Photo by Jan Persiel on Flickr

Saudi’s alleged hack into Amazon CEO’s iPhone: what happened, who is responsible, and what are the legal consequences?

On January 22, 2020, a statement from The Office of the United Nations High Commissioner for Human Rights noted that two Special Rapporteurs had obtained a report that claimed with “medium to high confidence” that the Saudi crown prince hacked Amazon CEO Jeff Bezos’ cell phone. The hack is alleged to have happened just months before the National Enquirer began releasing intimate details about Bezos’ private life, including alleged extramarital relationships. After the National Enquirer released the images, Bezos started an investigation into the source of the information. Last month we learned about those results.


The Hack

Referencing the report created by FTI Consulting at the behest of Mr. Bezos, the Special Rapporteurs found that on the afternoon of May 1, 2018, Jeff Bezos received a WhatsApp text message from an account owned by Saudi Arabia’s crown prince, Mohammed bin Salman (MBS). The message not only contained “a video of Saudi and Swedish flags with Arabic text,” but it also allegedly contained a piece of code that implanted malware onto Bezos’ phone. The malware gave hackers access to his photos and private communications on the phone.

As relayed by the Special Rapporteurs, forensic experts conducted an analysis of the phone that concluded “that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group’s Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials.” NSO Group Technologies (NSO Group), a spyware vendor, is known for its Pegasus software, which actors can use to “capture everything on a phone, including the plain text of encrypted messages, and commandeer [the phone] to record audio.”

Certain details of the hack are still unclear. The UN’s release did not clarify whether Bezos actually opened the video or whether the WhatsApp function allowing videos received to automatically download (a user preference, not a system bug) was enough to infect the phone with the malicious code. The Saudi government and the NSO Group have denied all involvement.


Immediate Responses

The UN Special Rapporteurs’ investigation sent shockwaves to policymakers and technology executives around the world. Following the release of the report, Senator Murphy (D-Conn.) sent a letter to the FBI and Office of the Director of National Intelligence, urging them to investigate the allegations, specifically asking “who developed the software that enabled the intrusion,” what software was used, and how was it transmitted.


But Who Might Be Responsible for These Actions Under Our Current Legal Regime?

At least two different entities could be criminally liable under the current statutory regime: the hacker and spyware vendors.

The Hacker—The alleged hacker could face prosecution under the Computer Fraud and Abuse Act (CFAA) or the Wiretap Act. The CFAA criminalizes unauthorized access to a U.S.-owned device. Similarly, they could face chargesunder the Wiretap Act, 18 U.S.C. §§ 2511-12, which prohibits the use of tools that intercept “wire, oral, or electronic communication[s].”

Spyware Vendors—If the allegations that NSO Group supplied the technology used to hack into Bezos phone are true, NSO Group could also face prosecution under the CFAA or Wiretap Act. However, the U.S. government would need to prove NSO group “had enough knowledge of or involvement in improper use” of the software before charging the organization under these statutes.

Private lawsuits are also a possibility, and spyware vendors could face suits from messaging platforms like WhatsApp. For example, in October 2019, WhatsApp sued the NSO Group demanding “a permanent injunction blocking NSO from attempting to access WhatsApp computer systems.” WhatsApp asked a California federal judge “to rule that NSO violated US federal law and California state law against computer fraud, breached their contracts with WhatsApp and ‘wrongfully trespassed’ on Facebook’s property.” It’s conceivable that WhatsApp could raise similar claims in this case.

Another open question is whether software companies, such as WhatsApp (owned by Facebook) and Apple, should face liability for the vulnerabilities in their systems. Despite technology companies’ attempts to protect their consumers through additional layers of encryption, “the mobile phones in everyone’s pockets and purses are still vulnerable to attacks that can instantly siphon away secret and embarrassing personal information in a matter of seconds and without a trace.” Even with encryption, hackers “can still gain access to a phone even if much of the data stored on it is encrypted.” Unfortunately, “security experts are divided on what, if anything, can be done about it.” But what they are not divided on is the idea that Bezos’ hack is a reminder “that the proliferation of commercial spyware is a global security problem for all sectors, from government and business to civil society.”

Molly Rosen

Molly Rosen, GLTR Articles Staff Editor; Georgetown Law, J.D., expected 2021; University of Michigan, B.A. 2014