Israel’s NSO Group sued in the United States and Spain over Pegasus spyware.

In 2019, WhatsApp brought a civil action against NSO before a US district court in California seeking injunctive relief and damages. The plaintiff claimed that Pegasus is surveillance software designed to infect the mobile devices of selected WhatsApp users and secretly collect information. It works on Android, iOS, and BlackBerry operating systems. Unable to break WhatsApp’s end-to-end encryption, NSO developed Pegasus in order to access messages and other communications after they were decrypted on the targeted mobile devices. Once installed, Pegasus is capable of intercepting communications and data sent and received through WeChat, Skype, Facebook, Messenger, email, and others.

WhatsApp contended that NSO infringed the US Computer Fraud and Abuse Act and California Penal Code § 502, as well as WhatsApp’s Terms of Service.

NSO moved to dismiss, asserting that it was entitled to sovereign immunity at common law (as opposed to FISA-based immunity). It was common ground that NSO only licenses Pegasus to states and state agencies (customers) after conducting an enhanced human rights due diligence process and taking other steps designed to mitigate, prevent, and address potential misuse.

NSO does not operate the technology; the customer itself does, and NSO has no access to the customer’s data. Neither does NSO have any knowledge of the individuals whom states might be selecting for surveillance, nor of the plot they are trying to thwart. Sovereign states are normally most unwilling to share such extremely sensitive information. In sum, states themselves operate Pegasus technology in the exercise of their sovereign powers.

Moreover, NSO’s exports require a prior license from the Ministry of Defense of Israel, which conducts its own analysis of the countries of destination of the software from a human rights perspective.

According to a rule of customary international law, private entities like NSO are entitled to conduct-based sovereign immunity “to the extent they are entitled to perform and are actually performing acts in the exercise of sovereign authority of the State” (Article 2.1(b)(iv) of the UN Convention on Jurisdictional Immunities of States and Their Property). Although the United States has not adhered to this convention, most US scholars agree that it only codifies pre-existing rules of customary international law.

The district court accepted that NSO was an agent of foreign governments that acted entirely within its “official capacity”. It denied, however, that NSO was entitled to conduct-based immunity.

NSO appealed to the circuit court of appeals, which affirmed the lower court’s decision. The appeal court held that NSO did not qualify as a foreign state under the FISA. NSO then petitioned the US Supreme Court for a writ of certiorari, which was also denied.

In a joint amicus curiae submission to the Supreme Court, the Solicitor General and the Legal Adviser of the Department of State adhered to the appeal court’s arguments and opined that certiorari should be denied. This opinion may reveal some friction between the current US administration and Israel, which are supposed to be close allies on Middle East and defense issues. The United States itself was known to be a Pegasus customer.

NSO’s attorneys noted that in some post-FISA decisions, US courts erroneously treated the FISA, rather than the common law, as the source of conduct-based immunity. I am neither a US-qualified lawyer nor an expert in US law, but I would side with NSO’s attorneys on that.

For example, in Butters v Vance International, 225 F.3d 462 (4th Cir. 2000), the Fourth Circuit granted sovereign immunity to a private security firm for employment decisions it made while providing security services in the territory of the United States for and under the direction of Saudi Arabia. The Circuit’s decision makes sense, since the acts of the private security firm were entirely attributable to the foreign state.

The relevant difference between Butters and our case appears to be that in the former the private firm was incorporated in the United States, while in the latter NSO was not. Since the customary rule on sovereign immunity makes no distinction as to the nationality or place of incorporation of private entities, it is difficult to understand why US courts do. These ongoing proceedings have the potential to jeopardize foreign states’ legitimate intelligence operations and interfere with US foreign policy, circumstances that both the Solicitor General and the Legal Adviser at the State Department seem to have ignored when submitting their joint amicus.

Criminal complaints in Spain

It is known that a number of criminal complaints have been filed against NSO in Spain.

In one of them, a noted Catalan separatist lawyer, whose mobile device was reportedly infiltrated by Pegasus, accused a former director of the Spanish intelligence agency (CNI) and NSO of alleged unlawful data access and disclosure of secrets as defined in Article 197 of the Spanish Penal Code (roughly equivalent to California Penal Code § 502).

In July 2022, the media reported that the court admitted the complaint against NSO based on the “creation and provision of the Pegasus program to third parties”, as well as on all those “actions and omissions” of the company that could be susceptible to “contribute voluntarily and consciously to the verification of the infection, access and extraction of information” from the devices. The complaint and related judicial documents are expected to be served at NSO’s domicile in Israel through rogatory letters transmitted by diplomatic channels.

Other Catalan separatist leaders, who also allege that their mobile devices were infected with Pegasus, have reportedly filed similar criminal complaints. Apparently, the different competent criminal courts are reluctant to join the proceedings. The separatists claim they were victims of a massive illegal espionage scheme, known in the media as “Catalangate”, conceived to counter Catalan independentist aspirations. They rely on a technical report on Pegasus’ capabilities and operational aspects prepared by a Canadian university, which placed the blame for the alleged unlawful surveillance on the Spanish central government: “We also judge it unlikely that a non-Spanish Pegasus customer would undertake such extensive targeting within Spain…”.

The same report deduced that Spain’s CNI and Spain’s Ministry of Interior were Pegasus customers. For its part, the Spanish government assured that the CNI performs all its functions under the rule of law. It underscored that the selection of individuals for secret surveillance, as well as the methods for carrying it out, are subject to prior judicial approval by a special magistrate of the Spanish Supreme Tribunal (ST) in accordance with Organic Law 2/2002 (Sole article). The magistrate’s decisions are naturally classified.

