What’s Up with WhatsApp: Thoughts on the NSO CFAA Complaint

I’ve been getting a lot of calls asking me what I think about the civil Computer Fraud and Abuse Act (CFAA) lawsuit WhatsApp just filed in the Northern District of California against NSO. Below this post are links to my comments in the press. Here’s the complaint:

I’m going to elaborate a little more on the complaint because it’s a useful learning tool.

But first, a disclaimer. This is the first complaint filed in this case, and plaintiffs will likely have a chance to amend. Some of what I’m saying is speculative, and other things are easily fixed. But I’ve been trained (through Trial Lawyers College), and believe, that it’s more effective to critique something as if it’s the finished product than it is to hem and haw with all sorts of qualifiers about how this is just a first draft, or whatever. It is common for lawyers to need to file a complaint asap, knowing that they can clean it up later. “Better done than perfect,” as they say. That being said, I had some strong first impressions of this complaint. Mainly that I didn’t find it that convincing because it’s muddled and gives the impression that it’s hiding the ball – maybe because there is no ball.

The complaint’s main problem is that it’s not clear on what its theory is of unauthorized access to WhatsApp’s computers. The CFAA prohibits unauthorized access to a computer, and the complaint argues that NSO, a cyber ops company based in Israel, accessed WhatsApp servers to target users of WhatsApp with malware. It stumbles on this point in paragraph number 1, which I quote in full:

1. Between in and around April 2019 and May 2019, Defendants used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices (“Target Devices”). Defendants’ malware was designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users (“Target Users”). Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices. Defendants’ actions were not authorized by Plaintiffs and were in violation of WhatsApp’s Terms of Service. In May 2019, Plaintiffs detected and stopped Defendants’ unauthorized access and abuse of the WhatsApp Service and computers.

WhatsApp and Facebook v. NSO Group Tech. Ltd. and Q Cyber Tech. Ltd., No. 19-CV-07123 (N.D. Cal., Oct. 29, 2019).

Talk about burying the lede. NSO’s surveillance software Pegasus is what the Saudis allegedly used to track down the Washington Post journalist Khashoggi in Turkey in order to kill him. If what’s said about NSO is true, it’s an organization responsible for the surveillance and murder of political dissidents globally, and it’s a threat to our free speech and liberty. The sterile, technical opening of the complaint misses the opportunity to let everyone know that people’s lives are at stake, that the defendant is a dangerous actor, and that this is a matter to be taken seriously.

But the bigger mistake the complaint’s introduction makes is that it implies that access to WhatsApp was unauthorized only because it violated WhatsApp’s terms of service (ToS) agreement. That’s just not the law in the jurisdiction this case is in – the 9th Circuit.

In the 9th Circuit, you need affirmative notice to a user that their access to a computer is unauthorized beyond just what’s stated in the ToS. The logic behind this is that if a ToS violation constitutes unauthorized access under the CFAA, then people lying about their age and weight on dating sites in violation of those sites’ ToS are also committing computer crimes. And most jurisdictions have sensibly said this is absurd. Giving the impression in your introductory paragraph that your theory of unauthorized access is solely based on a ToS violation dings your credibility. Because it’s so plainly wrong.

What the complaint is struggling with is the fact that while you’ve got a strong argument that the targeted users’ computers (read: phones) were accessed without authorization, it’s unclear on the face of it why using a valid user account on WhatsApp to send malware to someone else constitutes unauthorized access of WhatsApp’s servers. The complaint largely reads as if it’s pleading causes of action for the targeted users, who aren’t parties to the lawsuit. And the way the complaint hems and haws on the issue of unauthorized access makes me think WhatsApp is aware of the issue.

Intriguingly, the complaint does suggest an alternative theory of unauthorized access but doesn’t develop it:

35. On information and belief, Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers. Defendants’ program was sophisticated, and built to exploit specific components of WhatsApp network protocols and code. Network protocols generally define rules that control communications between network computers, including protocols for computers to identify and connect with other computers, as well as formatting rules that specify how data is packaged and transmitted.

36. In order to compromise the Target Devices, Defendants routed and caused to be routed malicious code through Plaintiffs’ servers—including Signaling Servers and Relay Servers—concealed within part of the normal network protocol. WhatsApp’s Signaling Servers facilitated the initiation of calls between different devices using the WhatsApp Service. WhatsApp’s Relay Servers facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to use Plaintiffs’ servers in this manner.

37. Between approximately April and May 2019, Defendants used and caused to be used, without authorization, WhatsApp Signaling Servers, in an effort to compromise Target Devices. To avoid the technical restrictions built into WhatsApp Signaling Servers, Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings. Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers. Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.

