoni), was born in the United States and is also a graduate of Cheltenham High School. As an Israeli Defense Force officer, he is hailed as a national hero killed in action in Entebbe, Uganda when he was deployed to rescue 100 mostly Israeli hostages hijacked by terrorists and flown to the Entebbe Airport.

It has long been "known," i.e., specific facts have become publicly known and inferences have been drawn from them, that Israel has provided support to the United States in the form of digital forensics, IT security and other scientific matters, as well as through providing the United States with information gained through espionage operations. It has equally been "known" that in previous "stare downs" between Israel and its Arab neighbors, the United States stood beside Israel while the former Soviet Union stood beside its neighbors. The Mideast looks different than it did many years ago: former enemies of Israel, such as Egypt, Saudi Arabia and the United Arab Emirates, are no longer actively belligerent, have made certain public accommodations to Israeli territory (when, after the 1947 War of Israeli Independence and up until relatively recently, no country in the Middle East accepted it as a sovereign nation) and have long faced internal problems with Islamic "purists," which problems they are rumored to address and to have addressed with secret Israeli and U.S. help.

Given this background, then, it is possible, if not probable, that NSO, an Israeli private company, was working on behalf, or at least with the blessing, of the Israeli Defense Force (IDF), and that NSO's "clients" included the governments (or entities working on their behalf) of the United States, Israel, Egypt, Saudi Arabia, the United Arab Emirates, and others similarly situated. If this is the case, then, how will the complaint proceed?

There are many possible answers to that last question, many answers turning on who the clients were. One highly unlikely answer is that the United States will publicly move to have the complaint dismissed. Another is that the United States will work out something privately with Facebook and the plaintiffs will withdraw their complaint. A third is that, to protect the privacy of the relationship between the United States and Israel, Israel has long agreed with the United States that it would "take it on the chin" should a complaint such as the one at issue be filed. A fourth is that one or more Arab countries recently friendly with the United States and Israel, e.g., Egypt, Saudi Arabia, the United Arab Emirates, are countries who engaged the plaintiffs (with the blessings of the United States and Israel) and approach Facebook on the side to withdraw the complaint. There are many more "on the side" permutations. (The Financial Times, on May 14, 2019, had a piece far less generous to Israel than I have been here.)

Conclusion

From a technological point of view, whether to support IT security is a no-brainer. When that security, however, is used by people and countries that want to kill you, the issue is more nuanced. I do not know whether the complaint by Facebook against NSO falls within the former or latter scenario, but the facts known about Israel's relationship with the United States, as well as those about Arab countries recently friendly with the United States and Israel, increase greatly the probability of the latter scenario. If indeed it is the latter scenario, then perhaps behind-the-scenes movements can remove the matter from U.S. courts and settle it. If such movements, however, fail to settle it, then it will undoubtedly be poorly addressed in court, which is certainly not set up to preside over such matters.

Leonard Deutchman is a legal consultant retired from one of the nation's largest e-discovery providers, KLDiscovery, where he was vice president, Legal. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.