Tech titans throw weight behind WhatsApp allegations in NSO surveillance lawsuit

Major firms are joining ranks against NSO.
Microsoft; cyber peace institute
(Getty Images)

Facebook’s lawsuit against Israeli software surveillance firm NSO Group just got a big boost from tech titans across the U.S.

Microsoft, alongside Google, Cisco, GitHub, LinkedIn, VMWare and the Internet Association, filed an amicus brief Monday to join the lawsuit, which alleges that NSO Group exploited a vulnerability in WhatsApp last year to spy on thousands of users, such as journalists, dissidents and human rights activists.

More filings from other companies and organizations are expected in the coming days. Access Now, Amnesty International, the Committee to Protect Journalists, Internet Freedom Foundation, Paradigm Initiative, Privacy International, Reporters Without Borders and Red en Defensa de los Derechos Digitales (R3D), are expected to file another amicus brief in support of WhatsApp on Wednesday, CyberScoop has learned.

The suit, which Facebook’s WhatsApp filed last year, is currently under appeal in U.S. Court of Appeals for the Ninth Circuit.


The Israeli firm’s lawyers have argued in previous filings that the case cannot be heard in a U.S. court of law and that it should be granted a derivative of sovereign immunity, since its clients are foreign sovereign nations.

Microsoft’s President, Brad Smith, announced last week that his firm and others would be throwing their hats in the ring to fight NSO Group’s efforts to suppress the case. According to Microsoft and the other firms that joined the brief, the suit should be heard in order to hold accountable NSO Group and other companies like it that develop and sell invasive surveillance products around the world.

“We believe the NSO Group’s business model is dangerous and that such immunity would enable it and other [private-sector offensive actors] to continue their dangerous business without legal rules, responsibilities or repercussion,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote in a blog on the amicus brief. “The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of U.S. law.”

The allegations against NSO Group are extensive — NSO Group products are alleged to have been behind targeted surveillance of journalists in Morocco and dissidents in Togo, and are alleged to have targeted human rights activists in other countries around the world. Just this week researchers at Citizen Lab alleged that operators with suspected links to the governments of Saudi Arabia and the United Arab Emirates have targeted Al Jazeera journalists with NSO spyware as well.

But alleged victims and human rights advocates have not succeeded in getting NSO Group’s alleged abuses reined in yet. An Amnesty International effort seeking to block NSO’s export license fell apart recently in Israel, for instance, while the WhatsApp case has been drawn out in tit-for-tat court filings for over a year. But the added attention and interest from Microsoft, Google and other powerful tech companies, enshrined in the amicus brief, could spell a new arc in the story, digital rights advocates say.


John Scott-Railton, a senior researcher at Citizen Lab who frequently researches alleged NSO abuses, said the fact that other powerful corporations beyond just Facebook are getting involved may send shockwaves through the commercial spyware and hack-for-hire industry.

The filing is “a remarkable show of solidarity, and a clear signal to the spyware industry that the big platforms have just begun to lean into the fight,” Scott-Railton said. ”Investors in spyware companies are probably questioning whether they bet on the right horse this morning.” 

An NSO Group spokesperson did not return multiple requests for comment.

A larger reckoning

NSO Group has previously said it does not itself operate its products and has claimed its software can only be used to target terrorists and criminals.


Microsoft suggested this kind of argument is not enough.

“Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve,” Burt wrote. “Even if the tools are sold to governments who use them for narrowly targeted attacks, there are a variety of ways they can still fall into the wrong hands … companies like the NSO Group threaten human rights whether they seek to or not.”

WhatsApp lawyers said in a filing last week that “granting NSO immunity here would be a boon to the marketplace for private actors with sweeping powers and little transparency.”

Some digital rights organizations applauded Microsoft’s filing, but cautioned that the proof would be in the pudding for the companies involved.

“[W]e are happy to see that big tech players, like Microsoft, Google, LinkedIn and others are intervening and finally publicly speaking out against spyware vendors like the NSO Group,” said Natalia Krapiva, tech legal counsel at Access Now. “Reckless private firms like NSO Group give a black eye to the entire tech sector, and expose gaps in regulation. It’s right for tech platforms to assert their stake in this lawsuit, but we’re watching to ensure they keep this line when legislatures step up.”


Sophia Cope, a senior staff attorney at the Electronic Frontier Foundation, — which also filed a separate amicus brief in support of WhatsApp this week — said some of the companies that filed the amicus brief with Microsoft would do well to reflect on their own hand in contributing to or perpetuating human rights abuses.

“[I]t’s heartening to see technology companies stand up for cybersecurity and admonish private cyber-surveillance firms like NSO Group for enabling ever greater numbers of immoral and irresponsible governments to spy on human rights activists, journalists, and other members of civil society,” Cope said. “But we also urge all technology companies to sincerely engage in due diligence and make the tough call not to sell their products or services to governments that are likely to use them to violate human rights.”

The flurry of amici briefs comes just as the U.S. State Department is weighing whether to make Saudi Crown Prince Mohammed bin Salman immune in a separate case, a move that could lead to him being dismissed as a defendant in a hack-and-leak case that implicates NSO Group, according to The Washington Post.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts