back to article Spyware maker NSO can't claim immunity, Facebook lawyers insist – it's time to face the music

Attorneys for Facebook and its WhatsApp subsidiary have challenged a plea from spyware maker NSO Group to dismiss the high-level hacking case the two are fighting out, arguing it has immunity from prosecution. Facebook sued the Israel-based NSO Group and its affiliate Q Cyber Technologies last October in the US, alleging the …

  1. Anonymous Coward
    Anonymous Coward

    Sorry?

    An Israeli Spyware company claims it's immune because it was officially working for the Saudi government ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Sorry?

      Even if the courts bought that argument, NSO would have to show, or at least affirm, specifics to the court.

  2. Chris G Silver badge

    It's a pity

    These two can't collide and annihilate each other, a bit like anti-matter and matter, or in this case anti-matter and doesn't-matter.

  3. Doctor Syntax Silver badge

    Sometimes you come across cases where you want both sides to lose.

    1. DCFusor

      Indeed. One is reminded of Gilbert and Sullivan's line; "I've got a little list, of those who won't be missed".

      I wish it was a shorter list.

  4. HildyJ Silver badge
    Pirate

    Slime vs. Scum

    I gotta go with Zuck on this one. NSO profits by enabling evil.

    1. Androgynous Cow Herd

      Re: Slime vs. Scum

      So does Zuck.

    2. TeeCee Gold badge
      Meh

      Re: Slime vs. Scum

      The enemy of your enemy is your enemy's enemy and no more than that to you.

      Remember that, you're far less likely to be stabbed in the back.

  5. Jamie Jones Silver badge
    Facepalm

    Bollocks Bingo

    "Our products are used to stop terrorism, curb violent crime, and save lives."

    He forgot to mention catching pædophiles...

    1. the Jim bloke Silver badge
      Big Brother

      Re: Bollocks Bingo

      two out of three..

      Terrorism - whatever the government du jour defines.

      Violent crime - again, the right to use violence is restricted to the state, so non-state endorsed violence is criminal.

      Save lives - meh, maybe not.

      1. Yet Another Anonymous coward Silver badge

        Re: Bollocks Bingo

        >Save lives -

        Except for journalists

  6. redpawn Silver badge

    Anything outside the US

    is fair game. Nothing but tareists out there. We need Israel though, because Armageddon.

    1. FlippingGerman

      Re: Anything outside the US

      Ah yes, the never-ending battle between tareists and people-who-mentally-subtract-the-initial-weight-ists.

      1. Zippy´s Sausage Factory
        Coat

        Re: Anything outside the US

        The latter really do have a problem with going over fragile bridges, though, I'll allow them that.

  7. Anonymous Coward
    Anonymous Coward

    Pot? Meet Kettle...

    Isn't sucking the life out of its users FaceBook's whole reason to exist? Without their knowing more about their subjects.... sorry users... than they do themselves how else can they provide the right sort of adverts to those subjects?

    I hope that Zuck and Co loses big time and that he's personally bankrupted by this and all the other cases they have been flung at them.

    Mind you... Google is just as bad. The world would be a better place if they did not exist.

    1. daflibble

      Re: Pot? Meet Kettle...

      Can we not hope they both financially cripple each other to the point of disappearing

      1. Stratman

        Re: Pot? Meet Kettle...

        Can we not hope they both financially cripple each other to the point of disappearing

        My initial reaction was to agree, but further reflection tells me all the money would end up in lawyers' pockets. That's bad.

  8. General Purpose Bronze badge

    "NSO Group has argued it is immune because it only sells to governments"

    That seems a risky argument. If the court accepted the principle, wouldn't NSO then have to open its order book to prove the fact?

    1. Yet Another Anonymous coward Silver badge

      Re: "NSO Group has argued it is immune because it only sells to governments"

      Obviously not, since it only sells to governments it's immune from such requirements

  9. adnim

    end user

    is responsible.

    Stanley sell carpet knives.... Should they be prosecuted for every poor sod slashed?

    I only need a Linux command line to hack. Maybe Linus should be prosecuted.

    1. IGotOut Silver badge

      Re: end user

      If you sell alcohol to an intoxicated person in a pub, it's an offence.

      If you sell items to a person knowing they are going to be used to commit a crime it is an offence.

      1. adnim

        Re: end user

        Most people in a pub are intoxicated before they leave... The publican thinks I can sell more beer to this ass before he/she becomes a problem. Same in every industry... How old are you?

      2. adnim

        Re: end user

        is u someone that expects to be looked after? Or are YOU responsible for your actions?

