Microsoft is joining forces with other major tech companies taking legal action against one of the world's leading spyware vendors.
The amicus brief supports an ongoing lawsuit between Facebook and the spyware vendor NSO Group, whose spyware has been used to hack thousands of devices.
Microsoft Lends Support to Battle Against Spyware Vendor
In October 2019, Facebook and WhatsApp filed a lawsuit against the notorious spyware vendor, NSO Group. The lawsuit claimed that the NSO Group was exploiting a WhatsApp vulnerability to install its flagship spyware tool, known as Pegasus, on target devices.
NSO Group initially dismissed the allegations. Central to its rebuttal was that as the spyware vendor dealt with foreign governments, it should be afforded immunity from any lawsuits or prosecution under the Foreign Sovereign Immunity Act (FSIA).
In July 2020, Phyllis Hamilton, Chief Judge of the United States District Court of the Northern District of California, dismissed the NSO Group's claims and confirmed that the lawsuit could progress.
Fast forward to December 2020. Microsoft, Google, Cisco, VMware, and the Internet Association have filed an amicus brief [PDF] supporting Facebook's legal case against the NSO Group.
Microsoft Corporate Vice President Tom Burt explained the reasons behind the companies support in a Microsoft On the Issues blog post.
We believe the NSO Group's business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions.
"Cyber Mercenaries Don't Deserve Immunity"
The blog post breaks down opposition to providing the NSO Group with immunity into three critical areas.
First, "their presence increases the risk that the weapons they create fall into the wrong hands." As we've seen all too many times, powerful espionage tools like Pegasus never remain in the hands of the developer. Inevitably, they'll end up in use by criminals or even by other governments against their citizens or political targets.
Second, "private-sector companies creating these weapons are not subject to the same constraints as governments." Governments developing offensive cyber weapons are subject to international law and regulations against the targeting of civilians, journalists, and officials.
Third, "companies like the NSO Group threaten human rights whether they seek to or not." Private-sector offensive actors like the NSO Group develop powerful offensive tools and offer them for retail, regardless of who the tool will be used against.
Pegasus has been used thousands of times in recent years to target journalists and political dissidents and is linked to the brutal murder of Saudi journalist Jamal Khashoggi.
The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of U.S. law. Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they're trying to achieve.