back to article NSO fails once again to claim foreign sovereign immunity in WhatsApp spying lawsuit

Spyware maker NSO Group cannot use its government clients to shield itself from litigation, a US appeals court ruled on Monday, a decision that allows WhatsApp's lawsuit against the Israel-based firm to resume. In 2019, Facebook and its WhatsApp subsidiary sued NSO claiming the firm's intrusion software, known as Pegasus, was …

  1. ShadowSystems

    "It's not our fault, honest Guv!

    We only built that nuclear bomb, we didn't deploy it, so we shouldn't be accountable for the actions of the people that did."

    "Oh, and we only sell nuclear bombs to legit third parties that pinky swear not to hurt anyone with them, so you can just let us go with a warning, right?"

    Replace "nuclear bomb" with a "brick of firecrackers" & it starts sounding like the whinging of most adolescents caught after trying to blow up the neighbor's cat.

    Take them out behind the barn, bend them over a hay bale, & take a stout stick to their behinds until you've run out of trees to turn into spanking switches.

    1. Clausewitz 4.0
      Devil

      Re: "It's not our fault, honest Guv!

      So you don't like arms. Remember they are used to protect your country.

      1. Jim Mitchell

        Re: "It's not our fault, honest Guv!

        Countries only protect their own arms manufacturers and dealers. NSO isn't ours.

      2. Anonymous Coward
        Anonymous Coward

        Re: "It's not our fault, honest Guv!

        Found the American.

        1. Totally not a Cylon

          Re: "It's not our fault, honest Guv!

          “It is the Soldier, not the minister

          Who has given us freedom of religion.

          It is the Soldier, not the reporter

          Who has given us freedom of the press.

          It is the Soldier, not the poet

          Who has given us freedom of speech.

          It is the Soldier, not the campus organizer

          Who has given us freedom to protest.

          It is the Soldier, not the lawyer

          Who has given us the right to a fair trial.

          It is the Soldier, not the politician

          Who has given us the right to vote.

          It is the Soldier who salutes the flag,

          Who serves beneath the flag,

          And whose coffin is draped by the flag,

          Who allows the protester to burn the flag.”

          ― Charles M Province

          1. Wellyboot Silver badge

            Re: "It's not our fault, honest Guv!

            The cost of freedom need only be tolerance - occasionally it's in the blood of soldiers.

          2. Anonymous Coward
            Anonymous Coward

            Re: "It is the Soldier..."

            This might indeed be an arguable case, at least to a degree, in what we might regard as a properly functioning state with a well-behaved military, and that has suffered from military threats from enemies opposed to those things you note that "the soldier" might protect people from. In western Europe, for example, memories of WWII or the cold war make the case - on the face of it - seem plausible enough.

            However I am not sure it would be so easy to advance the argument in a number of countries around the world, such as, to give a mere three examples of differing degree, Sudan, or Egypt, or North Korea.

          3. rob123456

            Re: "It's not our fault, honest Guv!

            That ditty is a slur against those journalists who risk physical harm and/or the ire of the rich and powerful,

            for doing their job.

          4. Potemkine! Silver badge

            Re: "It's not our fault, honest Guv!

            What a load of BS.

    2. Anonymous Coward
      Anonymous Coward

      Re: "It's not our fault, honest Guv!

      Replace "nuclear bomb" with a "brick of firecrackers" & it starts sounding like the whinging of most adolescents caught after trying to blow up the neighbor's cat.

      And what's the problem with that?

      Anon 'cos so many people have a sense of humour failure when it comes to the fluffy murderous little multiple rapists.

      For extra tastelessness: https://www.mostfungames.com/cat-a-pult.htm

  2. James12345

    What's the best end result Meta can aim for?

    Assuming Meta win the case, what can they hope for in the ruling? NSO are not a US firm, and could presumably just shut up shop in the US, but carry on operating outside the US.

    Is the main aim to prevent other US firms from dealing with NSO, so NSO won't be able to use any cloud or hosting firms? Aren't the US sanctions on NSO already the equivalent to this? Can a civil dispute between two firms affect other businesses?

    Or is this just a way for Meta to say it's not our fault that a flaw in our system let some third party attack you, so don't blame us, we're not the bad guys here?

    1. Chris G

      Re: What's the best end result Meta can aim for?

      I think the Whatsapp case is just highlighting NSO's business approach as an amoral company that will sell its software to anyone.

      Including nations and organisations the US does not necessarily approve of, that's why the sanctions.

      NSO's alleged contractual obligations are hardly likely to be enforceable by a relatively small company against foreign government agencies.

      1. James12345

        Re: What's the best end result Meta can aim for?

        So it's basically vexatious litigation, and should be thrown out of court?

        1. Clausewitz 4.0
          Devil

          Re: What's the best end result Meta can aim for?

          No litigation at all, just a show.

          Again, almost all Federal agencies over the world use that tools from NSO, USA included, and Intel community share quite a lot information between themselves.

          Also, they didn't SANCTIONED the company. They only said normal folks cannot buy from NSO.

          All Federal agencies CAN STILL buy from NSO - they just need one more stamp on a paper. No big deal.

          And that's why having security experts in your own ranks like CIA/NSA/Military does, is better than hiring an expensive third-party firm. And secrets are more well-kept and private.

