The Staggering Vulnerability of Global Elites

Anyone can get hacked. But when it happens to the rich and powerful, the stakes can be extraordinarily high.

After United Nations officials aired allegations that Jeff Bezos’s phone had likely been hacked in the course of his WhatsApp communications with Saudi Crown Prince Mohammed bin Salman, the logical next question was whether other rich-and-famous pen pals had been maliciously spammed too.

An aide to Jared Kushner did not respond to my queries about whether Donald Trump’s son-in-law was worried about his own devices being compromised as a result of his reported WhatsApp correspondence with the Saudi leader. A spokesperson for Virgin confirmed that its billionaire founder, Richard Branson, had communicated with the crown prince (known as MbS) by phone, but told me the company had nothing more to add. Twitter, whose CEO, Jack Dorsey, has met with MbS, declined to comment.

But focusing on the specific individuals who may or may not have come into the crown prince’s crosshairs risks missing the larger lesson of this episode: that these people could conceivably come into his crosshairs at all.

In this dystopian digital age in which we’re desperately trying to salvage some semblance of privacy, we have become accustomed to raised alarms about companies mining people’s data and about governments waging elaborate cyberattacks against their adversaries. But this is different terrain: a powerful state actor allegedly infecting a powerful non-state actor as their personal relationship soured. It’s the specter of cyberwarfare at its most atomized and human, the end of our collective innocence about adding a “new contact.”

Many observers have noted that if a hack like this can happen to as well-resourced a figure as Bezos—the head of Amazon and the owner of The Washington Post, who enjoys the additional distinction of being the wealthiest person in the world—it can happen to anyone. But the more significant takeaway may be that if it can happen to anyone, it can happen to the rich and powerful, and with extraordinarily high stakes, convulsing international relations and global business in the process.

As my colleague Alexis Madrigal wrote, “You and I could chat on WhatsApp, but we would not have a cyberattack team able to craft us a virus for hacking each other’s phones, nor would our beef contribute to the collapse of certain Silicon Valley business models” predicated on Saudi investments. Democratic Senator Ron Wyden put it another way: “If the Saudi government had access to Jared Kushner’s phone, it'd be practically like putting a bug in the Oval Office.”

“That is the real story here. That is the most amazing story,” Thomas Rid, an international-security expert at Johns Hopkins University, told me. “Bezos, one of the richest and most influential businesspeople in the United States, on the planet, is using the same technology—an iPhone X and WhatsApp—that all of us are using.” And even with all of his money and clout, he’s still struggling to get “proper visibility into whether his phone was hacked.”

Agnes Callamard, one of the two UN human-rights rapporteurs who released the statement on the Bezos allegations last week, told me the announcement was intended as a “warning” to the world that a no-holds-barred battle is brewing over information and that mechanisms need to be put in place to scale it back. Callamard invited “individuals who feel that they may have been compromised or their phone may have been compromised” by state-sponsored cyberattacks to approach her office confidentially, whereby they could be connected with cybersecurity experts.

The UN statement also called for further investigation by U.S. and other relevant authorities into what Callamard and her colleague, David Kaye, deemed a credible forensic analysis of Bezos’s iPhone, which the businessman had commissioned from the consulting firm FTI. That probe concluded with “medium to high confidence” that a malware-laced video sent from a WhatsApp account belonging to MbS secretly siphoned data from the businessman’s device. The Post had been publishing columns critical of Saudi leaders by the Saudi journalist Jamal Khashoggi, who in 2018 was murdered by agents of MbS’s government. But several information-security experts have questioned the FTI report. Rid, for instance, argued that FTI’s findings are “a very potent lead for further investigation” but not conclusive. The Saudi government, for its part, has dismissed the claims as “absurd.”

Yet even if Bezos wasn’t hacked in the way FTI indicates he likely was, that doesn’t mean the scenario the company sketched out couldn’t happen. The fact remains that states currently have largely unfettered ability to purchase digital-surveillance technology from a growing number of private companies, and can exploit it for their own ends. Security experts at the University of Toronto’s Citizen Lab have accused the Saudi government of deploying advanced spyware against journalists and dissidents, and these groups have been similarly targeted by other governments as well.

