Sorry?
An Israeli Spyware company claims it's immune because it was officially working for the Saudi government ?
Attorneys for Facebook and its WhatsApp subsidiary have challenged a plea from spyware maker NSO Group to dismiss the high-level hacking case the two are fighting out, arguing it has immunity from prosecution. Facebook sued the Israel-based NSO Group and its affiliate Q Cyber Technologies last October in the US, alleging the …
Isn't sucking the life out of its users FaceBook's whole reason to exist? Without their knowing more about their subjects.... sorry users... than they do themselves how else can they provide the right sort of adverts to those subjects?
I hope that Zuck and Co loses big time and that he's personally bankrupted by this and all the other cases they have been flung at them.
Mind you... Google is just as bad. The world would be a better place if they did not exist.
Ok, for the record I hope both firms and their legal advisors lose in some sort of Deus Ex Machina event, however.....
If you sell alcohol to an intoxicated person in a pub, it's an offence.
It may very well be an offence, but it is one that is practically never enforced - see any town center on any normal Friday night for details.
If you sell items to a person knowing they are going to be used to commit a crime it is an offence.
IF, and it is a big if, the company only sold to sovereigns then those countries could pass legislation allowing the use of their new toy, thereby making it legal.
There's many reasons why I believe these companies are doing wrong, but they're not the reasons you give.
I sell nuclear weapons, aisle one. Assorted nerve gases are in aisle 2. Instructions on using them against others can be found in the racks near the register. Should I be blamed for everyone poisoned or converted into protoplasm?
Knives have peaceful uses. Nukes don't. Spyware doesn't. Also, knives are legal. Nukes and spyware are not.
Knives have peaceful uses. Nukes don't. Spyware doesn't. Also, knives are legal. Nukes and spyware are not.
While I agree with your sentiments your reasoning is wrong.
We bought nukes from America perfectly legally and have never used them in anger. What they do is ensure that we can't be invaded unless we choose to be, thereby reducing the chances of an invasion and increasing the peace.
Spyware is legal - the intelligence agencies purchase it by the bucket load for their own use and simply award themselves exceptions in the law.
Just because its illegal for YOU to own and use nukes or spyware doesn't make their ownership by states illegal, which must allow their controlled production somewhere in the world.
It is legal for militaries to own those things. It is not legal for companies or individuals to own such things. NSO is not a government or military organization. Its clients have included individuals. Your technicality does not change the situation at all.
Technicality? FFS.
Ok, for the slower among us, lets take it one step at a time.
It is legal for militaries to own those things.
Right, so you accept governmental ownership. Lets start there.
For malware, backdoors, zero days, and many many other surveillance software to exist, such that the government can obtain it, someone somewhere must be allowed to create it.
Public sector IT skills are, how can I put this politely, somewhat lacking. There's no use a state trying to craft all of its own means of compromising a system or device, they're going to have to buy it in from vendors. NSO is one of the vendors.
Lets vary this a bit and look at conventional arms. Which government or governmental organisation is it you think makes tanks? I'll give you an example, the Challenger 2. Its made by a private company, under licence from the state.
While it is legal for you to buy your own decommissioned tank in the UK, good luck testing the armour yourself. Yet that is what Vickers must do with every design or prototype.
The rules for commercial grade weapons and security tooling that apply to you as a person do not apply to every company. That you think they do or think they should is simply not relevant.
NSO is not a government or military organization. Its clients have included individuals.
Your original post makes no mention of NSO, only knives, nukes, and exploits/malware.
Well, this needs some analysis. We'll start with the easy part:
"Your original post makes no mention of NSO, only knives, nukes, and exploits/malware."
Well spotted. I was referring to spyware. The article referred to spyware too, wouldn't you know. And the group making it was NSO. The original comment in this thread was making an analogy about holding NSO responsible. My reply was making a counter-analogy to that. I figured that link was obvious, but evidently not. For clarity, the rest of this comment will be discussing NSO and the legality of its spyware.
