Spyware maker NSO Group cannot use its government clients to shield itself from litigation, a US appeals court ruled on Monday, a decision that allows WhatsApp's lawsuit against the Israel-based firm to resume.
NSO denies any wrongdoing. While WhatsApp claimed members of civil society had their phones infiltrated by Pegasus, NSO insisted it only sold its software to "licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime," and that using its software to surveil political opponents, advocacy groups, and journalists is contractually prohibited.
Despite such assertions, human-rights groups, such as Amnesty International and Citizen Lab, have said thin-skinned regimes still use Pegasus for political oppression. Pegasus spyware was reportedly found on the phone of Hatice Cengiz, fiancée of murdered journalist Jamal Khashoggi. The software has been implicated in the surveillance of a phone belonging to Amazon founder and Washington Post owner Jeff Bezos. On Monday, an Ireland-based advocacy group called Front Line Defenders said Pegasus spyware was found on the phones of six Palestinian human-rights advocates.
NSO tried last year to be excused from the WhatsApp lawsuit by claiming, among other things, it cannot be sued because it acted at the behest of foreign sovereign governments and thus inherits governmental immunity from prosecution.
In July, 2020, US District Judge Phyllis Hamilton mostly rejected NSO's arguments and indicated that the snoopware maker could be challenged in court. In October that year, NSO tried to appeal to a higher court, the US Ninth Circuit Court of Appeals.
Well, a year later, the US Ninth Circuit Court of Appeals has concluded that NSO is wrong. It was, as the appellate judges put it, "an easy case."
- Uncle Sam to clip wings of Pegasus-like spyware – sorry, 'intrusion software' – with proposed export controls
- US Dept of Commerce sanctions NSO Group, Positive Technologies, other makers of snoopware
- NSO Group's Pegasus malware was used to spy on Dubai princess's lawyers during child custody dispute
- That 'anti-NSO Pegasus spyware' download is actually a Trojan – so don't touch it
The appeals panel upheld the lower court decision [PDF], ruling that the Foreign Sovereign Immunity Act applies to entities defined under the law as foreign states and does not apply to foreign officials.
"Whatever NSO’s government customers do with its technology and services does not render NSO an 'agency or instrumentality of a foreign state,' as Congress has defined that term," the appeals panel said. "Thus, NSO is not entitled to the protection of foreign sovereign immunity."
The decision compounds the problems of the beleaguered spyware firm: last week, the US Department of Commerce sanctioned NSO, along with three other companies, for trafficking in intrusion software.
WhatsApp CEO Will Cathcart welcomed the ruling.
"We're grateful for the court’s decision today," he said, via Twitter. "This ruling is an important step in holding NSO accountable for its attacks against journalists, human rights defenders, and government leaders. Huge thanks to all the privacy NGOs and tech companies that have supported us in this."
NSO Group did not immediately respond to a request for comment. ®
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Federal government of the United States
- Government of the United Kingdom
- Identity Theft
- Palo Alto Networks