> Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles.
> NSO's technologies provide proportionate, lawful solutions to this issue.
Funny how the same technologies meant to protect children are also being used to intimidate researchers and kill dissidents and journalists. Nobody could possibly have foreseen this!
In regards to the whole NSO thing, I’m completely baffled how their principals and employees are not on a sanctions list and don’t have arrest warrants out for them. Consider how much trouble non-malicious hackers have gotten in for pointing out security holes publicly. What we have here is a company actively conducting espionage against some of the most valuable public companies in the United States. Even more egregious, they are targeting those companies’ customers, illegally.
Lemme see if I can communicate this without committing karmic suicide like the other responder.... putting an Israeli cybersecurity firm on a sanctions list, or issuing arrest warrants, is simply a political non-starter in the US. It would be career suicide for most Congresspeople to take such a position.
The parties responsible with sanctions and warrants are their clients.
It's the same as a social media platform dying. Kik's recent demise undoubtedly brought a bunch of teens onto similar apps while some maybe reverted back to Facebook.
The same legal machinations that are used to suppress free speech in the West, especially regarding Western military failures, are also being used to suppress reporting on Julian Assange's torture in Belmarsh today.
We have well and truly slipped.
Apparently Canada has a digital rights advocacy group that is being intimidated through these meetings?
On the plus side, now we know their group exists. Hope they get some more funding now!
Found this tweet by reverse image searching and looking a few pages down in the results.
Back at that time she was the chief of the Romanian anti-corruption agency and she was doing a pretty good job, which was unfortunate for some of the local oligarchs and corrupt politicians who tried everything to bring her down. Afaik the Black Cube employees’ hacking actions were pretty lame, I remember reading that some of them had checked in at one of the most expensive Bucharest hotels during their operation, literally a couple of hundred meters away from one of the headquarters of our local counter-intelligence agency. I had been under the false impression that if you try to carry out such an action you at least try not to physically show yourself in front of the people who are supposed to catch you.
Always annoys me when news reports leave that out.
Edit: IANAL, but quick take: WhatsApp might succeed, but their case would be much stronger if they had one or more of the victims as co-plaintiffs. As it is:
- Their CFAA claim can only cover unauthorized access to WhatsApp’s servers – but NSO didn’t hack those servers; the servers just fulfilled their normal job of acting as a relay for WhatsApp messages, except in this case the messages were designed to exploit other clients. A victim would be able to sue over unauthorized access to their phone itself. (WhatsApp does also have the terms-of-service complaint though.)
- WhatsApp can only seek damages for reputational harm the hacks caused to the company itself - not any kind of harm to the victims. However, they’re also seeking an injunction preventing NSO from continuing to exploit WhatsApp, which might be more interesting than damages if they can get it.
By that logic a website provider wouldn't have standing if they suffered an XSS attack (though any affected users would), which is interesting.
IANAL, but it looks like the CFAA defines offenses in terms of the "protected computer" that was accessed - for instance, unauthorized access to that computer, or stealing information from that computer, or damaging that computer.
That seems weird, but the alternative would be weirder: if every computer in the chain were a violation, the ISP for each hop of the network connection would have standing together. It's hard to make a case that WhatsApp is different from a regular router which might also pass malicious messages.
Walking into an unlocked building is still breaking and entering. This is why people are tried for recording information from technically accessible but unauthorized-for-access pages.
Yes, if you weren't authorized to be in the building. But this is more like... walking into an open store and then punching another customer. You didn't exceed your access to the store; you just used your authorized access to do something the store owner wouldn't want you to do (and which constitutes a crime and a tort against someone else). That's not trespassing. However, if the store owner noticed, they could then tell you to leave, at which point remaining in the store would be trespassing.
Does the same apply to the CFAA? Well, it's not entirely clear. There's been a spate of precedents in the last decade, the most recent from just last month, and, well... they're a bit of a mess, including a circuit split which will have to be resolved by the Supreme Court eventually, and even within the Ninth Circuit, a "zigzagg[ing]" series of decisions with ambiguous dividing lines.
In particular, unlike in the store analogy, NSO had to agree to a ToS before using WhatsApp, which NSO then violated. That definitely gives WhatsApp a claim for breach of contract. But do actions that violate a ToS also automatically "exceed authorized access" and give WhatsApp a CFAA claim? Not according to Ninth Circuit precedent, but potentially yes according to other circuits' precedents.
