Israeli spyware vendor NSO Group was handed a major loss on Nov. 8, just days after being placed on a U.S. sanctions list, when a federal appeals court denied the company’s sovereign immunity claims—paving the way for the firm to face legal liability in the United States.
NSO Group faces legal and regulatory actions in numerous jurisdictions over what’s been dubbed the Pegasus scandal—where the company allegedly allowed authoritarian governments to use its Pegasus software to spy on journalists, human rights activists, and dissidents.
Developed by former members of the elite Israeli Unit 8200—comparable to the U.S. National Security Agency—the Pegasus software allegedly infects iPhones and Androids, enabling operators to extract messages, photos, and emails; record calls; and activate microphones in secret.
Facebook initially sued NSO Group in 2019 for allegedly hacking WhatsApp, sending malicious code to about 1,400 of its users for the purpose of surveilling their phones and devices. According to Facebook, the users included attorneys, journalists, human rights activists, and diplomats.
NSO moved to have the lawsuit dismissed on sovereign immunity grounds, arguing that its product was used by foreign governments. The case made its way up to the Court of Appeals for the 9th Circuit, which denied NSO’s motion in a Nov. 8 decision—ruling that U.S. sovereign immunity laws apply to foreign state entities, but not to individuals or private companies.
“An entity must be a sovereign or must have a sufficient relationship to a sovereign to claim sovereign-based immunity,” the 9th Circuit said. “Without such status or relationship, there is no justification for granting sovereign immunity.”
The 9th Circuit ruling means Facebook can move its lawsuit against NSO forward to the discovery stage, where potentially more damning information about the Israeli spyware firm may be revealed.
NSO has continued to deny any wrongdoing, although the company faced another round of negative publicity over the past week.
On Nov. 3, the Department of Commerce added NSO to its list of entities engaged in activities contrary to U.S. national security interests, citing many of the same allegations contained in media reports about the Pegasus scandal.
“[NSO Group] has enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent,” the department said in a statement. “Such practices threaten the rules-based international order.”
An NSO spokesperson said the company is “dismayed” by the decision, since its technologies “support U.S. national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”
NSO will present information regarding its “rigorous” compliance and human rights programs, “which already resulted in multiple terminations of contacts with government agencies that misused our products,” the spokesperson said.
Observers don’t think the latest U.S. actions are necessarily a death knell for NSO, which also faces investigations in Israel, France, Hungary, and elsewhere. While damaging to its reputation, the U.S. sanctions don’t preclude NSO Group from doing business in the United States—rather, they require U.S. companies to receive approval before selling products or services to NSO.
However, the sanctions coupled with the litigation coming down the pipeline likely spell the end of NSO’s hope to go public, according to Yale Law School professor Scott Shapiro.
“NSO was hoping to go public at a valuation of about $2 billion, and I would think this would be a big red flag for investors and kind of messes up the ability of the founders to exit,” Shapiro said on the Nov. 8 Cyberlaw Podcast.
Citing two unnamed senior Israeli officials, The New York Times reported on Nov. 8 that Israel’s government will lobby the Biden administration to remove NSO from its sanctions list.
“The campaign to remove the sanctions against NSO and a second company, Candiru, will seek to persuade the Biden administration that their activities remain of great importance to the national security of both countries, the officials said,” the NY Times reported.
“They also said that Israel would be willing to commit to much tighter supervision on licensing the software.”