UK Court Says Dissident Can Sue Saudi Arabian Government For Hacking His Phone With NSO Malware

Lie down with dogs, get put in the position of producing potentially damning evidence. That's the lesson NSO is going to learn if this lawsuit goes any further.

Israeli tech firm NSO Group has sold its malware to plenty of questionable customers and, thanks to an endless stream of revelations about misuse of its phone exploits, has been targeted by lawsuits, sanctions, and government investigations.

It's not being sued directly but it will likely be asked to answer questions about its oversight of Saudi Arabia's (mis)use of its malware to target the sort of people NSO claims it does not approve of targeting. As the Guardian reports, a UK asylum beneficiary has been allowed to move forward with his lawsuit against the Saudi government for hacking his phone.

A British judge has ruled that a case against the kingdom of Saudi Arabia brought by a dissident satirist who was targeted with spyware can proceed, a decision that has been hailed as precedent-setting and one that could allow other hacking victims in Britain to sue foreign governments who order such attacks.

The case against Saudi Arabia was brought by Ghanem Almasarir, a prominent satirist granted asylum in the UK, who is a frequent critic of the Saudi royal family.

At the centre of the case are allegations that Saudi Arabia ordered the hacking of Almasarir's phone, and that he was physically assaulted by agents of the kingdom in London in 2018.

The University of Toronto's Citizen Lab was instrumental in assisting Almasarir with building his case against the Saudi government. Its investigation of his hacked phone determined the source of the hacking to be a Saudi Arabian government entity, something it concluded with high confidence." The lawsuit was filed in 2019 (well before the NSO became zeitgeist material), granted permission to continue in 2020, and now has been given another UK judicial thumbs up two years later.

The decision is almost certainly going to be appealed by the Saudi government, which still believes it is entitled to sovereign immunity for the alleged acts, which include a physical assault apparently perpetrated in London.

If it appears likely the Saudi government will actually have to go to trial, it will be interesting to see how NSO Group reacts. It certainly doesn't want any of its internal dirty laundry exposed in open court. It could try to pressure the Saudi government into settling with Almasarir. But even if it does that, it won't stop what's likely coming, thanks to this ruling.

The decision could have profound implications for other individuals targeted or hacked by NSO's spyware within the UK.

They include Lady Shackleton and Princess Haya, the former wife of Dubai's ruler Sheikh Mohammed bin Rashid al-Maktoum. Both were hacked by the sheikh using NSO spyware during lengthy court proceedings between Haya and her former husband in London.

If this case shows local courts might be viable options for targets of NSO spyware, more lawsuits are sure to follow. And every new lawsuit presents an opportunity for the public to more closely examine NSO's sales, internal policies, handling of suspected misuse, and perhaps even the capabilities of exploits that have yet to be discovered by security researchers or malware targets.

This could prove to be a reckoning with snowball potential. Whatever moves NSO may be making now to (perhaps) exit the malware business won't help it avoid scrutiny of its past actions.