On Monday, December 21, 2020, Google, Microsoft, Cisco, GitHub, LinkedIn, VMware, and the Internet Association filed a joint amici curiae brief in support of Facebook in NSO Group Technologies Limited, et al v. WhatsApp Inc., et al. The case is on appeal from the U.S. District Court, Northern District of California, concerning a lawsuit filed by WhatsApp, owned by Facebook, alleging that NSO Group’s spyware was used to hack multiple devices through a vulnerability in WhatsApp’s messaging service. NSO Group previously argued that it should enjoy sovereign immunity since its tools are sold to foreign governments.
The amicus brief argues that permitting companies like NSO Group to deploy cyber-surveillance tools across U.S. systems would generate large-scale, systemic cybersecurity risk. The brief first contends that “[a] robust, unchecked, commercial market for cyber-surveillance tools would dramatically increase the number of governments and private companies with access to them” and, thus, “significantly increase the frequency with which they would be used.” Expanding immunity, as NSO Group suggests, would encourage more companies to create such spyware tools since “U.S. courts operates as a deterrent to business models that depend on violating U.S. law.”
The brief further argues that a “growing commercial market for cyber-surveillance-as-a-service raises systemic cybersecurity risk in several ways.” Both the developers of the spyware tools and their foreign government clients are vulnerable to hacks and leaks. The brief highlights the private sector hack of Hacking Team, one of NSO Group’s competitors, whereby Hacking Team’s clients and Hacking Team’s source code were exposed. In further support of this argument, the brief posits that the targets of the spyware tools can observe and then reverse-engineer the tools for their own purposes. “Not only would increased use of these tools allow increased opportunities for observation and reverse-engineering, but the selection of targets may be less discerning.”
The brief’s final argument contends that increased systemic risks would cause extensive damage. “Even limited use of these tools can cause massive disruption and expense.” Because damage from spyware attacks “often cascades downstream. . . hundreds or thousands of companies may need to engage in incident response processes and mitigation steps with respect to millions of users.” Further, the brief states that “some of the damage done by cyberattacks can never be undone, even after the vulnerability is identified.” Hackers may continue to have access to information downloaded from a device through spyware, such as a user’s credentials. The targets of these spyware tools are often unaware that their credentials and information are compromised. Unless users are aware that their data is compromised, they will not know to initiate a reset.
In a blog post, Microsoft wrote that “[p]rivate companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve.” NSO Group’s tools have been linked to the death of Washington Post journalist Jamal Khashoggi. However, NSO Group has denied hacking Khashoggi.
Microsoft and Google join Facebook’s legal battle against hacking company NSO, VentureBeat (December 22, 2020)
Cyber Mercenaries Don’t Deserve Immunity, The Official Microsoft Blog (December 21, 2020)
WhatsApp Inc., et al v. NSO Group Technologies Limited, et al (Case No. 20-16408)