When is it legal to hack?

Facebook entered new territory this week by suing Israeli cyber-intelligence firm, NSO Group, in California federal court. There are lots of issues here. Most people want private communications to be private. Most people want to be able to have criminals prosecuted.  But what’s a criminal act in one country may not be in another, and in the days of the Internet, international boundaries are largely meaningless from a communication perspective. WhatsApp, iMessage, and the less-widely deployed Signal are all encrypted communication, where even the provider of the service can’t read the messages. Facebook announced plans in March to encrypt messages across all of its platforms, but the US Justice Department is discouraging them from doing this (they want to be able to access those messages, from the Facebook side without you knowing, when they have a court order). Of course, in general, “hacking” is illegal. But what about when a government does it? NSO Group claims, ““The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”  The lawsuit alleges that NSO clients used the technology to target journalists and human-rights activists. But, these are not mutually exclusive. Certainly, in many countries, people that might be considered journalists and human-rights activists in the anglo-world would be considered criminals. Is any company in any country allowed to sell hacking technology to governments? And whether they are or not, what does a lawsuit in the US do to a foreign company, even if they’re found guilty? If NSO is selling to, for example, the UK, then … so what if they lose the lawsuit? I use the UK as an example, not because I think their legal ideas of what one can do with a journalist or activist are all that different from the US, but rather because there’s a long history of the US and UK spy agencies spying on each other and then sharing information, in order to circumvent local laws (e.g., the UK’s MI-6 could spy on US journalists, and then share that information with the NSA). Given this state of affairs, you should probably never count on your communications being secure. For most people, most of the time, the encryption built into the major messaging apps is sufficient, but if you’re at the front line of activism or journalism, and need to protect communication for life-saving reasons in unfriendly jurisdictions, you’ll probably never be able to safely use a mass-market product. All of that said, it’s worth watching this lawsuit, to see what shakes out.

Leave a Reply

Your email address will not be published. Required fields are marked *