The malware that allegedly breached Bezos’s phone is “almost impossible to trace and it has the capacity to self-destroy, so finding the source with 100 percent certainty is never possible,” Callamard said, underscoring the peril of such stealthy technologies in the hands of so many actors angling for access to sensitive information. (Consider, for example, the head-spinning speculation that MbS himself could have been hacked.)

She urged a moratorium on the global trade in commercial surveillance tools until an international framework is created for preventing their misuse. Noting that more than 150 such tools are now on the market, a Washington Post editorial this week proposed that the framework involve governments requiring “vendors to certify that clients pass human rights muster, and that they don’t abuse a tool after purchase.”

Such a regulatory framework, however, is unlikely to be erected. And even if one is, as Callamard acknowledged, “there will always be bad apples.” Rigorously policing the kind of spyware that may have infiltrated Bezos’s phone will be challenging; the depressing truth is that anyone who has the resources to develop or acquire this technology and access to valuable targets—two conditions that most governments meet—will not hit many obstacles along the way. “There are enough powerful players in this space who want these capabilities that they will continue to be created and sold,” Rid said. “But that doesn’t mean we shouldn’t do anything about it.”

While Rid, who has written a forthcoming book on the history of disinformation and political warfare, said he sees value in seeking to rein in these technologies, he also noted that efforts to raise awareness about the tools risk going too far. When “we overstate the threat, we are creating more of it. It's a self-fulfilling prophecy,” he explained, pointing to how exaggerated characterizations of the effectiveness of Russian disinformation efforts during the 2016 U.S. election encouraged other countries to invest in those capabilities.

“I have absolutely no doubt that a lot of intelligence agencies, a lot of powerful players in the world are thinking [after high-profile incidents such as the Bezos case], This is interesting … I want one of those,” Rid said. And some of those new players will develop much more sophisticated operations than the one allegedly prosecuted against Bezos. These days, he said, “I am trusting my phone less and less.”

What makes this an especially confounding public-policy issue is that today’s unparalleled connectedness is both irresistibly alluring and profoundly dangerous, nowhere more so than in the circles MbS and Bezos inhabit. As the heir apparent to the Saudi throne since 2017, the crown prince initially dazzled luminaries around the world with demonstrations of his accessibility and determination to get down to business unencumbered by bureaucracy. The Wall Street Journal reports, “WhatsApp was a key tool of the young prince’s global charm campaign.” MbS “handed out his WhatsApp contact information to visiting dignitaries, businessmen, academics and some journalists so often that his phone streamed messages day and night,” which he would read and respond to regularly, the paper notes.

During a whirlwind tour of the United States in 2018, MbS met with influential figures including the media mogul Oprah Winfrey and Michael Bloomberg, now a Democratic candidate for president. He swapped phone numbers with Bezos during a dinner party in Los Angeles, which gave way to chats about business partnerships. Soon enough, the crown prince was referring to Bezos as “my friend.”

For billionaires, exchanging numbers must seem like a wonderful way for them to construct an ecosystem of influential friends. But it’s just as much a foolhardy way of stripping themselves of whatever enhanced protection their respective positions afford. As the journalist Richard Waters wrote in the Financial Times, attacks like the one Bezos allegedly suffered “play on weaknesses in the human operating system that can’t easily be patched”; electronic channels of communication, and the trust and personal networks they help build, are essential in the highest echelons of business and government. “For anyone aspiring to power and influence in the world, this prompts deeply uncomfortable questions,” Waters noted. “For instance, which is worse: that a future head of state hasn’t been sending you internet memes over WhatsApp, or that he has?”

Securing the intimate access granted by a phone number may seem like an unqualified good. Having the email address of a powerful person is one thing; it’s quite another to be able to make the Saudi crown prince’s hand vibrate. But the connection cuts both ways. It can, as Bezos and his investigators now suspect, amount to handing over the keys to your digital life.