The NSO Group has made a fresh bid in an American appeals court to get WhatsApp’s lawsuit against it dismissed. The controversial cybersecurity firm has argued that it is entitled to “foreign sovereign immunity” as it “exclusively [original emphasis]” acts as an agent of foreign sovereigns. The district court, which had dismissed NSO’s appeal to dismiss WhatsApp’s lawsuit, had said that such immunity only extends to companies incorporated in the US, a ruling that the NSO Group has challenged.

WhatsApp had sued the NSO Group in October 2019 for exploiting a since-then fixed vulnerability in the messaging app that allowed attackers to plant NSO’s Pegasus in users’ phone just by ringing their target’s device. WhatsApp had informed 1,400 users who were affected by this attack, including 121 Indians. Most of the Indian victims who have been identified are linked to the Bhima Koregaon case. In response, the NSO Group has always maintained, including in responses to MediaNama, that it only markets and sells its products to governments and authorised law enforcement agencies including intelligence agencies.

NSO has filed its appeal to get the lawsuit dismissed in the Ninth Circuit Court of Appeals, similar to an Indian high court, and has argued that the Northern District of California, which rejected the firm’s plea to dismiss the suit, did not have the jurisdiction to do so.

Is the Israeli Defence Ministry privy to NSO Group’s activities?

Given Pegasus’s “effectiveness”, NSO Group submitted that its export is regulated under Israel’s Defence Export Control Law which authorizes the Israeli Ministry of Defence to grant or deny any licences between NSO and its foreign-sovereign customers. This reiterates NSO’s own past assertions and the claims that Amnesty International had made in its lawsuit against the Israeli Defence Ministry to get NSO Group’s export licence revoked.

This lawsuit that was ultimately dismissed by an Israeli court earlier this year since the judge was satisfied with the rigour of the defence licensing process and subsequent monitoring of the licensees. She did not even consider the question of whether or not NSO Group “possesses a defense marketing and/or export licence”.

However, in November 2019, Israel’s security cabinet minister Zeev Elkin today denied any Israeli government involvement in sale of Pegasus by NSO Group, stating that “NSO Group is a private player” and “there is no Israeli government involvement”.

As per NSO’s appeal, the Israeli Defence Ministry also mandates that NSO require its users to certify that Pegasus “will be used only for prevention and investigation of terrorism and criminal activity”. Moreover, as per this appeal, the Ministry can deny or revoke export licences if it determines that Pegasus was used for unauthorised reasons, such as violation of human rights, by a foreign country. This is particularly interesting because multiple reports have suggested that a close confidant of slain Saudi journalist Jamal Khashoggi, Omar Abdulaziz, a Saudi activist and Canadian permanent resident, was targeted back in 2018. On whether Khashoggi himself was targeted, NSO’s CEO Shalev Hulio has categorically denied it.

WhatsApp’s lawsuit had also argued that NSO Group operates via local agents, citing the clandestine sale of Pegasus to officials from Ghana’s National Communications Authority through a company called Infraloks Development Limited. In May, three former directors were sentenced to a total of 16 years in prison for their role in “clandestinely” purchasing Pegasus from NSO Group and embezzlement of $4 million of state funds.

All this suggests the Israeli government, through its Defence Ministry, is acutely aware of who all are NSO Group’s clients. And since all NSO Group only markets and sells to government agencies, it stands to reason that the Israeli government is aware of which countries and which agencies use Pegasus, along with any local agents who might be mediating the deals and signing contracts (as in the Ghanaian case). We have reached out to NSO Group and Israeli Defence Ministry for comment.

Interestingly, one of NSO Group’s founders, Omri Lavi, also co-founded Kaymera, a company that creates super-secure phones for government officials. Thus, NSO Group and Kaymera offer complementary products. According to Forbes, Kaymera and NSO’s offices are located next to each other.

Pegasus’s capabilities

Pegasus “enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device”, NSO Group submitted to the court. “Governments can use Pegasus to intercept messages, take screenshots, or exfiltrate a device’s contacts or history,” it said.

Pegasus, which has been around since at least 2016, can also remotely turn on phone’s camera and microphone to capture activity in phone’s vicinity and use GPS functions to track a target’s location and movements, as per its product description. Read more about it here.

In the appeal, the NSO Group reiterated its earlier claim that Pegasus is built with technical safeguards that prevent it from accessing any device with an American number or any device within the geographic boundaries of the US. Earlier, an NSO Group spokesperson had, in a statement, told MediaNama, “We stand by previous statements that NSO Group products cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology which enables targeting phones with US numbers.”

NSO Group’s arguments in the appeal

State actors determine how products are used: Foreign states operate NSO Group’s technology and “choose how and when to use it”, the firm said in its appeal. “NSO’s foreign-state customers—not NSO—determine whether to install Pegasus on a mobile device, and then the government customers install Pegasus and monitor the device,” the company said. “NSO provides limited support, entirely at the direction of its foreign-state customers.”

Vice had earlier reported that an at-the-time NSO employee had abused his access to target a love interest. He had reportedly travelled to the UAE to do on-site support for a client (which would have to be a government client since NSO only sells to governments and their agencies) but was caught as he logged into the system out of normal hours. Consequently, the employee was fired.

WhatsApp is suing us because it can’t sue governments: Since NSO acts “entirely in an ‘official capacity’ as an agent[] of foreign governments”, the company has accused WhatsApp of trying to get American courts “to meddle in the sovereign affairs” of other nations.

The NSO Group has accused WhatsApp of taking a “backdoor approach” (interesting choice of words from NSO there) in its lawsuit against the Israeli company since it cannot directly sue the government who conduct the investigations.

Alerts to affected WhatsApp users killed investigations: The NSO Group cited a Wall Street Journal report from January as per which WhatsApp’s decision to inform users about compromised phones killed a European law enforcement’s investigation into an ISIS agent since the suspect’s phone went dark. It cited at least two other cases where ISIS terrorists used WhatsApp to communicate before carrying out terrorist attacks in London and WhatsApp subsequently refused to turn over the terrorists’ messages or to assist in apprehending them.

Read more: