The simple act of signing up for a Twitter account or using the WhatsApp messaging service could expose users to international spying and malicious surveillance, according to two current legal cases—and the implications are particularly concerning for journalists and dissidents who criticize the leaders of authoritarian regimes. The threats also go far beyond what most individuals can defend themselves against, according to a Fletcher School professor.
“There was almost no way an individual could have detected or prevented the infiltration technique” described in the WhatsApp lawsuit, said Josephine Wolff, an assistant professor of cybersecurity policy at Fletcher. “In cases like those, where users don’t even have to open an infected email attachment or visit a shady website to download malware, but can get infected simply from receiving an unanswered WhatsApp call, we are really dependent on tech firms and security researchers to find these threats and provide patches to them.”
The increased concern follows the announcement that two Twitter employees were charged in early November with spying for Saudi Arabia. The men, Ali Alzabarah and Ahmad Abouammo, were said to have obtained information about American citizens and Saudi dissidents who opposed the policies of the kingdom, which is known for silencing its critics.
And in late October, an Israeli firm called NSO Group was sued by the messaging service WhatsApp, which is owned by Facebook. WhatsApp alleges that NSO Group was involved in a cyberattack that installed spyware on the phones of human rights defenders, political dissidents, and journalists around the globe who used its service.
Tufts Now spoke with Wolff to understand more about the current cases—and what they mean for our cybersecurity.
Tufts Now: We usually think of cybersecurity in terms of outside hackers, but the Twitter story is about employees at a U.S. company being charged with using their access to help Saudi Arabia. How concerned should we be about security within technology companies?
Josephine Wolff: One of the elements of cybersecurity that concerns organizations is the potential for people to remotely access networks and data—but just because it’s possible for outsiders to access that information, doesn’t mean that insider threats aren’t a serious concern. Vetting employees, contractors, and other people who are granted access to firms’ computer systems and given login credentials is a huge part of trying to secure data and one that needs to be integrated with other, more technical security measures that may be more focused on outside access.
What should tech companies like Twitter be doing differently to protect users’ data?
It’s not clear that Twitter made major missteps in this case—perhaps they could have done a better job of vetting Ali Alzabarah and Ahmad Abouammo before they were hired and uncovered their ties to Saudi Arabia, but that kind of information is not something that a private company would necessarily have any access to when making hiring decisions.
Similarly, Twitter could perhaps have been a little more on top of the question of which users their employees were pulling information about and put together the pattern of their employees looking up information more quickly—for instance, when Abouammo looked up user email addresses and phone numbers for Twitter users who had criticized the Saudi government.
But these would have been fairly subtle patterns that might not have looked so out of the ordinary for automated monitoring systems tracking what Twitter employees were doing. There are definitely lessons to be learned from this story for Twitter and other companies, but it’s also important to recognize that insider threats are notoriously difficult to identify and stop.
One of the Twitter accounts that was compromised reportedly belonged to Omar Abdulaziz, a prominent Saudi dissident and associate of Jamal Khashoggi, the journalist murdered by Saudi agents last year. Abdulaziz has sued Twitter and the Israeli firm NSO Group, which creates sophisticated spyware he claims infected his phone and helped lead to Khashoggi’s killing. NSO Group says its technology is meant only to help governments and law enforcement agencies fight terrorism and crime. How culpable is a private company like NSO Group if its spyware is misused by its clients?
We don’t really know the answer to the question of whether NSO Group is legally liable in these types of situations because the suits that have been filed against NSO by Abdulaziz and others are still unresolved.
It’s certainly possible that NSO Group could be culpable for helping foreign governments illegally access individuals’ mobile devices if they were directly delivering their spyware and exfiltrating the intercepted data on behalf of their customers. A lot may hinge on the question of what, exactly, NSO Group’s role was in operating the spyware they sold to foreign governments and how directly involved they were in illegally accessing the devices and data of individual victims.
Should Twitter be held responsible if their employee provided information about Abdulaziz’s account to Saudi Arabia?
In this particular case, I think it’s hard to argue that Twitter was negligent given the limited scope of the information that their employees looked up—email addresses and phone numbers—and how little was previously publicly known about those employees’ ties to the Saudi government. If Twitter had been aware of what was happening and decided not to notify Abdulaziz and other victims, then that decision would probably invite some greater scrutiny—though in this case, that might have been because they were working with the Department of Justice and didn’t want to interfere with the government’s investigation.
WhatsApp, which is owned by Facebook, recently sued NSO Group in U.S. federal court, claiming the Israeli firm was behind a cyberattack that installed spyware on users’ phones and targeted human rights defenders, political dissidents, and journalists. What impact is that lawsuit likely to have?
My hope—and, I suspect, WhatsApp’s hope—is that it will place greater pressure on policy-makers to take stronger actions against NSO Group. By filing their lawsuit, WhatsApp is drawing attention to what NSO Group and its clients have been doing and how those actions have affected individual WhatsApp users. They may or may not win their suit, but they will certainly provide some high-profile publicity about NSO and the most unsavory elements of its business.
It’s not just NSO Group—malware tools that enable surveillance and disruption of people’s lives are proliferating. What should be done to reduce our vulnerability to attacks?
Defending our data and devices against malware and intrusions requires that we, as individuals, get better at certain types of basic cybersecurity hygiene, from downloading security patches to using multi-factor authentication, but it also requires that the large tech companies that manufacture, maintain, and distribute those devices and the programs that run on them do a better job of identifying and remediating spyware initiatives like those sold by NSO Group.
There was almost no way an individual could have detected or prevented the infiltration technique that NSO Group used, as described in the WhatsApp lawsuit. In cases like those, where users don’t even have to open an infected email attachment or visit a shady website to download malware, but can get infected simply from receiving an unanswered WhatsApp call, we are really dependent on tech firms and security researchers to find these threats and provide patches to them.