That said, many of those precedents turned on the question of whether it makes sense to apply a "hacking" statute to something that's clearly not hacking. In this case, there undoubtedly is hacking involved, and the court may not draw as fine distinctions as I have regarding what exactly was being hacked.
By the way, like in the store analogy, WhatsApp could notify NSO that they're banned from accessing their service altogether, and ignoring that would result in a CFAA violation according to Ninth Circuit precedent. And indeed it seems that WhatsApp has banned NSO now. But they apparently didn't do so prior to the conduct the lawsuit complains about, so that isn't a factor in this case.
 (about Ninth Circuit precedent) https://reason.com/2019/09/09/scraping-a-public-website-does...
 (about circuit split) https://technology.findlaw.com/modern-law-practice/circuit-s...
My understanding is that Saudi Arabia has poor diplomatic relations with Israel.
It reminds me of Canadian telecoms. While they officially compete to extract more cash from customers, they’ll also call each other up and share infrastructure instead of duplicating builds.
E.g. Telus built towers in its territory, and Bell did in its, and they just share them. Much cheaper than redundant builds and customers usually won’t notice when everyone in the car loses reception at the same time.
Then there’s the stuff that they just do through signalling. Huh, our “competitor” is going to start charging for incoming SMS and the billing vendor that we all use just rolled it out as a new feature. Great!
Anyone who can protect the rulers from the people is in excellent terms with the rulers. The rest is just posturing.
Wait... is it CFAA? That would be... an interesting door to open!
Found the complaint, yep!
> Plaintiffs bring this action for injunctive relief and damages pursuant to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502, and for breach of contract and trespass to chattels.
I like the idea of using the CFAA like this, of that becoming a thing.
Had to find the complaint cause none of the articles I could find on it mentioned the CFAA, which is weird since that's news.
(sorry, wrote this before you fleshed out your comment, but presumably it's helpful to someone else)
I’m sure your wife is a lovely lady. But NSO Group is a hostile intelligence asset. They actively undermine Americans and American security interests, here and abroad.
It’s not only reasonable for American companies to block them and their affiliates, it would also be reasonable for their travel to the country to be restricted (or monitored in the way a known spy would be).
I am not so sure. People who knowingly work for organizations that help plots to torture, murder and dismember journalists are not "lovely". She might not have known about it before, but she does now, and yet she still works for them.
You've conveniently omitted your work place information, else one could guilt trip you for continuing to work for your employer despite their worst acts being widely known. We shouldn't support this kind of specious virtue signaling, maybe the lady genuinely worked/works there for the company's publicly stated good intentions.
Also, how the Sauds use the tech is beyond NSO's, and especially the lady's control. Just like how the Sauds use American defense tech to wage war on Yemeni civilians - defense tech subsidized by the American taxpayer - that is you. And still, you continue to live in, and pay taxes to the US, instead of moving to a non-exporter of arms, like Greenland. All while casting blame on a lady working for an Israeli tech firm. For Shame!
If they had announced they were blacklisting those governments as customers, maybe they could've partly repaired their reputation, but that would destroy their entire business model, so they don't and won't. Their total addressable market is strictly capped. They need every government in the world as a prospective customer, else their business probably isn't financially sustainable. Ethics stop where sales start. In response to all of the reporting, they actually do claim to now be factoring ethics into their sales decisions, but the rigor behind it seems extremely questionable, to say the least. 
There is absolutely no other employer someone could work for (besides those in the same niche, like Hacking Team, or military contractors that work with such governments) which is anywhere near as unethical as companies like NSO. Not Facebook, not Google, not even CIA/NSA/FBI, probably.
Also, you can't liken living in a country with a government who you know does unethical things to working for an employer who you know does unethical things.
>The company has established an ethics committee, which decides whether it can sell its spyware to countries based on their human rights records as reported by global organizations like the World Bank’s human capital index, and other indicators. NSO would not sell to Turkey, for example, because of its poor record on human rights, current and former employees said.
>But on the World Bank index, Turkey ranks higher than Mexico and Saudi Arabia, both NSO clients. A spokesman for Israel’s Ministry of Defense, which needs to authorize any contract that NSO wins from a foreign government, declined to answer questions about the company.
