NSO Group’s attempt to get WhatsApp’s lawsuit thrown out has failed, and the case – which alleges the spyware company hacked 1,400 of the messaging service’s users – can proceed to trial. US District Judge Phyllis Hamilton rejected most of NSO Group’s arguments to get the case dismissed, paving the way for a high stakes legal battle with potentially seismic repercussions.
WhatsApp alleges that NSO Group’s ‘zero-click’ Pegasus technology exploited a vulnerability in the messaging service to hack the phones of human rights activists, political dissidents, lawyers, journalists and government officials.
NSO Group argued that the case shouldn’t make it to court on several grounds. It said that because it was the supplier, rather than the operator, of the technology, and that its only customers were foreign governments, it should be protected under the Foreign Sovereign Immunities Act (FISA) or a derivative version of it. But this argument was tossed out, with Hamilton saying that “as private foreign entities, [NSO Group and parent company Q Cyber Technologies] do not qualify as foreign states and cannot directly avail themselves of the FSIA”.
In regards to derivative sovereign immunity, Hamilton said that because the contractor was not incorporated in the United States, it didn’t qualify. She argued “there is no compelling reason to extend derivative sovereignty”.
“This is stunning rebuke to NSO Group’s business model of cross-border hacking in the service of foreign powers,” says Scott Gilmore, an international human rights lawyer at Hausfeld. “NSO Group tried to shelter behind the fact that its clients were foreign governments, but the court rejected the notion that [the company] enjoyed the same sovereign immunity as its clients. Those governments – and whatever immunity they might assert – do not factor into this case, because the court can order NSO Group to stop hacking WhatsApp’s servers without actually ordering a foreign government to do anything in particular.”
WhatsApp alleges that customers of NSO Group include the Kingdom of Bahrain, the United Arab Emirates, and Mexico. This assertion is supported by research from Citizen Lab, the academic research group that has extensively studied NSO’s activities, and human rights groups like Amnesty International.
NSO Group also argued that the case should be dismissed on grounds of personal jurisdiction, but it was ruled that there was sufficient grounds to hold the trial in California in the US.
Pegasus allegedly operates by sending malware through WhatsApp’s servers to a user’s device. NSO Group aimed to have the case rejected on the basis that the company didn’t break the California Fraud and Abuse Act (CFAA). The company argues that, as a WhatsApp user, it had permission to access WhatsApp’s computers and servers to send messages. WhatsApp argues that the company had permission to send messages, but not to access technical settings and circumvent the company’s security via malicious code.
Hamilton said that while WhatsApp wasn’t able to argue that NSO Group had no authorisation to access its systems, the group’s use of the service “exceeds authorized access because defendants had permission to access a portion of the computer in question (the WhatsApp servers) but did not have permission to access other portions”.
Experts in hacking law told Wired in October that WhatsApp’s argument that NSO broke the CFAA may struggle to fly because it wasn’t clear which “unauthorised access” was alleged in this case – particularly as WhatsApp, rather than its hacked users, was the plaintiff. Arguing for the violation based on terms of service alone was a tenuous link, one expert told the publication. This latest ruling implies that WhatsApp’s argument that NSO Group violated the CFAA could in fact be persuasive in court.
“The court correctly ruled that NSO Group’s hacking was a far cry from sending an email without the boss’s permission: the court found that NSO Group bypassed WhatApp’s technical restrictions – the very definition of hacking,” says Gilmore. In addition to alleging NSO violated the CFAA, WhatsApp has brought state-level charges against NSO including breach of contract and interfering with their property.
WhatsApp was mostly successful in rebutting NSO Group’s arguments, but one of their allegations wasn’t fully substantiated. Hamilton said that WhatsApp’s argument that NSO Group’s activities had caused “actual harm […] to WhatsApp’s computers or servers” wasn’t supported by enough evidence. She has provided the company with a 21-day window in which to provide some.
The next steps
What happens next? “NSO Group will almost certainly appeal the decision: the foreign sovereign immunity issues are novel and these types of rulings are often considered immediately appealable,” says Gilmore. “The battleground will soon be the Ninth Circuit court of appeals, a court whose precedents control Silicon Valley.”
If the court case goes ahead, NSO Group could soon be forced to produce sensitive commercial information about its customers, how its technology is deployed and against who. NSO Group CEO Shalev Hulio recently disclosed to German newspaper Die Zeit that it was possible for the company to view who state actors were targeting with its technology when carrying out an internal investigation.
A spokesperson for the company said in a statement: “When conducting investigations on potential misuses of the technology by customers in accordance with our Human Rights Policy, then and only then, we demand that our customers provide us with information relevant to the investigation – as they are contractually required. We then review the specific information supplied to determine whether the system was used in compliance with our policies or not.”
Demands to produce such information in the Whatsapp lawsuit is “going to cause huge problems for the states that are standing behind NSO,” says Dr Russell Buchan, senior lecturer in international law at the University of Sheffield School of Law. “The diplomatic fallout could be colossal and it could be embarrassing for certain states.”
If the company is forced to divulge this information, it will probably seek to keep it out of the public eye. Gilmore told NS Tech: “They could seek a protective order from the court to to hide that information – whether that would be granted is hard to say. If NSO Group were to try to seal information on a foreign government hacking a major US internet company, I would expect that there would be a First Amendment battle over the public’s right to know.”
Buchan says that states would perhaps come forward to argue that the case be made private on national security grounds. “I would predict that that’s probably where the next battleground lies,” he says. A recent Israeli court case brought against NSO Group by Amnesty International was allowed to be conducted behind closed doors. (The court ruled that NSO Group’s license shouldn’t be revoked by the Israeli Ministry of Defence.)
In a statement to Techcrunch, WhatsApp said: “We are pleased with the Court’s decision permitting us to move ahead with our claims that NSO engaged in unlawful conduct. The decision also confirms that WhatsApp will be able to obtain relevant documents and other information about NSO’s practices.”
A spokesperson from NSO Group said the following: “Our legal team is reviewing the court’s decision, so we are not in a position to comment in detail at this time. Our technology is used to save lives and prevent terror and crime worldwide, and we remain confident that our conduct is lawful.”
This article was updated to include comment from NSO Group.