
Regulating Spyware Through Criminal and Civil U.S. Law


Spyware refers to a class of malicious software that can secretly infiltrate computer systems and monitor the activities of their users. There is a booming international market for spyware: between 2011 and 2023, at least 74 governments purchased spyware or digital forensics technology from private companies. One such company, NSO Group, recently made headlines as its Pegasus software was found on the phones of activists, journalists, and government officials worldwide. Pegasus has been found to use “zero-click” exploits, meaning it can be installed on a target’s device without requiring the victim to download or click on anything. Once installed, the software is able to record and report data from a phone’s location sensors, camera, microphone, memory and hard drive. The Pegasus Project, an investigation led by 17 media organizations, revealed that Jamal Khashoggi and his close family members’ devices had been “infected” with Pegasus shortly before his brutal murder by the Saudi government.1 The Project has found that a number of authoritarian governments have purchased the software to target political dissidents. In response, a growing number of legal cases seek to hold NSO Group accountable for its software’s role in those harms.

One recent case was filed by Whatsapp in 2019 against NSO Group. Whatsapp alleged that NSO Group exploited a weakness in the communication platform’s software and downloaded its spyware onto the mobile devices of 1400 users.2 More than a hundred of these3 were confirmed to be human rights activists and attorneys, journalists and diplomats.4 NSO Group had allegedly found a flaw in Whatsapp’s end-to-end encryption system which enabled it to access the messages, locations, and calls of targeted devices. Whatsapp claims that its terms of service were violated by the malware, and requested damages and permanent injunctive relief to block the defendants from accessing Whatsapp and Facebook computer systems. The plaintiffs brought four causes of action: a violation of Section 1030 of the Computer Fraud and Abuse Act (CFAA), a violation of Section 502 of the California Comprehensive Computer Data Access and Fraud Act, breach of contract, and trespass.5 This article will focus on the first claim, and more particularly on the suitability of the CFAA to combat malicious uses of spyware. The Electronic Communications Privacy Act (ECPA) will also be examined as an alternative solution to litigate wrongful uses of spyware at the federal level, using Whatsapp v. NSO Group as a case study.

The CFAA

Whatsapp asserted claims against NSO Group under CFAA 18 USC §1030(a)(2), §1030(a)(4) and §1030(b),6 which in broad terms stipulate that “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains [information from any protected computer]”7 is guilty of an offense. A “protected computer” is one that is “used in or affecting interstate or foreign commerce or communication.”8

Observers have questioned whether the CFAA is the correct tool for litigating the harms alleged in Whatsapp v. NSO Group. Indeed, Whatsapp is wading into “[u]ncharted legal waters,” as the courts have not yet settled a case where an encrypted communications platform sued a private company for bypassing its encryption.9 One of Whatsapp’s main arguments is that NSO Group breached its terms of service, which NSO Group agreed to numerous times when it created various Whatsapp accounts that were then used to reverse-engineer the Whatsapp app.10 This could fulfill the CFAA’s requirement that the plaintiff’s computer be accessed “without authorization or exceed[ing] authorized access”. This is a tricky argument, however, as the devices that were accessed were those of the targeted Whatsapp users, and not Meta’s servers. Furthermore, the Ninth Circuit has held that breaching a terms of service agreement is not sufficient in itself to violate the CFAA without, for instance, ignoring an earlier cease-and-desist letter.11 In this case, nothing indicates that Whatsapp sent such a letter or attempted to block NSO Group’s Whatsapp accounts, which means that they will not be able to base their CFAA violation claim on the terms of service violation alone.12

NSO Group has also argued that it should not be held responsible for how governments choose to use its software. Indeed, many of the alleged victims were situated in countries whose governments are known customers of NSO Group. For example, Whatsapp’s claims are based in part on users in Bahrain, the United Arab Emirates, and Mexico, which is considered a “ravenous client” of NSO Group.13 It seems likely that the nation-state customers, rather than NSO Group itself, were primarily responsible for choosing where and how to deploy Pegasus.14 Some experts believe that holding software manufacturers liable for the use of that software by a third party “could create a new, very broad precedent.”15 Nonetheless, the U.S. District Court for the Northern District of California found that NSO Group had “retained some role” in the use of its spyware, “even if it was at the direction of their customers”.16

Perhaps ironically, NSO Group has also argued that it should be protected by foreign sovereign immunity under the 1976 Foreign Sovereign Immunities Act (FSIA) as it acted on behalf of nation-states. It has stated that it was acting as an “agent” for foreign governments, which would entitle it to “derivative sovereign immunity.”17 This argument was rejected by a California district court and then the U.S. Appeals Court for the Ninth Circuit,18 with a petition for certiorari denied.19 Thus, private entities acting as agents for foreign governments may not seek common law immunity under the FSIA. This seemed to be a predictable outcome, not least because NSO Group has been placed on the U.S.’s Entity List for being “contrary to U.S. national-security and foreign-policy interests”.20

The ECPA

Another statute that could be used to prosecute spyware companies is Title I of the Electronic Communications Privacy Act, otherwise known as “the Wiretap Act.” Whilst this statute was not used in Whatsapp’s claim against NSO Group, it could be an effective tool in similar cases. It makes it illegal for “any person” to “intentionally intercept [...] any electronic communication”, and to use21 or disclose22 illicitly intercepted information.23 There is no requirement that the infected device be a “protected computer”, which makes the Wiretap Act an ideal legal instrument to prosecute malicious uses of spyware against ordinary members of civil society. Indeed, the U.S. Department of Justice has stated that “[p]rosecutors should consider whether the Wiretap Act applies whenever a case involves spyware users and manufacturers.”24 The interception has to be done with a “device”, and at the same time as the transmission of the concealed information.25 It is also irrelevant whether the defendant was conducting “personal investigations into crime or malfeasance.”26 NSO Group has repeatedly claimed that its software is used for straightforward law enforcement, and it sometimes is: European investigators have used Pegasus in efforts to take down a global child-abuse ring and prevent terrorist attacks;27 and Mexican authorities used the software in the investigation of El Chapo, the infamous drug lord.28 Nonetheless, Pegasus has been sold to a number of authoritarian regimes, and even made accessible to Mexican drug cartels by some Mexican government officials.29 If the company can be prosecuted for the misuse of its software by its customers, then its primary mission of law enforcement will not shield it from scrutiny.