    2. Jonathan Richards 1 Silver badge

      Re: What's the best end result Meta can aim for?

      > what can they hope for in the ruling?

      The legal process isn't like a bran tub where you pay for a ticket and dip for a prize. The original complaint must state the relief sought from the court. As nearly as I can tell "WhatsApp sought an injunction restraining NSO from accessing WhatsApp’s servers, violating WhatsApp’s terms, and impairing WhatsApp’s service. WhatsApp also sought compensatory, statutory, and punitive damages."

      Source: Case: 20-16408, 12/16/2020, ID: 11930616, DktEntry: 32 [eff.org PDF]

      1. Clausewitz 4.0
        Devil

        Re: What's the best end result Meta can aim for?

        Indeed. From here: Because the State Department had not issued NSO “a suggestion of immunity,”... (page 21 / 11)

        Basically, NSO screwed itself up while redacting the contracts.

        In Law, you cannot assume. Need to put it in ink and signed, specially if you want to be immune to prosecution, and it is your wish to continue to sell to trigger-happy clients.

  3. Doctor Syntax Silver badge

    If the foreign government argument stuck wouldn't that just be a basis for espionage cases?

    1. eldakka

      > If the foreign government argument stuck wouldn't that just be a basis for espionage cases?

      IANAL, but I think 'espionage' as I think you are saying only applies to state secrets. E.g. Government agencies, military, defence industries. Is hacking a civilian social media company considered 'espionage'?

  4. Paul Smith
    FAIL

    Much as I think NSO sucks...

    This case sucks more.

    If I make hammers, and you used a hammer for nefarious purposes, how is that my problem?

    If Meta win the case, then what? And if they lose? So what?

    The only people who benefit from this are lawyers.

    1. eldakka

      Re: Much as I think NSO sucks...

      > If I make hammers, and you used a hammer for nefarious purposes, how is that my problem?

      If you build an IED and sell it to a terrorist organisation, how do you think you'd be treated under the law?

      Pegasus is a specific-purpose software, architected, designed, implemented and sold specifically as a surreptitious spyware/hacking tool. It is in no way, shape or form comparable to a hammer, or even general purpose dual-use network analysis/security tools like nmap etc. It's only reason for existing is to hack others.

      1. Clausewitz 4.0
        Devil

        Re: Much as I think NSO sucks...

        QUOTE: "If you build an IED and sell it to a terrorist organisation, how do you think you'd be treated under the law?"

        Replace with:

        If you build a Missile and sell it to a government, and even showed it at a fair, how do you think you'd be treated under the law?"

        That's the trick

      2. Anonymous Coward
        Anonymous Coward

        Re: Much as I think NSO sucks...

        "it's in our T&C's that the IED is for novelty purposes only and may not contractually be used to cause damage. Gib me sovrun immunity!"

  5. ChrisHS

    If I make hammers

    But the hammer is actually a specially crafted remote controlled bomb.

    The target accepted it as they needed a hammer & though that's what was given.

    You knowingly sold it to be misused (bang) rather than used (tapa-tap-tap) & couldn't care less.

  6. Clausewitz 4.0
    Devil

    Not just the hammer problem

    Seems like they reverse-engineered the NAIL (WhatsApp) to be able to produce the HAMMER (Pegasus), while accepting a clause from the NAILS PRODUCER (WhatsApp owner) saying you could not Reverse Engineer their NAILS.

  7. Pseu Donyme

    re: soverign immunity

    Surely this also means that the contractual arrangements to limit their government customers' use of the product are unenforceable.

    1. eldakka

      Re: re: soverign immunity

      > Surely this also means that the contractual arrangements to limit their government customers' use of the product are unenforceable.

      That's a good point. Effectively, the only remedy NSO has to a customer nation-state breaching their contract is to terminate the software license. They have no other recourse, such as monetary damages or restraining orders, if the nation-state chooses to invoke sovereign immunity.

      However, if NSO has the ability to 'reach out' and actively disable the software in use by such a nation-state, wouldn't that imply they have greater control, and thus visibility of, the use nation-states put their software to than they claim?

      The only way I could see NSO having a 'physical' ability to prevent a nation-state from using their software on license revocation would be some sort of rolling key with limited (e.g. 30-day) lifetimes, so that the user would have to receive a new key on a regular basis to keep the software activated, such that NSO would just cease sending the new keys.

      But while a nation-state could invoke sovereign immunity, that would have knock-on consequences in respect to their credibility. Other corporations, and countries, would be more hesitant to enter into agreements with a nation that has a history of invoking sovereign immunity to protect itself from it's own contractual breaches.

      1. Clausewitz 4.0
        Devil

        Re: re: soverign immunity

        QUOTE: "would be some sort of rolling key with limited"

        Would you (NSO) give your bread and butter to any nation-state full of savvy hackers/crackers/psychos to decompile / reverse engineer your product?

        Most likely, they just rent their servers in a newly-setup cloud infrastructure.

        The proof is they recently added country code +44 in their blacklist, so the tool cannot proceed with atacks in UK, measure done after some diplomatic SNAFU, I believe.

        Nation-states sometimes goes to great lengths to obtain technologies deemed vital for national security.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like