NEW YORK: Will Cathcart is the chief executive of WhatsApp, the downloadable messaging app used by millions around the world as a primary means of communication. WhatsApp offers end-to-end encryption, meaning messages shared via the platform are, under normal circumstances, highly secure—a feature that has made it attractive for journalists, human rights defenders, and other vulnerable users, particularly in repressive environments.
Cathcart has been outspoken about threats to security, including so-called backdoors, which governments argue would give law enforcement much-needed access to encrypted communications, but which would also be vulnerable to malicious hacking. Cathcart has also been highly critical of the NSO Group, the Israeli firm that has marketed Pegasus spyware to governments around the world. Pegasus can be surreptitiously implanted on smartphones, giving governments unfettered access to all communications on the phone—and bypassing the encryption that WhatsApp and other secure apps like Signal apply to messages in transit.
NSO group says Pegasus is a critical tool that governments use to combat crime and terror. But a recent report dubbed the Pegasus Project—published jointly by 17 media organizations and based on a leaked list of 50,000 phone numbers allegedly selected by NSO clients—revealed that possible targets included hundreds of journalists and human rights defenders, not to mention senior political leaders such as French President Emmanuel Macron.
NSO has told CPJ it has no connection to the list of phone numbers, that it vets all clients and investigates credible allegations of abuse, and that it cannot access customer data except in the course of an investigation. In a statement to the Guardian, the company denied that Macron had been targeted by any of its customers.
CPJ spoke with Cathcart via Zoom on July 23. The interview has been edited for clarity and length. NSO’s responses relating to some of his comments appear at the end.
Right after the Pegasus Project was published, you put out a tweet storm. You posted a thread with your own reaction and you retweeted some interesting folks, everyone from David Kaye to Edward Snowden. Tell me why you responded the way you did.
The issue of spyware, especially unaccountable spyware, is a huge problem. And it’s being used to undermine freedom. We detected and defeated an attack from NSO Group in 2019. And we worked with Citizen Lab who helped us analyze the 1,400 or so victims we saw then, and discovered over 100 cases of clear abuse, including journalists and human rights defenders. The new reporting shows the much, much larger scale of the problem. This should be a wake-up call for security on the internet.
You mentioned the 2019 attack, which resulted in WhatsApp filing a lawsuit [in U.S. federal court] against the NSO Group. Your Washington Post op-ed in which you lay out the rationale is pinned to the top of your Twitter feed. What made you decide to take on the NSO Group?
When we saw the attack and defeated it in 2019, we decided we needed to get to the bottom of what had happened. These were not, as has been claimed, clear law enforcement operations. This was out-of-control abuse.
We felt we needed to be very loud about what we saw, because we knew that even if we had fixed the issue, there still exist vulnerabilities in people’s mobile phones. The operating systems have bugs that are still being exploited. So even though we’d stopped the attack from our perspective, it’s still a problem. If you’re a journalist, if you’re a human rights defender, if you’re a political dissident, you still have to be worried. So yeah, absolutely, we sued the NSO Group. They broke the law. We want to hold them accountable. We think their behaviour needs to be stopped.
There’s clearly a business interest here. One of the selling points of end-to-end encryption is the security that it provides. If there’s spyware out there that’s seeking to subvert that security, it’s a threat to the business model. But do you see this as a matter of principle as well? How do those two things relate to each other? This is a threat to end democracy. What we offer is a service for having private, secure communication. The reason everyone at WhatsApp gets up every day excited about working on that and fighting to defend it, is we believe it enables really important things. We believe journalists being able to talk to each other, and [to] sources, [to] bring out critical stories on governments or companies is a fundamental element of a democracy.—CPJ