Alrighty - here's my $.02 on the topic (was trying not to poison the well, but will also use this thread to collect my thoughts).

First, it's important to note that Facebook is not suing NSO just because it created and sold an exploit. That's lost in so much of the discussion 1/ https://twitter.com/MalwareJake/status/1342166300664205315
Now governments have sovereign immunity in most matters under international law. Mercenaries, not so much (IANAL, talk to yours).

But certainly suppliers of weapons to a government wouldn't be held liable if they are used against another nation, right? 2/
That's what NSO is arguing - they are just a provider of weapons. The problem is that NSO went far beyond "just providing the exploit." It appears that in most (if not all) cases they delivered the exploit and managed collection from targets as well. 3/
If you're going to call an exploit a "cyber weapon" (and I think the courts are pretty clearly going to), then operating the weapon makes NSO less of an arms supplier than a mercenary.

Fun fact: mercenaries are not entitled to POW protections and many other legal protections. 4/
I'll table the discussion of whether you should be able to sell exploits to governments (or whoever) for another day. While the amicus signers would clearly seek to limit that, their argument is unquestionably biased. The self-interest is obvious. 5/
Now the original case involves the use of the WhatsApp servers. In order to deliver the exploit (which NSO did on behalf of its customers), they had to agree to the terms of service for WhatsApp. But then they violated the ToS by delivering exploits over the service. 6/
This creates another interesting question of contract law. While Facebook likely would not be able to sue the Government of Mexico for violating WhatsApp ToS (sovereign immunity and all), NSO seems a valid legal target for this violation of contract law. 7/
There are a LOT of moving pieces to this case. While I understand the reasons that Google, Microsoft, etc. filed the amicus, it is overly broad and focuses FAR beyond the facts of the case. I suspect the courts will see this as the overreach that it is. 8/
https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2020/12/NSO-v.-WhatsApp-Amicus-Brief-Microsoft-et-al.-as-filed.pdf
The amicus brief seems intent on establishing liability for those who create and sell exploits. But the facts in the case absolutely revolve around the fact that NSO *operated* the exploit it created, not merely that it was created. 9/
https://media.business-humanrights.org/media/documents/files/Complaint_WhatsApp_v._NSO_Group.pdf
Make no mistake about it: this case was brought by Facebook specifically because the exploit required the use of the WhatsApp service *and* NSO operated as a mercenary. Whatever the outcome, we should not broadly assume the results will apply to other exploit brokers. /FIN
You can follow @MalwareJake.