NSO Group’s efforts to shut down a lawsuit filed by Whatsapp has been dealt a legal blow after two judges seem unconvinced by dismissal push.
The court case over the Pegasus malware is continuing. You might recall that, back in 2019, WhatsApp (owned by Facebook) filed a lawsuit against NSO Group. NSO Group is known for creating malware and selling it to private companies and various government entities.
Generally speaking, Malware developers simply say that they are not responsible for the damage caused by the malware they create. Instead, the liability falls to their clients they sell to. It’s a pretty dodgy way to evade liability while still causing harm onto the world to say the least. The problem is, legally testing this theory has been problematic at best.
There’s a chance that this might actually change, however. This is thanks to the lawsuit filed by WhatsApp against NSO Group. At the center of it is the Pegasus malware designed to break WhatsApp security. The malware has been used to target journalists and activists in various countries around the world. Estimates suggest that as many as 100 human rights organizations and 1,400 journalists and activists were targeted by the malware. So, in a nutshell, if the allegations are proven in court, it’s pretty hard to win over public support.
NSO Group, for their part, are trying everything they can to dismiss the lawsuit. One of their arguments is that they fall under the doctrine of sovereign immunity. An angle of that is that, because they work for the government, they can’t be sued. It turns out, the problem is that the judges haven’t received direction from the government on that front. So, they are finding it difficult to take the organization at their word on that. From Politico:
During arguments on Monday before the 9th U.S. Circuit Court of Appeals, all three judges on the panel seemed to be leaning against granting NSO’s request to force dismissal of the suit over the firm’s Pegasus snooping software.
Two judges on the panel suggested it would be premature or mistaken for the courts to dismiss the case based on the doctrine of sovereign immunity without the U.S. government declaring that such action was needed to protect foreign countries relying on NSO’s software.
“I find the argument that your clients are making in this case remarkable,” Judge Danielle Hunsaker said.
“Shouldn’t we have some sort of a signal from the State Department, from the executive branch, about — to guide those considerations instead of just as a court sort of leaping out into a whole brand new area that from that perspective nobody’s ever gone … without any lead from the executive branch?” asked Hunsaker, who was appointed by President Donald Trump.
Judge Mary Murguia, an appointee of President Barack Obama, pressed NSO’s lawyer Jeffrey Bucholtz about whether the firm ever asked the State Department to weigh in against the suit. He didn’t say definitively whether the company did so, declaring that there was no such evidence in the record and that he was unaware of the firm doing so “in any formal way.”
It more or less sounds like the judges are asking the government to vouch for this claim. Basically, they are asking, “OK US government, are you with these guys?”
That alone potentially opens up a whole can of worms in and of itself. If the US government covers for this organization, they might very well salvage the situation, but they also flat out admit that they hired an organization to create malware in an effort to break into people’s computers. If that is the case, would that be considered classified information? Furthermore, it raises the question of whether or not the US government is breaking journalists and activists communication encryption for spying purposes which would be a bit of a scandal.
Given the risks that would involve, assuming they are involved at all, it might actually be a better course of action to let the company burn to the ground.
On the flip side, if the US government has no involvement with this company, then this question might ultimately sink the case for the company unless the organization finds some other Hail Mary shot to salvage the situation.
At any rate, it’s starting to sound like WhatsApp and Facebook might be well on the way to winning this case. If so, then it does send a message to malware vendors that, yes, there is legal liability for creating malware over top of the moral implications. It’s hard to argue that such a precedent is necessarily a bad thing.
Drew Wilson on Twitter: @icecube85 and Facebook.