Advertisement

Legal barriers complicate justice for spyware victims

Some recent court rulings show the difficult road of anti-spyware litigation, but those in the fight also see signs of promise.
Listen to this article
0:00
Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
The NSO Group company logo is displayed on a wall of a building next to one of their branches in the southern Israeli Arava valley near Sapir community centre on February 8, 2022. NSO Group currently has 39 legal cases against it due to the fallout around its Pegasus spyware product. (Photo by MENAHEM KAHANA / AFP)

Last month, Apple sought to drop its lawsuit against spyware industry leader NSO Group, citing a number of difficulties with advancing the case. This month, WhatsApp parent company Meta asked a judge to punish the same company for not complying with orders to hand over its source code. And for years, many victims have failed to get courts to take action against spyware manufacturers or countries that deployed the invasive technology against them.

For litigants who seek remedies against spyware makers and users in court, it all points to this conclusion: Taking legal action against spyware is very hard, beset by oft-overwhelming hurdles.

That’s not to say that it’s a pointless tactic, advocates say, nor that it’s hopeless. Some cases have had good outcomes for plaintiffs. And some cases still show promise for them. The U.S. Supreme Court, for instance, dealt a setback last year to NSO Group’s attempt to get the Meta case dismissed, and U.K. courts twice in recent weeks have allowed spyware cases to go forward, against Bahrain and Saudi Arabia.

“We’re still learning what works to stem the harmful proliferation of mercenary spyware. Part of that will be to get accountability for victims,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which works to uncover spyware abuses. “Clearly there’s a role for litigation and the justice system as one of those lines of change.

Advertisement

“Up until now, however, a lot of victims have struggled to get their cases to move forward, and keep moving,” he continued. “Some of that traces back to forms of immunity that spyware companies and their government customers seek to shield themselves with.”

One of the most high-profile plaintiffs is Hanan Elatr, the widow of slain Washington Post journalist Jamal Khashoggi. A federal court in Virginia almost precisely one year ago dismissed her case against NSO Group over allegations that Saudi Arabia spied on her and her husband prior to his murder, a legal result that she told CyberScoop was “very disappointing for me.” But a three-judge panel heard arguments in an appeal of that ruling Wednesday.

“There is no justice for Jamal,” she said, adding that the murder “also did destroy my life and my family’s life.

“At least, at least, I have to start to bring justice for him by starting with the tools that led to him,” she said. Other avenues for that justice have been flustered, she said. “This is the only hope I have, the last hope.”

Despite the disappointment of the earlier ruling in her case, a case advancing against Saudi Arabia in the United Kingdom gave her hope. Furthermore, she said, “I do trust the justice system here in the United States.”

Advertisement

Citizen Lab keeps a running log of both open and closed legal actions against spyware makers or cases that otherwise implicate them, a tally that runs nearly 60 instances long and dates back to 2011. The vast majority, 39, are against NSO Group.

One of the many hurdles is how courts interpret the 1976 Foreign Sovereign Immunities Act, which established the standards governing when foreign governments may be subject to U.S. court jurisdiction. For example, a U.S. court decided in 2017 that a Maryland man who sued the Ethiopian government over allegations that it had infected his computer with spyware and committed other privacy violations could not do so because of the 1976 law.

“Suing a company is easier than suing a state” because of the courts’ interpretation of that law, said David Kaye, a law professor at University of California-Irvine and former United Nations special rapporteur on freedom of opinion and expression. In arguments in a petition the Supreme Court ultimately denied last year, “NSO Group kind of failed in its effort to present itself as an agent of a state that should also get the same kinds of protections as a state,” Kaye said.

Other jurisdictional problems have arisen in spyware cases, though, even when they aren’t targeting specific countries’ governments. In March, a U.S. court dismissed a lawsuit filed in California against NSO Group by El Salvadoran journalists who said they were victims of the company’s technology, with the judge citing the legal doctrine of “forum non conveniens,” under which a court declines to take up a case that it finds more suitable for another court — such as in Israel, the headquarters of NSO Group, or El Salvador.

The Knight First Amendment Institute at Columbia University, which represents the journalists, is appealing the ruling, saying that despite the judge’s logic, the case belongs in California given the abuse of Apple’s servers, among other reasons.

Advertisement

“We hope that the district court’s decision is reversed, because we think U.S. courts have a crucial role to play in protecting all of us from the dangers that these spyware manufacturers pose, and we think they’re well situated,” said Stephanie Krent, staff attorney with the institute.

