
Laurie Clarke


WhatsApp’s spyware lawsuit against NSO Group could change cyber espionage laws forever

Almost six months after it was served with a lawsuit by WhatsApp, the controversial Israeli spyware company NSO Group took its first substantive action in relation to the court case last week – it filed a motion to dismiss it on several grounds. WhatsApp alleges that NSO Group is responsible for hacking the accounts of over 1,000 of its users, including those of human rights activists, academics, journalists and lawyers. But NSO Group is manoeuvring to have the case thrown out before it ever reaches a jury trial. 

The company’s arguments for dismissing the case include the issue of personal jurisdiction and whether a US court has the right to try an Israeli company with limited operations in the States. But more interestingly, the company is seeking to claim what’s known as derivative sovereign immunity. The US Foreign Sovereign Immunities Act (FSIA) of 1976 – a version of which exists in most countries – means that foreign nation states are mostly immune from civil suit or criminal prosecution in the US. In England, the doctrine was first applied to monarchs, and stemmed from the idea that the king could do no wrong. Essentially, NSO Group is arguing that because its only clients are nation states, it should be sheltered by a derivative version of the law that protects states from being held legally liable by foreign courts.

WhatsApp has asked the court to rule that NSO violated US federal law and California state law against computer fraud, breached their contracts with WhatsApp and “wrongfully trespassed” on Facebook’s property. In its most recent court filing, NSO Group says that despite licensing its spying technology, Pegasus, to government law enforcement and intelligence agencies, and assisting with “training, setup, and installation”, it did not operate the technology. “Government customers do that, making all decisions about how to use the technology,” NSO said in its legal filing. “If anyone installed Pegasus on any alleged “target devices” it was not [the] defendants [NSO Group]. It would have been an agency of a sovereign government.” NSO Group claimed that in order to challenge the conduct, WhatsApp must declare the “sovereign acts” of those governments to be illegal. “For that reason,” the company said in the filing, “permitting this litigation to proceed would infringe critical national security and foreign policy concerns of sovereign governments”.

The company’s argument for derivative sovereign immunity is considered a novel one by legal experts. “It’s not an entirely frivolous argument,” says Chimène Keitner, professor of international law at UC Hastings College of the Law in California, “but it’s certainly one that may have many hurdles to get through.” Not least because the company has not yet named any particular country that bought and operated its software – something that according to legal experts makes the argument unlikely to fly in court. 

But if NSO Group’s derivative sovereign immunity argument succeeds – and even if it doesn’t – it could have seismic ramifications for how cyber espionage is legislated against on the international stage. This is because NSO Group’s argument shines a light on an increasingly contentious issue – the question of whether foreign nation states can and should be held accountable for levelling cyber attacks against US citizens. 

At present, under the FSIA, there are a few exceptions where a foreign nation can be tried by a US court. These include commercial activities, unlawful acts that occurred on American soil, and acts of terrorism that occurred on US soil. However, courts have tended to rule that foreign states can’t be held accountable for cyber attacks. “The courts have found, very counter-intuitively, that if a state implants spyware on the computer of a US citizen, turns on the webcam and the microphone and records everything happening in their home, that is not a tort [a wrongful act resulting in legal liability] that entirely occurs in the United States, and that the foreign sovereign has absolute immunity for doing so,” says Scott Gilmore, an international human rights lawyer at Hausfeld.

Because an international cyber attack is orchestrated by someone sitting at a computer in a different country, US courts have historically ruled that this type of crime doesn’t fall under one of the exceptions to the FSIA. But changing this, by adding a cyber-attack exception to the sovereign immunity doctrine, is something lawyers and activists are increasingly pushing for.

Gilmore speaks about growing friction in the law – a “sort of an ironic tension” – where the US Department of Justice has for years been issuing criminal indictments to foreign governments for state-sponsored industrial espionage and the hacking of American computers. The only issue is, these are mostly symbolic gestures given that the defendants aren’t going to be extradited to the United States. “The problem is that with regards to the actual victims of these hacking campaigns, who are American individuals and businesses, the courts have been telling them so far ‘You don’t have any recovery or compensation and you can’t hold these states accountable’,” says Gilmore. 

