Spyware slinger NSO to Facebook: Pretty funny you're suing us in California when we have no US presence and use no American IT services...

Israeli spyware maker NSO Group has rubbished Facebook's claim it can be sued in California because it allegedly uses American IT services and has a business presence in the US.

Last October, Facebook and its WhatsApp subsidiary sued the software developer and its affiliate Q Cyber Technologies in California, claiming that the firms made, distributed, and operated surveillance software known as Pegasus that remotely infects, hijacks, and extracts data from the smartphones of WhatsApp users.

NSO Group then filed a motion to dismiss the hacking lawsuit, arguing that it can't be sued in the US: it has immunity because its customers are governments. The social network last week responded by insisting the concept of sovereign immunity doesn't apply to contractors working for foreign governments and NSO's software relied on servers provided by Los Angeles-based telecom service provider QuadraNet.

NSO's latest legal salvo, filed on Thursday this week in a California court, challenges these claims. A spokesperson for the biz said its court submission, in conjunction with a sworn statement from NSO Group CEO Shalev Hulio, should dispel "several misleading assertions" made by Facebook's lawyers.

“One of these assertions relates to QuadraNet, a California-based telecommunications company," NSO's spokesperson said in an emailed statement. "As we have argued to the court, neither NSO Group nor Q Cyber ever had a contractual arrangement with QuadraNet."

Hulio in his statement said, "neither defendant [NSO or Q Cyber] has ever entered into any contract with QuadraNet."

WhatsApp security manager Claudiu Gheorghe in a previous filing identified 720 malicious attacks on WhatsApp from the IP address 104.223.76.220, a server in California provided by QuadraNet and allegedly run by NSO.

QuadraNet did not immediately respond to The Register's request to clarify the account holder for that IP address.

NSO's spokesperson reiterated the claim that the biz does not operate its Pegasus software for its clients. And its legal filing says as much: "If Pegasus messages did pass through QuadraNet servers, they would have been sent by NSO’s customers, not NSO."

Spyware maker NSO can't claim immunity, Facebook lawyers insist – it's time to face the music

READ MORE

NSO's latest filing insists Facebook wrongly dismissed the possibility of immunity. Though the immunity statute applies only to governments, NSO claims it "is entitled to derivative sovereign immunity," based on a 2000 case (Butters v. Vance) in which the Fourth Circuit held that a private agent of Saudi Arabia was derivatively immune.

"[Facebook and WhatsApp] challenge the alleged use of Pegasus to message WhatsApp’s users, which was done entirely by foreign sovereigns," the NSO paperwork states. "Plaintiffs’ theory would punish people who offer goods and services to the government when the cause of action is based on the government’s use of the product. But suppliers are not stripped of derivative immunity for building tools, nor for helping governments maintain them so that they can be used when needed."

The snoop-ware maker also insists it can't have violated America's Computer Fraud and Abuse Act because it had authorization to send messages via WhatsApp – messages which just so happened to be bobby-trapped to install its Pegasus malware on victims' devices. It claims the CFAA applies only to unauthorized access, not to malicious content.

"Plaintiffs assert that NSO formatted WhatsApp messages to hide data WhatsApp did not want users to send," the filing says. "But NSO was authorized to send messages, so violating WhatsApp’s limits on the contents of those messages is not accessing WhatsApp’s servers without authorization."

The biz further contends that any bypassing of technical restrictions would not qualify as a CFAA violation, likening its actions to the way hiQ Labs bypassed technical restrictions LinkedIn put in place to stop web scraping. The Ninth Circuit last year ruled that web scraping does not meet the CFAA definition of unauthorized access.

"[A]ll NSO allegedly did was send the wrong kind of message over WhatsApp’s servers. That is not a CFAA violation," the filing states.

As to Facebook's claim that NSO "access[ed] server-side call settings and alter[ed] the technical architecture routing calls through its servers," that shouldn't even be considered because it was not mentioned in the initial complaint, the spyware biz's filing insists.

What's more, Facebook had claimed NSO "had a marketing and sales arm in the United States called WestBridge Technologies, Inc," which NSO rejects. The Israel-based biz maintains that it doesn't exercise control over Maryland-based WestBridge, a sales and marketing outfit that sells to US government agencies. Also none of the current directors of NSO or Q Cyber reside in the US.

So, in short, NSO says it has no US presence – no management, no sales arm in America – and uses no US IT services, so how can it be sued in the US state of California?

Facebook declined to comment on the ongoing lawsuit. ®