SAN FRANCISCO, Calif. (CN) — An Israeli spyware firm recently blacklisted by the Biden administration cannot invoke immunity reserved for foreign sovereigns to dodge WhatsApp’s claims of infiltrating its messaging platform to send surveillance malware to over 1,000 devices belonging to journalists, activists and others.
NSO Group Technologies is best known for Pegasus, a hacking tool that recently landed it on the Commerce Department’s “entity list” for “engaging in activities that are contrary to the national security or foreign policy interests of the United States.”
Pegasus invades a device through a malicious code lurking in text messages sent via WhatsApp, Telegram, or other messaging services. Once implanted on the device, Pegasus can control a phone’s microphones and cameras while extracting the personal and location data of its owner — for example by scraping browser history and contacts, grabbing screenshots, and infiltrating communications.
The company’s clients include Saudi Arabia, the United Arab Emirates, India and Morocco.
In a statement, the Commerce Department said Pegasus has “enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent."
In October 2019, WhatsApp and its owner Facebook sued NSO claiming it installed its spyware on devices used by lawyers, human rights activists, journalists and diplomats. WhatsApp claims NSO used WhatsApp’s servers to initiate calls with the devices being targeted that could infect them with malware once the call was complete — even those who never picked up the phone.
On Monday, three Ninth Circuit judges affirmed a federal judge’s ruling last year that found NSO is not protected by sovereign immunity as a private company even if it acts as an agent of its foreign sovereign customers.
NSO argued it was entitled to “conduct-based immunity,” a common law doctrine that shields foreign officials acting in their official capacity.
The panel's unanimous opinion, penned by Donald Trump-appointed U.S. Circuit Judge Danielle Forrest, declined to even consider applying common law. The panel found NSO Group’s claims doomed to failure under the Foreign Sovereign Immunity Act, which governs all foreign sovereign immunity claims brought by entities.
“Concluding that the FSIA governs all foreign sovereign immunity claims brought by entities, as opposed to individuals, makes this an easy case,” Forrest wrote. “NSO does not contend that it meets the FSIA’s definition of ‘foreign state,’ and, of course, it cannot. It is not itself a sovereign. NSO is a private corporation that provides products and services to sovereigns — several of them.”
U.S. Circuit Judge Mary Murguia, a Barack Obama appointee, and U.S. Circuit Judge Ryan Nelson, a Trump appointee, joined Forrest's opinion.
The judges rejected NSO’s reasoning that it should benefit from the immunity extended to foreign governments because it provides technology for national security and “law enforcement” purposes.
“Whatever NSO’s government customers do with its technology and services does not render NSO an ‘agency or instrumentality of a foreign state,’ as Congress has defined that term,” Forrest wrote. “Thus, NSO is not entitled to the protection of foreign sovereign immunity. And that is the end of our task.”
Sophia Cope, a senior attorney with the Electronic Frontier Foundation who wrote an amicus brief in the case, said the EFF is thrilled the court settled the open question of whether private companies that work for foreign governments can invoke sovereign immunity.
"The Ninth Circuit said no. It held that Congress intended the statute to comprehensively address immunity of corporations and thus the FSIA forecloses applications of immunity to corporations via common law," Cope said in an email.
"EFF has for years called for more accountability against technology companies that facilitate human rights abuses by foreign governments," she added. "Cybersurveillance companies like NSO Group shouldn’t be making a profit from spying on journalists, human right activists, and others deemed political enemies of foreign states. These companies must be held responsible for their role in not only violating digital rights — but also the very real-world consequences of that spying, including unlawful arrest, torture, and even extrajudicial killings. The Ninth Circuit’s ruling brings them one step closer."
WhatsApp’s lawyer declined to comment, and a lawyer representing NSO Group did not respond to an email seeking comment Monday.
The ruling further marred an already manic Monday for NSO: The nonprofit Frontline Defenders revealed the Pegasus spyware had been discovered on the electronic devices of six Palestinian human rights activists after hacks that began in July 2020.
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.