Israeli spyware maker NSO Group has taken a leaf out of Hollywood's book in an attempt to avoid any legal repercussions from making and selling tools that hack WhatsApp users' phones.
In a submission to the Ninth Circuit Appeals Court in California, what is normally a dry legal appeal reads like a spy thriller. “In October 2019, a team of Western European law-enforcement officials were closing in on their man,” it begins. “The target: an Islamic State terrorist who was planning an attack during the Christmas season.”
The terrorist, we discover, was using WhatsApp to communicate, and an “elite surveillance team” was keeping track. But… “Then, all of a sudden, the suspect’s phone went dark. WhatsApp sent him, along with around 1,400 other users, a warning that his messages were being monitored. So he ditched the phone, denying investigators their main source of intelligence. As one European official put it, ‘WhatsApp killed the operation.’”
Which is all very entertaining, but WhatsApp sees things differently: it is sick of NSO Group developing software that exploits security vulnerabilities in its chat application to compromise people's phones, and then selling that software to authoritarian regimes to remotely hijack and snoop on devices. For every elite surveillance team tracking down a terrorist, there are a dozen bureaucrats reading the private messages of human-rights lawyers, journalists, and activists – not to mention recording their phone calls, activating their camera and microphone, and pinging their real-time location, using NSO's exploits and remote-control tech. WhatsApp wants it to stop.
So, this time last year, the Facebook-owned company sued, accusing NSO of illegally hacking smartphones.
And the two have been at each other’s throats ever since. In April this year, NSO let it be known that Facebook had itself tried to license NSO’s spyware to track its own users. When NSO failed to turn up in court in the US state, Facebook claimed victory; and NSO accused it of lying and having failed to serve the legal documents.
Since then, the bulk of the legal arguments has been around NSO claiming that Facebook simply can’t sue it: first, because it doesn’t use the software, its clients do; second, because it has legal immunity as it sells to governments; and third, because it doesn’t have an office in California anyway. Facebook, of course, does not agree.
The bulk of those claims were thrown out in July when District Judge Phyllis Hamilton decided NSO is not entitled to immunity as a foreign official, and can't claim immunity derived from its government customers, either.
She rejected other NSO claims about having legal access to WhatsApp’s servers, and also dismissed a Facebook claim that NSO has interfered with people’s access to digital services. In a sign that NSO is going to use its resources to fight every step of the way, however, this week’s appeal [PDF] to the Ninth Circuit revisits the legal immunity question.
NSO claims it does in fact have immunity and, Hollywood script aside, makes some notable allusions to US intelligence operations. NSO lives in a murky, powerful world, and appears to be signalling that it may be in everyone’s best interests if it is left to be, rather than be dragged through America's legal system.
“Foreign states, in Western Europe and throughout the world, frequently use technology like NSO’s to investigate criminals who use WhatsApp to plan acts of terrorism, child exploitation, bank robbery, weapons trafficking, and other serious crimes,” the filing noted. “WhatsApp does not like that. It takes steps to frustrate such investigations, both by warning the targets of investigations and by refusing to cooperate with authorities in the aftermath of attacks.”
It then repeats its previous argument: “Foreign states, not NSO, operate the technology and choose how and when to use it. NSO provides limited support, entirely at the direction of its foreign-state customers. And NSO’s home state, Israel, oversees and regulates every aspect of NSO’s business.”
It goes on: “By suing NSO for its conduct as an agent of foreign states, WhatsApp is asking US courts to meddle in the sovereign affairs of those states. This court should reject that request.” And then it notes that if the US legal system comes down on NSO, it could easily backfire on Americans abroad. Questioning Judge Hamilton’s decision, it argues: “First, the court held that no foreign official or agent can receive conduct-based immunity unless a foreign state would have to pay a judgment against the official. That limitation conflicts with the common law, the governing cases, and the US State Department’s approach to conduct-based immunity. It also undermines foreign state immunity and exposes US officials to retributive lawsuits abroad.”
The same goes for American use of companies to spy on others abroad: “The court held that NSO, as a foreign corporation, could not receive what the court believed to be a distinct form of immunity called ‘derivative sovereign immunity.’ But derivative sovereign immunity is not distinct from conduct-based immunity, and it is not limited to American companies.
“To hold otherwise, as the district court did, violates the principles underlying conduct-based immunity and threatens the United States’ own reliance on private contractors for intelligence and military operations.”
There then follow another 60 pages of legal argument in which the same point is hammered home through sometimes tangential references to case law. The message is the same throughout, and it is not really aimed at WhatsApp but at all those with influence within the US government, administration, and legal system. It can be summed up in one question: Are you sure you want to open this can of worms?
The racy spy story at the start is just to get people’s attention. And it worked, because we wrote this story and you’ve just read it. ®