Facebook Can Pursue NSO Lawsuit, Appeals Court Rules

The bad news keeps coming for the Israeli surveillance specialist NSO Group, after an important US court ruling went against it.

The 9th US Circuit Court of Appeals in San Francisco on Monday rejected a claim by NSO that it was immune from being sued, because it had acted as a foreign government agent.

This ruling gives Facebook the permission to continue its malware lawsuit against the Israeli firm, which was also blacklisted last week by the US Commerce Department when it was placed on the US entity list.

US blacklist

Being placed on the Entity List, means that exports to the firm from US companies are now restricted.

The US took the decision because of the furore surrounding NSO’s Pegasus spyware.

In December 2020 a report by Citizen Lab at the University of Toronto alleged that dozens of Al Jazeera journalists had been hacked with the help of Pegasus, by exploiting a vulnerability in the iPhone operating system.

But things really kicked up a gear in July this year, when the Pegasus Project (a collaboration of more than 80 journalists and media organisations) alleged that NSO’s Pegasus had been used “to facilitate human rights violations around the world on a massive scale.”

It allegedly uncovered evidence that revealed that the phone numbers for 14 heads of state, including French President Emmanuel Macron, Pakistan’s Imran Khan and South Africa’s Cyril Ramaphosa, as well as 600 government officials and politicians from 34 countries, had appeared in a leaked database at the heart of the investigative project.

In September the investigative website Mediapart alleged that traces of Pegasus spyware had even been found on the mobile phones of at least five current French cabinet ministers, deepening the diplomatic fallout.

WhatsApp lawsuit

But before all that, Pegasus allegedly made its first appearance in May 2019, when WhatsApp urged all its users to update their software to fix a vulnerability that was being actively exploited to implant advanced surveillance tools on users’ devices.

In October 2019 Facebook and WhatsApp filed a lawsuit against NSO, alleging that NSO was behind the cyberattack in May 2019 that infected devices with advanced surveillance tools (Pegasus).

A further twist came in March 2020 when NSO failed to show up in the American court after efforts were made to serve legal papers against it.

A California court clerk entered a notice of default against the Israeli firm.

NSO responded and asked the US court to sanction Facebook for allegedly failing to abide by international law with regards to its lawsuit against the surveillance software maker.

NSO alleged it had not been served in accordance with international law known as the Hague Convention.

Appeals ruling

But now NSO’s legal headaches have increased further, after the US appeals court ruling, which means that Facebook can pursue its malware lawsuit against the firm, Reuters reported.

In a 3-0 decision on Monday, the Court of Appeals in San Francisco rejected privately owned NSO’s claim it was immune from being sued because it had acted as a foreign government agent, Reuters reported.

NSO for its part, has always maintained that it sells its Pegasus software to governments and agencies for the purpose of tracking down terrorists and other criminals.

NSO was reportedly appealing a trial judge’s July 2020 refusal to award it “conduct-based immunity,” a common law doctrine protecting foreign officials acting in their official capacity.

Upholding that ruling, Circuit Judge Danielle Forrest reportedly said it was an “easy case” because NSO’s mere licensing of Pegasus and offering technical support did not shield it from liability under federal law, which took precedence over common law.

“Whatever NSO’s government customers do with its technology and services does not render NSO an ‘agency or instrumentality of a foreign state,’” Forrest was quoted by Reuters as writing. “Thus, NSO is not entitled to the protection of foreign sovereign immunity.”

The case will return to US District Judge Phyllis Hamilton in Oakland, California.

Asked for comment on the decision, NSO was quoted by Reuters as saying in an email that its technology helps defend the public against serious crime and terrorism, and that it “stands undeterred in its mission.”

WhatsApp spokesman Joshua Breckman in an email reportedly called the decision “an important step in holding NSO accountable for its attacks against journalists, human rights defenders and government leaders.”