chevron-down Created with Sketch Beta.
June 03, 2024 HUMAN RIGHTS

No Convenient Forum? Spyware Companies’ Efforts to Kick Victims’ Cases out of U.S. Court

By Mayze Teitler and Carrie DeCell

Commercial spyware is a dictator’s dream come true. Spyware can give attackers total access to a device’s contents—text messages, photos, contacts, emails, applications, and so forth—and can enable remote activation of its microphone and camera. Spyware thus turns devices that the Supreme Court has described as “a pervasive and insistent part of daily life” into pervasive surveillance tools. 

Spyware companies have avoided litigation by arguing that the U.S. is an inconvenient forum due to the transnational deployment of spyware.

Spyware companies have avoided litigation by arguing that the U.S. is an inconvenient forum due to the transnational deployment of spyware.

ADOBE STOCK

Repressive regimes have used spyware to surveil and intimidate dissidents, activists, journalists, and political opposition figures around the world, violating a host of human rights in the process. Seeking to hold spyware companies accountable for their abuses, some victims have sued them in U.S. court, as have U.S. technology companies whose products have been hijacked to deliver spyware to their users. In response, spyware companies have raised a litany of procedural defenses, from foreign sovereign immunity to lack of personal jurisdiction. One company recently invoked the common law doctrine of forum non conveniens (FNC), arguing that the United States is an inconvenient forum for claims based on the transnational deployment of spyware.

Spyware attacks not only violate the right to privacy but also threaten the freedoms of expression, of association, and of the press, and democracy more broadly. Reporters, security researchers, and advocacy groups have called attention to these attacks for years. Security researchers at Citizen Lab and Amnesty International’s Security Lab, among others, detected spyware attacks targeting pro-democracy protesters and activists in Thailand; human rights lawyers and investigative journalists in India; political opposition figures in Poland; Lama Fakih, a prominent Lebanese activist and Human Rights Watch director; and affiliates of the murdered Washington Post columnist Jamal Khashoggi. Multi-outlet journalism initiatives like the “Pegasus Project” and the “Predator Files” have conducted in-depth investigative reporting to bring these kinds of attacks to public attention.

Concerned that the proliferation of foreign commercial spyware poses threats to both U.S. national security and international human rights, the Biden administration has taken direct action against spyware companies. First, it added multiple spyware companies to the Department of Commerce’s “Entity List,” restricting their use of U.S. technology as part of an export control regime designed to prevent the proliferation of dangerous weapons. Then, it issued an executive order restricting the U.S. government’s own use of foreign commercial spyware that poses national security threats or has been linked to human rights abuses.

Meanwhile, several lawsuits attempting to hold spyware companies accountable for their role in these abuses are currently pending in U.S. courts. For example, journalists and members of the Salvadoran newsgroup El Faro sued Israeli spyware company NSO Group, whose Pegasus spyware was used to infect their phones hundreds of times between June 2020 and November 2021—a period during which the outlet published multiple stories critical of the Salvadoran government. (Am. Compl., Dada v. NSO Group, No. 3:22-cv-07513 (N.D. Cal. Dec. 16, 2022).) (We, along with our colleagues at the Knight First Amendment Institute at Columbia University, represent the plaintiffs in that case.) Loujain al-Halthloul, a human rights activist who led the campaign to win women the right to drive in Saudi Arabia, sued Emirati spyware company DarkMatter, which allegedly hacked her device to enable real-time monitoring of her location and communications, ultimately leading to her arrest, detention, and torture. (Am. Compl., AlHathloul v. DarkMatter Grp., No. 3:21-CV-01787-IM (D. Or. Mar. 16, 2023).) Hanan Khashoggi, the widow of Jamal Khashoggi, sued NSO Group, alleging that its spyware was used to surveil her communications with her husband for nearly a year leading up to his murder. (Khashoggi v. NSO Group., No. 123CV779LMBLRV, 2023 WL 7094558 (E.D. Va. Oct. 26, 2023).) Apple and WhatsApp have also sued NSO Group, claiming that the company exploited their products to deliver its spyware to their users. (See Compl., Apple v. NSO Group, No. 3:21-cv-09078-JD (N.D. Cal. Nov. 23, 2021); Compl., WhatsApp v. NSO Group, No. 4:19-cv-07123-PJH, 472 F. Supp. 3d 649 (N.D. Cal. Oct. 26, 2023).)

The defendant spyware companies have raised numerous procedural objections in each of these cases. In the WhatsApp case, NSO Group litigated a claim to foreign sovereign immunity all the way to the Supreme Court, insisting that it sells its spyware only subject to Israeli government approval and only to other government clients; the Ninth Circuit rejected that claim, and the Supreme Court rejected the defendants’ petition for certiorari. (WhatsApp Inc. v. NSO Grp. Techs. Ltd., 17 F.4th 930, 940 (9th Cir. 2021), cert denied, NSO Grp. Techs. Ltd. v. WhatsApp Inc., 143 S. Ct. 562 (2023).) DarkMatter initially prevailed on a motion to dismiss the AlHathloul case for lack of personal jurisdiction, and it has moved again to dismiss AlHathloul’s amended complaint. Most recently, NSO Group argued that the courts should dismiss the WhatsApp, Apple, and Dada cases on grounds of FNC.

