
That $168M fine isn’t enough to stop NSO spies

Wednesday 7 May 2025, 17:58, by ComputerWorld
Should Apple have abandoned its lawsuit against Israeli mercenary spyware vendor NSO Group — the company it once described as “21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse”? Perhaps not, but it’s still heart-warming to learn NSO has been slammed with a huge $168 million fine for spying on WhatsApp.

Mercenaries in your machine

NSO Group is one of the most renowned of a multitude of surveillance-as-a-service companies exploiting complex and expensive hacks to break into people’s digital devices and spy on them, frequently for oppressive governments.

That the spyware sector is thriving is a grim reflection of our deeply amoral age. Its existence should encourage everyone to invest in more security, rather than demand less, even at the encryption-eroding UK Home Office. But, I digress.

NSO Group broke into the mainstream in 2019 when reports emerged showing the extent to which its Pegasus spyware had been used against 1,400 WhatsApp messages in addition to attacks against iPhones. 

Pegasus was an insidious attack that, once installed, granted total access to compromised devices. It turned people’s phone records, emails, messages, video content, and location data into open books, and could even be used to activate cameras and microphones to engage in remote surveillance.

Litigation potentially raised the risk

Both Apple and Facebook began litigation against NSO Group, but Apple withdrew its attempt last year, arguing that continuing in the claim could undermine the systems it has built to secure its ecosystem. “While Apple continues to believe in the merits of its claims, it has also determined that proceeding further with this case has the potential to put vital security information at risk,” it told the court.

WhatsApp continued its case, which it has now won, securing what sounds like a lot: $168 million in compensation.

Since then, NSO Group and others like it have been embroiled in numerous attacks against a huge range of targets, including human rights protectors, opposition parties, dissidents, journalists and others on behalf of a range of governments, including those with very poor human rights records. 

That’s not how the company sees itself, of course. “We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” said NSO spokesman Gil Lainer via email. 

Is that right?

Meta claims NSO repeatedly targeted people involved in its case against the company, which undermines the claim to be on the right side of history. The legal defenses it put up in court were equally evasive.

The company delivers attacks that are complex, sophisticated, and cost a lot of money to mount, which means most people don’t need to worry about being attacked this way, while those who do should be using Apple’s Lockdown Mode. These attacks often require no user input whatsoever and can begin with a missed call or an unrequested message.

With many thousands of people seemingly affected by these attacks, and with OS providers shouldering the additional cost of mitigating such attacks, it’s pretty clear NSO Group will likely see the fine as a small tax on earnings.

This fine is small change

The thing is, $168 million may well be peanuts to NSO Group. Six years ago, The New York Times reported that the market for digital espionage systems of this kind had already reached past $12 billion. Just last year, it was reported the company charged a “standard price” of $7 million for simultaneous access to hack 15 devices. 

Targeting individuals outside of national borders cost people $1 million or $2 million a pop. (These exploits were widely used internationally — even the CIA and FBI used the software, paying more than $7 million for the privilege, before its use was banned.)

But the company wasn’t just generating plenty of money in exchange for undermining digital security for one or two individuals; it’s been implicated in smashing the digital windows belonging to thousands of people.

No one is safe until everyone is safe

For enterprise users, the implications are stark. It means that if you or your business is involved in some way with national security or possesses unique business secrets, you can no longer assume your data is at all safe. For as long as companies such as NSO Group exist, your data is just waiting for a competitor to pick up the phone, cough up the cash, and get some mercenary spyware company to break it out. This seems a very sub-optimal reality in digital transformation.

Rather than stopping the company in its tracks, the fine could just cause NSO to raise prices a little, I imagine. The risk remains and is real. And these attacks will trickle down.

https://www.computerworld.com/article/3980198/that-168m-fine-isnt-enough-to-stop-nso-spies.html
