Shortwave: Supreme Court Says NSO Group Must Fight Meta’s Lawsuit

This week, the Supreme Court of the United States (SCOTUS) rejected the NSO Group’s bid to have the court hear and reverse an appeal court’s ruling against the company’s argument it deserves immunity from Meta/WhatsApp’s lawsuit. As a result, Meta/WhatsApp’s suit can proceed over its claims that the NSO Group violated the “Computer Fraud and Abuse Act” when its spyware program, Pegasus, used vulnerabilities in WhatsApp to surveil over 1400 users. This action is currently before a U.S. District Court, and WhatsApp is further claiming that the NSO Group violated the “California Comprehensive Computer Data Access and Fraud Act” and committed a breach of contract and trespass to chattels.

Israel’s NSO Group had argued unsuccessfully in U.S. District Court and before the U.S. Court of Appeals for the Ninth Circuit that as an agent of foreign governments it deserved the same immunity foreign governments often enjoy in U.S. courts. Without explaining, SCOTUS denied the company’s writ of certiorari, sending the case back to the trial court. For whatever it’s worth, the Biden Administration argued against the NSO’s claim it was entitled to sovereign immunity.

And this is not the only suit the NSO Group faces. In late 2021, Apple announced it was also suing “to hold it accountable for the surveillance and targeting of Apple users.” The company is “seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.”

More recently, Columbia University’s Knight First Amendment Institute, 15 journalists and “other members of El Faro, one of the leading sources of independent news in Central America” “filed suit in U.S. federal court against NSO Group, the company whose malicious surveillance software was used to infiltrate their iPhones and track their communications and movements surreptitiously.”

The previously unknown NSO Group first came to the attention of policymakers and the public in 2019 for providing the surveillance technology related to the death of U.S. journalist Jamal Khashoggi and surveilling some of the journalists investigating and alleged victims of former movie studio head Harvey Weinstein. In 2021, a consortium of media outlets wrote a number of articles on the “Pegasus Papers,” “[a]n unprecedented leak of more than 50,000 phone numbers selected for surveillance by the customers of the Israeli company NSO Group shows how this technology has been systematically abused for years.”

In response, governments around the world have also increased their scrutiny of the NSO Group and competitors in the private surveillance world no doubt in small part to revelations that governments had used Pegasus to spy on other governments. Most notably, French officials were surveilled through Pegasus spyware placed on their phones by the Moroccan government. In November 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) added four companies, including the NSO Group, to the Entity List, which is essentially a blacklist of companies with which other companies cannot do business unless they don’t mind hazarding U.S. sanctions. And, the Biden Administration may not be done. Last fall, two agencies responded to House Democratic lawmakers and explained they are “preparing an Executive Order to prohibit U.S. Government operational use of commercial spyware that poses counterintelligence or security risks to the United States or risks of being used improperly.” A committee in the European Parliament is investigating the company and there is legislation pending that could severely curtail companies like the NSO Group in the EU.

Tech Crunch; Reuters; The Register; NBC News; Associated Press; New York Times

The United States (U.S.) Department of Justice (DOJ) announced “it has reached a key milestone in its settlement agreement with Meta Platforms Inc. (Meta), formerly known as Facebook Inc., requiring Meta to change its advertisement delivery system to prevent discriminatory advertising in violation of the Fair Housing Act (FHA)” and “Meta has now built a new system to address algorithmic discrimination.” The DOJ and U.S. Department of Housing and Urban Development (HUD) had filed suit against Facebook claimed the company “delivery algorithms introduce bias when delivering advertisements, resulting in a variance along sex and estimated race/ethnicity between the set of users who are eligible to see housing advertisements based on the advertiser’s targeted audience and the set of users who actually see the advertisement.”

The United States (U.S.) Federal Trade Commission increased fines for some violations of the FTC Act from $46,517 to $50,120.

The United Kingdom has “amended the Building Regulations 2010 to ensure that new homes constructed in England will be fitted with infrastructure and connections capable of delivering gigabit broadband - the fastest internet speeds on the market.”

The European Parliament said that “[c]ryptocurrencies, artificial intelligence, semiconductors and data sharing” will be on its agenda for 2023.