The Virginia court cited similar reasons as the California court when it dismissed a suit against NSO Group brought by Elatr.

Some of the barriers are more strategic in nature, although there is some overlap with the difficulties presented when attempting to sue a foreign entity. Israel has reportedly taken steps to shelter NSO Group against U.S. courts by seizing documents about its Pegasus spyware to keep the firm from having to comply with disclosure requirements in the WhatsApp case. 

NSO Group also has sought to turn the tables on its opponents. It has requested information in court from organizations like Citizen Lab, and Apple cited potential disclosure of sensitive company information as potentially harmful to its efforts to defend its customers and one of the reasons it sought to withdraw its suit. NSO Group supported the withdrawal, but for different reasons.

It’s “ironic” and “unfortunate” that Apple had a “philosophical and business interest” and “moral right” to file the suit only to have to withdraw it to protect technical information, said Sophia Cope, senior staff attorney at the Electronic Frontier Foundation, which has litigated against and joined other suits against spyware makers and users. 

Advertisement

While the Supreme Court ruled that NSO Group had to hand over its source code to Meta earlier this year, the two sides are still in dispute over it, along with other discovery requests. Meta urged the court to issue a summary judgment in its favor because NSO hadn’t complied, which NSO  called “ludicrous.”

“It’s certainly clear that their strategy is to block, delay and postpone as much as possible,” Krent said. 

Yet another barrier can be the laws under which plaintiffs are seeking victory. The 1986 Computer Fraud and Abuse Act, the main U.S. anti-hacking law, has a number of thresholds plaintiffs have to meet, such as demonstrating $5,000 in damages.

“When Congress passed that law, they were originally thinking, ‘You have a hacker breaching the system of a corporation, and maybe wiping the hard drives of all these computers, and so you, the company, has to spend all this money buying new computers or hiring someone to re-network everything,’” Cope said. With an invasion of privacy that comes with spyware use, it is possible to demonstrate someone has suffered damages, but “it’s a little more challenging to show you had monetizable damage.”

Kaye is bullish about the prospects of the Meta suit against NSO Group, which he said was bolstered by a sound legal strategy, a track record of wins such as the Supreme Court ruling and an atmosphere that’s unfavorable for NSO Group in courts that might not not want to allow abuses to continue. U.K. courts, meanwhile, have proven more fertile terrain for spyware victims to pursue answers, as two recent rulings show. 

Advertisement

Another U.K. court ruling demonstrated the value of information that can come out of the cases: Court documents released in 2021 showed that the ruler of Dubai deployed NSO Group spyware to infiltrate the cell phones of his ex-wife and others, including a member of the House of Lords who had been representing the ex-wife.

There are limits to what can be disclosed in those cases, but the prospect of disclosure is a threat to the spyware business model, Cope said. 

“At the end of the day, if NSO Group and companies like it are aware that they may have to disclose information about their customers and about their practices to the public or even under protective orders to other attorneys and to the court, it makes the value proposition that they’re selling to those customers less appealing, right?” she said. “Because the number one thing they’re selling is secrecy. So if lawsuits are successful at chipping away at that, that could change the calculus for this type of spyware and the popularity of it overall.” 

NSO Group said in a statement provided to CyberScoop that “NSO has consistently argued that a foreign technology company licensed lawful-intercept technology to foreign governments, which then used the technology to monitor foreign criminals and terrorists in foreign countries for those countries’ own national security and other sovereign interests.” It also has denied that government clients used its technology against Khashoggi or his family.

Cope said another potential avenue to pursue abusers of spyware opened up last year with a court ruling involving the Alien Tort Statute, which allows foreign citizens to file lawsuits in U.S. courts over certain violations of international law. The ruling offered a pathway for plaintiffs to pursue legal action against companies that aid and abet human rights abuses, she said — and Cope’s group has already cited that ruling in opposing a motion to dismiss a lawsuit against a spyware maker, DarkMatter.

Advertisement

Krent said the ideal scenario is convincing a judge to make sound law, but failing that, there can be other valuable elements about filing suit as long as it’s non-frivolous, including putting a focus on the issue for Congress and the media. 

The legal battle against spyware could be a long one with other parallels, such as litigation against tobacco companies or environmental litigation, Scott-Railton said.

“I am optimistic that some victims will find justice and there will be paths to accountability,” he said. “But like so many other efforts to hold companies accountable for putting profits ahead of people, it’s going to take time, and progress won’t be linear.”

Tim Starks

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he's covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.

Latest Podcasts