“The ‘Project Pegasus’ revelations match what we saw in the attack two years ago”

Interview by Stephanie Kirchgaessner

Posted today at 11:00 a.m., updated at 11:20 a.m.

Will Cathcart is the CEO of WhatsApp. In 2019, the company discovered that NSO Group was using a flaw in its software to infect phones with Pegasus. WhatsApp had then sealed the flaw, filed a complaint, and warned 1,400 victims of this attack. The company’s observations at the time corroborate those of “Project Pegasus.”


What is your take on the revelations released this week regarding Pegasus?

Well, first of all I can say that these revelations match what we saw in the attack we fought two years ago. These revelations are perfectly consistent with what we have learned. Among the 1,400 victims and potential victims attacked in 2019 through WhatsApp, there were also government officials, including in senior positions, and allies of the United States, in addition to journalists, human rights defenders, and other people who had no reason to be watched in any way.


More generally, I think this is also an Internet security alert. Either phones are safe for everyone or they are not safe for anyone. Either we can all have private chats or no one can. I think it’s a good time for governments to stop asking us to deliberately weaken security [of messaging services], and so that we have, instead, an industry-wide discussion on how best to make the Internet and our communications more secure. This is what we need.

You talk about government officials who have been attacked. Can you give more details? Have these people been notified?

We have notified everyone, everyone who has been attacked has been notified. (…) We have discussed these attacks with some governments, we have described to them what we have discovered, of course being very careful to protect the privacy of the victims. But you have to remember, and this is also what your revelations show, that the attack we foiled was only active for a few weeks. And over that short period, we counted 1,400 victims; over a longer period, over several years, the number of people attacked is very high. Although we were able to block this WhatsApp attack, we know that NSO is also directly attacking mobile operating systems. Something had to be done to draw attention to this problem.

In fact, analyses carried out by Amnesty International’s Security Lab have shown that even the very latest versions of iOS, the core iPhone software, are vulnerable to Pegasus.


From our perspective, if you really want to protect the privacy of the users of your service, of course you need to do everything in your power to make it technically secure, but you also need to make some noise. You have to talk about what you see, file a complaint, make sure that the attackers are held responsible, share information with the victims, computer security researchers …

This is why we were very happy that Microsoft, Google and the Internet Association [which represents many technology companies, but not Apple] are filing written motions to support us in our lawsuit against NSO. I hope Apple will also decide to follow this approach, make some noise and join the proceedings.


We can’t just say to ourselves that these problems only concern a tiny minority of our users. These are subjects that affect journalists, human rights defenders all over the world, and therefore it affects us all. Any security breach is a problem for everyone. That’s why the entire industry must come together to end spyware and change the way governments think about it.

Where is your lawsuit against NSO?

I can’t go into details, but overall NSO asserted at the last hearing in the United States that they could be immune from lawsuits because their clients are governments. We disagree, and the court ruled in our favor. NSO has appealed this decision, and we are awaiting the appeal court’s decision.

Many governments, and in particular that of the United Kingdom, ask you to introduce security holes in the encryption …

Yes, several governments are publicly calling for the weakening of communications encryption, and we believe that is a mistake. We have said it over and over again, and we will continue to do so: if we weaken communications security, there will be abuse. [Pegasus] allows access to phones one by one; imagine what would happen if an attacker could simultaneously attack all phones at the same time. It would be a disaster. What is needed, on the contrary, is to completely reverse this debate: the most important question is to know what we can do to improve the security and confidentiality of the discussions. This is what governments should be asking of us, the private companies.


But is there a solution? Is it possible to imagine a phone that would be completely secure?

Just because things can never be perfect doesn’t mean we shouldn’t talk about it. We should be able to make phones and their software more secure – anything that can make it harder for attackers is helpful. If you install a heavy-duty lock and an alarm system in your house, and the police patrol your neighborhood, you are making a burglar’s job much more difficult. On a phone, and in computers, it’s a bit the same thing: security is a series of layers of protection. But also, of course, the culprits have to be prosecuted and held accountable – otherwise, you make it seem like what they did was not a problem.


The Biden administration has put in place a doctrine, in part inspired by the assassination of journalist Jamal Khashoggi, that provides for sanctions for governments that illegally harass or monitor opponents. Our revelations show that this is the case in many countries, such as Rwanda …

Yes, and it is the role of all governments to help bring the bad actors to face their responsibilities. NSO says that many countries have purchased its software. This means that many countries, even those that monitor their use of Pegasus more carefully, are funding this tool. Should they stop? Should they ask about other customers?


NSO claims its software does not work on US phones. Is this consistent with what you saw in 2019?

NSO says a lot of things (…). And a computer code can easily be changed. It’s kind of like saying you build missiles, but promise they’ll only explode in certain parts of the world. Missiles don’t work that way. Security vulnerabilities exploited by NSO exist on American phones just as they exist everywhere else in the world.