Commercial spyware is a dictator’s dream come true. Spyware can give attackers total access to a device’s contents—text messages, photos, contacts, emails, applications, and so forth—and can enable remote activation of its microphone and camera. Spyware thus turns devices that the Supreme Court has described as “a pervasive and insistent part of daily life” into pervasive surveillance tools.
Repressive regimes have used spyware to surveil and intimidate dissidents, activists, journalists, and political opposition figures around the world, violating a host of human rights in the process. Seeking to hold spyware companies accountable for their abuses, some victims have sued them in U.S. court, as have U.S. technology companies whose products have been hijacked to deliver spyware to their users. In response, spyware companies have raised a litany of procedural defenses, from foreign sovereign immunity to lack of personal jurisdiction. One company recently invoked the common law doctrine of forum non conveniens (FNC), arguing that the United States is an inconvenient forum for claims based on the transnational deployment of spyware.
Spyware attacks not only violate the right to privacy but also threaten the freedoms of expression, of association, and of the press, and democracy more broadly. Reporters, security researchers, and advocacy groups have called attention to these attacks for years. Security researchers at Citizen Lab and Amnesty International’s Security Lab, among others, detected spyware attacks targeting pro-democracy protesters and activists in Thailand; human rights lawyers and investigative journalists in India; political opposition figures in Poland; Lama Fakih, a prominent Lebanese activist and Human Rights Watch director; and affiliates of the murdered Washington Post columnist Jamal Khashoggi. Multi-outlet journalism initiatives like the “Pegasus Project” and the “Predator Files” have conducted in-depth investigative reporting to bring these kinds of attacks to public attention.
Concerned that the proliferation of foreign commercial spyware poses threats to both U.S. national security and international human rights, the Biden administration has taken direct action against spyware companies. First, it added multiple spyware companies to the Department of Commerce’s “Entity List,” restricting their use of U.S. technology as part of an export control regime designed to prevent the proliferation of dangerous weapons. Then, it issued an executive order restricting the U.S. government’s own use of foreign commercial spyware that poses national security threats or has been linked to human rights abuses.
Meanwhile, several lawsuits attempting to hold spyware companies accountable for their role in these abuses are currently pending in U.S. courts. For example, journalists and members of the Salvadoran newsgroup El Faro sued Israeli spyware company NSO Group, whose Pegasus spyware was used to infect their phones hundreds of times between June 2020 and November 2021—a period during which the outlet published multiple stories critical of the Salvadoran government. (Am. Compl., Dada v. NSO Group, No. 3:22-cv-07513 (N.D. Cal. Dec. 16, 2022).) (We, along with our colleagues at the Knight First Amendment Institute at Columbia University, represent the plaintiffs in that case.) Loujain al-Halthloul, a human rights activist who led the campaign to win women the right to drive in Saudi Arabia, sued Emirati spyware company DarkMatter, which allegedly hacked her device to enable real-time monitoring of her location and communications, ultimately leading to her arrest, detention, and torture. (Am. Compl., AlHathloul v. DarkMatter Grp., No. 3:21-CV-01787-IM (D. Or. Mar. 16, 2023).) Hanan Khashoggi, the widow of Jamal Khashoggi, sued NSO Group, alleging that its spyware was used to surveil her communications with her husband for nearly a year leading up to his murder. (Khashoggi v. NSO Group., No. 123CV779LMBLRV, 2023 WL 7094558 (E.D. Va. Oct. 26, 2023).) Apple and WhatsApp have also sued NSO Group, claiming that the company exploited their products to deliver its spyware to their users. (See Compl., Apple v. NSO Group, No. 3:21-cv-09078-JD (N.D. Cal. Nov. 23, 2021); Compl., WhatsApp v. NSO Group, No. 4:19-cv-07123-PJH, 472 F. Supp. 3d 649 (N.D. Cal. Oct. 26, 2023).)
The defendant spyware companies have raised numerous procedural objections in each of these cases. In the WhatsApp case, NSO Group litigated a claim to foreign sovereign immunity all the way to the Supreme Court, insisting that it sells its spyware only subject to Israeli government approval and only to other government clients; the Ninth Circuit rejected that claim, and the Supreme Court rejected the defendants’ petition for certiorari. (WhatsApp Inc. v. NSO Grp. Techs. Ltd., 17 F.4th 930, 940 (9th Cir. 2021), cert denied, NSO Grp. Techs. Ltd. v. WhatsApp Inc., 143 S. Ct. 562 (2023).) DarkMatter initially prevailed on a motion to dismiss the AlHathloul case for lack of personal jurisdiction, and it has moved again to dismiss AlHathloul’s amended complaint. Most recently, NSO Group argued that the courts should dismiss the WhatsApp, Apple, and Dada cases on grounds of FNC.