Malware Marketer NSO Group Looks Like It's Blowing Off Facebook's Lawsuit
from the why-bother-being-accountable-in-any-minimal-fashion dept
In late October of last year, Facebook and WhatsApp sued Israeli surveillance tech provider NSO Group for using WhatsApp to deliver device-compromising malware. The lawsuit sought to use the CFAA to stop NSO from using WhatsApp as an attack vector.
The lawsuit is dangerous. It asks the court to read the CFAA to cover attacks targeting users' accounts, rather than attacks on the service provider itself. The CFAA is already problematic enough without this sort of expansion. WhatsApp users certainly appreciate the efforts the developers make to protect them from malware, but asking a court to reinterpret an easily-abused law just so Facebook can go after NSO isn't an acceptable solution.
NSO has been the target of non-stop criticism due to its willingness to sell malware and surveillance tech to countries with long histories of human rights violations. Its malware has also been observed targeting activists, dissidents, journalists, and critics of the governments that have deployed NSO malware.
Facebook's lawsuit is going nowhere fast. While it's not uncommon for there to be a delay between the filing of a complaint and the defendant's response, NSO hasn't filed anything -- not even a notice of appearance from its corporate counsel -- since the filing of the suit.
Facebook wants the court to take notice of this no-show. It's asking for the upcoming case management to be postponed indefinitely since it has heard nothing at all from NSO. But the administrative motion [PDF] is not just there to deal with a logistical problem. It's there to let the court know NSO isn't cooperating with the litigation.
After filing the Complaint, Plaintiffs promptly sought to serve Defendants under the Hague Convention, which was effected on December 17, 2019.Plaintiffs also contacted Defendants via email, physical mail, and hand service, but have not received any response. As of the date of this filing, no counsel has entered an appearance in this matter on Defendants’ behalf, nor have Defendants filed an answer to the Complaint. Thus, Plaintiffs cannot fulfill their obligations under the Court’s initial case management scheduling order (ECF No. 9), including the obligations to meet and confer regarding initial disclosures, early settlement, ADR process selection, and a discovery plan.
The NSO is certainly welcome to sit this one out. It's not like blowing off the WhatsApp lawsuit will do anything to its reputation that NSO hasn't already done to it by selling hacking tools to authoritarians. It's possible Facebook will receive a default judgment if NSO decides this is a waste of its time. Even if it did, what use would it be? NSO isn't going to stop marketing malware that can be deployed via messaging services and the governments it sells to aren't going to stop targeting WhatsApp users just because a court in California says it violates the CFAA.
This lawsuit is mostly for show. On the odd chance NSO decides to participate, discovery could expose some of its inner workings and the clients it sells this brand of malware to. NSO isn't going to risk that. It makes more sense to let Facebook flail away ineffectively with a civil suit that will have absolutely no effect on its business model.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, default judgment, lawsuits, spyware
Companies: facebook, nso group
Reader Comments
Subscribe: RSS
View by: Time | Thread
Not a problematic expansion of the law.
Can you even mention a valid legal reason to attack user accounts?
[ link to this | view in chronology ]
Re: Not a problematic expansion of the law.
Do you want to be sued under the CFAA for using the Internet to access infringing content?
[ link to this | view in chronology ]
Re: Re: Not a problematic expansion of the law.
How does this relate to someone attacking user accounts and getting sued for CFAA? Honest question.
[ link to this | view in chronology ]
Re: Re: Re: Not a problematic expansion of the law.
If Apple can sue NSO, when they are not directly affected, your ISP could sue you for using their network for piracy.
[ link to this | view in chronology ]
Re: Re: Re: Not a problematic expansion of the law.
Looking more closely, the story doesn't actually say that they were attacking user accounts. It would make sense for Facebook to sue if they were. What it says is that they sent unwanted messages (malware) to a Facebook-provided account, and then it misrepresents that as an attack on Facebook. Facebook is the middleman; from what I can tell, nobody attacked any server or account provided by Facebook---only the non-FB-owned devices logging into those accounts.
[ link to this | view in chronology ]
Re: Re: Re: Re: Not a problematic expansion of the law.
By that logic, if you own a high-security apartment building, then someone breaking into one of the apartments and robbing it is none of your business, even if it harms your reputation.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Not a problematic expansion of the law.
It may be of concern to you, but you cannot bring a damages case for the damage to raided apartment.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Not a problematic expansion of the law.
That analogy would work if someone came in and started picking the locks. But in this case, apparently, no accounts were broken into. They just received unwanted messages, sent in the usual way. That's more like someone sending unwanted harassing mail to your tenant, which really is none of the landlord's business.
[ link to this | view in chronology ]
Re: Re: Not a problematic expansion of the law.
No, but it might be nice to be able to sue someone under CFAA for HACKING your account.
[ link to this | view in chronology ]
Re: Not a problematic expansion of the law.
