In late October of last year, Facebook and WhatsApp sued Israeli surveillance tech provider NSO Group for using WhatsApp to deliver device-compromising malware. The lawsuit sought to use the CFAA to stop NSO from using WhatsApp as an attack vector.
The lawsuit is dangerous. It asks the court to read the CFAA to cover attacks targeting users’ accounts, rather than attacks on the service provider itself. The CFAA is already problematic enough without this sort of expansion. WhatsApp users certainly appreciate the efforts the developers make to protect them from malware, but asking a court to reinterpret an easily-abused law just so Facebook can go after NSO isn’t an acceptable solution.
NSO has been the target of non-stop criticism due to its willingness to sell malware and surveillance tech to countries with long histories of human rights violations. Its malware has also been observed targeting activists, dissidents, journalists, and critics of the governments that have deployed NSO malware.
Facebook’s lawsuit is going nowhere fast. While it’s not uncommon for there to be a delay between the filing of a complaint and the defendant’s response, NSO hasn’t filed anything — not even a notice of appearance from its corporate counsel — since the filing of the suit.
Facebook wants the court to take notice of this no-show. It’s asking for the upcoming case management to be postponed indefinitely since it has heard nothing at all from NSO. But the administrative motion [PDF] is not just there to deal with a logistical problem. It’s there to let the court know NSO isn’t cooperating with the litigation.
After filing the Complaint, Plaintiffs promptly sought to serve Defendants under the Hague Convention, which was effected on December 17, 2019. Plaintiffs also contacted Defendants via email, physical mail, and hand service, but have not received any response. As of the date of this filing, no counsel has entered an appearance in this matter on Defendants’ behalf, nor have Defendants filed an answer to the Complaint. Thus, Plaintiffs cannot fulfill their obligations under the Court’s initial case management scheduling order (ECF No. 9), including the obligations to meet and confer regarding initial disclosures, early settlement, ADR process selection, and a discovery plan.
NSO is certainly welcome to sit this one out. It’s not like blowing off the WhatsApp lawsuit will do anything to its reputation that NSO hasn’t already done to it by selling hacking tools to authoritarians. It’s possible Facebook will receive a default judgment if NSO decides this is a waste of its time. Even if Facebook did, what use would it be? NSO isn’t going to stop marketing malware that can be deployed via messaging services, and the governments it sells to aren’t going to stop targeting WhatsApp users just because a court in California says it violates the CFAA.
This lawsuit is mostly for show. On the odd chance NSO decides to participate, discovery could expose some of its inner workings and the clients it sells this brand of malware to. NSO isn’t going to risk that. It makes more sense to let Facebook flail away ineffectively with a civil suit that will have absolutely no effect on its business model.