WhatsApp ‘Hack’ Is Serious Rights Violation, Say Alleged Victims

from The Guardian

More than a dozen pro-democracy activists, journalists and academics have spoken out after WhatsApp privately warned them they had allegedly been the victims of cyber-attacks designed to secretly infiltrate their mobile phones.

The individuals received alerts saying they were among more than 100 human rights campaigners whose phones were believed to have been hacked using malware sold by NSO Group, an Israeli cyberweapons company.

WhatsApp launched an unprecedented lawsuit against the surveillance company earlier this week, claiming it had discovered more than 1,400 of its users were targeted by NSO technology in a two-week period in May.

Filed in a Californian court, the lawsuit described the alleged attacks as an “unmistakeable pattern of abuse” that violated US law.

Two pro-democracy campaigners from Morocco who received the WhatsApp warnings said any use of the sophisticated malware, known as Pegasus, against them would be a serious violation of their rights.

Posted in Privacy, Technology.


  1. Our world is changing in an unprecedented way. Governmental powers across the globe are changing their approaches to meet the digital world, specifically nations and groups bent on authoritarian control. For most people, the apps they use on their phones just fill up the leisure time they have. However, much of their personal data is incredibly telling to those who want to control or exploit them. People like Aboubakr Jamaï and Abdellatif El Hamamouchi are finding now that groups will do anything to uncover the actions of those that they feel threaten them. While they may try to persuade us to, we cannot disconnect NSO from their dealings with authoritarian governments. They are not simply onlookers, they are players on the field, and we have no reason to take their word for it. This includes the employees who are mad about their accounts being taken down. They did not react with questions or concerns, they reacted with an exaggerated anger. They called Facebook the world’s biggest privacy violator, which is simply not true. Sure, Facebook has done some pretty unfavorable things with people’s data, but some governmental powers in this day and age are much worse. For instance, China has pretty much staked claim in any data they can get their hands on, whether it be their citizens, or people who foreign companies. The NSO employees are simply mad. We’ve talked about this many times before, that companies get rights to our data simply by having us sign Terms of Service Agreements, which we do. Sure, there is a strong case to be made that this practice is manipulative, but if the NSO employees are going to call Facebook the biggest privacy violator then maybe they should be aware that they signed their privacy over. On the other hand, almost every governmental power in the world has collected data and information of its citizens without asking or signing a contract.
It is so obvious that these employees are complicit in the actions of NSO and are trying to redirect blame onto another company. This is not something new and this is not something that is only going to happen once. As we dive further and further into this digital age, we will see more of this. Our technological advances have just opened up new ways for powerful groups to attempt to control the people against them. They don’t need spies moving to other countries and blending in much anymore, they can just set a virus in your phone or hack a database and get your information that way. The real kicker is that the best way for a human rights activist in an authoritarian government to get their message out is to post it. This gives the government access to their personal opinions and makes them targets. It’s good that WhatsApp took initiative to alert some of the people who were targets of this attack, now they know how to defend themselves. This could be a sign that Facebook is changing strides, though that is yet to be seen. We need the help of companies like Facebook in this new age. When groups attempt to harvest the data of people they fear, the only people that can protect and alert us are the people that hold our data and messages. The next era of war is in the cloud.

  2. Another day, another hacker. Another hacker, another loss of privacy and data. Another loss of privacy and data, another loss of security. That is how issues like this arise and cause so many issues in our society and government today. The growth of technology, as discussed very often in class deliverables, proves to cause incredible issues with the security of not only people and users, but of entire countries.
    In this case, political activists were hacked on their personal cell phones, a place where so much data piles up and exists for the taking. In this case, hackers from an Israeli cyberweapons company took data from the users’ phones through WhatsApp.
    Wait a second. Cyberweapons company? That exists? Apparently so. That in itself seems like an issue calling for resolution. How a cyberweapons company is even allowed to exist under the laws of any country is beside me. It is almost laughable, except it absolutely is not because the data and privacy of people is at stake because of such companies. WhatsApp is launching a lawsuit against the company, which makes sense, except it is going to do absolutely nothing to the company. The company is going to continue its operations because quite honestly, if you are involved in a cyberweapons company, you do not care about the value of data privacy unless you can use it against someone else.

  3. I have been seeing an advertisement from the U.S. Army more and more recently. It reads “Can you hack it as hacker for the army?” and is intended to recruit computer science students to put their skills to use for the United States Army.

    We think of ‘warfare’ in pretty conventional ways. We think of soldiers, guns, tanks, and planes. In recent years warfare has become technologically driven, with piloted drones being used to strike targets without jeopardizing any American lives.

    Cyber warfare defies these conventional notions. In some ways, a cyber attack on this nation would be more effective than a conventional military attack. I read a book on this topic by Ted Koppel called ‘Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.’ Koppel argues that “a major cyberattack on America’s power grid is not only possible but likely, that it would be devastating, and that the United States is shockingly unprepared.”