FNC is a common law doctrine that gives a court discretion to dismiss a case properly before it when litigation would be more suitable in a foreign forum. FNC dismissal is a rare exception, not the norm. Nonetheless, NSO Group has argued that Israel is the more appropriate forum for cases currently pending against the company in the United States. NSO Group argued, among other things, that secrecy provisions in Israeli export control law weigh against hearing the cases in the United States and that the company’s placement on the Entity List makes the United States an inconvenient forum. (Defs’ MTD for FNC at 12–13, WhatsApp; Def’ts’ [sic] Supp. Memo. ISO Renewed MTD at 1–2, 6–7, Apple; NSO’s MTD [Corrected] at 7–9.) These arguments strain credulity, and the courts in the WhatsApp and Apple cases have rightly rejected them.

Allowing defendants to evade liability for violations of U.S. law by invoking foreign countries’ secrecy laws would effectively nullify U.S. law in cases of transnational human rights violations. The application of the FNC doctrine has always been problematic in human rights litigation because it can deny any forum for redress in transnational cases even when those cases have a substantial connection to the United States. If cases can’t proceed in U.S. court, they often will not proceed anywhere. Furthermore, countries may be reluctant to hold transnational actors responsible for rights violations to avoid economic fallout or to obscure the fact that their own conduct is implicated in the abuses. (Variations of these and related arguments have been advanced by others, including Erin Foley Smith and Kathryn Lee Boyd.)

Dismissing cases on FNC grounds based on foreign secrecy concerns would be even more troubling—particularly cases involving foreign commercial spyware companies. According to the Carnegie Endowment for International Peace, 74 governments reportedly entered into contracts with commercial spyware companies between 2011 and 2023. And as the New York Times, Haaretz, and others have reported, many spyware companies contract extensively—and sometimes exclusively—with government and law enforcement clients, almost always pursuant to strict confidentiality clauses. Some companies are required to coordinate with their home countries on their sales and licensing efforts and to keep that coordination confidential as well. These governments are thus often implicated in the conduct at issue in spyware lawsuits. If spyware companies can foreclose U.S. litigation by invoking the secrecy concerns of government clients or countries where they operate, spyware victims likely will never receive the redress to which they might otherwise be entitled under U.S. law.

In addition, U.S. government efforts to limit the abuse of commercial spyware should not shield spyware companies from liability. NSO Group has cited its placement on the Entity List as a pragmatic concern that should weigh against allowing the case to proceed in the United States, arguing that the regulatory action restricts its ability to work with U.S. law firms and discovery vendors. Regardless of whether Entity List placement does, in fact, impose such restrictions, concluding that it makes the United States too inconvenient a forum to litigate would be self-defeating. It would allow listed entities to evade U.S. legal liability for the conduct that got them listed in the first place.

The United States has expressed a strong interest—through public statements and longstanding court precedent—in allowing the victims of human rights violations with a U.S. nexus to assert their rights in U.S. courts. This interest is even stronger in spyware cases. Extensive reporting revealed that spyware companies exploit the products and services of U.S. technology companies, such as Apple and WhatsApp, to develop and deliver their malware. In addition to the domestic interest in preventing the abuse of U.S. companies and products to deploy spyware, the Biden administration has expressed clearly the U.S. government’s interest in limiting the abuse of commercial spyware, citing strong national security and human rights concerns. It can’t be true that the forum government’s expressed interest in constraining the use of spyware immunizes spyware companies from liability in that country.

It is appropriate, then, that the courts which have considered FNC arguments in these cases have viewed them with skepticism. NSO Group’s latest argument, for example, over-credits the secrecy concerns of other countries, including those whose own conduct may be implicated in the suit. And they seek to convert U.S. regulatory restrictions—an expression of forum state interest in the dispute—into a liability shield. These regulatory restrictions align with the cases brought against spyware companies in a broader effort to stem the significant human rights harms resulting from the use of their technologies. U.S. courts must hold these rights-abusing actors to account.

Mayze Teitler

Legal Fellow, Knight First Amendment

Mayze Teitler is a legal fellow at the Knight First Amendment, where they focus on spyware, the surveillance of incarcerated people, and government transparency. Their recent writing has appeared in Just Security and Tech Policy Press. 

Carrie DeCell

Senior Staff Attorney, Knight First Amendment Institute

Carrie DeCell is a senior staff attorney at the Knight First Amendment Institute. Her litigation focuses on freedom of speech on social media, government surveillance of speech at the border, and digital-age threats to freedom of the press.

Entity:
Topic: