WhatsApp CEO takes issue with NSO's denials of iPhone Pegasus hacks

Posted:
in iOS edited July 25
WhatsApp chief Will Cathcart has problems with the NSO Group taking no responsibility for surveillance and hacking of journalist and activist iPhones and other devices.




Following the discovery that the Pegasus spyware by NSO Group was being used to surveil high-level journalists, campaigners, and world leaders, NSO took steps to quieten the story. On July 23, NSO CEO Shalev Hulio claimed it couldn't control what governments ultimately did with its tools, which were allegedly intended to catch serious criminals and terrorists.

However, speaking to the Guardian, WhatsApp head Will Cathcart suggested the leaked list of more than 50,000 phone numbers believed to be people of interest of NSO clients may be genuine. Cathcart also believes it matches up to WhatsApp's own investigation in 2019, seemingly proving it has been going on for a number of years.

"The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then," according to Cathcart.

The comment was in reference to WhatsApp's 2019 investigation into attacks against its own systems and users, seemingly with Pegasus. Along with "senior government officials," targets at that time included journalists and human rights campaigners, which Cathcart believes had "no business being under surveillance in any way, shape, or form."

Cathcart's comments go against NSO Group CEO Hulio's claims that people who weren't criminals had "nothing to be afraid of" by the tool.

The WhatsApp chief also questioned NSO's insistence that the list was "exaggerated," as WhatsApp's 2019 attack saw some 1,400 users impacted over a two-week period. "That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high," said Cathcart.

According to court documents seen by The Washington Post about WhatsApp's 2019 lawsuit against NSO Group over the matter, NSO said it should be granted "sovereign immunity" since its clients were vetted government customers, and that it couldn't be sued over the actions of its clients.

NSO insisted it didn't have control over targeting, but exhibits suggested otherwise. One exhibit of internal NSO documents mentioned "The company will provide the End user with assistance in operating, managing, and configuring the System as well as resolving any Software technical issues."

Another exhibit mentions that clients should only insert the phone number of the target, with the rest "done automatically by the system, resulting in most cases with an agent installed on the target device."

A judge in the still-ongoing lawsuit ruled that NSO retained some control, allowing the suit to proceed. NSO appealed in April 2021 to the U.S. Court of Appeals for the 9th Circuit. A decision has yet to be issued.

The 2019 attack wasn't the first time that Facebook, which owns WhatsApp, has dealt with NSO Group. In 2017, the social network enquired about buying Pegasus to get more data about iOS user activity, but NSO at the time refused, citing it only sells products to a "sovereign government or government agency."

Cathcart has called on Apple to adjust its approach regarding malware, given the discovery the iPhone was successfully infiltrated numerous times by Pegasus.

"I hope that Apple will start taking that approach too. Be loud, join in. It's not enough to say, most of our users don't need to worry about this. It's not enough to say oh this is only thousands or tens of thousands of victims.'"

"If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all," Cathcart continued. "And if anyone's phone is not secured that means everyone's phone is not secure."

Apple condemned the attacks on July 19, insisting "we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."

Read on AppleInsider
lam92103

Comments

  • Reply 1 of 10
    Apple should hurry to close the iOS vulnerabilities that enables the Pegasus spyware to infiltrate iPhone by sending an "invisible" sms (thus just the phone numbers of the victims are needed).
    If they don't hurry it will look like an Apple sanctioned back door!
    lam92103caladanianlkruppapplguywatto_cobra
  • Reply 2 of 10
    WHATAPP is a surveillance app in its own right -- unless one believes everywhere where you go, what you type, almost everyone you know, almost everything you buy (among others) recorded into a single profile of you isn't surveillance.

    With that said, this guy is absolutely right. Apple was wimpy on this, feeble. They put out a media department canned answer. Apple doesn't scour and record everything you do in order to monetize iit and this is their response? Weak...  
    tmaywilliamlondonbaconstangbloggerbloglkrupp
  • Reply 3 of 10
    lam92103lam92103 Posts: 52member
    Very well put
    watto_cobra
  • Reply 4 of 10
    uraharaurahara Posts: 585member
    WHATAPP is a surveillance app in its own right -- unless one believes everywhere where you go, what you type, almost everyone you know, almost everything you buy (among others) recorded into a single profile of you isn't surveillance.