    An attack of this kind would cripple our society. Supermarkets would run out of food quickly when the gasoline stops pumping. Law enforcement would desert their jobs during this time of crisis in order to protect their own families. Anarchy would ensue. Groups would form, claim territory, and fight for limited resources. The worst of criminals would be free to steal or kill without fear of facing justice.

    A scenario like this is much more threatening to this country than ANY form of conventional warfare. Even a nuclear bomb would only wipe out a portion of the nation; a continental blackout would ruin everything, everywhere.

    The army is fully aware of this, and that is why they are looking for ‘cyber warriors’ to help protect the country — and engage in similar cyber attack efforts against our enemies.

    The case of Pegasus being deployed against political dissidents represents the future of warfare, in my opinion. People with the ‘wrong’ views have always had to worry and watch their backs; there is always someone out to get them. This threat is amplified now. Successful hacks may not even result in bodily harm to the individual; the hacker could simply inform the person that their personal information has been seized, and use it to blackmail them into submission.

    For a journalist or activist who is targeted, the damage would not emanate much beyond that individual. The article specifies, however, that “unnamed diplomats and senior government officials” were also targeted. Hackers almost certainly will try (or have tried) to target senators, White House Cabinet members, and other officials who would possess sensitive national security information.

    A legitimate spying attempt on the White House was unearthed less than two years ago. Small devices used to monitor cell phone conversations were found around Washington D.C., and intelligence officials concluded that Israel was responsible. Trump, for whatever reason, did not so much as verbally rebuke the Israelis who were caught spying on him!

    At the very least I can say that the army is visibly trying to keep up with these trends, and that is a good thing. After all, it will mean that the nation is safer.

    I think.

  4. It seems like every day there is another headline exclaiming that the privacy, personal data and assets of people are being compromised. It is no surprise to me that the information that is being breached is being narrowly targeted to certain users. Adjacent to the most recent TID that I have written, money rules the world. A company who claims that their core model consists of selling product that “helps” against the war on terrorism is being accused of selling malware that is being used to hack into social activists is absurd. Now, the integrity and reputation of NSO is at risk once again because once again there is no precaution as to who they are selling to. All of this information and detail is superficial and it all comes down to the integrity of a people and business. The fact that their software is being used in such a manner shows a lack of care for human beings and what their company “stands” for. This is the first time that I’ve heard of a company that specializes in cyber weapons. It all seems like a fairytale or movie ideas but it is seen in real life. This all comes down to the moral of the individuals in charge of these valuable companies.

  5. This article highlights the impacts of hacking and the misuse of people’s personal information. The reason that this is so significant is not only that it targeted a certain pro democratic group of people, but it also involves the popular app WhatsApp, which is used worldwide as a free messaging service to people who do not have iPhones, etc. The absence of a global rule for the protection of people’s rights and personal property is what allowed this to happen all over the world, and now NSO is being sued left and right for what they did.
    However, I think this brings up a much bigger issue of hacking into people’s personal data and information. Hacking has become increasingly common as the decades of using computers have gone by, and it does not seem to be stopping any time soon. While other hacking involves personal information, like address, social security number, etc., what is being hacked through WhatsApp can be argued as even more severe. It is known that our phones have become the source of most of people’s personal information, even more so than someone’s home, and I agree with that. Text messages (or other types of messages, in general) are very telling in all sorts of situations, and to have those hacked by people who are campaigning for pro-democracy and human rights campaigners could have their lives at risk. This is because they are from places worldwide, whose governments may not be a democracy or vouch for human rights, and they could be implicated by the government for their support of that.
    This goes further than just being a hack on people’s WhatsApp, it gets political. The people who were attacked assumed their government had already even been surveilling them, and were shocked to see that it was not their government at all, but a foreign entity. Aboubakr Jamai, who went to prison for his work as a publisher and journalist, is a big supporter of democratization of the Middle East, which is a highly unfavored opinion amongst the governments of the Middle East. This makes him an enemy of the government. Overall, this hack has substantial impacts on not only people’s personal privacy and privacy rights, but it also impacts the political sphere.

  6. WhatsApp is suing NSO Group for violating the Computer Fraud and Abuse Act, as well as state level charges including breach of contract and interfering with their property. The CFAA prohibits accessing a computer without authorization, or in excess of authorization. Sound familiar to what we’ve been discussing in Professor Shannon’s class? That is because this is another example of a company using malware to breach the privacy of another company’s users. However, the difference with this cyber attack is that NSO Group is, seemingly, a glorified online “security and stability” company. On NSO’s website, their heading reads, “NSO creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe”. In this, there are opposing arguments to this statement, some people even say that NSO Group’s technology has had a part in human deaths, such as the death of Jamal Khashoggi. Moreover, anonymous Saudi officials have admitted that agents connected to the Saudi government killed him (his body was never found). So if this company is really helping to prevent crime, but they were affiliated with the capture and murder of Khashoggi, then how is NSO’s mission ethical/true? To me, NSO sounds more like a company whose mission is to spy on certain groups of people; in the WhatsApp case the people are social activists who have a voice in society. The fact that NSO technology targeted more than 1,400 WhatsApp users in a 2 week period seems suspicious as well, almost as if they had been paid off to uncover information for a purpose not related to safety and security.

