On Tuesday, WhatsApp and Facebook filed a lawsuit against malware vendor NSO Group, because its tool exploited a WhatsApp vulnerability that customers then used in the wild. WhatsApp said in a public announcement that it, along with researchers from Citizen Lab, identified 1,400 cases of the exploit being used. It said that 100 of those cases were surveillance against human rights defenders, journalists, and other members of civil society. WhatsApp told Motherboard some of the attacks were also states using NSO tools to spy on other states.
In response to the lawsuit, NSO said in a statement that its customers are "contractually prohibited" from using the company's hacking capabilities to target people for reasons other than preventing terrorism or serious crime investigations.
However, a contract between NSO and Ghana doesn't explicitly mention limiting use to either of those cases anywhere, according to a contract included as an exhibit in WhatsApp's lawsuit.
"Subject to the terms of this Agreement and the payment of the System Consideration in full, the System Provider shall provide the End-User a limited, exclusive, non-transferable, non-pledgeable and non-assignable license to use the System solely for the End-User's internal use, and for the purpose that it is intended for," the contract with the National Communication Authority of the Republic of Ghana reads.
NSO has long claimed that it takes care to ensure that its software, called Pegasus, is only used against suspected criminals and terrorists, even though groups such as University of Toronto's Citizen Lab have repeatedly published case studies of NSO malware being used against journalists and activists.
The contract does say, "This Agreement shall be governed, construed and enforced in accordance with the laws of the Republic of Ghana." That is not the same as what NSO claims its contracts enforce, however. The contract makes no mention of respecting international law, or restricting deployment to a certain set of use cases beyond respecting the country's own laws. In authoritarian regimes, targeting journalists or dissidents could still fall within the country's own legal framework.
"Any controversy or claim arising under, out of or in connection with this Agreement its validity, its interpretation, its execution or any breach or claimed breach thereof, are hereby submitted to the sole and exclusive jurisdiction of the competent courts in the Republic of Ghana," the contract adds.
A section of the contract describing "The End-User's Responsibilities" does not mention limiting use to preventing terrorism or serious crime. It does say the user needs to obtain all permits and approvals required to use the system.
In fact, the only time the contract mentions terrorism is in the context of NSO not being held responsible for failure to uphold its obligations due to any action beyond its control, including terrorism.
It is possible that a separate, as-yet-unpublished contract limits use of the tool to terrorism or serious crime. It is also possible that more recent contracts include the language; this Ghana contract is from 2015. In September this year, NSO launched a new "Human Rights Policy" and governance framework which was supposed to cement "the company's existing industry-leading ethical business practices," according to an NSO press release. NSO also hired multiple advisors to guide the company on similar issues.
When asked to do so, NSO did not point to the section of the Ghana contract that limits use to terrorism or serious crime.
"All of our contracts with our actual customers explicitly state that our software is for the prevention of crime and terror and anything else is misuse and grounds for termination," an NSO spokesperson said in a statement.
Ghana Business News previously reported that the country purchased NSO's tools, both for the same government agency and through the same reseller as those mentioned in the published contract.
Update: This piece has been updated to include a statement from NSO as well as more context on Ghana Business News' reporting.