Human Rights v. Security At Issue In WhatsApp NSO Lawsuit

Last month WhatsApp sued the Israeli cybersecurity company NSO Group for installing surveillance malware on the phones of more than a thousand users, including journalists and human rights activists. The suit doesn’t identify the NSO clients on whose behalf the malware was installed, but NSO Group’s website advertises its product as meant to help “government agencies prevent and investigate terrorism and crime,” and NSO Group malware is implicated in human rights abuses around the world including the murder of journalist Jamal Khashoggi by the Saudis. Nonetheless, according to Alan Z. Rozenshtein, an Associate Professor of Law at the University of Minnesota Law School blogging on Lawfare, law enforcement needs access to encrypted data to ensure public safety and lawful hacking by governments exploiting existing vulnerabilities without requiring companies to create new ones is one (albeit imperfect) way to address this problem. Governments often rely on a “gray market” in cyber vulnerabilities. WhatsApp’s suit sends a signal that it will not tolerate the further development of lawful hacking, and an op-ed by its CEO indicates that it will not distinguish between lawful hacking that abuses human rights and lawful hacking for legitimate law enforcement purposes. If such litigation becomes common, the market in cyber vulnerabilities could dry up, shifting the burden to governments to discover vulnerabilities and increasing the costs of lawful hacking. Whether the law enforcement and national security benefits of lawful hacking outweigh its costs is a tricky question, says Rozenshtein.