Nov. 19, 2021
9th Circuit brings us a step closer to holding spy-tech companies accountable
The federal appellate court recently issued an important ruling that helps clear the way for accountability for the private companies that build the spy technologies used by repressive governments to violate human rights.
Authoritarians around the world are making big use of spyware -- commercial technology that helps those governments track, repress and sometimes murder human rights defenders, activists and journalists. The 9th U.S. Circuit Court of Appeals, however, recently issued an important ruling that helps clear the way for accountability for the private companies that build the spy technologies used by repressive governments to violate human rights. WhatsApp Inc. v. NSO Group Technologies, 2021 DJDAR 11550 (Nov. 8, 2021).
The court rejected a claim by NSO Group, whose technology has been implicated in spying on thousands of journalists and political dissidents, that it should enjoy legal protection reserved for foreign governments against lawsuits in the United States. American messaging company WhatsApp brought the case against NSO Group, accusing the Israeli cybersurveillance firm of breaking into WhatsApp's systems -- in violation of federal and state anti-hacking laws -- in order to surveil journalists, activists and other WhatsApp users.
The 9th Circuit held that the private surveillance technology company, despite having foreign government clients, does not qualify for foreign sovereign immunity against civil lawsuits in the United States. This ruling allows the case to proceed on the merits. This is a win for accountability and human rights, and is a strike back against companies across the globe who have created a multi-billion dollar spyware industry by marketing their software to authoritarian governments.
NSO Group is a private company that built and sells Pegasus, a software program that allows clients to infect and gain remote access to all the data on a person's mobile device. In the summer of 2021, news outlets and nonprofit civil society groups, as part of the Pegasus Project, acquired a list of more than 50,000 phone numbers of journalists, political dissidents, politicians and business executives around the world who may have been targeted by their governments using NSO Group's technology -- and dozens were confirmed to have in fact been targeted. The confirmed targets included several journalists and the fiancé of assassinated Saudi journalist Jamal Khashoggi.
The spyware is designed to exploit several vulnerabilities in iPhones and Androids to extract data. A device can even be infected by Pegasus without the owner having to do anything such as click on a link. In the case of the WhatsApp hack, which targeted approximately 1,400 users, individuals received what appeared to be a video call. After the phone rang, even if the user did not pick up the call, malicious code was transferred to the user's phone. Researchers at Citizen Lab determined that of those targeted via WhatsApp, over 100 users were human rights defenders and journalists across at least 20 countries.
After WhatsApp filed suit against the spyware firm, NSO Group argued that because its clients were foreign governments, the company was protected by foreign sovereign immunity, a long-standing legal doctrine limiting the ability of U.S. courts to exercise jurisdiction over foreign governments. Limiting when nation-states may be hauled into U.S. courts grants deference to and respects the autonomy of other countries, which can support international relations. Foreign sovereign immunity is codified in U.S. law in the Foreign Sovereign Immunities Act. The FSIA by its terms applies only to corporate entities owned by foreign governments. But there was an open question as to whether private corporations whose clients are foreign governments may invoke common law foreign sovereign immunity.
The 9th Circuit said no. The court held that Congress intended the FSIA to "occupy the field," that is, comprehensively address foreign sovereign immunity of entities including corporations, and thus the FSIA forecloses applications of immunity to corporations via common law. Thus, because NSO Group is a private company, it has no immunity and must face civil claims for the damages its profit-making spyware has racked up.
The cybersurveillance industry is massive, dangerous and growing. Currently, the market for these technologies is valued at approximately $12 billion annually, almost the same amount as the GDP of Nicaragua. The rise of the international spyware industry is deeply troubling because its technology is used to track, repress, and otherwise violate the human rights of those spied upon.
In 2011, the United Nations Human Rights Council published the Guiding Principles on Business and Human Rights, which was endorsed by the United States specifically for the purpose of reining in the ability of U.S. companies to sell cybersurveillance technology to nation-states abroad. The principles provide that national governments should "take steps to prevent abuse abroad by business enterprises within their jurisdiction" and "to ensure the effectiveness of domestic judicial mechanisms when addressing business-related human rights abuses." The 9th Circuit has made one such important step -- without foreign sovereign immunity, NSO Group will have to defend itself on the merits -- and potentially face liability.
More recently, the U.S. government added NSO Group to the Entity List, limiting the ability of U.S. companies to export technologies that would facilitate NSO Group's cybersurveillance activities. The hope is that both in the United States and elsewhere, we can create a culture of consequences for companies whose technology is used in corrosive and dangerous ways on the world stage.
The 9th Circuit's decision hopefully signals a turning point in the unregulated and lawless proliferation of surveillance technology, not just for NSO Group, but for other companies as well. EFF has long argued that companies that build tools for repression must bear legal responsibility for the harms these tools facilitate.
Most immediately, this decision will hopefully support legal challenges to other companies such as DarkMatter, a surveillance technology company based in, and a vendor to, the United Arab Emirates. Like NSO Group, DarkMatter has also surveilled journalists, political dissidents, and members of civil society and will hopefully be held accountable for these harms. A case is currently pending in the Southern District of Florida against DarkMatter by Al Jazeera journalist Ghada Oueiss for the company's alleged collaboration with the Crown Prince of Saudi Arabia in hacking her mobile phone and releasing information in retaliation for her critical reporting.
The 9th Circuit's decision is a welcome development in the fight against the corrosive effects of a booming cybersurveillance industry. With more work, advocacy, and legal challenges, the United States judicial system may be able to take a more active role in protecting human rights and hindering those who may wish to grow rich off of authoritarianism.