Rethinking Government Use of Commercial Exploit Tools After WhatsApp Spying

Earlier this year, Facebook released an emergency patch after it discovered a software vulnerability in the voice over IP (VoIP) code used in WhatsApp that allowed attackers to remotely install malware on a user’s device by simply placing a call to their phone—the user would not even need to answer. The seriousness of this vulnerability became even more apparent a week ago after Facebook filed a lawsuit against NSO Group, an Israeli cyber security company, alleging that the company used its malware to infect 1,400 mobile phones belonging to journalists, diplomats, human rights activists and senior government officials in an attempt to access their encrypted WhatsApp messages (presumably on behalf of one or more unknown clients). WhatsApp worked with Citizens Lab, an academic research center at the University of Toronto’s Munk School, to identify the affected users and notify them of this privacy breach.

As Daniel Castro writes in CIO, the lawsuit shows the significant risk to individuals, as well as public trust, that comes from allowing commercial systems to remain exploitable. The US government, and its allies, should recognize that they need to play a larger role in promoting cybersecurity in commercial systems and realign incentives so that it more profitable to fix these vulnerabilities than it is to exploit them.