The terrorist, we discover, was using WhatsApp to communicate, and an “elite surveillance team” was keeping track. But… “Then, all of a sudden, the suspect’s phone went dark. WhatsApp sent him, along with around 1,400 other users, a warning that his messages were being monitored. So he ditched the phone, denying investigators their main source of intelligence. As one European official put it, ‘WhatsApp killed the operation.’”
Which is all very entertaining but WhatsApp sees things differently: it is sick of NSO Group developing software that exploits security vulnerabilities in its chat application to compromise people's phones, and then selling that software to authoritarian regimes to remotely hijack and snoop on devices.
For every elite surveillance team tracking down a terrorist, there are a dozen bureaucrats reading the private messages of human-rights lawyers, journalists, and activists – not to mention recording their phone calls, activating their camera and microphone, and pinging their real-time location, using NSO's exploits and remote-control tech. WhatsApp wants it to stop.
So, this time last year, the Facebook-owned company sued, accusing NSO of illegally hacking smartphones.
And the two have been at each other’s throats ever since. In April this year, NSO let it be known that Facebook had itself tried to license NSO’s spyware to track its own users. When NSO failed to turn up in court in the US state, Facebook claimed victory; and NSO accused it of lying and having failed to serve the legal documents.
Immunity
Since then, the bulk of the legal arguments has been around NSO claiming that Facebook simply can’t sue it: first, because it doesn’t use the software, its clients do; second, that it has legal immunity because it sells to governments; and third, because it doesn’t have an office in California anyway. Facebook, of course, does not agree. The bulk of those claims were thrown out in July when District Judge Phyllis Hamilton decided NSO is not entitled to immunity as a foreign official, and can't claim immunity derived from its government customers, either.
The Ninth Circuit revisits the legal immunity question. NSO claims it does in fact have immunity and, Hollywood script aside, makes some notable allusions to US intelligence operations. NSO lives in a murky, powerful world, and appears to be signalling that it may be in everyone’s best interests if it is left to be, rather than be dragged through America's legal system.
“Foreign states, in Western Europe and throughout the world, frequently use technology like NSO’s to investigate criminals who use WhatsApp to plan acts of terrorism, child exploitation, bank robbery, weapons trafficking, and other serious crimes,” the filing noted. “WhatsApp does not like that. It takes steps to frustrate such investigations, both by warning the targets of investigations and by refusing to cooperate with authorities in the aftermath of attacks.”
Foreign agent
It then repeats its previous argument: “Foreign states, not NSO, operate the technology and choose how and when to use it. NSO provides limited support, entirely at the direction of its foreign-state customers. And NSO’s home state, Israel, oversees and regulates every aspect of NSO’s business.”
It goes on: “By suing NSO for its conduct as an agent of foreign states, WhatsApp is asking US courts to meddle in the sovereign affairs of those states. This court should reject that request.” And then it notes that if the US legal system comes down on NSO, it could easily backfire on Americans abroad. Questioning Judge Hamilton’s decision, it argues: “First, the court held that no foreign official or agent can receive conduct-based immunity unless a foreign state would have to pay a judgment against the official. That limitation conflicts with the common law, the governing cases, and the US State Department’s approach to conduct-based immunity. It also undermines foreign state immunity and exposes US officials to retributive lawsuits abroad.”
Likewise American use of companies to spy on others abroad: “The court held that NSO, as a foreign corporation, could not receive what the court believed to be a distinct form of immunity called ‘derivative sovereign immunity.’ But derivative sovereign immunity is not distinct from conduct-based immunity, and it is not limited to American companies.” “To hold otherwise, as the district court did, violates the principles underlying conduct-based immunity and threatens the United States’ own reliance on private contractors for intelligence and military operations.”
There then follows another 60 pages of legal argument in which the same point is hammered home with sometimes tangential references to case law, though the message is the same – and it is not really aimed at WhatsApp but instead at all those with influence within the US government, administration, and legal system. It can be summed up in one question: Are you sure you want to open this can of worms?
The racy spy story at the start is just to get people’s attention. And it worked, because we wrote this story and you’ve just read it. ®