Israeli spyware vendor NSO Group was handed a major loss on Nov. 8, just days after being placed on a U.S. sanctions list, when a federal appeals court denied the company’s sovereign immunity claims—paving the way for the firm to face legal liability in the United States.
Facebook initially sued NSO Group in 2019 for allegedly hacking WhatsApp, sending malicious code to about 1,400 of its users for the purpose of surveilling their phones and devices. According to Facebook, the users included attorneys, journalists, human rights activists, and diplomats.
NSO moved to have the lawsuit dismissed on sovereign immunity grounds, arguing that its product was used by foreign governments. The case made its way up to the Court of Appeals for the 9th Circuit, which denied NSO’s motion in a Nov. 8 decision—ruling that U.S. sovereign immunity laws apply to foreign state entities, but not to individuals or private companies.
“An entity must be a sovereign or must have a sufficient relationship to a sovereign to claim sovereign-based immunity,” the 9th Circuit said. “Without such status or relationship, there is no justification for granting sovereign immunity.”
The 9th Circuit ruling means Facebook can move its lawsuit against NSO forward to the discovery stage, where potentially more damning information about the Israeli spyware firm may be revealed.
NSO has continued to deny any wrongdoing, although the company faced another round of negative publicity over the past week.
“[NSO Group] has enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent,” the department said in a statement. “Such practices threaten the rules-based international order.”
An NSO spokesperson said the company is “dismayed” by the decision, since its technologies “support U.S. national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”
NSO will present information regarding its “rigorous” compliance and human rights programs, “which already resulted in multiple terminations of contacts with government agencies that misused our products,” the spokesperson said.
Observers don’t think the latest U.S. actions are necessarily a death knell for NSO, which also faces investigations in Israel, France, Hungary, and elsewhere. While damaging to its reputation, the U.S. sanctions don’t preclude NSO Group from doing business in the United States—rather, they require U.S. companies to receive approval before selling products or services to NSO.
However, the sanctions coupled with the litigation coming down the pipeline likely spell the end of NSO’s hope to go public, according to Yale Law School professor Scott Shapiro.
“The campaign to remove the sanctions against NSO and a second company, Candiru, will seek to persuade the Biden administration that their activities remain of great importance to the national security of both countries, the officials said,” the NY Times reported.
“They also said that Israel would be willing to commit to much tighter supervision on licensing the software.”
