Supreme Court Denies NSO Group’s Attempt To Avoid Lawsuit Filed By WhatsApp

A couple of years before criticism of Israel-based NSO Group reached critical mass, the malware merchant was sued by WhatsApp. According to the messaging service (now owned by Meta), its servers were used (without its permission and in violation of the terms of service) to deliver powerful spyware to targets of NSO Group customers (which included a disturbingly large number of habitual human rights abusers).

As the lawsuit moved forward, things got interesting. Court filings revealed NSO's malware had been delivered via WhatsApp servers located in California. (Much later, it was discovered this was the result of the FBI performing a test drive of a Pegasus variant offered by NSO that would allow the targeting of US phone numbers - something that isn't an option with the standard spyware.) Filings also showed current FBI director Chris Wray (who won't shut the fuck up about encryption despite his deliberate refusal to be intellectually honest about his proposed solutions") was a defender of encryption when he was still in the private sector, advocating on WhatsApp's behalf during a legal battle with the DOJ, which hoped to force WhatsApp to weaken encryption to facilitate DOJ wiretap orders.

NSO Group claimed it was immune from this lawsuit for a couple of reasons. First, it said it could not be held directly responsible for the actions of its customers. If courts decided it could be held responsible for irresponsible malware sales to questionable governments, the company raised a secondary defense: it was entitled to sovereign immunity if the court decided NSO was a suitable litigation stand-in for its foreign customers.

Neither argument worked. In November 2021, the Ninth Circuit Appeals Court denied sovereign immunity to NSO Group, pointing out very reasonably that NSO is not a foreign state." It is a foreign company, but that's not nearly the same thing as being a foreign entity worthy of immunity. The appeal was denied, preventing NSO Group from escaping this lawsuit.

Another appeal followed. NSO Group asked the Supreme Court to review this denial by the Ninth Circuit. The Supreme Court, in its most recent cert order [PDF], has decided NSO Group hasn't raised an issue it feels like addressing. (h/t The Register)

NSO Group will have to continue facing WhatsApp's lawsuit. Adding 18 months of disturbing revelations, sanctions, investigations, additional lawsuits, and negative press to the proceedings definitely isn't helping NSO's case. It made poor decisions about who to sell to, something that may have been aggravated by the Israeli government's attempts to convert a private company into a tool of international diplomacy.

The downside here is that WhatsApp is using the CFAA to pursue its claims against NSO. While it would seem obvious that utilizing WhatsApp's servers and service to deliver malware violates terms of use agreements, this lawsuit asks courts to broadly define unauthorized access" to include merely unexpected uses of WhatsApp. WhatsApp has the ability to shutter accounts that spread malware, including dummy accounts run by foreign government agencies. What it shouldn't be doing is asking federal courts to expand already broad definitions of unauthorized access - something that has the potential to harm security researchers and their invaluable work.