Will Cathcart, the head of WhatsApp, told CPJ why technology companies should raise their voices against spyware, shortly after investigative reporting known as the Pegasus Project alleged NSO Group spyware was linked to thousands of possible surveillance targets, including journalists. (Facebook)

WhatsApp Head Will Cathcart: The spyware industry is undermining freedom

Will Cathcart is the chief executive of WhatsApp, the downloadable messaging app used by millions around the world as a primary means of communication. WhatsApp offers end-to-end encryption, meaning messages shared via the platform are, under normal circumstances, highly secure—a feature that has made it attractive for journalists, human rights defenders, and other vulnerable users, particularly in repressive environments.

Cathcart has been outspoken about threats to security, including so-called backdoors, which governments argue would give law enforcement much-needed access to encrypted communications, but which would also be vulnerable to malicious hacking. Cathcart has also been highly critical of the NSO Group, the Israeli firm that has marketed Pegasus spyware to governments around the world. Pegasus can be surreptitiously implanted on smartphones, giving governments unfettered access to all communications on the phone—and bypassing the encryption that WhatsApp and other secure apps like Signal apply to messages in transit.

NSO Group says Pegasus is a critical tool that governments use to combat crime and terror. But a recent report dubbed the Pegasus Project—published jointly by 17 media organizations and based on a leaked list of 50,000 phone numbers allegedly selected by NSO clients—revealed that possible targets included hundreds of journalists and human rights defenders, not to mention senior political leaders such as French President Emmanuel Macron.

NSO has told CPJ it has no connection to the list of phone numbers, that it vets all clients and investigates credible allegations of abuse, and that it cannot access customer data except in the course of an investigation. In a statement to the Guardian, the company denied that Macron had been targeted by any of its customers.

CPJ spoke with Cathcart via Zoom on July 23. The interview has been edited for clarity and length. NSO’s responses relating to some of his comments appear at the end.

Right after the Pegasus Project was published, you put out a tweet storm. You posted a thread with your own reaction and you retweeted some interesting folks, everyone from David Kaye to Edward Snowden. Tell me why you responded the way you did.

The issue of spyware, especially unaccountable spyware, is a huge problem. And it’s being used to undermine freedom. We detected and defeated an attack from NSO Group in 2019. And we worked with Citizen Lab who helped us analyze the 1,400 or so victims we saw then, and discovered over 100 cases of clear abuse, including journalists and human rights defenders. The new reporting shows the much, much larger scale of the problem. This should be a wake-up call for security on the internet.

You mentioned the 2019 attack, which resulted in WhatsApp filing a lawsuit [in U.S. federal court] against the NSO Group. Your Washington Post op-ed in which you lay out the rationale is pinned to the top of your Twitter feed. What made you decide to take on the NSO Group?

When we saw the attack and defeated it in 2019, we decided we needed to get to the bottom of what had happened. These were not, as has been claimed, clear law enforcement operations. This was out-of-control abuse.

We felt we needed to be very loud about what we saw, because we knew that even if we had fixed the issue, there still exist vulnerabilities in people’s mobile phones. The operating systems have bugs that are still being exploited. So even though we’d stopped the attack from our perspective, it’s still a problem. If you’re a journalist, if you’re a human rights defender, if you’re a political dissident, you still have to be worried. So yeah, absolutely, we sued the NSO Group. They broke the law. We want to hold them accountable. We think their behavior needs to be stopped.

There’s clearly a business interest here. One of the selling points of end-to-end encryption is the security that it provides. If there’s spyware out there that’s seeking to subvert that security, it’s a threat to the business model. But do you see this as a matter of principle as well? How do those two things relate to each other?

This is a threat to end democracy. What we offer is a service for having private, secure communication. The reason everyone at WhatsApp gets up every day excited about working on that and fighting to defend it, is we believe it enables really important things. We believe journalists being able to talk to each other, and [to] sources, [to] bring out critical stories on governments or companies is a fundamental element of a democracy. We believe, in democracy, you need to have opposition. We believe human rights defenders all around the world do really, really important work. WhatsApp is popular in a lot of countries around the world that don’t have as robust traditions of freedom and liberal democracy. We’re popular in a lot of places where the ability to communicate securely is critical to someone’s safety.

You’ve been very outspoken about your concerns. What would you like to see from the tech community at large?

I would love to see all the other tech companies stand up, talk about this problem, talk about the victims, talk about the principles at stake, and do everything they can to put a stop to it. I was really excited to see Microsoft, when they discovered some spyware from a different company a few weeks ago, they were loud about it. They worked with Citizen Lab to understand the victims. I think that needs to be the model. I don’t think it is okay, when you find these vulnerabilities and you find these attacks to say, “Well, it’s disappointing, but it only affected a few people.” An attack on journalists, an attack on human rights defenders, an attack on political figures in democracies, that affects us all.