      3. LucreLout

        Re: end user

        Ok, for the record I hope both firms and their legal advisors lose in some sort of Deus Ex Machina event, however.....

        If you sell alcohol to an intoxicated person in a pub, it's an offence.

        It may very well be an offence, but it is one that is practically never enforced - see any town center on any normal Friday night for details.

        If you sell items to a person knowing they are going to be used to commit a crime it is an offence.

        IF, and it is a big if, the company only sold to sovereigns then those countries could pass legislation allowing the use of their new toy, thereby making it legal.

        There's many reasons why I believe these companies are doing wrong, but they're not the reasons you give.

    2. doublelayer Silver badge

      Re: end user

      I sell nuclear weapons, aisle one. Assorted nerve gases are in aisle 2. Instructions on using them against others can be found in the racks near the register. Should I be blamed for everyone poisoned or converted into protoplasm?

      Knives have peaceful uses. Nukes don't. Spyware doesn't. Also, knives are legal. Nukes and spyware are not.

      1. adnim

        Re: end user

        They all harmless until used. sleep well in ignorance

        1. a pressbutton

          Re: end user

          Nah.

          I have knives in the kitchen.

          I do not have a nuke in the breadbin or nerve gas in the fridge. These things are not harmless until used.

          Much like my partner's pickled cabbage that popped open, stank out the larder and left a nasty residue that I swear glows just a bit.

        2. Anonymous Coward
          Anonymous Coward

          Re: end user

          Nuke is far from harmless even when it just sits on the floor. What ignorant fool claims that?

          Those things radiate significant amounts.

      2. LucreLout

        Re: end user

        Knives have peaceful uses. Nukes don't. Spyware doesn't. Also, knives are legal. Nukes and spyware are not.

        While I agree with your sentiments your reasoning is wrong.

        We bought nukes from America perfectly legally and have never used them in anger. What they do is ensure that we can't be invaded unless we choose to be, thereby reducing the chances of an invasion and increasing the peace.

        Spyware is legal - the intelligence agencies purchase it by the bucket load for their own use and simply award themselves exceptions in the law.

        Just because its illegal for YOU to own and use nukes or spyware doesn't make their ownership by states illegal, which must allow their controlled production somewhere in the world.

        1. doublelayer Silver badge

          Re: end user

          It is legal for militaries to own those things. It is not legal for companies or individuals to own such things. NSO is not a government or military organization. Its clients have included individuals. Your technicality does not change the situation at all.

          1. LucreLout

            Re: end user

            It is legal for militaries to own those things. It is not legal for companies or individuals to own such things. NSO is not a government or military organization. Its clients have included individuals. Your technicality does not change the situation at all.

            Technicality? FFS.

            Ok, for the slower among us, lets take it one step at a time.

            It is legal for militaries to own those things.

            Right, so you accept governmental ownership. Lets start there.

            For malware, backdoors, zero days, and many many other surveillance software to exist, such that the government can obtain it, someone somewhere must be allowed to create it.

            Public sector IT skills are, how can I put this politely, somewhat lacking. There's no use a state trying to craft all of its own means of compromising a system or device, they're going to have to buy it in from vendors. NSO is one of the vendors.

            Lets vary this a bit and look at conventional arms. Which government or governmental organisation is it you think makes tanks? I'll give you an example, the Challenger 2. Its made by a private company, under licence from the state.

            While it is legal for you to buy your own decommissioned tank in the UK, good luck testing the armour yourself. Yet that is what Vickers must do with every design or prototype.

            The rules for commercial grade weapons and security tooling that apply to you as a person do not apply to every company. That you think they do or think they should is simply not relevant.

            NSO is not a government or military organization. Its clients have included individuals.

            Your original post makes no mention of NSO, only knives, nukes, and exploits/malware.

            1. doublelayer Silver badge

              Re: end user

              Well, this needs some analysis. We'll start with the easy part:

              "Your original post makes no mention of NSO, only knives, nukes, and exploits/malware."

              Well spotted. I was referring to spyware. The article referred to spyware too, wouldn't you know. And the group making it was NSO. The original comment in this thread was making an analogy about holding NSO responsible. My reply was making a counter-analogy to that. I figured that link was obvious, but evidently not. For clarity, the rest of this comment will be discussing NSO and the legality of its spyware.

