Whatsapp May Find It Tough To Prove That Israeli Spyware Firm Violated Computer Fraud And Abuse Act, Say Experts

WhatsApp which has taken Israeli spyware company NSO Group as well as its parent company Q to a court in the United States, may find it an uphill task to prove its claims, since its main argument may probably not convince the court, according to legal experts.

WhatsApp has accused NSO of violating the Computer Fraud and Abuse Act (CFAA), as well as state-level charges including breach of contract as well as interfering with its property. The case is an attempt to use the CFAA in an unusual way—to punish not just hackers who breach a company's computers, but also those who exploit its software to breach computers or devices of its users.

The CFAA outlaws so-called “unauthorized access” and to make that charge stick on NSO, WhatsApp would have to prove that the Israeli spyware company obtained illegal access to WhatsApp's own systems.

Since NSO’ targets were WhatsApp users rather than WhatsApp's servers, WhatsApp would have to find an argument that it was the victim.

The fundamental question would be what unauthorized access is or how it is defined. It may be possible to argue that NSO hacked WhatsApp and not merely WhatsApp users. Any lack of clarity in that argument could leave room for the defendant, which is NSO.

WhatsApp's “unauthorized access” argument is based on its ‘terms of service’, which prohibit reverse-engineering WhatsApp's code, harming its users, or sending malware through WhatsApp. Hence, WhatsApp could argue that by agreeing to those ‘terms of service’ and yet violating them, NSO's use of WhatsApp was “unauthorized”.

WhatsApp’s complaint appears to lay the groundwork for such a case since it points out that NSO staff “created various WhatsApp accounts and agreed to the WhatsApp terms”.

However, the terms-of-service argument would be an uphill battle because it has long been a controversial element in hacking cases. There has been a clear precedent that terms-of-service violations alone don't constitute “unauthorized access”.

Besides, WhatsApp's lawsuit has not make any mention of prior notice issued to NSO to stop abusing its services or hacking its users like a “cease and desist” notice or an attempted to block NSO’s access, according to legal experts.

Therefore, WhatsApp may not be able to claim CFAA violation based on terms of service alone, according to legal exports.

WhatsApp’s complaint has accused NSO of distributing malicious data through WhatsApp servers which itself is a kind of “unauthorized access”, besides initiating malicious calls which hid NSO’s attack code in fake settings data.

Doing so has bypassed “technical restrictions” on what sort of data WhatsApp's servers were designed to pass on to phones and this could be the crux of WhatsApp's CFAA claim.

WhatsApp could claim that its own access restrictions were “hacked” by NSO in this manner, as if somebody bypassed a more obvious access restriction like one that demanded a username and password. There could be ways to argue that NSO concealing its spyware as normal traffic is actually hacking, legal experts opined.

That could appear to be an untested argument, and one which would require some creative logic to explain to a judge or jury because if even if WhatsApp claims that NSO used its system in a way which it didn’t want anybody to, it might find it difficult to prove that a username or password was hacked.

Yet, even if the courts dismissed WhatsApp's CFAA charge, NSO would still face three other charges, including the California state hacking charge and breach of contract. All these other allegations are, however, based on state laws, which would mean that the case would need to be re-filed in a state court.

The case would be in public eye since the CFAA dispute, in particular, could mean that NSO is liable for criminal hacking charges as well, legal experts opined.