WhatsApp is suing an Israeli spyware developer. The Facebook-owned chat app alleges in its complaint that NSO Group, also known as Q Cyber Technologies, exploited a security hole in WhatsApp servers in order to hack 1,400 phones and other devices earlier this year.
NSO Group sells its hacking technology to governments and law enforcement agencies around the world with a stated intention to combat crime and terrorism. All too often it seems these tools are used, however, to go after political opponents, dissidents, human rights activists, and journalists. The Citizen Lab, a security research outfit at the University of Toronto, says it helped WhatsApp determine that at least 100 such civilian targets were victims of NSO Group-linked hacking.
One notorious example: Saudi Arabian agents are said to have used NSO Group tech to spy on the slain Washington Post columnist Jamal Khashoggi in the lead-up to his assassination.
WhatsApp has long been lauded for its top-notch security. The app was a pioneer in using strong, end-to-end encryption, a feature designed to secure messages, calls, and media from interlopers of all sorts. The technology is considered so watertight it prevents even WhatsApp, and its parent Facebook, from reading the contents of people’s communications as the bits and bytes traverse the company’s infrastructure—a tremendous irritation to law enforcement agencies seeking to conduct investigations. (Facebook is planning to roll out the feature to its other apps, Messenger and Instagram, by default in the near future.)
Law enforcement agencies everywhere take issue with this kind of encryption since it impedes their work. U.S. Attorney General William Barr has been pushing tech companies to ditch the protections, for one. He would rather they weaken their systems, introducing so-called backdoors, to enable government access. Here’s the thing though: If tech companies like Facebook are already having such trouble keeping their software secure, why introduce more vulnerabilities that would, undoubtedly, be abused by hackers and spies?
Skeptical of this view? Don’t take it from this columnist—take it from Jim Baker, who worked as the Federal Bureau of Investigation’s general counsel during its high-profile fight with Apple over encryption. Baker has recently changed his tune on the topic. In a recent op-ed written for Lawfare, a national security blog, Baker says, “it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China.” He adds: “This is true even though encryption will impose costs on society, especially victims of other types of crime.”
Let’s pause and underscore that point: Baker—the FBI’s former top lawyer during its Apple encryption battle—has pulled a complete about-face. Even he agrees it is time for everyone to promote strong encryption.
In a Halloween-dated letter to the Attorney General, two legislators—Representative Anna Eshoo of California and Senator Ron Wyden of Oregon—shared their concerns about the Department of Justice’s “misguided, hypocritical efforts to pressure technology companies like Facebook into subverting the encryption that protects their messaging apps to enable government access.” The approach is doomed to failure, they say, because “illegal content”—like child abuse imagery—“will simply move to the dark web and to foreign commercial providers who are beyond the reach of U.S. law enforcement, while exposing millions of law-abiding Americans to new cybersecurity threats from stalkers, hackers, and other criminals.”
As the WhatsApp incident shows, our technologies have enough backdoors as it is.
Robert Hackett | @rhhackett