              Now, let's talk about tanks. Lots of considerations. The first one is easy: making a tank causes no damage to anybody. Operating it might, but creating one is not much different from manufacturing some other type of vehicle. Malware creation often involves finding vulnerabilities in a system through penetration, which happens to be illegal. So manufacturing a tank has no intrinsic criminal elements but manufacturing malware does. For the analogy, manufacturing nukes or nerve gases may not in themselves be dangerous activities, but they would be contrary to various laws in most nations, including, for the nerve gases, the Geneva protocols.

              Now, when tanks are made for militaries, they are made at the specific request of the military, under a contract. Sometimes it's a contract from an international military and the laws permit this. This means the production of the tank can be attached for determining responsibility to the manufacturer and the military that is on the other side of the contract. If the manufacturer does something illegal that the military has the right to allow them to do, the military can essentially make that legal. NSO did not create their products under contract, and they can claim no such immunity.

              Certain countries may modify the laws allowing them to create and use malware. That does not make it legal in the way you're arguing. If Israel wrote a law allowing their government to create malware, which they have done, it doesn't give NSO the permission to do so unilaterally--only places controlled by or under contract to certain parts of the Israeli government have the special permission. If Israel's government did allow NSO to make the malware under that special legislation, which they don't appear to have done, it wouldn't make it legal for them to sell it to other governments or individuals. And if Israel's laws allowed NSO to do anything they wanted including break into systems to create malware for any purpose, which is not at all the case, it would not stop those actions from being illegal in other countries such as the U.S., which they are. If I start my own country, and my laws say that I can hack into your bank account and steal all the contents, I can still be arrested should I ever leave my country, because bank theft isn't legal where you are.

      3. EnviableOne Silver badge

        Re: end user

        been to a nuclear power station recently ....

        1. doublelayer Silver badge

          Re: end user

          Nuclear power ≠ nuclear weapons. No, really. You can't just pick up a power station and use it as a bomb if you like. There is a very good reason that possession of things like enriched uranium or plutonium are tightly controlled and monitored--they aren't needed for generating power but are needed for making weapons.

  10. Inventor of the Marmite Laser

    To misquote a Mad Magazine feature:

    Spyware vs. Spyware

  11. The_Idiot

    On a side note...

    "... contractors working with the US government qualify for immunity. But US law doesn't recognize such immunity for those working with foreign governments."

    Ah. The 'that's different' legal position. Got it.

  12. Pascal Monett Silver badge

    Missing something here

    I can find nothing about the NSO Group having US offices. So, when Facebook filed a lawsuit, it was filing against a company in a foreign country.

    Despite the US Government's best (and continued) attempts, US law does not apply internationally, so how can a US court claim jurisdiction on this ?

    And why does NSO Group care ? It's not like it is going to open offices in the US, so they cannot be made to pay any fine that the trial might impose on them.

    Is there a special case here, or can anyone in any country file against a foreign company now ?

    Because I seem to recall that, when the LHC was going to be fired up for the first time, somebody in the US filed a complaint that it might create a black hole that would swallow the Earth and the judge in charge said, among other things, that he didn't have jurisdiction over Switzerland.

    So why here ?

    1. diodesign (Written by Reg staff) Silver badge

      "I can find nothing about the NSO Group having US offices"

      NSO has a US presence, just about - it is a bit flimsy. From the original complaint, according to Facebook:

      "NSO Group had a marketing and sales arm in the United States called WestBridge Technologies, Inc. "

      Also:

      "Between 2014 and February 2019, NSO Group obtained financing from a San Francisco–based private equity firm, which ultimately purchased a controlling stake in NSO Group."

      Then there was some rearranging of ownership.

      C.

      1. Pascal Monett Silver badge

        Re: "I can find nothing about the NSO Group having US offices"

        Thank you for that information. Curiously, NSO Group's website makes no mention of office locations, contrary to just about every other commercial website I have even seen. I even googled "NSO Group locations", but that gave me either their own website (which is useless for that), or links to things that only mentioned that it is an Israeli company.

        Now I understand that the lawsuit has jurisdiction. Thanks again.

    2. Alan Brown Silver badge

      Re: Missing something here

      "Despite the US Government's best (and continued) attempts, US law does not apply internationally,"

      "long arm statutes" have been ruled as applying anywhere.

      IE: if you "do business with" an entity (corporate or individual) in a US state, then you fall under the laws of that state and the USA for the purposes of that business.

      It's the same in most parts of the world.

    3. doublelayer Silver badge

      Re: Missing something here

      This argument has been made frequently and it's always wrong. The U.S. presence has been proven, but the fact remains that it would be legal to launch a court case against them even if they didn't have a U.S. presence. I wrote a comment about this last time there was a step in this case, so I've taken the liberty of copying that comment below. It remains accurate.