    With that said, this guy is absolutely right. Apple was wimpy on this, feeble. They put out a media department canned answer. Apple doesn't scour and record everything you do in order to monetize iit and this is their response? Weak...  
    BS
    your 1st paragraph: Where did you get the information that WhatsApp does all that?
    your 2nd paragraph: Have you ever checked the notes to any of the iOS updates? Where there any security vulnerability fixes? What are the chances that Apple doesn’t care about the security of iPhone?
    watto_cobra
  • Reply 5 of 10
    maestro64maestro64 Posts: 5,005member
    This is the reason you never put anything in writing that you never want anyone knowing about. People only have themselves to blame for their information being spied upon.

    Grant it I'm surprised that Apple allows the microphone and camera turned on without you unknowing.
  • Reply 6 of 10
    h4y3sh4y3s Posts: 54member
    Install Signal. 
  • Reply 7 of 10
    urahara said:
    WHATAPP is a surveillance app in its own right -- unless one believes everywhere where you go, what you type, almost everyone you know, almost everything you buy (among others) recorded into a single profile of you isn't surveillance.

    With that said, this guy is absolutely right. Apple was wimpy on this, feeble. They put out a media department canned answer. Apple doesn't scour and record everything you do in order to monetize iit and this is their response? Weak...  
    BS
    your 1st paragraph: Where did you get the information that WhatsApp does all that?
    your 2nd paragraph: Have you ever checked the notes to any of the iOS updates? Where there any security vulnerability fixes? What are the chances that Apple doesn’t care about the security of iPhone?
    Wow, vulnerability fixes? Great moving of the point away from the factual, publicly known, data mining that is done by WhatApp/Facebook. I'll speak to vulnerability fixes and your laughable claim that Apple "doesn't care" after the point at hand. Fact, WhatApp/Facebook within their ToS, not a secret (though they like calling it "improving user experience") collects your location, your contacts, the common words, phrases, sentences you use --and more-- across a smartphone's usage. They do this because if they know where you go, they have an idea of what you will buy and what you can be enticed to buy. If they also know who you know(and where they go) and who you speak to most, they have an even better idea of what you'll buy and what you can be enticed to buy. If they know what phrases you often type, they now have an even better dat profile of you to get you and entice you to buy things etc etc etc. The more they know the more certain they are as to what you will buy and can be enticed to buy (they'll even know if one or two or three ads will likely get it done).
    Congratulations, you have just been given an education on how Facebook earns the majority of its 100+ billion dollars in revenue a year. 
    Now as an internet poster, you are likely to again claim "that's BS!" and continue to misinform and try to confuse on this factual, very publicly known process of data mining monetization. For those that aren't trolls, please take just a short bit of time to web search the term "surveillance capitalism". I suggest you do not use Google as they are the biggest data miner, even above #2 Facebook.  Once done, some may not care that their data is mined. That is their choice.  For those that may be concerned, both Facebook and Google (and Apple too) are now required to provide you a copy of the data they have mined on you. It's a free copy. Request a copy and they'll make download links available to you. Just be prepared from Facebook (and Google) to have a lot to download and a HUGE amount of your private data to see.  

    On patching vulnerabilities, that's just unbelievable someone would go there, "Apple doesn't care:". Anyone who takes the time to be cognizant of vulnerabilities knows that updates are typically the only way to patch the always evolving security vulnerabilities. Apple has the vast number of their user base updated within a week or two of update release. Approaching 75% of the world uses Android and a huge number walk around with a phone not updated many months after an update is released. That's another one of those facts you conveniently leave out, fyi.
    But right, Pegasus is was reported in news -- so Apple doesn't care! As reported, a highly sophisticated (and likely expensive) operation that is used by gov agencies may have minded data of smartphone users. They didn't say only iPhones. Guess you missed that part too? Or you knew that and are, ahem, out there accusing Android of not caring!! about security?  


  • Reply 8 of 10
    avon b7avon b7 Posts: 5,901member
    urahara said:
    WHATAPP is a surveillance app in its own right -- unless one believes everywhere where you go, what you type, almost everyone you know, almost everything you buy (among others) recorded into a single profile of you isn't surveillance.

