Platforms, Encryption, and the CFAA: The Case of WhatsApp v NSO Group

42 Pages Posted: 11 Mar 2022

See all articles by Jon Penney

Jon Penney

Harvard University - Berkman Klein Center for Internet & Society; Citizen Lab, University of Toronto; Harvard Law School; Osgoode Hall Law School; Oxford Internet Institute, University of Oxford

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society; Harvard University - Harvard Kennedy School (HKS)

Date Written: March 7, 2022

Abstract

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or workaround these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. Now, after the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now more important than ever.

In this Article, we take up these very issues, using the recent case WhatsApp v. NSO Group as a case study to explore them. The case involves a lawsuit launched in 2019 by WhatsApp and Facebook against the cybersecurity firm NSO Group, whose spyware has been linked to surveillance of human rights activists, dissidents, journalists, and lawyers around the world, as well as the death of Washington Post journalist Jamal Khashoggi. The lawsuit, brought under the CFAA, alleged NSO Group launched a sophisticated hack that compromised countless WhatsApp users—many of which were journalists and activists abroad. Despite these broader human rights dimensions, the lawsuit’s reception among experts has been largely critical. We analyze WhatsApp’s CFAA claims to bring greater clarity to these issues and illustrate how best to theorize encrypted platforms and networks under the CFAA. In our view, the alleged attack on WhatsApp’s encrypted network is actionable under the CFAA and is best understood using what we call a network trespass theory of liability. Our theory and analysis clarifies the CFAA’s application, will lead to better human rights accountability and privacy and security outcomes, and provides guidance on critical post-Van Buren issues. This includes setting out a new approach to theorizing the scope and boundaries of computer systems, services, and information at issue, and taking the intended function of code-based access barriers into account when determining whether circumvention should trigger liability.

Keywords: platforms, encryption, CFAA, Computer Fraud and Abuse Act, human rights, cybersecurity, infosec, data breach, privacy, Whats App, NSO Group, hacking, Van Buren, Facebook, Khashoggi,

JEL Classification: Z10, Z18

Suggested Citation

Penney, Jonathon and Schneier, Bruce, Platforms, Encryption, and the CFAA: The Case of WhatsApp v NSO Group (March 7, 2022). Berkeley Technology Law Journal, Vol. 36, No. 101, 2022 (Forthcoming), Available at SSRN: https://ssrn.com/abstract=4052081

Jonathon Penney (Contact Author)

Harvard University - Berkman Klein Center for Internet & Society ( email )

Harvard Law School
23 Everett, 2nd Floor
Cambridge, MA Nova Scotia 02138
Canada

Citizen Lab, University of Toronto ( email )

Munk School of Global Affairs
University of Toronto
Toronto, Ontario M5S 3K7
Canada

Harvard Law School ( email )

1575 Massachusetts
Hauser 406
Cambridge, MA 02138
United States

Osgoode Hall Law School ( email )

4700 Keele Street
Toronto, Ontario M3J 1P3
Canada

Oxford Internet Institute, University of Oxford ( email )

1 Saint Giles
Oxford, OX1 3JS
United Kingdom

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society ( email )

Harvard Law School
Cambridge, MA 02138
United States

Harvard University - Harvard Kennedy School (HKS) ( email )

79 John F. Kennedy Street
Cambridge, MA 02138
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
78
Abstract Views
331
rank
417,657
PlumX Metrics