      Not really true [the argument that NSO can't be charged in the U.S.]. There are two places laws can be applied:

      1. In the nation of the perpetrator.

      2. In the nation where the crime took place.

      If I am an Australian citizen, but I go to India and commit a crime then leave for Australia, I can be sent back to India to face my charges. The same applies if I am in Australia and use a network to commit a crime in India. So if it can be proven that improper access was obtained to computers in the U.S., then the U.S. courts have a claim to jurisdiction about that crime. Now, there are other provisos about that. For criminal matters, you get into the area of extradition, but this is a civil matter. So, if NSO is found guilty, they can manage not to pay the bill. However, if they don't pay, they may be restricted against operating or storing money in the U.S. as the U.S. can then be required to confiscate the money to pay the judgement.

      This rule applies in any country pair. If an American company violates a law in another country, let's use GDPR as an example, they can be sued in the courts where the violation took place. It does not matter if they have a local subsidiary. It does not matter if they have anything physical in that country. It does not matter if any of their employees has ever set foot in that country. If they violated the law there, they can be sued there. The same logic applies to this case.

      1. Aleph0

        Re: Missing something here

        But if it's true that NSO's spyware can't be used within the US or against US-registered numbers (as they write in thair reply to El Reg) that leaves only the country of the perpetrator, doesn't it?

        Sorry but I fail to see the legal basis for suing in the US. If this passes, the family of everyone that's been killed by US-made weapons sold to foreign governments would have standing to sue the weapon manufacturer in the US...

        1. doublelayer Silver badge

          Re: Missing something here

          If it's true that the malware can't be used against any U.S. number or any other device in the U.S., then they can't be guilty and would inevitably win the court case. However, you have to take into account several parts of your comment that aren't necessarily the case. I'm going to chop it into its components and go over each one:

          "But if it's true that [it can't be used against anything in the U.S.]": This is supposition, and Facebook is alleging that it can and it was. If they have at least a little bit of evidence, this supposition would be destroyed.

          "NSO's spyware can't be used within the US or against US-registered numbers (as they write in thair reply to El Reg)": Watch out for misleading language. It's possible that they check for U.S. numbers in their malware and block them. It doesn't make sense to me that they would, but let's assume they do. They could still attack a U.S.-owned server, which has no number, a phone with an international number that is operated inside the U.S., which would not have a U.S. number but would still be under the jurisdiction of American law, or network traffic going into or out of the U.S., which wouldn't be attached to a number. Any of those would continue to be illegal under American law.

          "that leaves only the country of the perpetrator, doesn't it?": No, it doesn't. If a crime took place, and NSO played a part, then they can be charged in either location. The victims concerned come from various countries, but both a company and an individual in the U.S. have claimed to be victims. Either a crime took place, in which case the country of the victims, in this case the U.S. has some jurisdiction, or no crime took place, in which case the case cannot occur anywhere. NSO can decide to ignore the court case, claiming they can't be sued there, but their ability to do that doesn't make it illegal to sue them there.

          "If this passes, the family of everyone that's been killed by US-made weapons sold to foreign governments would have standing to sue the weapon manufacturer in the US...": This is arguable, but it probably would not. The claims here differ from the claims that could be made against a weapons manufacturer, as follows:

          Facebook alleges that NSO penetrated their systems in order to create a tool. The manufacture of weapons does not in itself involve committing a crime, depending on what weapons we're talking about.

          It is alleged that NSO knowingly supplied their malware to people who would use it unlawfully (and basically there's no other way). If a weapons manufacturer knowingly sold weapons to a group on an international terrorist list or to someone who informed them they were going to use it for illegal purposes, then they definitely could be legally sued for that. Sadly, there are various organizations that should be on those lists but are not, leaving loopholes that weapons manufacturers are eager to exploit. However, selling weapons to international militaries is not considered illegal, even if their use later by those militaries is.

          However, even though these legal situations are a little different, there are parallels here that are somewhat useful. There have been some court cases arguing that weapons manufacturers and other outfits (places like defense consulting), have knowingly assisted committing crimes, including war crimes. I am not an expert on any of these and cannot supply all the details, but these cases are probably mostly in one of a few legal grey areas. I would not be at all unhappy if this case sets a precedent that cases against crimes of that nature can go ahead with more frequency.

    4. EnviableOne Silver badge

      US law does not apply internationally

      CLOUD Act

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021