If you're like 1.5 billion other people on the planet – or if you are Jared Kushner – you conduct a lot of your personal or business conversations on WhatsApp, the Facebook-owned messaging app that says it's largely impervious to snoopers, hackers, and spooks.
But according to a bombshell report in The Financial Times earlier this week, the app has long contained a critical flaw that's enabled hackers to tap into your smartphone just by placing a WhatsApp voice call to you.
The hack relied on a program written by the Israeli tech firm NSO, which designs powerful snooping tools for law enforcement and counterterrorism officials in the Middle East and "western countries."
But it appears that political dissidents, human rights activists, and even a lawyer filing a liability suit against NSO itself were targeted – the FT report doesn't say who the attackers were.
WhatsApp says the bug has been fixed as of Monday. But this story – in which a commercial hacking program sold to governments was used to violate people's privacy and snoop on dissidents –illustrates a few big political challenges that we've highlighted in discussions about cybersecurity.
Cyber-arms control is hard. Cyberweapons, being scripts of computer code, can be very hard to control and contain, even with close oversight of who gets to buy them.
Mission creep is easy. Companies like NSO say they sell these products only to police and counterterrorism officials – but once they are in government hands, they can be used (or sold, or stolen) for other purposes or by other parts of the state.
Liability is murky. Who should be held accountable here: NSO for developing a product that was used beyond its (presumably) stated intent? Or WhatsApp for failing to guarantee the security of its own platform?
Surveillance and espionage are hardly new. But never before has there been a device that contained as much data about your thoughts, habits, preferences, movements, and personal relationships as the device you're holding or reading right this second.
The upshot: With hackers, governments, and commercial developers all trying to figure out how best to crack into it – what are the rules of the game?