NSO Group – sued by Facebook for developing Pegasus spyware that targeted WhatsApp users – this week claimed Facebook tried to license the very same surveillance software to snoop on its own social-media addicts.
The Israeli spyware maker’s CEO Shalev Hulio alleged in a statement [PDF] to a US federal district court that in 2017 he was approached by Facebook reps who wanted to use NSO’s Pegasus technology in Facebook’s controversial Onavo Protect app to track mobile users.
Once installed on a device, Pegasus is designed to harvest its text messages, gather information about its apps, eavesdrop on calls, track its location, and collect passwords, among other things.
Onavo Protect, acquired by Facebook in 2013, was available for Android and iOS. It used VPN tunneling to wrap users’ internet connections in encryption, shielding their information as it traveled over untrusted and insecure Wi-Fi networks and the like. The iOS version also blocked harmful websites. However, the software blabbed telemetry about its users to Facebook and routed connections through Onavo servers, which could monitor people’s online activities. The application was forced out of the Apple iOS store in 2018 for siphoning information about other programs installed on devices, and was discontinued in May 2019.
According to the NSO chief exec, Onavo Protect needed more surveillance powers on iOS handhelds, and so Facebook turned to the spyware maker for its technology.
“The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices,” Hulio alleged.
“The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users.”
Because NSO only sells to governments and not private companies, Hulio claimed, he turned down the Facebook licensing offer.
Facebook, in a statement to The Register, characterized the allegations as a distraction from its legal battle against NSO, which kicked off in October 2019. The web giant claims NSO, working on behalf of its customers, illegally hacked targets via security vulnerabilities in Facebook-owned WhatsApp’s code to install Pegasus on devices.
“NSO is trying to distract from the facts Facebook and WhatsApp filed in court nearly six months ago. Their attempt to avoid responsibility includes inaccurate representations about both their spyware and a discussion with people who work at Facebook,” a Facebook spokesperson said.
“Our lawsuit describes how NSO is responsible for attacking over 100 human rights activists and journalists around the world. NSO CEO Shalev Hulio has admitted his company can attack devices without a user knowing and he can see who has been targeted with Pegasus. We look forward to proving our case against NSO in court and seeking accountability for their actions.”
The case has been unusual from the start, with Facebook filing suit after first deleting NSO workers’ personal Facebook accounts. The spyware maker then missed its scheduled court appearance because, it was alleged, Facebook did not properly serve its paperwork.
NSO reckons Facebook’s accusations are baseless because it only sells its software to government departments and agencies, and does not operate the tools itself. Thus, we’re told, it didn’t hack anyone itself, and it cannot be held accountable for the actions of its customers. NSO also noted it only deals with governments allowed under Israeli export laws.
Further, NSO contended the court, in Oakland, California, does not have jurisdiction to hear this case due to America’s Foreign Sovereign Immunities Act, and it argued that the actions described in the lawsuit wouldn’t even run afoul of its spyware’s terms of service.