On Monday, amici curiae Cisco Systems Inc., Google LLC, GitHub Inc., Internet Association, LinkedIn Corporation, Microsoft Corp., and VMware Inc. asked the Ninth Circuit to uphold a lower court decision denying two Israeli cybersecurity companies sovereign immunity after they were sued for accessing WhatsApp users’ devices using spyware. The amicus brief contended that the trial court’s determination was correct because extending immunity to such companies drastically would expand the risks posed by powerful cybersecurity tools usually employed for malfeasance.
The case originated in October 2019 when Facebook’s WhatsApp sued NSO Group Technologies Ltd. and Q Cyber Technologies Ltd. (collectively NSO) for violating the messaging application’s terms of use, and, moreover, the Computer Fraud and Abuse Act and state law. Law Street Media reported that WhatsApp accused NSO of illegally delivering malicious code to cell phones and granting NSO unauthorized access to those devices in order to intercept users’ messages, allegedly for foreign government clientele.
In time, Facebook, which manages cybersecurity for WhatsApp, discovered the vulnerabilities NSO used and filed suit against the Israeli companies. NSO moved to dismiss the complaint, arguing that the doctrine of sovereign immunity should preclude litigation because it was acting on behalf of foreign governments. According to the amicus filing, the district court declined NSO’s request, finding that it was not eligible for such protection as a private entity.
The amici argue that NSO’s appeal should be denied because “expanding immunity to private cyber-surveillance companies would greatly increase access to and use of cyber-surveillance tools,” resulting in more risk, catastrophic monetary losses, and civil disruption. The filing explained that although such tools, known as zero-day vulnerabilities, sometimes are benevolently unveiled, other times they are used by private enterprises for profit, “either by using it directly or selling it to someone who will,” to the detriment of public and private victims alike.
Ultimately, the amici contended, “(p)rivate companies should remain subject to liability when they use their cyber-surveillance tools in violation of U.S. law, regardless of who their customers are.” In turn, the parties asked the appellate court to let the current ruling stand.
Google is represented by in-house counsel. Orrick, Herrington & Sutcliffe LLP represents Microsoft Corp., Cisco Systems Inc., GitHub Inc., LinkedIn Corporation, VMware Inc., and the Internet Association in the matter.