NSO makes state sovereign immunity claim to defend from Facebook lawsuit

CEO Shalev Hulio tells US court his customers are only sovereign states or their intelligence and law enforcement agencies.

Facebook symbol  (photo credit: REUTERS)
Facebook symbol
(photo credit: REUTERS)
NSO Group will try to use a sovereign immunity claim to defend itself against a blockbuster lawsuit by Facebook in California, according to court documents obtained by The Jerusalem Post.
On October 29, Facebook-WhatsApp sued NSO for allegedly hacking around 1,400 of its clients’ WhatsApp accounts.
On Friday, NSO, an Israeli technology firm known for its Pegasus spyware, filed a motion to combat various procedural moves by Facebook in the case, but in the process also revealed that part of its litigation strategy will be an attempt to leverage a sovereign immunity defense.
Facebook responded on Sunday, saying that, “NSO Group has chosen not to appear or otherwise defend their actions in court. The dangerous proliferation of hacking tools sold and operated by NSO Group pose a clear threat to the safety of users everywhere,” and pledged to hold it accountable in US courts.
Conventionally, only states claim sovereign immunity from being sued for civil damages in another foreign country’s courts.
But there can be exceptions for parties linked to a foreign government to obtain an extension of that sovereign immunity.
Essentially, NSO claimed that since all of its work is for foreign governments and their security services, either it should be accorded a kind of derivative sovereign immunity, or the court must dismiss the case on the practical grounds that NSO cannot defend itself without revealing national security secrets of foreign countries.
In a first, NSO’s CEO Shalev Hulio went on record in an affidavit in describing aspects of the company’s activities.
In contrast, Hulio did not even appear in January at a hearing at the Tel Aviv District Court where Amnesty International was suing to get the Defense Ministry to revoke NSO’s export license due to its alleged facilitating of harassing human rights’ activists.
At the Israeli court hearing, NSO succeeded at convincing the judge to close the courtroom to the public.

Stay updated with the latest news!

Subscribe to The Jerusalem Post Newsletter


In his affidavit, Hulio said, “NSO Group innovates cyber solutions that NSO Group does not itself use. NSO Group’s only customers are sovereign states and the intelligence and law enforcement agencies of sovereign states, which use NSO Group’s products in furtherance of their national security interests and to conduct law enforcement activities, such as combating terrorism and investigating and prosecuting child exploitation and other serious crimes.”
Next, he said, “NSO Group’s only activities are to assist its customers with implementing the system (at the customer’s facility) and to provide basic technical support—activities in which NSO Group completely follows the directions and specifications of its customers. None of NSO Group’s activities involve any support to any operational activity by any NSO Group customer.”
Finally, he added, “NSO Group products sold to foreign sovereigns cannot be used to conduct cybersurveillance within the United States.”
A STICKING point in the public debate and likely in the US case could be cutting through whether NSO can really “provide basic technical support” without at least indirectly touching on “any operational activity.”
Another key question, even if NSO gets past that first issue is whether NSO can be held responsible for what its clients do using a broad theory of negligence – the same way that those dealing in hazardous materials can be held liable for all sorts of indirect and unintended impacts from those materials.
Here, NSO’s problem could be if Facebook alleges that if not for NSO producing a hazardous cyber tool of sorts, its clients could not have been hacked by NSO’s clients.
Finally, NSO may argue that if none of its technology was used in US territory that US courts should stay out of the issue even if it impacts a US company Facebook, and NSO, which previously had a corporate US presence.
Facebook has alleged that NSO used malicious code being transmitted over WhatsApp servers from April 29 to May 10 to infect around 1,400 specific devices.
The lawsuit also mentioned specific WhatsApp accounts being created in Cyprus, Israel, Brazil, Indonesia, Sweden and the Netherlands to achieve the hack, and mentioned malicious servers owned by Choopa, Quadranet and Amazon Web Services.
Without formally admitting to Facebook’s specific lawsuit, NSO sources have indirectly admitted to the Jerusalem Post in the past that hacking a service like Facebook’s WhatsApp to stop bad guys is part of why they need to exist.
They suggested to the Post that the most interesting question regarding Facebook is not whether NSO hacked WhatsApp, as described in the lawsuit, but rather what this hack means.
If the hack occurred, Facebook and individual users might have a right to civil damages. But might the hack have been worth it if it saved lives?
NSO sources explained that part of the company’s entry into this area of business was that many governments – often European ones – lacked the technology or were legally restrained from finding needed evidence on the cellular phones of terrorists, drug lords or pedophiles.
If NSO can help stop terror attacks by hacking WhatsApp, NSO sources would ask: Shouldn’t the company be desired?
Moreover, NSO sources have told the Post (also reported in the Wall Street Journal) that since the Facebook case was launched, a probe by a European country into an ISIS terror plot was blown up when the lawsuit tipped up the ISIS agent who then “went dark.”
The specific procedural issue under debate is about Facebook’s claim that NSO failed to respond to the lawsuit in the time allotted and that a default judgment it obtained from the California court against NSO is valid.
In contrast, NSO said that Facebook failed to follow a specific rule for serving a foreign company via the company’s foreign government and that the State of Israel had told Facebook that it must modify aspects of the service documents it sent to initiate the lawsuit against NSO.
Israel is backing NSO strongly in the Tel Aviv case and can be expected to assist NSO also in the California case.