I didn't say the CIA/NSA weren't unethical; just that they're probably not as unethical as NSO. But I could also be unaware of awful things CIA/NSA have done which are worse than what is publicly known, in which case I cede the point.
It's not. They aided this regime, and other regimes, and chose to do so. And they knew that they weren't just selling them a few cars or some designer handbags, but actively aided in operations against everybody the house of Saud considers an enemy, and knew - just like anybody else who did some cursory googling - about the regime's targeting of any civilian opposition and protests, handing out gruesome "penalties" which can only be described as state sponsored murder, mutilation and torture.
>and especially the lady's control
She decides where she works. This is the old "I was only following orders, and wasn't even directly involved in any of the evils" excuse deep down.
>Just like how the Sauds use American defense tech to wage war on Yemeni civilians - defense tech subsidized by the American taxpayer - that is you. And still, you continue to live in, and pay taxes to the US, instead of moving to a non-exporter of arms, like Greenland.
I am not living in the US, but a country that still exports arms to the Saudis, so I kind of get your point. However, there is considerable societal backlash against this here, me being a tiny part of it, to the point where the government "froze" such exports for the time being.
Your "just fuck off then to a nicer country" argument is built on a false premise anyway. You fix things in your society that are wrong, and you don't get to tell those people who raise concerns, which is the first step in fixing things, to just fuck off to some other nation.
So I would say NSO is just another outfit of money-grubbing intelligence-industrial complex SOBs, who happen to be mostly Israelis rather than US citizens.
NSO can be justifiably blamed for selling to a regime like Saudi Arabia, but it can't be blamed for undermining 'Americans and American security interests' when the American government itself does not see SA's actions as contrary to 'American security interests'.
NSO could at least argue that they did not predict beforehand that SA would go to such lengths - Khashoggi himself did not expect it - but the US obviously knew after the fact. Yet, the US keeps selling weapons to SA and applied no penalty.
We can't expect NSO Group to take a stricter view of 'American security interests' than the US government does.
No, but we as people can take a stricter view. The people working for companies like NSO Group are torture and murder facilitators, plain and simple. There is no legitimate use case for products like these in a democracy. Police forces working under rule of law are not in need of these products.
The agencies are willing to invest far more in 'breaking computer security' than in 'finding lethal injection drugs for people who are anyway in custody'. 'Breaking security' is a priority to them in the way 'finding lethal drugs' never was.
That does not get NSO Group off the hook, they did agree to work with SA in the first place - but I suspect we'll just discover there are other outfits (and inhouse talent) out there, and that lasting change requires looking also at the demand and infrastructure sides.
It would be hard to even make the case that the murder was good for Saudi Arabian interests. It was apparently done for Mohammad bin Salman and it's a stretch to say that the interests of Mohammad bin Salman are categorically the interests of Saudi Arabia.
Saudi Arabia has been an extremist, terrorist plutocratic religious dictatorship since the house of saud was influenced by the terrorist philosopher Wahabbi.
Bin Salman matches the character of the average Saudi, I've spent a great deal of time there.
In life, Khashoggi may have been a critic of Saudi Arabia, but I don't think he was an existential threat to Saudi Arabia's ability to be an effective ally to America or Israel.
Do desk drawers help with that?
The US is truly great at claiming things are bad while _controlling those things_ at the same time.
For what it's worth _personally_ I believe that NSO is a bad company and US regulation needs to change - but those things need to change together at the same time.
rolling with that line of thinking, it seems that anyone who takes a job at a company is somehow involved with promoting that company's mission.
i'm really struggling to see how this would apply to e.g. an accountant at facebook (or NGO group), but whatever.
Yes, that is literally the meaning of working for a company. If the company created a job opening and hired a person, they did so because they have reason to believe that this employee will promote the company's mission.
As to your example, an accountant at Facebook is most definitely promoting the company's mission. I would argue that if a person is against the company's mission, then there is a serious ethical issue with them taking the job.
What they can do —like in this case— is to sue in civil court. What they can also do is to kick the people that they are suing away from their platform for violating their terms. It’s actually not rare (several people involved with Cambridge Analytica were locked out of their account) so “aggressive” is a stretch, but that kind of side-show is representative of the internal tone of the discussion.
A friend talked about “their large legal team” and, yes, that’s more to the point. Said legal team has a lot of friends familiar with Den Hague so I wouldn’t be surprised if your wishes become reality.