Now, let's talk about tanks. Lots of considerations. The first one is easy: making a tank causes no damage to anybody. Operating it might, but creating one is not much different from manufacturing some other type of vehicle. Malware creation often involves finding vulnerabilities in a system through penetration, which happens to be illegal. So manufacturing a tank has no intrinsic criminal elements but manufacturing malware does. For the analogy, manufacturing nukes or nerve gases may not in themselves be dangerous activities, but they would be contrary to various laws in most nations, including, for the nerve gases, the Geneva protocols.
Now, when tanks are made for militaries, they are made at the specific request of the military, under a contract. Sometimes it's a contract from an international military and the laws permit this. This means the production of the tank can be attached for determining responsibility to the manufacturer and the military that is on the other side of the contract. If the manufacturer does something illegal that the military has the right to allow them to do, the military can essentially make that legal. NSO did not create their products under contract, and they can claim no such immunity.
Certain countries may modify the laws allowing them to create and use malware. That does not make it legal in the way you're arguing. If Israel wrote a law allowing their government to create malware, which they have done, it doesn't give NSO the permission to do so unilaterally--only places controlled by or under contract to certain parts of the Israeli government have the special permission. If Israel's government did allow NSO to make the malware under that special legislation, which they don't appear to have done, it wouldn't make it legal for them to sell it to other governments or individuals. And if Israel's laws allowed NSO to do anything they wanted including break into systems to create malware for any purpose, which is not at all the case, it would not stop those actions from being illegal in other countries such as the U.S., which they are. If I start my own country, and my laws say that I can hack into your bank account and steal all the contents, I can still be arrested should I ever leave my country, because bank theft isn't legal where you are.
Nuclear power ≠ nuclear weapons. No, really. You can't just pick up a power station and use it as a bomb if you like. There is a very good reason that possession of things like enriched uranium or plutonium are tightly controlled and monitored--they aren't needed for generating power but are needed for making weapons.
I can find nothing about the NSO Group having US offices. So, when Facebook filed a lawsuit, it was filing against a company in a foreign country.
Despite the US Government's best (and continued) attempts, US law does not apply internationally, so how can a US court claim jurisdiction on this ?
And why does NSO Group care ? It's not like it is going to open offices in the US, so they cannot be made to pay any fine that the trial might impose on them.
Is there a special case here, or can anyone in any country file against a foreign company now ?
Because I seem to recall that, when the LHC was going to be fired up for the first time, somebody in the US filed a complaint that it might create a black hole that would swallow the Earth and the judge in charge said, among other things, that he didn't have jurisdiction over Switzerland.
So why here ?
NSO has a US presence, just about - it is a bit flimsy. From the original complaint, according to Facebook:
"NSO Group had a marketing and sales arm in the United States called WestBridge Technologies, Inc. "
Also:
"Between 2014 and February 2019, NSO Group obtained financing from a San Francisco–based private equity firm, which ultimately purchased a controlling stake in NSO Group."
Then there was some rearranging of ownership.
C.
Thank you for that information. Curiously, NSO Group's website makes no mention of office locations, contrary to just about every other commercial website I have even seen. I even googled "NSO Group locations", but that gave me either their own website (which is useless for that), or links to things that only mentioned that it is an Israeli company.
Now I understand that the lawsuit has jurisdiction. Thanks again.
"Despite the US Government's best (and continued) attempts, US law does not apply internationally,"
"long arm statutes" have been ruled as applying anywhere.
IE: if you "do business with" an entity (corporate or individual) in a US state, then you fall under the laws of that state and the USA for the purposes of that business.
It's the same in most parts of the world.
This argument has been made frequently and it's always wrong. The U.S. presence has been proven, but the fact remains that it would be legal to launch a court case against them even if they didn't have a U.S. presence. I wrote a comment about this last time there was a step in this case, so I've taken the liberty of copying that comment below. It remains accurate.
