Spyware vendors face growing backlash, legal setbacks
Selling spyware is controversial business. And for good reason: Though marketed as a means of catching criminals or terrorists, hacking tools have also been turned against reporters, dissidents and other members of civil society. (For a deep dive on those abuses, check out the stories published as part of “The Pegasus Project,” a sweeping investigative collaboration.) Growing awareness of those harms has put more and more pressure on the industry — and on government regulators. As we noted last week, the Commerce Department recently added two Israeli spyware firms, NSO Group and Candiru, to an important trading blacklist because of the ways in which their products have been misused. And in an important new decision, the U.S. Court of Appeals for the Ninth Circuit dealt a blow to firms’ efforts to avoid accountability in U.S. courts.
The opinion comes in a suit that WhatsApp, the messaging app owned by Meta (the new name for Facebook’s parent entity), brought against NSO Group in 2019. According to WhatsApp’s complaint, the spyware company allegedly transmitted malware over WhatsApp servers to more than 1,000 targets, from journalists to diplomats, in violation of state and federal law. In response, NSO Group argued that WhatsApp’s real grievance was with the foreign states that had purchased its hacking tools — and that the company should be entitled to immunity for any acts it took on behalf of its sovereign clients.
It’s not easy to sue a sovereign for hacking you. The Foreign Sovereign Immunities Act generally bars courts from hearing cases against foreign nations unless one of several exceptions applies. And, without plunging down a rabbit hole, suffice to say those exceptions are better designed to deal with, say, diplomats’ traffic accidents than transnational intelligence operations. (For those interested in more of the nitty-gritty, I’ve written a bit about the issue for Lawfare and the Harvard Law Review.) But the FSIA only governs states and state organs — think a state-run bank — so NSO Group couldn’t invoke the protections of the statute directly. Instead, the firm argued that an analogous common-law immunity should extend to firms that act for, but aren’t owned by, foreign governments. If that argument had succeeded, it could have provided spyware firms with an effectively impenetrable shield when their actions are challenged in U.S. courts.
But the Ninth Circuit turned that effort back, concluding that the FSIA “occupies the field” and “categorically forecloses extending immunity to any entity that falls outside the FSIA’s broad definition of ‘foreign state.’” Since NSO Group doesn’t fit the bill, it couldn’t invoke the benefits of sovereign immunity. That doesn’t mean, of course, that WhatsApp’s suit will ultimately succeed on the merits of its allegations. But the company will get a chance to pursue its claims, and the ruling offers some hope to other plaintiffs trying to get redress — like Ghada Oueiss, the Al Jazeera broadcaster trying to overcome similar hurdles in her suit in Florida federal court, which alleges that high-level Saudi officials hacked her with the help of the Emirati firm DarkMatter.
These lawsuits represent an important development in the effort to deter spyware abuses, and we plan to continue following them as they do or don’t progress.
Like what you’ve read? Sign up to get the full This Week in Technology + Press Freedom newsletter delivered straight to your inbox!
The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Legal Fellow Grayson Clary and Technology and Press Freedom Project Legal Fellow Gillian Vernick.