This bodes well for NSO Group’s argument, but could this case prompt a step change in how the US responds to state-sponsored cyber espionage? Gilmore believes that the right constellation of court decisions and appeals could place this case before the US Supreme Court. And if the ruling was that foreign states have immunity to hack Americans, “I think this would squarely put the issue before Congress,” says Gilmore, “that there has to be a legislative solution that would give Americans the right to recover reparations from the foreign states that do this kind of activity”. 

In the US, there is a swathe of somewhat draconian legislation that prohibits espionage as a matter of domestic law, including for example, the Economic Espionage Act and the Computer Fraud and Abuse Act – the one that WhatsApp is alleging NSO Group transgressed. However, when it comes to international law, things get murkier. “The mainstream view is that international law is indifferent to espionage,” says Dr Russell Buchan, senior lecturer in international law at the University of Sheffield School of Law. “That view is that it’s neither lawful nor unlawful under international law.”

Recent hacking cases in which sovereign immunity has been invoked include a federal judge in New York’s ruling to exempt Russia from the 2016 cyber-attack on the DNC, and a Washington D.C. court of appeals’ ruling in 2017 that an American citizen couldn’t sue the Ethiopian government for hacking into his computer and monitoring him with surveillance tech. In 2018, a federal judge dismissed a lawsuit brought by a Republican fundraiser alleging the Qatari government orchestrated the hacking of his emails, saying the sovereign nation couldn’t be sued for an overseas cyberattack. However, in this case, the judge called on Congress to update the law, saying given “the growing prevalence of attacks in cyberspace, it may be an appropriate time for Congress to consider a cyberattack exception” to the FSIA. 

Critics of the current treatment of cyber espionage under the FSIA are emboldened by the fact that the act has been amended to reflect changing times before. It was amended in 1996 to allow victims of terrorism to sue foreign states that had been designated by the State Department as “State Sponsors of Terrorism”. After the September 11 attacks, family members of victims attempted to pursue a civil litigation case against Saudi Arabia, but because the country wasn’t a designated State Sponsor of Terror, the case was thrown out in 2015. However, this prompted Congress to enact new legislation – the Justice Against Sponsors of Terrorism Act in 2016 – that would allow victims to hold foreign states accountable where the terrorist act occurred on US soil. 

In the NSO case, there are other reasons that the derivative sovereign immunity argument might be unsuccessful. The doctrine of sovereign immunity is “the cornerstone principle of international relations…by preventing the interests of one state being litigated before foreign courts”, says Buchan. “But in recent years, international law has tried to restrict the application of the doctrine of statehood.” This is because the interest in due process taking place competes with the interests of sovereignty. If it’s decided that a court is jurisdictionally incompetent under international law to litigate an issue, it essentially means justice can’t be sought. “Sovereign immunity does not transform an otherwise illegal activity into a legal activity or lawful activity,” clarifies Keitner. “It simply prevents a particular court from inquiring into the matter at all.”

If NSO’s derivative sovereign immunity argument falls flat, there are other reasons the case might never make it to a jury trial. The most pressing issue, in Keitner’s opinion, is that of personal jurisdiction, and whether US courts have the right to litigate the Israeli company. It’s “the idea that they [NSO Group] don’t have a sufficient US presence for a US Court to exercise jurisdiction over them,” says Keitner. “And that’s going to be an argument because US Supreme Court cases in recent years have really ratcheted back the reach of US personal jurisdiction.” Despite the fact that WhatsApp lays out in its complaint the US connections it believes give the US Court jurisdiction over NSO Group, Keitner believes “there will be a fight about personal jurisdiction.” This aside, there are other reasons WhatsApp might struggle to succeed on its central contention – that NSO Group violated the Computer Fraud and Abuse Act.

Perhaps WhatsApp never expected the case to go to trial anyway. “There’s been some suggestion that a main goal of this case, if not the main goal, was just to show the public that Facebook and WhatsApp are not the bad actors here in terms of privacy violations,” says Keitner. A Facebook spokesperson told NS Tech: “We look forward to proving our case against NSO in court and seeking accountability for their actions.”

The case is already bringing up fascinating and complex issues around how cyber hacking is viewed – and legislated against – on the international stage. “Hopefully this is going to precipitate a change in how cyber weapons or cyber tools are marketed internationally. At the moment people think it’s just code and software, but actually it can be a weapon,” says Buchan. “It’s a potentially blockbuster case.”