    With that said, this guy is absolutely right. Apple was wimpy on this, feeble. They put out a media department canned answer. Apple doesn't scour and record everything you do in order to monetize iit and this is their response? Weak...  
    BS
    your 1st paragraph: Where did you get the information that WhatsApp does all that?
    your 2nd paragraph: Have you ever checked the notes to any of the iOS updates? Where there any security vulnerability fixes? What are the chances that Apple doesn’t care about the security of iPhone?
    Wow, vulnerability fixes? Great moving of the point away from the factual, publicly known, data mining that is done by WhatApp/Facebook. I'll speak to vulnerability fixes and your laughable claim that Apple "doesn't care" after the point at hand. Fact, WhatApp/Facebook within their ToS, not a secret (though they like calling it "improving user experience") collects your location, your contacts, the common words, phrases, sentences you use --and more-- across a smartphone's usage. They do this because if they know where you go, they have an idea of what you will buy and what you can be enticed to buy. If they also know who you know(and where they go) and who you speak to most, they have an even better idea of what you'll buy and what you can be enticed to buy. If they know what phrases you often type, they now have an even better dat profile of you to get you and entice you to buy things etc etc etc. The more they know the more certain they are as to what you will buy and can be enticed to buy (they'll even know if one or two or three ads will likely get it done).
    Congratulations, you have just been given an education on how Facebook earns the majority of its 100+ billion dollars in revenue a year. 
    Now as an internet poster, you are likely to again claim "that's BS!" and continue to misinform and try to confuse on this factual, very publicly known process of data mining monetization. For those that aren't trolls, please take just a short bit of time to web search the term "surveillance capitalism". I suggest you do not use Google as they are the biggest data miner, even above #2 Facebook.  Once done, some may not care that their data is mined. That is their choice.  For those that may be concerned, both Facebook and Google (and Apple too) are now required to provide you a copy of the data they have mined on you. It's a free copy. Request a copy and they'll make download links available to you. Just be prepared from Facebook (and Google) to have a lot to download and a HUGE amount of your private data to see.  

    On patching vulnerabilities, that's just unbelievable someone would go there, "Apple doesn't care:". Anyone who takes the time to be cognizant of vulnerabilities knows that updates are typically the only way to patch the always evolving security vulnerabilities. Apple has the vast number of their user base updated within a week or two of update release. Approaching 75% of the world uses Android and a huge number walk around with a phone not updated many months after an update is released. That's another one of those facts you conveniently leave out, fyi.
    But right, Pegasus is was reported in news -- so Apple doesn't care! As reported, a highly sophisticated (and likely expensive) operation that is used by gov agencies may have minded data of smartphone users. They didn't say only iPhones. Guess you missed that part too? Or you knew that and are, ahem, out there accusing Android of not caring!! about security?  


    The problem is that your first paragraph was alarmist and extreme because you know that WhatsApp chats are mostly end-to-end encrypted.

    You also know that although WhatsApp is part of Facebook, private chats are exactly that, 'private'. Yes, Facebook will track you (metadata included) and your behaviour for all it is worth. Apple does the same directly or indirectly, even if it doesn't put that much emphasis into monetising it. 

    Surveillance is a perfect example of the 'extreme' angle. 

    By that definition your ISP is also a surveillance organisation. 

    There are devil's in the details all over the place of course but most people will be happy knowing that what they type into WhatsApp can only be seen by the receiver of the text (vulnerabilities excepted). 

    Of course, the more privacy you seek, the more effort you will put into finding and using apps like Signal. 

    However, if you live somewhere like the EU there are other data protection measures at your disposal (including access to and erasure of what someone might have on you). 

    https://www.privacypolicies.com/blog/gdpr-eight-user-rights/amp/#Do_I_Have_To_Comply_With_A_Right_To_Erasure_Request



    muthuk_vanalingam
  • Reply 9 of 10
    Hank2.0Hank2.0 Posts: 127member
    I am shocked, shocked to find that surveillance is going on in here.

    Your data, sir.

    Oh, thank you very much.
    watto_cobra
  • Reply 10 of 10
    avon b7 said:
    urahara said:
    WHATAPP is a surveillance app in its own right -- unless one believes everywhere where you go, what you type, almost everyone you know, almost everything you buy (among others) recorded into a single profile of you isn't surveillance.

