Human rights groups join WhatsApp suit against Israel spyware vendor

A coalition of human rights groups Wednesday joined WhatsApp’s lawsuit against Israeli spyware vendor NSO Group and accused the company of selling Pegasus surveillance software to government agencies to target human rights activists under the guise of terrorism laws. The groups filed an amicus brief before the U.S. Court of Appeals for the Ninth Circuit, alleging that NSO Group’s use of surveillance software violates free speech and privacy rights under international law. The rights coalition included Amnesty International, Committee to Protect Journalists, Internet Freedom Foundation, Paradigm Initiative, Privacy International, Red en Defensa de los Derechas Digitales, and Reporters Without Borders.

NGO attorney Kyle McLorg noted in the brief that surveillance technology “threaten[s]” rights to “free expression” and “privacy,” which “international law recognizes as foundational.” He further argued that states might not adopt counterterrorism measures to justify government intrusions, adding that these “justifications should be limited to situations in which the interest of the whole nation is at stake, rather than the interests of the government, a regime, or a power group alone.”

NSO Group has not responded to these allegations but previously argued that it is protected by the sovereign immunity doctrine. This doctrine shields foreign governments from lawsuits when national security issues are implicated because it supplies government and spy agencies with digital break-in tools “necessary for public safety.”

Advocacy Director at the Committee to Protect Journalists Courtney Radsch disagrees. “The repeated and extensive use of NSO Group’s Pegasus spyware to target journalists and their networks contradicts the claims that Pegasus is only used to combat terrorism or criminal activities.”

WhatsApp and parent company Facebook sued NSO last year in the Northern California District Court for hacking the WhatsApp server to plant Pegasus spyware on 1,400 user devices worldwide in violation of the U.S. Computer Fraud and Abuse Act (CFAA) and California Comprehensive Data Access and Fraud Act. These attacks targeted devices belonging to journalists, lawyers, religious leaders, and political dissidents.