[kdbg]

I'm not a lawyer so maybe I'm misunderstanding something but the plaintiff is Whatsapp, not the journalists. This isn't really about holding NSO Group accountable for hacking journalists at all

The fact journalists were compromised seems only incidental, the ruling is about weather or not NGO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims and not weather they were unauthorized in accessing the victims. Its a bit of a subtle nuance but I think its important.

Quoting the judgement itself:

> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.

> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatapp servers themselves

> [...removing more detailed defendant argument...]

> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"

> [...]

> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.

Adding a little more detail that comes from the prior dockets and isn't in the judgement directly but basically NSO Group scripted up a fake Whatsapp client that could send messages that the original application wouldn't be able to send. They use this fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms) they exceeded authorization.

Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. Whatapp (that I recall) does not claim that the fake client abused any vulnerabilities to get information just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.

I dunno, I mean the CFAA is a pretty vague law that has had these very broad applications in the past so I'm not actually surprised I was just kinda hopeful to see that rolled back a bit after the Van Bruen case a few years ago and the supreme court had some minor push back against the broad interpretations that allowed ToS violations to become CFAA violations.

Edit: Adding a link to the judgement for anyone interested: https://storage.courtlistener.com/recap/gov.uscourts.cand.35...

Edit2: And CourtListener if you want to read the other dockets that include the arguments from both sides (with redactions) https://www.courtlistener.com/docket/16395340/facebook-inc-v...

[sangnoir]

> I doubt I'm the only person here who has ever made an alternative client for something before.

I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored, I'm not against those that deliver malware, or bypass rate-limiting having their day in court.

[fc417fc802]

Laws need to be clear about where the line is though. If circumventing rate limiting is illegal then that should be explicit, including the criteria used to determine that a service is in fact rate limited in such a legally binding manner. As it is an API is available but somehow is not considered public (criteria unclear) and thus engaging with it in certain ways (criteria unclear) is out of bounds.

If we want using a service to perpetrate a crime to itself be an additional crime then that should be made explicit. In the (unlikely) event that NSO wasn't actually perpetrating any crimes against the end users then that fact is probably what needs to be fixed.

[Spooky23]

Given the nature of who the stakeholders are, the neatest way to achieve an end is to target authorization. It focuses on the how instead of the who or what.

This reduces embarrassment for stakeholders, protects sources and methods, and sends a message.

The law is as broad as can be. If it were a US National instead of NSO Group, some crazy calculation of damages would be used to extract a plea in lieu of a thousand months in prison.

[ganoushoreilly]

THE CFAA is definitely ripe for reform. It wouldn't be hard to argue it's broad and vague. There's definitely this overarching sweep of online behaviors that could easily be classified as benign.

[8note]

i dont think users of whatsapp would have standing against people hacking whatsapp to get their data.

whatsapp owns the systems, so its up to whatsapp to sue

[Spooky23]

The thing of value isn’t in WhatsApp in this case.

You can’t sue a dude for stealing a screwdriver to break into your home with. Your tort is the act against you.

[EMIRELADERO]

What?

So if someone robs a bank and empties my safety deposit box I can't sue them because it was the bank that had the money, not me?

[endofreach]

Well, haven't you heard? The issue with your analogy is: you don't own your data.

(One might argue that it's similar with "your" money ((in the bank)) , but that's not the point)

[Spooky23]

Different scenario. The bank is a bailor — they have an duty of care for property in their possession that you retain ownership to.

You can sue the thief for stealing your property and the bank for negligent bailment. Same concept as a valet crashing your car.

[unyttigfjelltol]

If someone steals the ownership registry the bank maintains regarding the deposit boxes-- may be the better analogy. Or list of the owner and box number. Clearly this is information the bank controls, not the individual.

[madeofpalk]

> fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device

> I doubt I'm the only person here who has ever made an alternative client for something before

I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.

They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.

[fc417fc802]

> with the intention of spamming or otherwise causing harm to its users

That sounds hopelessly ambiguous to me. What if Google decides that making use of yt-dlp is causing harm to them? What is the criteria here?

We wanted email spam to be illegal and so it was explicitly made illegal. We wanted robocalling to be illegal and so it was explicitly made illegal. In such cases we have (reasonably) clear criteria for what is and is not permitted.