Microsoft, Google and several other major tech firms on Monday filed a legal brief supporting an El Salvadoran journalist whose staff was targeted with powerful mobile spyware, arguing he should be allowed to sue the software developer in U.S. court.
In March, a California federal judge dismissed the lawsuit brought by Carios Dada and other plaintiffs located overseas against Israeli spyware maker NSO Group, saying they had no standing to sue in the United States because the case was “entirely foreign.”
The amicus brief argues that Google, Microsoft and other U.S. technology companies supporting the plaintiffs have worked closely with policymakers to enhance cybersecurity and collectively spend billions annually to bolster it, partially by working to monitor and disrupt spyware.
The dismissal is now being appealed, apparently spurring the technology companies’ brief asserting that they have a “strong interest in ensuring that entities who facilitate covert access to their products are held accountable in U.S. courts.”
“Even if NSO’s spyware tools were not being used to target U.S. citizens and officials, the proliferation of these tools would still inflict substantial harm on important U.S. interests,” the brief said, noting that the spyware undermines customers’ faith in their products and threatens national security.
The plaintiffs had asked the judge to force NSO Group to return and erase all information accessed through the hacks and name the clients which sought the Pegasus spyware used in them.
Pegasus targets thousands in civil society
Dada co-founded and directs the Salvadoran news outlet El Faro, which was investigating its government’s hidden ties to violent gangs when his and several staffers’ phones were infected with the zero-click Pegasus spyware.
Pegasus is manufactured by NSO and was allegedly installed on the phones of 22 El Faro employees between June 2020 and November 2021, according to digital forensic researchers.
The lawsuit, the first filed by journalists against the spyware manufacturer in a U.S. court, centers on the fact that El Faro staffers’ phones were allegedly hit with 226 Pegasus infections.between June 2020 and November 2021, according to the Knight First Amendment Institute at Columbia University, which brought the case.
NSO Group is also currently being sued by Meta-owned WhatsApp, which asserts about 1,400 of its users also were hacked by Pegasus and that U.S.-based Amazon Web Services unknowingly stored Pegasus code for years.
In addition to Google and Microsoft, GitHub, LinkedIn and Trend Micro joined in filing the amicus brief supporting the lawsuit’s plaintiffs as their appeal of the dismissal unfolds.
The brief cites a July 2021 Amnesty International and Forbidden Stories investigation known as the Pegasus Project, which published more than 50,000 phone numbers found in a leaked database. Some of the numbers were thought to have been hacked with Pegasus.
The organizations found phone numbers belonging to 14 heads of state — including from France, Iraq, Morocco, Pakistan and Egypt — along with 600 government officials and more than 180 journalists in the database, the brief said. Pegasus can only be installed if attackers possess a given target’s phone number.
A majority of phones analyzed as part of a study of a relatively small subset of the database‘s list of numbers contained evidence of Pegasus spyware, the brief noted.
“NSO admits to having sold Pegasus to approximately 40 different governments around the world,” the brief said, noting that the company claims it works hard to vet its clients for human rights abuses in part by only allowing its spyware to be used only by law enforcement and intelligence agencies, primarily in counterterrorism efforts.
However, the brief noted, the fact that the database included targets with no connection to crime or terrorism, also including executives, religious leaders and academics, show “these protections — if they ever existed — have failed to prevent abuse.”
“It appears that, once a government purchased Pegasus from NSO, it could use the tool to hack and spy on whomever it wanted,” the brief added.
Google and Microsoft’s motives
Microsoft explained its reasons for filing the brief on a website blog penned by its associate general counsel for cybersecurity policy and protection, who said the company has long demonstrated its belief that cyber mercenaries such as NSO Group “don’t deserve immunity.”
“Despite measures taken by governments, regulators, and tech companies, the impact of these actors on the security of users continues to increase as the market expands,” the blog post said. “More must be done.”
NSO Group has consistently used Microsoft technology to attack its users, the blog post added, arguing that those users deserve “legal recourse” even if they are located abroad.
Google’s heads of security policy and security legal also published a blog post Monday, saying that while spyware usually only impacts a small number of users, “its wider impact ripples across society by contributing to threats to free speech, the free press and the integrity of elections worldwide.”
Many victims of spyware hacks use U.S.-based platforms such as Android or iOS from abroad, the post said.
“Our filing argues that victims of spyware-enabled attacks should be able to take legal action in the U.S. against spyware vendors under existing anti-hacking laws — even if they were hacked abroad,” the post said. “This is imperative to narrow the attack vectors exploited by spyware vendors.”
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.