§2512 of the Wiretap Act applies to “any person who intentionally manufactures [...] any electronic [...] device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications” and that the device will be “transported in interstate or foreign commerce”. It thus seems that spyware manufacturers could be held liable for their clients’ actions, especially where those clients are governments with a known track record of human rights abuses. In 2014, §2512 of the Wiretap Act was successfully used to prosecute a Danish citizen residing in Pakistan for commercializing the “Stealthgenie” program, which helped individuals spy on their romantic partners.30

The statute contains several exceptions and defenses, notably if the defendant was “acting under color of law.”31 However, government employees are not necessarily “acting under color of law,”32 and an exception-to-the-exception applies if the interception is done “for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.”33 Furthermore, §2512 of the Wiretap Act doesn’t apply to “an officer, agent, or employee of [...] the United States, a State, or a political subdivision thereof, in the normal course of [their] activities.”34 Nonetheless, it is unclear whether this defense applies to foreign governments acting in their law enforcement capacities if they target U.S. residents or use U.S. infrastructure.35 Thus, the Wiretap Act seems to be an effective legal instrument to prosecute the excessive and dangerous uses of spyware.

Concluding remarks

Spyware is becoming increasingly effective and complex. The current legislation is not equipped to adequately regulate malicious uses of spyware, especially where spyware companies are mere proxies for surveillance operated by foreign governments. This has clear democratic repercussions, as journalists and activists are common targets. The most adequate legislative tools so far in the United States seem to be the ECPA and the CFAA. Whatsapp is wading into novel legal waters in its CFAA claim against NSO Group, bringing to the surface several unanswered legal issues. It might be more prudent to litigate under the ECPA, which is broader and also regulates manufacturers of spyware devices.


1 Audrey Travère, The Rise and Fall of NSO Group, FORBIDDEN STORIES (July 19, 2021).

2 Whatsapp Can Sue Israeli Firm NSO Group, US Appeals Court Rules, ALJAZEERA (Nov 8, 2021).

3 Whatsapp Inc. v NSO Group Technologies Limited, GLOBAL FREEDOM OF EXPRESSION COLUMBIA UNIVERSITY (last visited Nov 22, 2023).

4 Ben Kochman, Facebook Enters Uncharted Legal Waters With Spyware Suit, LAW 360 (Nov 8, 2019).

5 Whatsapp Inc. v NSO Group Technologies Ltd. supra note 3.

6 Jonathon W. Penney & Bruce Schneier, Platforms, Encryption, and the CFAA: The Case of WhatsApp v. NSO Group, 36 BT L. REV. 469, 482 (2021).

7 18 U.S.C. §1030.

8 18 U.S.C. §1030(e)(2).

9 Kochman, supra note 4.

10 Respondents Br. in Opposition to Certiorari, page 5, May 03, 2022.

11 Kochman, supra note 4.

12 Andy Greenberg, Whatsapp’s Case Against NSO Group Hinges On A Tricky Legal Argument, WIRED (Oct 29, 2019).

13 Travère, supra note 1.

14 Kochman, supra note 4.

15 Ben Kochman, 4 Cybersecurity Cases to Watch in 2023, LAW 360 (Jan 2, 2023).

16 GLOBAL FREEDOM OF EXPRESSION COLUMBIA UNIVERSITY, supra note 3.

17 Respondents Br. note 10 at 7.

18 WhatsApp Inc. v. NSO Grp. Techs. Ltd., 17 F.4th 930, 933 (9th Cir. 2021).

19 Id.

20 Respondents Br. note 10 at 2.

21 18 U.S.C. §2511(1)(d).

22 18 U.S.C. §2511(1)(c), (e).

23 18 U.S.C. §2511(1)(a), (b).

24 H. Marshall Jarrett et al., Prosecuting Computer Crimes 59 (Office of Legal Education 2010).

25 Id. at 60.

26 Id. at 62.

27 Ronen Bergman & Mark Mazzetti, The Battle for the World’s Most Powerful Cyberweapon, N.Y. TIMES (Jan 28, 2022).

28 Id.

29 Siena Anstis, Ronald J. Deibert, Émilie LaFlèche & Jonathon W. Penney, Submission of the Citizen Lab to the United Nations Working Group on Enforced or Involuntary Disappearances, OSGOODE HALL LAW SCHOOL OF YORK UNIVERSITY 10 (2022).

30 Sara Mckune & Robert Deibert, Who's Watching Little Brother? A Checklist for Accountability in the Industry Behind Government Hacking, MUNK SCHOOL OF GLOBAL AFFAIRS, UNIVERSITY OF TORONTO 12 (2017).

31 18 U.S.C. §2511(2)(c).

32 THE O.L.E., supra note 24 at 82.

33 18 U.S.C. §2511(2)(d).

34 18 U.S.C. §2512(2)(b).

35 Mckune & Deibert, supra note 30 at 12.