The messaging service WhatsApp filed suit in federal court Tuesday against the Israeli surveillance company NSO, claiming it acted illegally in helping governments hack into the mobile devices of more than 100 people worldwide, including journalists, human rights workers and women who had been the subject of online attacks.
The suit amounted to a new legal front in attempts to curb the abuses of the burgeoning global surveillance industry.
WhatsApp alleged that NSO helped government agencies deliver malicious software through seemingly harmless WhatsApp video calls, even if the targets never answered their phones. The malware was capable of initiating a powerful form of spying that included the ability to intercept communications, steal photos and other forms of data, activate microphones, track the locations of targets and more, said people familiar with NSO technology.
Targets, which also included religious figures and lawyers, were identified in 20 countries, according to the lawsuit.
Though human rights and privacy activists long have complained about the increasingly intrusive reach of such surveillance technologies, there has not previously been a similar lawsuit targeting a malware manufacturer on behalf of an encrypted messaging service, said people involved in the suit and the underlying research.
“This is unprecedented,” said John Scott Railton, a senior research at Citizen Lab at the University of Toronto’s Munk School, who worked with WhatsApp on the case. “It’s a huge milestone in digital rights and privacy.”
A representative for NSO did not immediately reply to a request for comment.
The head of WhatsApp, which is owned by Facebook, said in a statement that the company believes NSO and its parent company, Q Cyber Technologies, violated U.S. and California law, as well as the terms of service for WhatsApp.
The messaging service is encrypted end-to-end, making it difficult to intercept communications on it, but such technologies are vulnerable to the hacking of the devices of individual targets where the calls and messages appear in decrypted form so their intended recipients can view or listen to them.
Many technology companies, including Facebook, Google and Microsoft, vastly expanded their use of encryption after the 2013 revelations about the extent of online surveillance by the National Security Agency. This bolstered the market for technologies, such as those produced by NSO, that rely on hacking targets rather than intercepting calls as they travel through phone and internet connections.
WhatsApp said it stopped a sophisticated attack using NSO malicious software in May and subsequently alerted 1,400 users that they may have been affected. Citizen Lab, which long has researched the use of hacking technologies and their manufacturers, volunteered its services to study the impact on targets globally. At least 100 victims have now been identified.
“This number may grow higher as more victims come forward,” a post from the company said. “We are committed to doing all we can, working with industry partners, to protect our users and guard against these kinds of threats.”
It also said, “This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users.”