WhatsApp’s most recent court filing in its lawsuit against cyber surveillance company NSO Group claims to connect IP addresses used by the firm to servers in the US, as part of an attempt to quash NSO Group’s claims that its operations don’t touch US soil. This was a key plank of NSO Group’s argument to dismiss the case that was filed earlier in April.
WhatsApp brought the lawsuit against NSO Group in October 2019, claiming that the company’s Pegasus spyware was used to hack more than a thousand users, including prominent human rights lawyers, activists, journalists and academics.
WhatsApp’s most recent filing attaches evidence that it claims shows an IP address used by NSO Group is linked to a server located in Los Angeles and owned by US company QuadraNet Enterprises. The filing claims that the company’s California-based server was used “more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019″.
“It’s going to be hard for NSO to credibly claim that there is no US nexus to their operations when they were busy paying for server space in American data centers,” John Scott-Railton, a researcher at Citizen Lab who has extensively investigated the activities of NSO Group, wrote in a Twitter thread about the new court filing.
WhatsApp claims that another of NSO Group’s IP addresses is linked to a server owned by Amazon in Frankfurt, Germany. It alleges that a number of subdomains – including sip.nsogroup.com, sip.qtechnologies.com, and sip.2access.xyz – were hosted on this server from at least 2 January 2019, to at least 24 November 2019, a time period covering the dates of the attacks.
This evidence is intended as a refutation of NSO Group’s claims that the court case should be dismissed on grounds of personal jurisdiction (i.e. the case shouldn’t be tried in US courts because the Israeli company doesn’t have significant operations there). Legal expert Chimène Keitner previously told NS Tech that this would be a strong argument given that the US Supreme court has in recent years curtailed the reach of US personal jurisdiction. However, WhatsApp’s most recent court evidence could offer a rebuttal of this argument by establishing a substantive connection between NSO Group and the US.
WhatsApp provided a number of other counter arguments on the issue of personal jurisdiction. The new court filing states that NSO consented to this jurisdiction by accepting WhatsApp’s terms of service and “directed its conduct at California”.
The company maintains that NSO violated California’s Computer Data Access and Fraud Act “by “knowingly” and “wilfully” targeting WhatsApp’s systems to disseminate malware”. The filing also notes that NSO Group used to be funded by Francisco Partners, a Californian private equity firm. (The company was subsequently sold to UK based private equity firm Novalpina Capital in February 2019).
The filing also states that by using QuadraNet’s servers, the company entered into a contract that included a Californian choice-of-law clause. It says “NSO knew or should have known that the QuadraNet server was based in California”, adding: “Tellingly, NSO does not deny that it contracted QuadraNet, or that the QuadraNet server was used in the attack”. WhatsApp also cites its own reputational and financial damage that was allegedly incurred by NSO Group as a result of the attack.
WhatsApp’s court filing also repudiates another of the reasons NSO Group provided for dismissing the case. NSO Group argued that it should be sheltered by a derivative version of the US Foreign Sovereign Immunities Act (FSIA), a piece of legislation that prevents foreign governments being tried in US courts. NSO Group argued that because all of its clients were nation states which used the technology autonomously (with NSO group only assisting with “training, setup, and installation”), the group should be treated as an arm of the state and therefore unable to be tried in the US court.
In WhatsApp’s filing, the company argues that NSO Group cannot claim the status of a nation under the FSIA. To support this claim it refers to the 2010 Supreme Court’s decision in the Samantar v. Yousef case, in which it was stated that Congress’ purpose in enacting FSIA was exclusively to uphold state immunity, not other sovereign immunities such as the immunity of state officials. The WhatsApp filing reads that “the FSIA only confers immunity on the “foreign state” itself, “as the Act defines that term””. The filing goes on to say “Here, NSO is a for-profit commercial company – decidedly not a foreign state”.
NSO Group’s motion to dismiss the case didn’t specifically invoke the FSIA, but instead argued that it was “entitled to derivative sovereign immunity”. This concept is not clearly legally defined, and is not mentioned in the FSIA. In support of its argument, NSO referenced the 2000 judgment in Butters v. Vance Intern., Inc., in which it was decided that a US company was entitled to “derivative immunity under the FSIA” for acts carried out following Saudi Arabia’s orders.
However, this is difficult to reconcile with the ruling in the case to which WhatsApp refers, the result of which was echoed in the 2014 Republic of Argentina v. NML case, where the Supreme Court found that “any sort of immunity defense made by a foreign sovereign in an American court must stand on the [FSIA] text”. WhatsApp’s filing argues that “no established law recognizes the novel immunity NSO seeks”. It also rejects NSO Group’s claim that WhatsApp’s issue is with its sovereign clients, rather than the group itself, saying “this suit seeks to enjoin wrongdoing by NSO – not any other actor”.
Legal experts told NS Tech at the time that the argument for derivative sovereign immunity was unlikely to be effective because NSO Group had not named any particular nation state that they had sold their spyware to. This is a point that WhatsApp raises. The court filing reads that in his declaration, NSO Group CEO Shalev Hulio “fails to identify any specific foreign sovereign for whom NSO worked – let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role”. Whatsapp concludes that this is “plainly insufficient”.
“NSO says “our clients do the hacking, not us”. This filing shows NSO purchasing & operating the servers doing the hacking. This makes the company look much more like hacking-as-a-service than software developers,” writes Railton. “If NSO runs these infection servers then they must have logs of the connections. Sounds like they should be able to know exactly who was targeted, down to the victim device IP and time.”
Sign up to Emerging Threats, our weekly cyber security newsletter
An NSO spokesperson said: “Our products are used to stop terrorism, curb violent crime, and save lives. NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States. Our past statements about our business, and the extent of our interaction with our government intelligence and law enforcement agency customers, are accurate. We have no further comment on this matter at this time, but please note that per the court schedule, we will be filing a brief in response to these latest filings by WhatsApp in the coming days.”
The ongoing court filings represent an escalating tit-for-tat. NSO Group’s most recent filing alleges that Facebook approached the company about using its Pegasus spyware software in its VPN product Onavo Protect. Instead of denying this claim outright, Facebook released a statement saying that this was inaccurately represented. NS Tech published an in-depth analysis of the legal arguments involved in the case, and how it could force a change in the laws governing international cyber surveillance, earlier this month.