    With that said, this guy is absolutely right. Apple was wimpy on this, feeble. They put out a media department canned answer. Apple doesn't scour and record everything you do in order to monetize iit and this is their response? Weak...  
    BS
    your 1st paragraph: Where did you get the information that WhatsApp does all that?
    your 2nd paragraph: Have you ever checked the notes to any of the iOS updates? Where there any security vulnerability fixes? What are the chances that Apple doesn’t care about the security of iPhone?
    Wow, vulnerability fixes? Great moving of the point away from the factual, publicly known, data mining that is done by WhatApp/Facebook. I'll speak to vulnerability fixes and your laughable claim that Apple "doesn't care" after the point at hand. Fact, WhatApp/Facebook within their ToS, not a secret (though they like calling it "improving user experience") collects your location, your contacts, the common words, phrases, sentences you use --and more-- across a smartphone's usage. They do this because if they know where you go, they have an idea of what you will buy and what you can be enticed to buy. If they also know who you know(and where they go) and who you speak to most, they have an even better idea of what you'll buy and what you can be enticed to buy. If they know what phrases you often type, they now have an even better dat profile of you to get you and entice you to buy things etc etc etc. The more they know the more certain they are as to what you will buy and can be enticed to buy (they'll even know if one or two or three ads will likely get it done).
    Congratulations, you have just been given an education on how Facebook earns the majority of its 100+ billion dollars in revenue a year. 
    Now as an internet poster, you are likely to again claim "that's BS!" and continue to misinform and try to confuse on this factual, very publicly known process of data mining monetization. For those that aren't trolls, please take just a short bit of time to web search the term "surveillance capitalism". I suggest you do not use Google as they are the biggest data miner, even above #2 Facebook.  Once done, some may not care that their data is mined. That is their choice.  For those that may be concerned, both Facebook and Google (and Apple too) are now required to provide you a copy of the data they have mined on you. It's a free copy. Request a copy and they'll make download links available to you. Just be prepared from Facebook (and Google) to have a lot to download and a HUGE amount of your private data to see.  

    On patching vulnerabilities, that's just unbelievable someone would go there, "Apple doesn't care:". Anyone who takes the time to be cognizant of vulnerabilities knows that updates are typically the only way to patch the always evolving security vulnerabilities. Apple has the vast number of their user base updated within a week or two of update release. Approaching 75% of the world uses Android and a huge number walk around with a phone not updated many months after an update is released. That's another one of those facts you conveniently leave out, fyi.
    But right, Pegasus is was reported in news -- so Apple doesn't care! As reported, a highly sophisticated (and likely expensive) operation that is used by gov agencies may have minded data of smartphone users. They didn't say only iPhones. Guess you missed that part too? Or you knew that and are, ahem, out there accusing Android of not caring!! about security?  


    The problem is that your first paragraph was alarmist and extreme because you know that WhatsApp chats are mostly end-to-end encrypted.

    You also know that although WhatsApp is part of Facebook, private chats are exactly that, 'private'. Yes, Facebook will track you (metadata included) and your behaviour for all it is worth. Apple does the same directly or indirectly, even if it doesn't put that much emphasis into monetising it. 

    Surveillance is a perfect example of the 'extreme' angle. 

    By that definition your ISP is also a surveillance organisation. 

    There are devil's in the details all over the place of course but most people will be happy knowing that what they type into WhatsApp can only be seen by the receiver of the text (vulnerabilities excepted). 

    Of course, the more privacy you seek, the more effort you will put into finding and using apps like Signal. 

    However, if you live somewhere like the EU there are other data protection measures at your disposal (including access to and erasure of what someone might have on you). 

    https://www.privacypolicies.com/blog/gdpr-eight-user-rights/amp/#Do_I_Have_To_Comply_With_A_Right_To_Erasure_Request



    “Surveillance capitalism” is not my phrase, it was coined by privacy rights group.  However, your point is taken regarding “surveillance” and WhatApp and alarmist as it applies to the OP.  Though it is a different subject, I don’t doubt end to end comms are quite secure, I’m sure. Nowadays comms aren’t as often attacked (very unlikely MITM excepted). Modern TLS/SSL has made it difficult. Much more efficient to go after an app vulnerability or vulnerability within the root/OS. 

    But again that is a different subject. On the subject of data privacy: wrong, Your private chats are not just you and the end receiver. ToS, they use your text under a fine sounding “metadata” in your profile. It’s most used words and phrases.

    You are Right: If my isp is logging and recording my data and websites usage (they’re not thanks to the magic of VPN), and then are monetizing it, that is surveillance. And as said before,  one of the worst parts is the more data they get the more they can monetize. The huge incentive is to find more and record more. 

    Wrong, Apple does not do it indirectly or directly. How do I know this? Besides they don’t monetize itsodont have the incentive, but I got a copy of my data from both Apple and Google. Apples data mining was extremely scant. No Siri, virtually nothing. They had a handful of locations when using Apple Maps, only when using it. Why wouldn’t it be scant, they don’t monetize it so they don’t have incentive to push it.  Google’s recordings were massive. Google voice I’ve never ever! used! and it was there. Maybe that is most concerning. But their tracking across apps was staggering. 
     I have not done request from Facebook. I’ve used WhatApp twice so a Facebook data request may be worth requesting as this is an important subject to me. Facebook is second only to Google in private data mining incentivized Monetizing.
    williamlondon
Sign In or Register to comment.