WhatsApp chief Will Cathcart has problems with the NSO Group taking no responsibility for surveillance and hacking of journalist and activist iPhones and other devices.
Following the discovery that the Pegasus spyware by NSO Group was being used to surveil high-level journalists, campaigners, and world leaders, NSO took steps to quieten the story. On July 23, NSO CEO Shalev Hulio claimed it couldn’t control what governments ultimately did with its tools, which were allegedly intended to catch serious criminals and terrorists.
However, speaking to the Guardian, WhatsApp head Will Cathcart suggested the leaked list of more than 50,000 phone numbers believed to be people of interest of NSO clients may be genuine. Cathcart also believes it matches up to WhatsApp’s own investigation in 2019, seemingly proving it has been going on for a number of years.
“The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then,” according to Cathcart.
The comment was in reference to WhatsApp’s 2019 investigation into attacks against its own systems and users, seemingly with Pegasus. Along with “senior government officials,” targets at that time included journalists and human rights campaigners, which Cathcart believes had “no business being under surveillance in any way, shape, or form.”
Cathcart’s comments go against NSO Group CEO Hulio’s claims that people who weren’t criminals had “nothing to be afraid of” by the tool.
The WhatsApp chief also questioned NSO’s insistence that the list was “exaggerated,” as WhatsApp’s 2019 attack saw some 1,400 users impacted over a two-week period. “That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high,” said Cathcart.
According to court documents seen by The Washington Post about WhatsApp’s 2019 lawsuit against NSO Group over the matter, NSO said it should be granted “sovereign immunity” since its clients were vetted government customers, and that it couldn’t be sued over the actions of its clients.
NSO insisted it didn’t have control over targeting, but exhibits suggested otherwise. One exhibit of internal NSO documents mentioned “The company will provide the End user with assistance in operating, managing, and configuring the System as well as resolving any Software technical issues.”
Another exhibit mentions that clients should only insert the phone number of the target, with the rest “done automatically by the system, resulting in most cases with an agent installed on the target device.”
A judge in the still-ongoing lawsuit ruled that NSO retained some control, allowing the suit to proceed. NSO appealed in April 2021 to the U.S. Court of Appeals for the 9th Circuit. A decision has yet to be issued.
The 2019 attack wasn’t the first time that Facebook, which owns WhatsApp, has dealt with NSO Group. In 2017, the social network enquired about buying Pegasus to get more data about iOS user activity, but NSO at the time refused, citing it only sells products to a “sovereign government or government agency.”
Cathcart has called on Apple to adjust its approach regarding malware, given the discovery the iPhone was successfully infiltrated numerous times by Pegasus.
“I hope that Apple will start taking that approach too. Be loud, join in. It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say oh this is only thousands or tens of thousands of victims.'”
“If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all,” Cathcart continued. “And if anyone’s phone is not secured that means everyone’s phone is not secure.”
Apple condemned the attacks on July 19, insisting “we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Keep up with everything Apple in the weekly AppleInsider Podcast — and get a fast news update from AppleInsider Daily. Just say, “Hey, Siri,” to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.
If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple’s Podcasts app, or via Patreon if you prefer any other podcast player.
AppleInsider has affiliate partnerships and may earn commission on products purchased through affiliate links. These partnerships do not influence our editorial content.
Apple should hurry to close the iOS vulnerabilities that enables the Pegasus spyware to infiltrate iPhone by sending an “invisible” sms (thus just the phone numbers of the victims are needed). If they don’t hurry it will look like an Apple sanctioned back door!
WHATAPP is a surveillance app in its own right — unless one believes everywhere where you go, what you type, almost everyone you know, almost everything you buy (among others) recorded into a single profile of you isn’t surveillance. With that said, this guy is absolutely right. Apple was wimpy on this, feeble. They put out a media department canned answer. Apple doesn’t scour and record everything you do in order to monetize iit and this is their response? Weak…
Very well put
BS your 1st paragraph: Where did you get the information that WhatsApp does all that? your 2nd paragraph: Have you ever checked the notes to any of the iOS updates? Where there any security vulnerability fixes? What are the chances that Apple doesn’t care about the security of iPhone?
This is the reason you never put anything in writing that you never want anyone knowing about. People only have themselves to blame for their information being spied upon. Grant it I’m surprised that Apple allows the microphone and camera turned on without you unknowing.
For the latest “This Week in Apple,” we examine Apple’s supposed mistaken leak of the M1 16-inch MacBook Pro, the release of iOS 14.7, rumors around the iPhone 13, and more.
Apple has issued an update that stops the “woozy face” emoji from appearing when users type in the word “stammer” into messaging apps on iOS, including iMessage.
A fisherman has caught an iPhone, plus case and photograph, in the Waccamaw River.
With the launch of the Beats Studio Buds, Apple now has a total of four wireless earbuds it sells to consumers. Here’s how the newcomers face against AirPods, AirPods Pro, and Beats Powerbeats Pro.
Sony launched the WF-1000XM4 wireless earbuds in June, its noise-cancelling rival to the Apple AirPods Pro. Here’s how Sony’s latest stacks up against Apple’s heavy hitter.
Apple has evolved its remote control over time, with each iteration introducing physical improvements and better features. After launching the second-generation Siri Remote, has Apple created its best controller?
In April, Amazon upgraded its Echo Buds to make it a better value-oriented rival to Apple’s AirPods. Here’s how Amazon’s offerings stack up to Apple’s AirPods and AirPods Pro.
Apple’s launch of AirTag puts it into a growing market of tracking accessories, but how does it compare against the Tile Pro and the Find My-enabled Chipolo One Spot? We compare the trackers.