You’ve recognized the communications needs of journalists and human rights defenders, particularly those working in high-risk environments. But some security experts believe that phones just aren’t secure anymore. Do you still feel confident that WhatsApp is a secure form of communication for vulnerable individuals, given this emerging security threat of spyware?

Well, the mobile phone is the computer for most people. It’s the only computer most people have ever experienced. We need to make it secure. We need mobile operating systems to invest a lot more in security to fix these vulnerabilities. That’s why we defend end-to-end encryption [and] privacy. This is a moment where governments should stop asking us to weaken end-to-end encryption. That is a horrible idea. We have seen the damage that comes from this spyware with the security we have today. We should be having conversations about increasing security.

Within WhatsApp, your messages are extremely secure when they’re being delivered from you to the person you’re talking to. What other forms of security can we add? I’m not sure it’s good for everyone to keep a copy of every conversation on their phone forever. Because what if your phone gets stolen? What if someone forces you to open the phone for them? So we added, late last year, the ability for you to have messages disappear after a week. If someone gets your phone, all you have is the last week’s worth of messages.

We haven’t added this yet, but we’re working on the ability for you to send a photo that the recipient can only see once. We’re working on the ability for you to change a setting in your WhatsApp account to say, “I want every thread that I create, or that someone creates with me, to disappear by default.” I think there’s a lot more we can do to help protect people – but it takes the whole industry saying, “We need to make the phone secure.”

You’ve called for import controls and other kinds of regulations to rein in a spyware industry that’s out of control. But if you look at the way technology develops, things get cheaper and easier over time. What makes you think that even if the current generation of spyware purveyors are somehow put out of business, they won’t be replaced by others who are even more ruthless? Or by state level technology from Russia, China, the U.S. for that matter? Can the spyware threat be defeated through regulation or import controls?

Well, I think all of it helps. If you think about people breaking into our homes, obviously that’s still a problem. But we have locks on the doors. We have burglar alarms. We also have accountability. If someone breaks into my home, hopefully I can go to the police, I can go to the government, they’ll hold them accountable. If governments were actually holding people accountable when [spyware attacks] happen – that makes a huge difference. There will always be bad people out there. There will always be hostile governments out there. You’ve got to have as much security as possible in defense.

You’ve emphasized WhatsApp’s commitment to privacy, to operating within the human rights framework. But WhatsApp is owned by Facebook. You worked at Facebook for many years. Facebook is involved in a huge public controversy, and was recently accused by President Biden of “killing people [in relation to COVID-19 vaccine disinformation].” Their business model is based on monetizing data. And there’s a huge amount of concern about misinformation circulating on the platform. Of course, people raise those concerns about WhatsApp as well. Does the relationship with Facebook complicate your messaging about privacy and human rights?

We added end-to-end encryption to WhatsApp as part of Facebook. We’ve been very consistent on that and very supportive across the whole company – about the importance of that, why that’s the right thing, why that protects people’s fundamental rights, including journalists. Obviously, there are a lot of issues. But they’re different products. Take misinformation, for example. The question of what you do about misinformation on a large public social network is very different from how you should approach it on a private communication service. We think on a private communications service, you should have the right to talk to someone else privately, securely without a government listening in, and without a company looking at it. That’s different than if you’re broadcasting something out to every single person on a public social network.

We’ve talked today about spyware. But are backdoors an even greater threat to secure online communication?

Absolutely. Security experts who’ve looked at this agree. If you look at the threat from spyware, they’re having to go to each phone individually and compromise it. If you talk about holding a backdoor into any encryption, you are creating a centralized vulnerability in the whole communications network. And the scenario you need to be worried about is: what if a spyware company, what if a hostile government, what if a hacker, accessed all of the communications? It’s why, honestly, the proposals from some governments to weaken end-to-end encryption are just terrifying. They aren’t grappling with the nightmare scenario of everyone’s communications in a country being compromised.

If this was a big wake-up call, what are you planning to do next? What should the industry do next? What can people who are concerned about this do to fight back?

We’re continuing to add security and privacy to WhatsApp, continuing our lawsuit in our push against NSO Group. We’re hoping more of the industry joins, and that more of the industry is loud about the problem. But what’s most important is governments. Governments need to step in and say this was not okay. Who was behind it? Who were the victims? What’s the accountability? Governments need to step in and have a complete moratorium on the spyware industry. It’s got to stop.

[Editor’s note: CPJ emailed NSO with a request for comment on the WhatsApp lawsuit and the attack Cathcart attributed to NSO, but did not hear back before publication. The company denied the WhatsApp allegations when the lawsuit was announced, as CPJ noted at the time, and is challenging the suit in court, arguing it should be immune on grounds that its clients are foreign governments, according to the Guardian.]