As I recall, that was the main point of the CFAA. When it was written, passwords were usually bad and password-guessing was a commonly successful attack.
[ link to this | view in chronology ]
Standing?
Even if the CFAA applies, wouldn't it be the individual user that has to make the claim? Unless there was actual harm done to the provider as a result of the hack.
[ link to this | view in chronology ]
Re: Standing?
Suppose you are the landlord of an apartment building. You advertise that you have good security and residents will be safe there.
One day, someone breaks into and robs one of your tenant's apartments. Your reputation for keeping your customers safe has been harmed by the robber's actions, which are plainly illegal under the interpretation of the laws the government uses.
No direct harm is done to you, but your reputation takes a big hit as a result of the crime, which causes you financial harm -- nobody wants to live in a high-security building with no ability to protect them. Shouldn't you be able to sue the robber for that?
[ link to this | view in chronology ]
Re: Re: Standing?
Not completely applicable to this situation. Unauthorized entry into someone's property (breaking and entering) is completely different than obtaining an authorized entry from someone else (identity theft).
A more apt comparison would be thus:
You own an apartment complex. It's a fancy apartment complex; every apartment has its own mailbox for sending mail to the other apartments, and each mailbox can only be opened by the mailman or the owner of the mailbox. You're quite proud of this system, because the mailman will throw out spam mail, or anything that doesn't have the right sender address, and nobody can send any mail without his knowledge.
A scam artist rents an apartment there. They put a package in their mailbox. It's properly labeled as from the scam artist, to another tenant. When the mailman opens the mailbox, nothing distinguishes it from any other normal package. It is thus delivered to the tenant by the mailman. But this package actually has a hidden camera inside it.
The tenant takes the package into their apartment, opens the package, and the hidden camera sends the scam artist a photograph of the tenant's apartment key. The scam artist makes an identical copy of that key from the photograph, and while the tenant is out, the scam artist uses their new copy of the key to enter the tenant's apartment and read their diary.
Nothing of yours has never been directly attacked. Your security mechanisms were never broken or used without authorization. The mailman did his job exactly the way you instructed him to, exactly as he did for every other apartment. The scam artist didn't exploit any loophole in your instructions to the mailman. Neither the scam artist's mailbox nor the tenant's mailbox were opened by anyone you had not authorized to open them. Nor was there any way your security could have told the difference between the scam artist and the tenant wearing a brand new outfit.
But what Facebook is doing is trying to sue the scam artist for mailing the tenant a package with a hidden camera, saying that the act of mailing that package broke the law that says "no picking or breaking any locks installed by apartment building owners, and no interfering with their employees."
Replace "apartment" with "account", "mailman" with "direct messaging service", "package" with "message", "hidden camera" with "malware", "key" with "password", and that's more or less what took place.
[ link to this | view in chronology ]
It would seem more fitting...
... to go after NSO Mossad-style.
[ link to this | view in chronology ]
Re: It would seem more fitting...
But that would be ILLEGAL! Only a government can do that! It's evil and immoral and unethical for individuals to do it, but it's somehow okay when a large group does it.
[ link to this | view in chronology ]
Dunno..
If this results into a default judgement in Facebooks favor, perhaps they then can use it to get an injunction against NSO peddling it's wares to US companies.
I don't know if it's a realistic scenario though, since I haven't enough knowledge about the applicable laws in the USA.
[ link to this | view in chronology ]
Re: Dunno..
That most likely wouldn't work, as the one isn't directly related to the other.
[ link to this | view in chronology ]
I can't tell if this is a joke or not. The CFAA was intended to go after things attacking a user account usually, but maybe not in Israel because I don't know how or if extraterritoriality applies in this circumstance.
The NSO group not showing up seems like one likely outcome, especially if they're not liable under local law.
[ link to this | view in chronology ]
Not showing is just more street cred for NSO, really.
[ link to this | view in chronology ]
Jursidiction?
I'm curious what jurisdiction a California court has over a company based in a foreign country with no local offices?
Wouldn't that be a lot like getting a court to issue a global takedown order?
[ link to this | view in chronology ]
If you are responsible for an action somewhere in American jurisdiction which violates an American law, it doesn't matter where you are from, or where you were when you performed the action.
In this case, Facebook's servers are in California. If a crime was committed against Facebook by someone sending malware through those servers, it took place in California.
If someone remotely hacks into Back of America's computers in Chicago and steals a million dollars, is it no longer a crime that can be investigated and prosecuted by the Chicago P.D. or the FBI because the hacker has never left Russia? (Of course not. They'll issue an international warrant for the hacker's extradition to face justice in an American court, for violating American law, against an entity inside America.) It's the same sort of situation.
[ link to this | view in chronology ]
Israel itself is a state with human rights abuses why would they care about selling that type of product to others.
[ link to this | view in chronology ]