November 22, 2022
In 2019, WhatsApp filed a complaint in federal court against NSO Group, the world’s most notorious spyware vendor, claiming that NSO used WhatsApp servers without authorization to send malware to approximately 1,400 WhatsApp users’ devices, thereby violating statutory and common-law duties and breaching WhatsApp’s Terms of Service.
This litigation is of unique importance because, as Professor David Kaye, the director of the International Justice Clinic, put it in the Amicus Brief filed to the Ninth Circuit Court concerning this case, “[there is no] governmental or private mechanisms aside from bringing suits like the one before this Court, that are available to prevent or redress the serious violations of free speech, association, and privacy enabled by tools like NSO’s.”
NSO argued that foreign sovereign immunity extends to it because it’s retained by foreign government clients, and the US court thus lacks jurisdiction. Both the District Court and Ninth Circuit Court of Appeals dismissed NSO’s argument. NSO appealed, submitting a writ of certiorari to the Supreme Court in April this year. In June, the Supreme Court invited the Solicitor General to express the United States’ views on whether the Supreme Court should grant or deny the cert, an appropriate request given the government’s longstanding role in sovereign immunity claims.
Following this request, scholars and civil society provided their views to the Solicitor General, supporting the denial of cert. Prof. David Kaye with the support of the International Justice Clinic reiterated in his letter that “no foreign government has stepped forward to assert immunity on NSO’s behalf,” which was originally touched upon by Professor William Dodge, a foreign sovereign scholar who had weighed in on the case earlier. The digital rights NGO, Access Now, and coalition partners drew attention to a long list of credible reports on the abuse of Pegasus spyware.
On Monday, in a filing with the Court, the Solicitor General concluded in its brief that “NSO plainly is not entitled to immunity here” and recommended that the Supreme Court deny the cert. We appreciate this conclusion as well as its reasoning highlighted in the brief—which aligns with the scholars’ and civil society’s inputs. Namely, first, “neither the United States nor any foreign sovereign has supported NSO’s claim to immunity,” and second, the United States “noted its commitment to using available policy tools to ‘hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad.” (Brief at 15 – 16). The United States had done this in 2021 by adding NSO Group to the Entity List, which is a list of entities causing harm to national security or foreign policy interest of the U.S.
Though the submission itself is not binding, the Solicitors General’s opinion is powerful enough – and compelling, given the government’s long-standing role in sovereign immunity claims – for the Supreme Court to deny the cert application with confidence. Upon the denial, the case would be remanded to the District Court to proceed with the discovery, which would shed light on NSO Group’s extremely secretive business practices, enabling more individuals and companies to seek remedy for the violations caused by the NSO Group’s product. In that sense, it is a major turning point in efforts to bring accountability to transnational uses of spyware.