It looks like they sold software that could breach whatsapp security. Where can I read more (something that's understandable) about how this is export restricted?
If it was export restricted, who is responsible for enforcing the law?
>4. A. 5. Systems, equipment, and components therefor, specially designed or modified for the generation, command and control, or delivery of "intrusion software".
Click on your country and it should point you to the relevant authority for your government.
As I understand it, VUPEN was buying exploits before the exploit section was added to the Wassenaar agreement. They attempted to dodge the agreement by moving the company from France to Singapore (which is not a Wassenaar signatory), but then Singapore still added the exploit section to their laws. VUPEN shut down before that law change anyway, due to bad press from the Hacking Team leaks.
Who is tracking / investigating what just happened? How would they even know?
Would getting an export license even be possible?
For you selling to Zerodium, it would be the government agency in your country in charge of managing export controls. Unless you are bragging about it on social media, it is unlikely that they would know about you selling the exploit. As long as Zerodium doesn't tell your country about you selling the exploit, it will be very difficult for your country to find out (unless they investigate where you are getting tens of thousands of dollars from).
For Zerodium reselling, it primarily falls under the US Department of Commerce’s Bureau of Industry and Security (BIS). If they are selling to somebody nasty the Department of State's Bureau of International Security and Nonproliferation could be involved, along with Homeland Security. Since Zerodium is very public about buying and selling exploits, they are certainly on the radar of these agencies. If they don't see Zerodium applying for export licenses, they will investigate.
>Would getting an export license even be possible?
Contact your local government. It might be difficult to do so as an individual, so you could need to form a small company.
I think this law changes everything when it comes to trading exploits.
What would they get in taxes from that million bucks? Export controlled things still get sold all the time, look at any country with a weapons industry. The goal of licensing is to control who they get sold to, not to stop them from being sold.
NSO are of the same level of people as those who sold cattle prods to Saddam after knowing how their tool would be used.
Any of those would have been sufficient to ensure I wouldn't work for them for any amount of money, and I'd quit if I found out about them after I was employed.
Honestly, that's blood money.
Using your logic, the murdered journalist took blood money.
If you work for pretty much any major company in the world, you are receiving "blood money". If you are working for the US government or any major government, you are receiving "blood money".
Can you point me to a company that is "without sin"?
2. Not many people would conflate working for the Washington Post and helping to kill civilians in the Middle East. But perhaps if shown enough evidence they would maybe do so and act accordingly. So knowledge, like the knowledge in this article, enabled the OP to make an ethical decision.
3. Your comment doesn't help anyone. Because you have discounted degrees of harm ("any major company in the world", "any government") and this then undermined the small bit of knowledge imparted (the WP link). The nett effect is a call to inaction.
Is it ethically acceptable to join a weapon manufacturer? A drug cartel? The SS?
You always have to draw a line somewhere.
Lockheed because it is primarily a military contractor.
Boeing because one half is military contractor and the other half is cost cutting at the cost of lives.
The lawsuit seeks to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services...
I think torched is the right word. As in, NSO will be torched, and having them on your resume is not gonna be a good thing.
I personally don't believe them but she does :)
I really dislike NSO to the point I don't join my wife on company vacations but she is her own person and I support her choices. She is not in software and the finance and accounting market here isn't nearly as nice.
You can support her as a person but you should not support her choice to work for a clearly unethical company who has actively contributed to the violation of human rights and murder of innocents.
That explains how Saudis got access to NSO products.
My wife is in finance, it was this or an abusive boss and constant unpaid overtime.
For what it's worth I think it's the same as working for any weapons producing company (a big no no for me but plenty of people there who are very ideological)
>My wife is in finance, it was this or an abusive boss and constant unpaid overtime.
Or not working at all, considering you are so "privileged". Or working for some NGO, pro bono even, if it's about finding meaning in life and not about paying the bills.
Or working as a Walmart greeter or meter maid or orderly in a hospital. I'd rather work my really shit orderly job I used to work years ago, than work for scum like NSO.
Given she works in finance, she sounds educated enough and privileged enough to find a nice job that does not involve deliberately targeting and killing civilians. Maybe less "prestigious" or paying less, but still enough to make a nice living on your double income.
I am not buying your excuse, even tho you and your wife might be buying it yourself. Rationalization can be a problem.
