US Supremes deny Pegasus spyware maker's immunity claim
NSO maintains that it's all legit
The US Supreme Court has quashed spyware maker NSO Group's argument that it cannot be held legally responsible for using WhatsApp technology to deploy its Pegasus snoop-ware on users' phones.
Facebook and its WhatsApp subsidiary sued the notorious Isreal-based software company in 2019, alleging that NSO exploited a zero-day bug in WhatsApp to remotely drop Pegasus on about 1,400 smartphones belonging to attorneys, journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials in multiple countries.
Pegasus, of course, is the now-infamous malware that NSO claims is only sold to legitimate government agencies — not private companies or individuals — and can only be used "for the purpose of preventing and investigating terrorism and other serious crimes," despite numerous reports from Citizen Lab, Google, and the media of the malicious code being used to spy on journalists, activists, and politicians by their opponents.
Once installed on a victim's device, Pegasus can, among other things, secretly snoop on that person's calls, messages, and other activities, and access their phone's camera without permission.
In response to Facebook's lawsuit, NSO asked the courts to dismiss the lawsuit on the grounds that the immunity of foreign states from prosecution also applies to non-governmental vendors. After the lower courts rejected its argument, NSO appealed to the US Supreme Court, which today denied [PDF] its case, thus kicking it back to the Court of Appeals.
NSO, for its part, maintains that Pegasus' use was — and is — all aboveboard.
"Meta has repeatedly impeded law enforcement's ability to lawfully investigate criminals' use of WhatsApp to commit serious crimes and acts of terror," an NSO spokesperson told The Register. "We are confident that the court will determine that the use of Pegasus by its customers was legal."
Previously, the US Solicitor General filed an amicus brief [PDF] advising the Supreme Court not to hear the spyware developer's case, noting "NSO plainly is not entitled to immunity here."
The high court's decision paves the way for future lawsuits brought by journalists and others illegally targeted by spyware, said Carrie DeCell, senior staff attorney at the Knight First Amendment Institute at Columbia University.
"Today's decision clears the path for lawsuits brought by the tech companies, as well as for suits brought by journalists and human rights advocates who have been victims of spyware attacks. The use of spyware to surveil and intimidate journalists poses one of the most urgent threats to press freedom and democracy today."
- Google warns of commercial Heliconia spyware hitting Chrome, Firefox, Microsoft Defender
- NSO Group CEO steps down, 100 employees let go too
- We're likely only seeing 'the tip of the iceberg' of Pegasus spyware use against the US
- NSO claims 'more than 5' EU states use Pegasus spyware
Late last year, the Knight Institute filed a lawsuit against NSO on behalf of journalists and other members of the leading Central American news organization El Faro — the first such lawsuit filed by journalists against NSO in a US court.
The complaint alleges that NSO Group and its parent company, Q Cyber Technologies, violated US laws by helping to deploy Pegasus spyware to remotely access journalists' iPhones.
Over the summer, the embattled software developer announced a reorganization in which it replaced its CEO and axed about 100 workers, citing "a difficult period with a lot of obstacles and challenges." ®