The case is a test of whether sovereign immunity can be extended to cybersurveillance firms working for foreign governments.
SAN FRANCISCO (CN) — Three Ninth Circuit judges signaled Monday that they are unlikely to upend centuries of legal precedent by granting sovereign immunity to an Israeli software firm whose cybersurveillance tool was used by foreign governments to spy on some 1,400 journalists and activists.
NSO Group Technologies is probably best known for Pegasus, a piece of spyware that can hack a mobile device without detection. It invades the device through a malicious code lurking in text messages sent via WhatsApp, Telegram, or other messaging services. Once implanted on the device, Pegasus can control a phone’s microphones and cameras while extracting the personal and location data of its owner — for example by scraping browser history and contacts, grabbing screenshots, and infiltrating communications.
In October 2019, WhatsApp and its owner Facebook sued NSO, claiming it infiltrated the messaging platform to spy on devices used by lawyers, human rights activists, journalists and diplomats. WhatsApp claims NSO accomplished this by using WhatsApp’s servers to initiate calls that could infect devices with malware once the call was complete — even if the intended target never picked up the phone.
In July 2020, U.S. District Judge Phyllis Hamilton refused to dismiss WhatsApp’s case, finding NSO is not protected by sovereign immunity as a private company even if it acts as an agent of its foreign sovereign customers.
At oral argument Monday, NSO attorney Jeffrey Bucholtz had a hard time convincing U.S. Circuit Judges Mary Murguia, a Barack Obama appointee and Donald Trump appointees Ryan Nelson Dani Hunsaker to overturn Hamilton’s ruling.
Murguia asked Bucholtz whether NSO had requested a suggestion of immunity from the State Department, part of the two-step procedure for a court to determine whether a foreign state is entitled to foreign sovereign immunity from its jurisdiction.
“How do we grant the immunity you’re asking for where there’s no apparent example of the executive branch ever suggesting immunity for a private foreign corporation?” she asked.
Bucholtz said Judge Hamilton had not asked for the State Department’s view on whether it would recognize NSO’s immunity, adding that the novelty of WhatsApp’s case could account for why there are no previous examples of the executive branch weighing in on lawsuits against private foreign corporations acting as agents of foreign sovereigns.
“They know they can’t sue NSO’s foreign state customers,” he said. “So they sue the company that provides IT support to the foreign states. It’s as if the United States conducted a military operation in some other country and somebody didn’t like how the United States conducted the operation and sued the company that sold the missiles or the bullets and sought to get around the United States’ immunity in that way.”
Hunsaker pushed back. “I find the argument your clients are making here remarkable,” she told Bucholtz. “In the over 200-year history of our country we have no example of foreign sovereign immunity being granted to a private company.”
Bucholtz compared the case to the Fourth Circuit’s ruling Butters v. Vance International, where a private company hired to provide security for the wife of the king of Saudi Arabia was granted immunity from an employee’s gender discrimination lawsuit.
“It’s not quite right to say there’s no example,” Bucholtz said. “But it’s equally notable there’s not a single example of any court ever or the executive branch saying entities are not eligible for conduct-based immunity.”
Hunsaker replied, “One explanation for why that hasn’t happened is because everybody knew or assumed that when you’re talking about sovereign immunity you’re talking about a sovereign, not a private actor.”
Bucholtz urged the panel to consider Doğan v. Barak, in which the Ninth Circuit held that foreign officials are entitled to immunity when acting in their official capacity ratified by a sovereign government.
“In Doğan, the government had come out and made a statement regarding a suggestion of immunity, that seems quite significant in terms of distinguishing this case from Doğan,” Murguia said.
NSO does not decide which foreign states use their tools or how they choose their targets, Bucholtz said, but merely installs the software, trains the governments on how to use it, and provides IT support — further attenuating its liability. “If anyone did it, it’s the foreign states,” he said.
Recent years have seen a flurry of litigation against the cyberarms firm including by Amnesty International and a Saudi dissident who claims a Pegasus hack of his phone led to the killing of his friend, Saudi journalist Jamal Khashoggi.
Last year, Citizen Lab at the University of Toronto reported Pegasus spyware had been implanted on the personal phones of 36 Al-Jazeera journalists, producers, anchors and executives.
A host of tech companies and advocacy groups filed amicus briefs in the WhatsApp case, cautioning that cybersurveillance tools like Pegasus “dramatically increase systemic cybersecurity risk” and pose a danger to human rights advocates.
“Cybersurveillance tools like NSO’s Pegasus are powerful, and dangerous. Such tools depend on vulnerabilities in code that allow one person to access another person’s device, network, or system. If those tools are misused, the results can be disastrous,” attorney Mark Farris wrote on behalf of the group that includes Microsoft, Cisco, LinkedIn, and GitHub.
The Electronic Frontier Foundation pointed out that NSO’s foreign client list “remains shrouded” and that to “promote transparency in international affairs, immunity doctrine should shield only actions undertaken by a state or its organs or owned enterprises — not actions laundered through a private entity like NSO.”
Representing WhatsApp, former Deputy Solicitor General Michael Dreeben attacked NSO’s strategy of seeking to obtain a novel and unprecedented form of immunity for its actions that is usually only accorded to individuals who represent foreign states.
“NSO seeks to expand that concept in a radical new direction that would cover corporate contractors. There is no support of that form of immunity under the common law in the history of the United States,” he said.
Dreeben noted foreign states typically come forward to protect their operations by seeking a suggestion of immunity from the State Department.
“Here we don’t have anything like that. NSO has not even identified the multiple foreign clients it claims it works for. It’s entirely opaque,” he said, adding that NSO does not serve as agent of a foreign state, but “operates as a private commercial enterprise whose main concern is to earn profits for its own shareholder. And in that context it doesn’t serve as an agent of anybody, it’s a corporation.”
Bucholtz said a ruling in favor of WhatsApp could leave more technology companies open to lawsuits in foreign courts if they contract with the United States in their national security investigations abroad. “The shoe could easily be on the other foot,” he said.
The panel took the case under submission.