Platforms, Encryption, and the CFAA: The Case of WhatsApp v NSO Group

42 Pages. Posted: 11 Mar 2022

Jon Penney

Osgoode Hall Law School; Harvard University - Berkman Klein Center for Internet & Society; Citizen Lab, University of Toronto

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society; Harvard University - Harvard Kennedy School (HKS)

Date Written: March 7, 2022

Abstract

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or work around these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. After the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now more important than ever.

In this Article, we take up these very issues, using the recent case WhatsApp v. NSO Group as a case study to explore them. The case involves a lawsuit launched in 2019 by WhatsApp and Facebook against the cybersecurity firm NSO Group, whose spyware has been linked to surveillance of human rights activists, dissidents, journalists, and lawyers around the world, as well as the death of Washington Post journalist Jamal Khashoggi. The lawsuit, brought under the CFAA, alleged NSO Group launched a sophisticated hack that compromised countless WhatsApp users—many of whom were journalists and activists abroad. Despite these broader human rights dimensions, the lawsuit’s reception among experts has been largely critical. We analyze WhatsApp’s CFAA claims to bring greater clarity to these issues and illustrate how best to theorize encrypted platforms and networks under the CFAA. In our view, the alleged attack on WhatsApp’s encrypted network is actionable under the CFAA and is best understood using what we call a network trespass theory of liability. Our theory and analysis clarify the CFAA’s application, will lead to better human rights accountability and privacy and security outcomes, and provide guidance on critical post-Van Buren issues. This includes setting out a new approach to theorizing the scope and boundaries of computer systems, services, and information at issue, and taking the intended function of code-based access barriers into account when determining whether circumvention should trigger liability.

Keywords: platforms, encryption, CFAA, Computer Fraud and Abuse Act, human rights, cybersecurity, infosec, data breach, privacy, WhatsApp, NSO Group, hacking, Van Buren, Facebook, Khashoggi

JEL Classification: Z10, Z18

Suggested Citation

Penney, Jonathon and Schneier, Bruce, Platforms, Encryption, and the CFAA: The Case of WhatsApp v NSO Group (March 7, 2022). Berkeley Technology Law Journal, Vol. 36, No. 101, 2022 (Forthcoming), Available at SSRN: https://ssrn.com/abstract=4052081