    Personally, I believe that NSO Group should be held accountable for their seemingly confusing act to “protect” people’s safety through the breach of WhatsApp users’ personal accounts. I also think that WhatsApp is doing the right thing by bringing this case to court, as it will create greater awareness in the area of malware and security breaches. If WhatsApp is successful in court, other technology companies may feel empowered to pursue trials against companies like NSO Group who facilitate cyber attacks of their users. Ultimately, it will be interesting to see what company wins this legal dispute due to the minimal amount of laws that have thus far been enacted to protect users’ personal online information.

  7. I would say I am shocked to hear that WhatsApp got hacked, but unfortunately I am not surprised especially because of the fact that they are owned by Facebook. The internet is an open market for cyber-attacks and we are seeing them more frequently every day. It is clear that the people targeted in this attack were human rights activists, scholars and journalists. I will give WhatsApp credit for at least contacting the victims in order to correct their mistakes because of poor privacy protection and following through with a lawsuit. Most companies, especially Facebook, have had a terrible reputation when it comes to protecting consumer privacy and I think they are trying to spare any more negative remarks by getting on top of the situation rather quickly. I don’t believe the article when it said that the government had nothing to do with this, because they have access to anything and everything. The more technology keeps evolving the more susceptible we are to these cyber-attacks. These Israeli hackers had a clear motive that only targeted this specific audience, and hacked into their phones. I believe WhatsApp did what they needed to cover their own end but the root of the issue is still ongoing and companies will continue to keep getting hacked due to the rise of technology. I was not aware that such companies even existed that specialize in “cyber weapons” but they need to be stopped. Privacy is a thing of the past but these larger companies should at least pretend that they’re taking actions to prevent this, rather than just wait for another incident to occur and clean up the next mess.

  8. Due to the way we use the internet now, cyber attacks are now a reliable way to cause harm to the victim. Unfortunately activists now seem to be under attack with cyber attacks. Cyber crimes are difficult to combat due to the anonymity that they can be carried out with, but fortunately in this case they seem to know who is responsible. The fact that WhatsApp informed the affected parties and is working on a lawsuit against the aggressors is a positive sign and I think it reflects very well that WhatsApp is working to defend their users. Companies need to take initiative to defend their customers in the event of cyber attacks, and hopefully they follow the lead of WhatsApp. While this Israeli company should be held accountable for selling the malware I fail to see how they will be punished. Cyber attacks like this one will likely only become more and more common, and hopefully we will be prepared to defend against these types of attacks and bring those responsible to justice.

  9. The Internet has become so integral to economic and national life that individual users are targets for cyber-attacks. In this case, a dozen pro-democracy activists, journalists, and academics have gone public with allegations they were among the targets. WhatsApp is a well-known app and is used by billions of people globally. However, it has recently fallen victim to spyware. Israeli cyber intelligence company NSO is responsible for having users’ information breached. As of now, WhatsApp is filing a lawsuit against NSO.

    Just imagining the emotional burden of being hacked is shocking. Hackers can get into users’ personal information online and can collect data such as their name, social security, etc. Obtaining those sensitive data can ruin a person’s life and is a serious rights violation. As to what Hamamouchi said, “the action taken by WhatsApp against NSO is a positive thing.” Hacking victims experience a ton of stress due to cyber-attacks. By filing a lawsuit, WhatsApp is creating awareness in the area of malware breaches.

  10. As the conversations have become digital, WhatsApp has become one of the most used communication channels and there are chats of all kinds. Sometimes we think that they are outside the eyes of others but are liable to be “hacked”. Even using very common techniques, cybercriminals can take control of our data.

    A known attack is called “phishing”. Something very common and widespread that consists, basically, in deceiving the victim. There are several ways to do this, but most of them have access to the verification code that is received to confirm membership. This six-digit code is sent via SMS or text message. In a first phase, what is usually done is preparing the ground by sending the victim a message that appears legitimate, posing as the WhatsApp company, so the phone number must be known in advance.
    In this communication, the victim is informed of an alleged attempt to access their account from another mobile device, then urging them to enter or send the verification code. An action that, in case of doing so, is given the «key» of access to WhatsApp, thus giving full control to the profile and part of the history of group chats of the deceived user, as well as their contact agenda. It is basically asking the recipient directly to provide the code. From that moment on, the cybercriminal modifies some personal data so that the victim cannot recover their account.
    Therefore, when this type of communication occurs, trying to give it urgency, we should be most suspicious, while the most effective containment measure to avoid falling into this problem is not clicking on suspicious messages, not giving anyone the verification codes or have updated digital services. The greatest danger of these attacks is that you have personal information and it is extracted from you.

    There is another option to “hack” our account, but it requires more complexity, but not unlikely to happen; is to do an operation known as “SIM Swapping”, a method that has grown in recent years and that is not a new phenomenon and that consists of generating a duplicate of the SIM card and associating the number of the SIM card with a different card. Something typical when you do a portability process with a telemarketer, although these types of techniques are usually applied more in attacks against digital services.
