WhatsApp CEO takes issue with NSO's denials of iPhone Pegasus hacks
WhatsApp chief Will Cathcart has problems with the NSO Group taking no responsibility for surveillance and hacking of journalist and activist iPhones and other devices.
Following the discovery that the Pegasus spyware by NSO Group was being used to surveil high-level journalists, campaigners, and world leaders, NSO took steps to quieten the story. On July 23, NSO CEO Shalev Hulio claimed it couldn't control what governments ultimately did with its tools, which were allegedly intended to catch serious criminals and terrorists.
However, speaking to the Guardian, WhatsApp head Will Cathcart suggested the leaked list of more than 50,000 phone numbers believed to be people of interest of NSO clients may be genuine. Cathcart also believes it matches up to WhatsApp's own investigation in 2019, seemingly proving it has been going on for a number of years.
"The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then," according to Cathcart.
The comment was in reference to WhatsApp's 2019 investigation into attacks against its own systems and users, seemingly with Pegasus. Along with "senior government officials," targets at that time included journalists and human rights campaigners, which Cathcart believes had "no business being under surveillance in any way, shape, or form."
Cathcart's comments go against NSO Group CEO Hulio's claims that people who weren't criminals had "nothing to be afraid of" from the tool.
The WhatsApp chief also questioned NSO's insistence that the list was "exaggerated," as WhatsApp's 2019 attack saw some 1,400 users impacted over a two-week period. "That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high," said Cathcart.
According to court documents seen by The Washington Post about WhatsApp's 2019 lawsuit against NSO Group over the matter, NSO said it should be granted "sovereign immunity" since its clients were vetted government customers, and that it couldn't be sued over the actions of its clients.
NSO insisted it didn't have control over targeting, but exhibits suggested otherwise. One exhibit of internal NSO documents mentioned "The company will provide the End user with assistance in operating, managing, and configuring the System as well as resolving any Software technical issues."
Another exhibit mentions that clients should only insert the phone number of the target, with the rest "done automatically by the system, resulting in most cases with an agent installed on the target device."
A judge in the still-ongoing lawsuit ruled that NSO retained some control, allowing the suit to proceed. NSO appealed in April 2021 to the U.S. Court of Appeals for the 9th Circuit. A decision has yet to be issued.
The 2019 attack wasn't the first time that Facebook, which owns WhatsApp, has dealt with NSO Group. In 2017, the social network enquired about buying Pegasus to get more data about iOS user activity, but NSO at the time refused, saying it only sells products to a "sovereign government or government agency."
Cathcart has called on Apple to adjust its approach regarding malware, given the discovery the iPhone was successfully infiltrated numerous times by Pegasus.
"I hope that Apple will start taking that approach too. Be loud, join in. It's not enough to say, most of our users don't need to worry about this. It's not enough to say oh this is only thousands or tens of thousands of victims."
"If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all," Cathcart continued. "And if anyone's phone is not secured that means everyone's phone is not secure."
Apple condemned the attacks on July 19, insisting "we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."
Read on AppleInsider
Comments
If they don't hurry it will look like an Apple sanctioned back door!
With that said, this guy is absolutely right. Apple was wimpy on this, feeble. They put out a media department canned answer. Apple doesn't scour and record everything you do in order to monetize it and this is their response? Weak...
your 1st paragraph: Where did you get the information that WhatsApp does all that?
your 2nd paragraph: Have you ever checked the notes to any of the iOS updates? Were there any security vulnerability fixes? What are the chances that Apple doesn’t care about the security of iPhone?
Granted, I'm surprised that Apple allows the microphone and camera turned on without you knowing.
Congratulations, you have just been given an education on how Facebook earns the majority of its 100+ billion dollars in revenue a year.
Now as an internet poster, you are likely to again claim "that's BS!" and continue to misinform and try to confuse on this factual, very publicly known process of data mining monetization. For those that aren't trolls, please take just a short bit of time to web search the term "surveillance capitalism". I suggest you do not use Google as they are the biggest data miner, even above #2 Facebook. Once done, some may not care that their data is mined. That is their choice. For those that may be concerned, both Facebook and Google (and Apple too) are now required to provide you a copy of the data they have mined on you. It's a free copy. Request a copy and they'll make download links available to you. Just be prepared from Facebook (and Google) to have a lot to download and a HUGE amount of your private data to see.
On patching vulnerabilities, that's just unbelievable someone would go there, "Apple doesn't care". Anyone who takes the time to be cognizant of vulnerabilities knows that updates are typically the only way to patch the always evolving security vulnerabilities. Apple has the vast number of their user base updated within a week or two of update release. Approaching 75% of the world uses Android and a huge number walk around with a phone not updated many months after an update is released. That's another one of those facts you conveniently leave out, fyi.
But right, Pegasus was reported in the news -- so Apple doesn't care! As reported, a highly sophisticated (and likely expensive) operation that is used by gov agencies may have mined data of smartphone users. They didn't say only iPhones. Guess you missed that part too? Or you knew that and are, ahem, out there accusing Android of not caring!! about security?
You also know that although WhatsApp is part of Facebook, private chats are exactly that, 'private'. Yes, Facebook will track you (metadata included) and your behaviour for all it is worth. Apple does the same directly or indirectly, even if it doesn't put that much emphasis into monetising it.
Surveillance is a perfect example of the 'extreme' angle.
By that definition your ISP is also a surveillance organisation.
There are devils in the details all over the place of course but most people will be happy knowing that what they type into WhatsApp can only be seen by the receiver of the text (vulnerabilities excepted).
Of course, the more privacy you seek, the more effort you will put into finding and using apps like Signal.
However, if you live somewhere like the EU there are other data protection measures at your disposal (including access to and erasure of what someone might have on you).
https://www.privacypolicies.com/blog/gdpr-eight-user-rights/amp/#Do_I_Have_To_Comply_With_A_Right_To_Erasure_Request
But again that is a different subject. On the subject of data privacy: wrong, your private chats are not just you and the end receiver. ToS, they use your text under a fine sounding “metadata” in your profile. It’s most used words and phrases.
You are right: If my ISP is logging and recording my data and websites usage (they’re not thanks to the magic of VPN), and then are monetizing it, that is surveillance. And as said before, one of the worst parts is the more data they get the more they can monetize. The huge incentive is to find more and record more.