Meta’s Lawsuit Against NSO Goes Forward – The Fight Against NSO Spyware Gains Strength
The murky world of government spyware has not been the same since July 2021, when the Pegasus Project published a leaked list of over 50,000 phone numbers believed to belong to people of interest to clients of NSO Group, the leading spyware company, all of them possible targets of its Pegasus spyware.
Since then, many stories about NSO and its activities have been written, including an update from Forbidden Stories, which coordinated the reporting on the Pegasus Project. There have been revelations about the spyware being deployed in India, found on phones used by the British Government, and of surveillance of politicians and journalists in the EU. The New Yorker wrote an in-depth feature about NSO, including numerous interviews with its executives and staff about its activities and methods.
In one of the latest developments in the fight against NSO spyware, the US Supreme Court declined to hear NSO’s appeal, leaving in place the lower-court ruling that NSO cannot claim the benefit of foreign sovereign immunity.
NSO Made the US Entity List
Even more serious than this glare of often negative publicity is the US government’s response to the revelations of NSO’s activities around the world. In November 2021, the US Commerce Department added NSO and three other companies to its “Entity List” for “engaging in activities that are contrary to the national security or foreign policy interests of the United States.” There were some serious implications of this move. As The New York Times explained:
The ban would prohibit American firms from selling technology to NSO Group and its subsidiaries. Dell and Microsoft were alerted earlier that NSO Group would be added to the blacklist, according to two people briefed on the calls but unauthorized to speak publicly about them.
Being unable to buy US software is obviously a big problem. Another is that the US move caused NSO’s credit rating to drop, bringing financial complications with it. The spyware company’s woes did not end there. A few weeks after the Entity List decision by the US government, Apple sued NSO, “to hold it accountable for the surveillance and targeting of Apple users.”
Its lawsuit described NSO as “notorious hackers – amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.” Apple sought a permanent injunction to ban NSO Group from using any Apple software, services, or devices.
Meta Also Goes After NSO
This wasn’t the first time a major computer company had taken legal action over NSO’s alleged surveillance of users. In October 2019, WhatsApp sued the company, alleging that NSO had exploited a flaw in WhatsApp to install spyware on the phones of more than 1,400 users in 20 countries. The New Yorker profile contains a brief description of the exploit, which one WhatsApp engineer described as “brilliant. I mean, when you look at it, it feels like magic”:
The exploit triggered two video calls in close succession, one joining the other, with the malicious code hidden in their settings. The process took only a few seconds, and deleted any notifications immediately afterward. The code used a technique known as a “buffer overflow,” in which an area of memory on a device is overloaded with more data than it can accommodate.
That’s an indication of the sophistication of modern spyware, which is often installed on a target phone without the user opening anything, tapping a link or even answering the call – what is known as a “zero-click infection”.
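To make the “buffer overflow” in the description above concrete, here is an added, constructed example in C; it is not the WhatsApp or Pegasus code, and nothing about it should be read as the real exploit. It assumes a hypothetical call-setup handler whose memory holds a 16-byte “settings” buffer directly followed by a 4-byte control value the handler later trusts. The vulnerable handler copies as many bytes as the incoming message claims, so an oversized message spills into the control value; the hardened handler checks the length against the destination size first and rejects the message. Both regions are laid out inside one array so that every write in the demo stays within a single C object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (hypothetical, not the real messaging app's code):
 * a fixed-size settings buffer immediately followed by a 4-byte control
 * value, standing in for whatever adjacent data an overflow can corrupt. */
#define SETTINGS_LEN  16u
#define REGION_LEN    (SETTINGS_LEN + 4u)
#define CONTROL_INIT  0x11111111u
#define OVERSIZED_LEN 20u   /* constructed payload: 4 bytes too long */

struct handler_mem {
    uint8_t region[REGION_LEN];
};

static void mem_init(struct handler_mem *m) {
    uint32_t c = CONTROL_INIT;
    memset(m->region, 0, REGION_LEN);
    memcpy(m->region + SETTINGS_LEN, &c, sizeof c);
}

static uint32_t mem_control(const struct handler_mem *m) {
    uint32_t c;
    memcpy(&c, m->region + SETTINGS_LEN, sizeof c);
    return c;
}

/* Vulnerable handler: trusts the message's own length, so bytes beyond
 * SETTINGS_LEN land on the control value. The clamp to REGION_LEN only keeps
 * this model inside its array; a real bug would have no such limit. */
static int apply_settings_unsafe(struct handler_mem *m, const uint8_t *msg, size_t len) {
    if (len > REGION_LEN) len = REGION_LEN;
    memcpy(m->region, msg, len);
    return 0;
}

/* Hardened handler: validate the length against the destination size before
 * copying a single byte, and reject anything that does not fit. */
static int apply_settings_safe(struct handler_mem *m, const uint8_t *msg, size_t len) {
    if (len > SETTINGS_LEN) return -1;
    memcpy(m->region, msg, len);
    return 0;
}

/* Oversized message through the vulnerable handler: the control value is now
 * attacker-controlled (0xCCCCCCCC, whatever the byte order). */
uint32_t control_after_unsafe(void) {
    struct handler_mem m;
    uint8_t msg[OVERSIZED_LEN];
    memset(msg, 0xCC, sizeof msg);
    mem_init(&m);
    apply_settings_unsafe(&m, msg, sizeof msg);
    return mem_control(&m);
}

/* Same message through the hardened handler: rejected with -1. */
int safe_status(void) {
    struct handler_mem m;
    uint8_t msg[OVERSIZED_LEN];
    memset(msg, 0xCC, sizeof msg);
    mem_init(&m);
    return apply_settings_safe(&m, msg, sizeof msg);
}

/* ...and the control value survives untouched. */
uint32_t control_after_safe(void) {
    struct handler_mem m;
    uint8_t msg[OVERSIZED_LEN];
    memset(msg, 0xCC, sizeof msg);
    mem_init(&m);
    (void)apply_settings_safe(&m, msg, sizeof msg);
    return mem_control(&m);
}

/* A message that fits is still accepted by the hardened handler. */
int safe_status_fitting(void) {
    struct handler_mem m;
    uint8_t msg[SETTINGS_LEN];
    memset(msg, 0xAA, sizeof msg);
    mem_init(&m);
    return apply_settings_safe(&m, msg, sizeof msg);
}

int main(void) {
    printf("unsafe: control = 0x%08x\n", (unsigned)control_after_unsafe());
    printf("safe:   rc = %d, control = 0x%08x\n", safe_status(),
           (unsigned)control_after_safe());
    return 0;
}
```

The point of the hardened version is not the specific check but where it sits: the length is compared with the size of the destination the code actually writes to, before any copy, and a mismatch is a rejection rather than a truncation that hides the problem.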
NSO was also innovative in its response to the WhatsApp lawsuit. First, it claimed that it simply licenses its spyware to government law enforcement and intelligence agencies, and did not operate the software itself. More boldly, it invoked something called “foreign sovereign immunity”. This refers to the fact that in customary international law, foreign governments are entitled to some degree of immunity from foreign lawsuits.
NSO was trying to invoke foreign sovereign immunity to shield itself from WhatsApp’s legal attack by claiming that it was acting for unidentified foreign governments when it installed its Pegasus software.
This line of argument alarmed many: if successful, it could effectively shield from US lawsuits any company that committed unlawful acts on behalf of foreign governments. Even the US Solicitor General filed an amicus brief, urging the US Supreme Court to deny NSO’s petition to review its sovereign immunity claim. Fortunately, the US Supreme Court has just denied that petition, leaving the lower court’s rejection of NSO’s immunity claim in place, so WhatsApp’s lawsuit can go ahead.
Spyware Companies Should be Held Accountable
NSO has been the main focus of interest in the wake of the leak in 2021, but it is by no means the only company selling powerful spyware to governments. When NSO was added to the US Entity List, so were three others working in the same sector: Candiru, another Israeli company, Positive Technologies from Russia, and Computer Security Initiative Consultancy of Singapore. An article on the Committee to Protect Journalists site has a special report providing a useful update on the current spyware situation around the world.
One avenue for controlling the use of spyware is to make the companies that create it responsible for its use. That is what is at stake in both the WhatsApp and Apple lawsuits. If those actions are successful, it is likely that companies such as NSO will be more circumspect in who they sell their software to, and how they allow it to be used.
Another approach to tackling spyware is to put pressure on governments to impose a moratorium on the export, sale, transfer, servicing and use of these digital surveillance tools. That’s the idea behind the Geneva Declaration on Targeted Surveillance and Human Rights, which was unveiled in September 2022. Although it is unlikely that the Declaration will have much immediate impact, it performs the useful function of underlining the importance of privacy, and the need for robust data protection, including against sophisticated spyware of the kind deployed so successfully by NSO and others in recent years.
Featured image by Jastrow.