It's a lot easier to pursue existential philosophical musings after your mortgage is paid and your kids are fed.
Weapons are created so they can be pointed at living things, regardless of who they work for. I'm not defending NSO but let's not pretend selling exploits is any different to e.g. a Taser or rifle manufacturer.
The sanctioned use of weapons is against belligerents. The intentional killing or torture of civilians or prisoners is a human rights violation, or a war crime during warfare.
Many people are patriots and defend their country's interests.
As far as I can tell NSO were mercenaries, not patriots.
I'm pretty sure these people are mercs without morals.
Being a little assertive with your marketing will get you a couple of warnings and temporary bans but systematic efforts, after Facebook sent Cease & Desist letters, etc. will. Being one of the very few able to hack WhatsApp, refusing to submit the generous bug bounties but instead using that to get US journalists killed… that will get you at the top of the naughty list.
I understand that, without details, OC’s wife might be an innocent accountant, someone motivated by good values but misinformed or an active and knowledgeable participant to gruesome abuses. We can agree that Facebook doesn’t know yet. I would understand why once the problem is detected, Facebook might want to take precautions and only revise their individual bans later.
(Put the URL in bitly then submit to outline)
So, yeah, if you regularly read more than the free allocation for each of those publications in a month, you should consider paying for them. Which ones you "need" is your call.
They made their own bed, they can lie in it. I actively work around paywalls, and have ZERO guilt about it. Your business model failed, and I give zero shits. I want to know what's happening, and am willing to pay $10/month to fix that across ALL of you that were affected. If you can't solve it entirely, I don't care. Take my $10/month, split it, and shut up or quit bitching.
Attention @dang and other HN admin people, this is a constant annoyance. It's time to deal with it. I totally get your position, and your limitations, but it happens EVERY DAY. It is NOT going away, and it's getting worse. It is very clearly making HN less useful.
Is there someone more influential than me that could post an "Ask HN" thread that people might rally around? Feeling enflamed, but not particularly influential. Alternatively, is there a way for me to msg @dang personally? (mentioned specifically because I personally applaud and respect his past history and responses)
I sent this to the email address you suggested:
"Please see https://news.ycombinator.com/item?id=21393799
I wish to keep my relative anonymity as "tyingq" on HN, but feel pretty passionate about this submission:
I respect @dang's historical appreciation for real complaints, and would REALLY appreciate his reply and advice in the thread.
...with my full appreciation of your opinion and limitations... really.
I fully think the WHOLE community wants to know."
Paywalls are honestly hurting HN, every day...really.
Whether their conclusion is accurate though is dubious.
There’s no planet on which the DOJ pursue legal action against an Israeli state sponsored actor like NSO.
As for NSO being founded during a different administration: Jamal Khashoggi wasn’t assassinated during that administration’s time in power.
1. Do the regimes buy the software and set it up themselves, or does NSO set it up and they use the service provided?
2. If the former is there a route to go for Saudi, Mexican, UAE, Bahraini... governments?
I wonder how much of that hinges on the fact that the messages had to transit WhatsApp servers, even if they didn’t actually hack any WhatsApp infrastructure.
By that same logic, it seems like an SMS exploit targeting a handset could make you liable to AT&T as well.
This seems fine to me. Take a different common carrier like the US post office - using the mail to carry out a crime can lead to the additional (and oft-prosecuted) additional crime of mail fraud.
I am almost willing to support criminal aspects in this case. Extrajudicial killing was a predictable result in giving these tools to repressive governments.
Exploiting SMS destroys the trust customers place in the messaging system. This causes damage to all telecommunication services.
Take the Saudis for example. They have a desire to hack phones, an unlimited budget for hacking tools, and no ethics. The market will create other players to capture the millions of dollars they have on the table, and they’ll do it out of reach of the courts.
WhatsApp is facing brand damage because people are hearing that they can get hacked (and in some cases, possibly die) if they use their software. Their two options are to either invest in better security, or use the legal system. I think it’s better for everyone if the only option is for companies to actually fix their software.
If WhatsApp paid whatever NSO does to acquire bugs, nobody would sell to NSO.
This is the same reason that Apple recently increased their bounty. Nobody was giving bugs to Apple because the grey market paid more.
Even if it wasn't effective in practice, entering this lawsuit can be seen as a message to users that WhatsApp is serious about protecting people's privacy.
