The case against the NSO Group appears to scratch the surface of problematic commercial hacking tools sold at arms markets, which the U.S. government has only just begun trying to control.
The U.S. Court of Appeals’ ninth circuit rejected Israel-based NSO Group’s claim of immunity as a foreign sovereign, allowing a lawsuit brought by Facebook—and supported by press freedom and human rights groups—to move forward.
“The panel held that the Foreign Sovereign Immunity Act occupies the field of foreign sovereign immunity and categorically forecloses extending immunity to any entity that falls outside the Act’s broad definition of ‘foreign state,’” reads the ruling the court issued Monday. “The panel rejected [the] defendant's argument that it could claim foreign sovereign immunity under common-law immunity doctrines that apply to foreign officials.”
Facebook is suing NSO Group for accessing the servers of its end-to-end encrypted messaging service WhatsApp to infect customers with malware for surveillance purposes. NSO Group has said it sells its technology only to foreign governments and government agencies for legitimate law enforcement purposes but also that it is not privy to its clients’ operations.
But a global investigation by journalists and human rights organizations this summer showed dissidents and western world leaders including French President Emmanuel Macron were among the targets of the company’s Pegasus software. On Oct. 20 the Commerce Department announced it would start controlling the export of such tools and on Wednesday placed NSO Group and three other companies on its entities list.
The move bans U.S. persons from selling any source technology to the blacklisted company and sends an important message, but doesn’t go far enough, four lawmakers wrote in letters Friday to Commerce Secretary Gina Raimondo and Secretary of State Antony Blinken.
“While the entity listing will ensure that US technology exporters cannot supply these companies, we urge you to also work to ensure that American pension funds and 401Ks are not inadvertently complicit in subsidizing these abusive business models,” the lawmakers wrote. This could require new trade-related regulations and consideration of such companies for sanction under existing human rights regimes or a new targeted set of surveillance-related sanctions.”
The letters were signed by Reps. Anna G. Eshoo, D-Calif., Tom Malinowski, D-N.J., Katie Porter, D-Calif., and Joaquin Castro, D-Texas. They said more work is needed to ensure U.S. entities aren’t supporting autocratic regimes.
“Current export regulatory structures imposed on surveillance-related goods such as surveillance network-control systems, surveillance analytic systems, or network monitoring tools have failed to comprehensively prevent U.S. companies and investors from feeding these items into surveillance architectures that directly enable grave abuses,” the lawmakers wrote. “For example, these types of US-origin items have been linked to the ethnic profiling and concentration camps in Xinjiang, China. Therefore, we urge you to consider a set of stronger measures that would assure the American people that US companies are not complicit in digital repression.”
On Wednesday the Atlantic Council released a report showing the marketplace for intrusion technologies includes hundreds of companies, many of which are headquartered in allied countries including Israel and Sweden. The report’s authors concluded with high confidence that the companies from those countries, along with Turkey, are marketing hacking tools to U.S. adversaries.