Facebook representatives approached controversial surveillance vendor NSO Group to try and buy a tool that could help Facebook better monitor a subset of its users, according to an extraordinary court filing from NSO in an ongoing lawsuit.
Facebook is currently suing NSO for how the hacking firm leveraged a vulnerability in WhatsApp to help governments hack users. NSO sells a product called Pegasus, which allows operators to remotely infect cell phones and lift data from them.
According to a declaration from NSO CEO Shalev Hulio, two Facebook representatives approached NSO in October 2017 and asked to purchase the right to use certain capabilities of Pegasus.
At the time, Facebook was in the early stages of deploying a VPN product called Onavo Protect, which, unbeknownst to some users, analyzed the web traffic of users who downloaded it to see what other apps they were using. According to the court documents, it seems the Facebook representatives were not interested in buying parts of Pegasus as a hacking tool to remotely break into phones, but more as a way to more effectively monitor phones of users who had already installed Onavo.
Do you work for NSO or Facebook, or used to? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
"The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices," the court filing reads. "The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users."
Facebook proposed to pay NSO a monthly fee for each Onavo Protect user, the filing adds.
In a statement, Facebook suggested NSO is misrepresenting these conversations between NSO and Facebook employees.
"NSO is trying to distract from the facts Facebook and WhatsApp filed in court over six months ago. Their attempt to avoid responsibility includes inaccurate representations about both their spyware and a discussion with people who work at Facebook. Our lawsuit describes how NSO is responsible for attacking over 100 human rights activists and journalists around the world. NSO CEO Shalev Hulio has admitted his company can attack devices without a user knowing and he can see who has been targeted with Pegasus. We look forward to proving our case against NSO in court and seeking accountability for their actions," the statement from a Facebook spokesperson read.
NSO has maintained that it only sells Pegasus to intelligence and law enforcement agency clients.
"Facebook is a private entity and not a sovereign government or government agency for national security and law enforcement purposes and therefore does not meet NSO's customer criteria. NSO declined the sale and informed Facebook that NSO only licenses its Pegasus technology to governments," the declaration adds.
In 2019 Apple forced Facebook to remove Onavo Protect from the App Store, and Facebook removed it from Google Play as well following a backlash for the user monitoring.
NSO is a highly contentious player in the surveillance industry, selling powerful hacking technology to authoritarian governments such as Saudi Arabia. It has also recently been working on another product that would digest location data in an attempt to provide insights to potential spreading of the coronavirus, but privacy experts were highly cautious of the approach.
Hulio, did not immediately respond to a request for comment. In an email, an NSO spokesperson said: "At this stage we are only releasing what is contained in the official court documents."
Lorenzo Franceschi-Bicchierai contributed reporting.
This story was updated to include NSO's spokesperson response and a statement from Facebook.
Subscribe to our cybersecurity podcast, CYBER.