Complaint ¶¶ 35-37.

Note the “laugh test” problem. A company whose software is meant to conceal a user’s identity is complaining that a user concealed their identity while using their software. I’d pound that point in front of a jury, and let you make all the logical arguments you wanted to try and explain it away. But the vagueness here is just as big a problem.

We’re not told how network protocols were “exploited.” There’s no indication anywhere in the complaint that any code was altered, or that anything at all was hacked. The quoted paragraphs are consistent with the proposition that the plaintiffs think there was unauthorized access because they didn’t like the way their network was used. But if that’s the standard for CFAA liability (it’s not, with a caveat about U.S. v. Morris not worth diving into here) then most of the internet is in trouble. Because it’s a subjective standard for criminal liability. “I don’t like what you’re doing so therefore it’s criminal.” So without more detail, we’re left to speculate as to what precisely the “exploit” at issue here is.

The complaint doesn’t help itself by pleading all of its CFAA causes of action under one cause of action.

FIRST CAUSE OF ACTION

50. At various times between April 29, 2019, and May 10, 2019, Defendants accessed, used, or caused to be accessed or used Plaintiffs’ Signaling Servers and Relay Servers without authorization in an effort to compromise approximately 1,400 Target Devices. . . .

53. Defendants violated 18 U.S.C. § 1030(a)(2) because they intentionally accessed and caused to be accessed (a) Plaintiffs’ computers, and (b) Target Devices, without authorization and, on information and belief, obtained data from the Target Devices. . . .

54. Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with intent to defraud accessed and caused to be accessed (a) Plaintiffs’ protected computers and (b) Target Devices without authorization, and by means of such conduct furthered the intended fraud and obtained something of value. Defendants’ fraud included falsely agreeing to the WhatsApp Terms, sending unauthorized commands to Plaintiffs’ computers and concealing the commands as legitimate network traffic, in order to gain access of the Target Devices without the Target Users’ knowledge or consent. As a result of the fraud, Defendants obtained money, customers, remote access and control of the Target Devices, data from the Target Devices, and unauthorized use of the WhatsApp service, the value of which exceeds $5,000 . . . .

Paragraph 53 makes your standard unauthorized access to a computer and obtaining information claim under 1030(a)(2)(C). This is the simplest CFAA cause of action to bring and it arguably renders most of the other unauthorized access causes of action redundant. Usually there’s not a good reason to bring other CFAA causes of action that require you to prove more elements than you need when you’ve got 1030(a)(2)(C). Sometimes there’s reason to, like when you’re the U.S. government and want to take advantage of the 10-year statute of limitations under 1030(a)(1) to prosecute Julian Assange, because the statute of limitations is only 5 years under 1030(a)(2)(C). But most of the time you’re just muddling things by piling on additional charges, something I think this complaint does in paragraph 54 by unnecessarily dragging fraud into it.

A muddled complaint is a gift to a defense attorney, and if I were defending this case one attack vector I’d take is shredding the plaintiffs’ credibility on this fraud claim. This case may involve a lot of bad behavior, but the fraud claim isn’t clear. Arguing that it’s fraud to agree to a ToS and then violate it isn’t what we traditionally think of as fraud. And it raises the same problem as saying ToS violations constitute unauthorized access, in that it criminalizes a lot of innocuous behavior like lying about your age on a dating website. And even if you can make a compelling case for fraud, you’re going to spend so much time explaining your case to a jury that they’re going to fall asleep, get bored, and maybe rule against you because you’ve annoyed them. Why take that risk when you can get the same result through 1030(a)(2)(C) without having to argue fraud? If the complaint is trying to paint NSO as fraudsters with this claim, it fails because it hasn’t really told any story up to this point. All it’s done is engage in an arid, technical recitation of the facts without clearly conveying that lives are at stake.

As for the rest of the claims, they’re your typical throw-it-at-the-wall-and-see-what-sticks state-law claims, with the exception of California’s computer crime statute. Since I have a trial coming up involving this statute, I’m not going to say more about it other than that I think plaintiffs are missing some opportunities here.

In short, the complaint doesn’t convince me that any unauthorized access occurred. It lacks a cohesive narrative, muddles its causes of action, and gives the impression that it’s hedging or trying to hide something. It’s early, and Plaintiffs will likely have a chance to amend the complaint and fix these issues. But as it stands now, I think there’s a reasonable chance a judge dismisses it as written.

Here’s a Wired article about the case: https://www.wired.com/story/whatsapp-nso-group-lawsuit/