Facebook is suing an Israeli cybersecurity firm, claiming it used the social media giant’s messaging service to spy on human rights activists, journalists and political dissidents.
In the complaint filed with the U.S. District Court of Northern California on Tuesday, Facebook and its messaging service WhatsApp allege NSO Group Technologies Limited infected 1,400 smartphone users with malware between April and May through the application to access encrypted messages and other communications.
“Defendants manufactured, distributed and operated surveillance technology or ‘spyware’ designed to intercept and extract information and communications from mobile phones and devices,” Facebook said in the lawsuit.
The targeted users included attorneys, journalists, human rights activists, dissidents, diplomats and senior foreign government officials with WhatsApp numbers in several countries, including Bahrain, the United Arab Emirates and Mexico.
Though the lawsuit does not name who hired NSO Group, it says the Israeli company’s clients include the countries where the targeted individuals have WhatsApp numbers.
WhatsApp called it “a highly sophisticated cyberattack” that exploited its video calling system to send the malware to its users and is asking anyone who may have been infected to contact them.
Facebook said it worked with The Citizen Lab out of the University of Toronto to understand the extent of the attack.
“As part of our investigation into the incident, Citizen Lab has identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East and North America,” the interdisciplinary laboratory said in a statement.
WhatsApp said the number of identified members of “civil society” may increase as more victims come forward.
The messaging app said its findings are the result of a months-long investigation that began in May when they became aware of the issue and that this is the first time a messaging service has taken legal action against a private entity.
NSO Group denied the allegations “in the strongest possible terms” and said in a statement it will “vigorously” fight the charges.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime,” the company said. “Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.”
In an op-ed published Tuesday in The Washington Post, Will Cathcart, head of WhatsApp, said this attack should serve as “a wake-up call” for tech companies, governments and Internet users.
“Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk,” he said.
Cathcart said the attack is proof so-called backdoors should not be created into this type of technology as governments, such as the United States, have requested.
Early this month, U.S. Attorney General William Barr told Facebook CEO Mark Zuckerberg in a letter that he needs to allow law enforcement access to encrypted messages.
Cathcart said backdoors present “too high a danger.” Democracies, he said, rely on journalists and other members of civil society and this weakening of security makes it easier for entities to gain access to their information.
“That’s why we will continue to oppose calls from government to weaken end-to-end encryption,” he said.
Amnesty International charged NSO Group with committing human rights abuses with its surveillance technology, demanding Tel Aviv to revoke its export license.
“These latest revelations underscore that NSO Group continues to profit from its spyware products being used to intimidate, track and punish scores of human rights defenders across the globe,” Amnesty Tech Deputy Director Danna Ingleton said in a statement.