Outgoing District of Columbia Attorney General Karl A. Racine announced that “Google will pay $9.5 million to resolve allegations that it deceived and manipulated consumers to gain access to their location data, including making it nearly impossible for users to stop their location from being tracked.”

France’s Commission Nationale de L'Informatique et des Libertes (CNIL) “imposed an administrative fine of 8 million euros on [Apple] because it did not collect the consent of iPhone's French users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals” and “imposed a penalty of 60 million euros on [Microsoft], in particular for not allowing the users to refuse cookies as easily as accepting them.”

The United States (U.S.) Consumer Financial Protection Bureau (CFPB) releasedan annual report and CFPB Director Rohit Chopra asserted that “TransUnion, Equifax, and Experian routinely top the list of complaints submitted by consumers…[and] [w]e will be exploring new rules to ensure that they are following the law, rather than cutting corners to fuel their profit model.”

Deutsche Telekom AG, Orange S.A., Telefónica, S.A., and Vodafone Group Plc notified the European Commission (EC) that they are seeking approval to form a joint venture that “will offer a privacy-led, digital identification solution to support the digital marketing and advertising activities of brands and publishers.”

The United States (U.S.) Federal Communications Commission “launched a proceeding to strengthen the Commission’s rules for [telecommunications carriers] notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).”

The United States (U.S.) the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) issued “a technical rule to improve and modernize aspects of the Protected Critical Infrastructure Information (PCII) Program, which provides legal protections for cyber and physical infrastructure information submitted to DHS.”

France’s Commission Nationale de L'Informatique et des Libertes (CNIL) reminded stakeholders that “[a]s of 27 December 2022, data exporters and importers will no longer be able to rely on the previous standard contractual clauses from the European Commission (EC) and will either have to use the clauses updated in 2021 or use another transfer tool.” In June 2021, the EC “issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).”

“McCarthy's fast start: Big Tech is a top target” — Axios

“Serbian government reports ‘massive DDoS attack’ amid heightened tensions in Balkans” — The Record

“Facebook Starts Effort to Boost Equity in Housing Ads” — Wall Street Journal

“Exclusive: Russian hackers targeted U.S. nuclear scientists” — Reuters

“Come to the ‘war cry party’: How social media helped drive mayhem in Brazil” — Washington Post

“CES 2023: Tech legislation is shifting from antitrust focus to broadband, cybersecurity” — Marketwatch

“US tech giants say Indian panel’s recommended competition act ‘absolutist and regressive’” — Tech Crunch

“WhatsApp Launches a Tool to Fight Internet Censorship” — WIRED

“Schools sue social networks, claim they “exploit neurophysiology” of kids’ brains” — Ars Technica

“German finance regulator warns of 'Godfather' malware attacks” — Reuters

“Congress tightens screws on Chinese tech purchases, collaboration” — Roll Call

“Kyiv argues Russian cyberattacks could be war crimes” — Politico EU

“Facebook’s Bridge to Nowhere” — New York Times

“England just made gigabit internet a legal requirement for new homes” — The Verge

“Meta's Oversight Board tells company to allow 'death to Khamenei' posts” — Reuters

“Beijing Signals Two-Year Internet Crackdown May Be Coming to an End” — Wall Street Journal

“The attack on Brazil's Congress was stoked by social media — and by Trump allies” — NPR

“EU Commissioner says he will remind TikTok CEO to respect EU rules” — Reuters

“China-Australia lithium tie-up highlights symbiotic bond, ‘mutual respect’ amid green energy drive” — South China Morning Post

§ 16 January

o   The United Kingdom’s House of Commons Treasury Committee will hold a formal meeting (oral evidence session)on the crypto-asset industry.

§ 17 January

o   The United Kingdom’s House of Lords Communications and Digital Committee will hold a formal meeting (oral evidence session)on the Online Safety Bill.

§ 26 January

o   The United States Federal Communications Commission will hold an open meeting.

§ 1 February 2023

o   The Colorado Attorney General will hold a rulemaking hearing on the draft regulationsproposed to implement the “Colorado Privacy Act.”

§ 29 and 30 April 2023

o The G7 Digital and Technology Ministers' Meeting will take place.

Photo Credits