Bloomberg Law
Privacy & Cybersecurity
LinkedIn
Deep Dive

Meta, Apple Spyware Lawsuits Test NSO’s Foreign Hacking Shields

June 15, 2022, 9:10 AM UTC
Andrea Vittorio
Andrea Vittorio
Reporter

Spyware maker NSO Group’s defense against legal challenges brought by Meta Platforms Inc.'s WhatsApp and Apple has sparked US Supreme Court interest, drawing attention to efforts to hold foreign governments responsible for state-sponsored hacking.

NSO is seeking to use the Foreign Sovereign Immunities Act, which limits lawsuits brought against foreign nations in US courts, as a liability shield. The Israeli company is claiming immunity under that law and a similar common law doctrine because governments leverage its spying technology to investigate terrorism and other crimes.

In separate litigation filed in California, Apple Inc. and Meta Platforms Inc.‘s WhatsApp messaging service are accusing NSO of violating the federal Computer Fraud and Abuse Act with its tool called Pegasus, which covertly extracts information from mobile phones. Pegasus has drawn scrutiny for allegedly being misused to surveil political dissidents, journalists, and human rights activists.

The cases raise a novel question for cyber accountability, since the government actors accused of deploying Pegasus aren’t being challenged directly. Apple and WhatsApp don’t name specific nations that are accused of spying on mobile phone owners or messaging app users as defendants. Instead, the lawsuits allege that NSO hacked into their systems to install spyware.

“It’s strange to have a Foreign Sovereign Immunities Act case where you don’t even know who the foreign sovereign is,” said Ingrid Wuerth, associate dean for research at Vanderbilt University’s law school.

NSO so far has failed in its drive to derail the WhatsApp case and is urging the Supreme Court to step in. The high court last week asked the Justice Department to weigh in on the statutory defense, while NSO awaits a federal district judge’s ruling on common law immunity in the Apple dispute.

Depending on their outcome, the cases could add momentum to legislative efforts to revise the foreign liability law to account for an age of state-sponsored cyberattacks by the likes of Russia or China. Lawmakers in Congress have introduced a proposal to update the immunity law to allow for US-based suits to recover damages for attacks orchestrated by a foreign government, though so far the legislation has seen little movement.

Naming Nations

The foreign immunity law has thwarted previous attempts to hold foreign nations liable for hacks, including when the Democratic National Committee sued Russia and Wikileaks over an attack on its email system and subsequent leak of information in the lead-up to the 2016 US general election.

The legal doctrine of foreign sovereign immunity first developed as common law, or legal precedent. Originally the US State Department was tasked with advising courts on whether immunity should apply when a foreign state or official claimed the shield. Congress adopted the Foreign Sovereign Immunities Act to make such decisions more uniform and insulated from the politics of international diplomacy, according to a Ninth Circuit opinion summarizing its history.

In the WhatsApp case, lower courts have ruled that NSO, as a business, doesn’t qualify for legal immunity granted to foreign governments under the Foreign Sovereign Immunities Act or under common law. NSO’s more recent motion to dismiss Apple’s case based on the common law immunity shield remains pending .

The Justice Department is likely to argue that NSO isn’t entitled to immunity, Wuerth said. The spyware company could make a stronger case for its defense if it were clear which governments it works with, she said. It remains to be seen whether more details about government use of Pegasus will come to light during the evidence-gathering phase of either lawsuit.

NSO didn’t respond to a request for comment on which governments have used its Pegasus technology to surveil WhatsApp users or Apple customers.

Drawing ‘No Distinction’

NSO says in response to Apple’s lawsuit that the legal claims were brought on behalf of the iPhone maker’s customers against NSO as a proxy for the spyware maker’s customers. Apple is standing in for its customers and makes “no distinction between NSO and its government customers,” according to NSO’s argument to dismiss the suit.

“NSO Group really wants to have it both ways,” said Mukund Rathi, an attorney and Stanton Fellow at the nonprofit Electronic Frontier Foundation.

“They want to avoid liability by saying ‘You should be suing the governments who did this to you,’” Rathi said. At the same time, NSO is trying “to claim immunity by saying ‘We are agents of these governments,’” he said.

From WhatsApp’s perspective, the attempts to hack its messaging platform look like they came from NSO technology without revealing who might be behind them, according to the company.

“We firmly believe that NSO’s operations violate US law,” WhatsApp spokesman Carl Woog said. “We remain determined to hold NSO accountable for the violations we’ve explained in our complaint.”

Apple didn’t respond to a request for comment.

The U.S. Commerce Department blacklisted NSO in November over spyware concerns. NSO is said to be considering shutting its Pegasus spyware unit or selling the company, Bloomberg News has reported.

Legislative Rewrite Pending

The Apple and WhatsApp suits against NSO allege violations of the Computer Fraud and Abuse Act, a federal anti-hacking law. A bill proposed in Congress known as the Homeland and Cyber Threat (HACT) Act would insert language similar to the computer fraud law into the foreign immunity law.

Lawmakers reintroduced the HACT Act in March 2021 after an earlier version of the legislation stalled without action in the House. It’s sitting before the House Judiciary Committee.

The bill (H.R. 1607) would let Americans bring claims in federal or state courts against foreign states that conduct cyberattacks against the US.

US companies also would be allowed to bring suits under the proposal, removing the procedural roadblock to suing foreign governments, according to a spokesman for bill co-sponsor Rep. Jack Bergman (R-Mich.).

Congress previously amended the 1976 foreign immunity law in 1996 and 2016 to deny its legal shield to nations blamed for acts of international terrorism against the US. With cyberattacks, attributing blame to a national government can be challenging, Wuerth said.

“It’s often difficult to figure out who’s behind hacking,” she said. “If you trace it back to a foreign sovereign, then you have an immunity problem.”

To contact the reporter on this story: Andrea Vittorio in Washington at avittorio@bloombergindustry.com

To contact the editors responsible for this story: Tonia Moore at tmoore@bloombergindustry.com; Jay-Anne B. Casuga at jcasuga@bloomberglaw.com

Learn more about Bloomberg Law or Log In to keep reading:

See Breaking News in Context

Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.

Already a subscriber?

Log in to keep reading or access research tools and resources.