Facebook, which owns the popular messaging application WhatsApp, has sued software surveillance vendor NSO Group, alleging that the Israeli company violated a federal anti-hacking law.
The lawsuit filed in a federal court Tuesday alleges that NSO Group violated the Computer Fraud and Abuse Act when NSO’s custom malware was deployed on some 1,400 mobile devices with WhatsApp installed during a sweeping attack in April and May. At least 100 human rights advocates, journalists, and other members of civil society around the world were targeted in the attack, according to WhatsApp.
WhatsApp’s investigation traced user accounts employed by the attackers back to NSO Group, and uncovered computer servers that were previously associated with the Israeli vendor, according to Will Cathcart, head of WhatsApp.
“This should serve as a wake-up call for technology companies, governments and all internet users,” Cathcart wrote in an op-ed for The Washington Post. “Tools that enable surveillance into our private lives are being abused…”
In a statement, NSO Group vowed to fight the lawsuit. “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them.”
The company has denied involvement in the attack, which was first reported in May by the Financial Times. The spyware developed by NSO Group could be used to infect anyone’s phone by calling them, the story alleged.
“We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited,” NSO Group’s statement said. “We take action if we detect any misuse.”
In recent years, NSO Group’s signature spyware, known as Pegasus, has been used to target journalists, anticorruption watchdogs and political dissidents in countries like Mexico and Morocco, according to researchers. NSO Group says it lawfully sells its technology to governments to combat terrorism and organized crime. But despite NSO Group’s pledge to more rigorously adhere to human rights standards last month, human rights advocates remain skeptical of that commitment.
For his part, Cathcart said NSO Group’s claim that it has no insight into the targets of its spyware undercuts the vendor’s new human rights pledge.
Cathcart also called on tech companies to collaborate more closely to protect human rights by sharing technical information to build more secure systems.
“Governments and companies need to do more to protect vulnerable groups and individuals from these [mobile] attacks,” Cathcart wrote.
You can read the full complaint below.
UPDATE: 05:39 p.m. EDT: This story has been updated with a statement from NSO Group.