Not really true [the argument that NSO can't be charged in the U.S.]. There are two places laws can be applied:
1. In the nation of the perpetrator.
2. In the nation where the crime took place.
If I am an Australian citizen, but I go to India and commit a crime then leave for Australia, I can be sent back to India to face my charges. The same applies if I am in Australia and use a network to commit a crime in India. So if it can be proven that improper access was obtained to computers in the U.S., then the U.S. courts have a claim to jurisdiction about that crime. Now, there are other provisos about that. For criminal matters, you get into the area of extradition, but this is a civil matter. So, if NSO is found guilty, they can manage not to pay the bill. However, if they don't pay, they may be restricted against operating or storing money in the U.S. as the U.S. can then be required to confiscate the money to pay the judgement.
This rule applies in any country pair. If an American company violates a law in another country, let's use GDPR as an example, they can be sued in the courts where the violation took place. It does not matter if they have a local subsidiary. It does not matter if they have anything physical in that country. It does not matter if any of their employees has ever set foot in that country. If they violated the law there, they can be sued there. The same logic applies to this case.
But if it's true that NSO's spyware can't be used within the US or against US-registered numbers (as they write in thair reply to El Reg) that leaves only the country of the perpetrator, doesn't it?
Sorry but I fail to see the legal basis for suing in the US. If this passes, the family of everyone that's been killed by US-made weapons sold to foreign governments would have standing to sue the weapon manufacturer in the US...
If it's true that the malware can't be used against any U.S. number or any other device in the U.S., then they can't be guilty and would inevitably win the court case. However, you have to take into account several parts of your comment that aren't necessarily the case. I'm going to chop it into its components and go over each one:
"But if it's true that [it can't be used against anything in the U.S.]": This is supposition, and Facebook is alleging that it can and it was. If they have at least a little bit of evidence, this supposition would be destroyed.
"NSO's spyware can't be used within the US or against US-registered numbers (as they write in thair reply to El Reg)": Watch out for misleading language. It's possible that they check for U.S. numbers in their malware and block them. It doesn't make sense to me that they would, but let's assume they do. They could still attack a U.S.-owned server, which has no number, a phone with an international number that is operated inside the U.S., which would not have a U.S. number but would still be under the jurisdiction of American law, or network traffic going into or out of the U.S., which wouldn't be attached to a number. Any of those would continue to be illegal under American law.
"that leaves only the country of the perpetrator, doesn't it?": No, it doesn't. If a crime took place, and NSO played a part, then they can be charged in either location. The victims concerned come from various countries, but both a company and an individual in the U.S. have claimed to be victims. Either a crime took place, in which case the country of the victims, in this case the U.S. has some jurisdiction, or no crime took place, in which case the case cannot occur anywhere. NSO can decide to ignore the court case, claiming they can't be sued there, but their ability to do that doesn't make it illegal to sue them there.
"If this passes, the family of everyone that's been killed by US-made weapons sold to foreign governments would have standing to sue the weapon manufacturer in the US...": This is arguable, but it probably would not. The claims here differ from the claims that could be made against a weapons manufacturer, as follows:
Facebook alleges that NSO penetrated their systems in order to create a tool. The manufacture of weapons does not in itself involve committing a crime, depending on what weapons we're talking about.
It is alleged that NSO knowingly supplied their malware to people who would use it unlawfully (and basically there's no other way). If a weapons manufacturer knowingly sold weapons to a group on an international terrorist list or to someone who informed them they were going to use it for illegal purposes, then they definitely could be legally sued for that. Sadly, there are various organizations that should be on those lists but are not, leaving loopholes that weapons manufacturers are eager to exploit. However, selling weapons to international militaries is not considered illegal, even if their use later by those militaries is.
However, even though these legal situations are a little different, there are parallels here that are somewhat useful. There have been some court cases arguing that weapons manufacturers and other outfits (places like defense consulting), have knowingly assisted committing crimes, including war crimes. I am not an expert on any of these and cannot supply all the details, but these cases are probably mostly in one of a few legal grey areas. I would not be at all unhappy if this case sets a precedent that cases against crimes of that nature can go ahead with more frequency.