Setting a precedent here might force remaining actors to stay shady instead of acting in the open, which would make it harder for them to operate (so they'd be less effective).
However, I have no idea what other consequences a precedent here might have. Definitely interesting.
Security is a multilayer problem. Technology is just a part of it. Regulations and lawsuits are a big part of it as well.
Note: I'm in the medical field and this is not my expertise.
My point is once end to end encryption is enabled -- no MITM vulnerabilities should exist. Kind of like how password managers protect your password -- not even they can see it.
I think this is indicative that Facebook doesn't enable true end to end encryption so they can read messages themselves but advertise that they don't to attract the privacy dollar.
[Edit: I don't think I mean channel but the terminology for what I'm saying eludes me]
I can't comment on voting patterns, but while GDPR was being prepared, and after it was released, there was an endless barrage of posts claiming how it was flawed, lead to the ruin of technology companies in Europe etc, and it should be replaced by something else (anything else, at some point in the future - and in the meanwhile please stop getting in the way of tech companies trying to make a profit)
Frankly I would not be surprised if there was indeed a reflexive downvote effect that is not caused by a shady conspiracy but rather people like me who are tired of posts like that.
"WhatsApp sues Israel's NSO for allegedly helping spies hack phones around the world"
For completeness, I do think the commenters pointing out a slightly nonstandard weirdness in the phrase "Israel's NSO"—like the one comparing to "America's Google"—have a fair point. (Exercise for the curious: have there ever been many titles like that?) But it was not the determining factor.
I found a few "China's Huawei", "China's Tencent" and "China's Baidu".
Also, the article has nothing to do with Israel besides the company being located there. Don't try to politicize everything.
Would HN have censored "China's Huawei?" Obviously not, it's the typical bias concerning western governments and allies that seems to be getting more blunt as time goes on the website.
Also, many readers have followed this story and know what NSO is. There's no title that fits the bill for everyone.
Google tells me that "NSO" is "Nurse Malpractice" for the entire first page fold. I assume it's similarly unhelpful in other regions for other people. C'mon, it's not a big, recognized, entity. Wait a year and the problem will be even more apparent.
The principle that it's good for readers to work a little is bedrock on HN. We want users who figure things out for themselves. That spurs the intellectual curiosity HN exists for.
If you have an issue with how they named their company, you could write to their CEO and let him know that he is using 3 letter entity names improperly. Unless you want the community to pick a new name to bestow upon them, I’m not sure what you expect from us.
Or we could all just simultaneously guess what popular 3 letter NSO acronym it really is?
Seriously, that's a lame answer. There's almost certainly another "NSO" company with more past or future notoriety/revenue/whatever. Why be ambiguous when that's not actually their name? The name is "NSO Group".
Also, NSO's founders were members of the Israeli Intelligence Corp (source: Wikipedia). Given the military links it would be reasonable to include its origin. News outlets would likely do the same for a Chinese company.
"Israeli Security Firm NSO" would totally clarify it for me.
That of course is not true.
Just NSO sounds like some government agency I had forgotten about.
I don't see any reason to have a policy about this one way or the other, but in most cases there's no need to say which country a well-known company is from. There are a couple instances of "China's Huawei" from over a year ago, but that's negligible compared to the number of headlines about Huawei overall.
Please read the site guidelines and follow them when posting here.
A USA company selling stuff to USA state agencies won't be prosecuted by USA courts because that use presumably isn't criminal in US law; you could have legal challenges to the agency itself but in general the seller can assume that it's the responsibility of USA gov't if they break their own laws.
An Israeli company selling stuff to foreign agencies that gets used "elsewhere" on other citizens won't be prosecuted by USA courts because they don't have jurisdiction and it's none of their business if some other government decides to wiretap or torture-murder some of their citizens in their territory with the assistance of that stuff.
But if a foreign government hacks a phone of someone on USA soil, then that's a crime in USA and it doesn't matter if it was legal under their laws or they had proper warrants or whatever, USA law doesn't have an exception for that unless that wiretapping was done in cooperation with USA authorities under whatever procedures they consider appropriate. And if some company is complicit with assisting that crime then it can be targeted by USA courts, if it can reach their people or assets somehow.
I.e. it's not that "doing this is unacceptable as such", but "doing this in USA requires permission from USA - we had it, you did not".