The explanatory report (“exposición de motivos”) appended to that law explains that the government can only restrict an individual’s right to privacy when confronted with national security threats. Law 11/2002 also speaks of “threat or aggression against the independence or territorial integrity of Spain”.

It is unlikely that these criminal proceedings in Spain will reach the trial stage. It is surprising that the court did not reject the complaint “in limine” on its own motion. The acts performed by CNI directors as such are fundamentally non-justiciable and classified. The doctrine of political question (“acto político”) is applicable in civil law countries; in fact, the ST recently applied it to dismiss a criminal action.[1] It would be intriguing to know what view the prosecutor took on this.

While the CNI selects the persons for secret surveillance and the methods for carrying it out, intelligence policies and objectives are defined by the central government in an annual document called the “Intelligence Directive”, which is classified (Article 3, Law 11/2002).

It must be said here again that NSO does not operate Pegasus; states themselves do so in the exercise of their sovereign powers. For the sake of brevity, I refer to the arguments on this specific issue set forth when discussing the WhatsApp v NSO case above.

Under the circumstances, it would be illogical and biased for the Spanish court to dismiss the complaint against the former CNI director while proceeding against NSO alone.

Pre-sale human rights due diligence

In conducting its pre-sale human rights due diligence, NSO most probably considered that Spain is an EU and NATO member and a democratic country by all standards. Spain’s intelligence laws, namely Law 11/2002 and Organic Law 2/2002, although not perfect, conform to modern legislative patterns.

Organic Law 2/2002 expressly provides, as discussed, that any measure involving secret interception of electronic communications of an individual requires prior approval by the ST. The CNI’s requests for approval must contain a reasoned opinion as to the necessity and proportionality of the targeted interception.

Law 11/2002, for its part, provided for the establishment of a parliamentary commission with powers to oversee the CNI’s activities and examine related classified documents, with a few named exceptions, such as materials obtained from foreign intelligence agencies (Article 11). This commission was convened after “Catalangate” with parliamentarians from Catalan and Basque secessionist political parties in attendance.

Nothing prevents those individuals who were victims of alleged unlawful interception (or those who have reason to believe that they were) from submitting their case to that commission, but the commission can only take note of the situation, without any power to order a remedy or reparation for the injury caused (which is logical given the principle of separation of powers). My recommendation for the Spanish government would be to establish an independent commission with judicial office to provide adequate redress for potential victims’ complaints, in the fashion, for example, of the G-10 Commission in Germany.[2]

For its part, Organic Law 2/2002 also provides for (i) time limits on the duration of secret surveillance measures, normally three months, renewable with the approval of the ST, and (ii) the destruction of gathered data considered irrelevant for the required purposes.

After considering the political climate in Spain and these statutory provisions, NSO surely concluded that (1) overall, the latter provided adequate safeguards to prevent abuses of power to the detriment of the right of individuals to privacy and (2) the risk of potential misuse of its technology was low.

This case shows how a proper pre-sale human rights due diligence may become an effective defensive shield in court.

A potential move to the ECtHR

If these criminal actions are ultimately dismissed in their entirety (and local judicial remedies are exhausted), complainants can move to the ECtHR and attempt to blame Spain for breaching its positive obligations to protect the right of individuals to private life under Article 8 ECHR. Perhaps this is the ultimate intention of the complainants as part of their efforts to internationalize the Catalan independence cause and expose Spain as a country that does not care about human rights.

However, as a matter of iron principle, the ECtHR has consistently recognized that member states may restrict the right of individuals to privacy under Article 8 in the interest of national security. To this end, the ECtHR has laid down the safeguards that democratic states must observe when conducting lawful cyber intelligence operations.[3]

The ECtHR’s scope of review in these cases is quite narrow, though. The ECtHR cannot and will not look into the merits and propriety of the specific secret surveillance measures alleged in the complaint. In the first place, the ECtHR will likely uphold that states can conduct secret surveillance for legitimate intelligence purposes.

Then the ECtHR will probably undertake a thorough examination of Spanish law in the abstract and decide whether it provides adequate safeguards to prevent abuses of power to the detriment of the right of individuals to privacy. This is to determine “the quality of the law”, in the court’s own words. On this basis, the court normally decides whether a member state is complying with Article 8.

Under the circumstances, even if Spain is found in violation of Article 8, which seems unlikely in my view, the ECtHR’s judgment will have little practical effect beyond attracting media attention and reputational consequences. Complainants can also obtain costs and damages, provided they were requested in the original complaint. The Spanish central government will also be under some pressure to address the matter in future legislative reforms in order to avoid new negative human rights rulings.

Complainants may also argue that Pegasus is extremely invasive and that states using it would therefore be in violation of Article 8. My view is that the ECtHR will be unimpressed by this argument. The court cannot but conclude that states themselves operate Pegasus technology in the exercise of their sovereign powers.

In the well-known and recent “Big Brother Watch v United Kingdom” case, the ECtHR ruled that bulk data interception was compatible with Article 8.[4] Here the United Kingdom conducted massive data interception with the assistance of the powerful PRISM and UPSTREAM systems, which are designed and operated by the United States National Security Agency (NSA). This issue came to public knowledge after Edward Snowden’s revelations about the NSA’s activities.

The ECtHR nevertheless found that British law, specifically the Regulation of Investigatory Powers Act 2000 (RIPA), lacked an “independent body” to pre-authorize bulk interception of data and lacked “end-to-end” safeguards to ensure that interferences with Convention rights were necessary and proportionate. On this basis, the ECtHR held that “there has been a violation of Article 8 of the Convention …”. The court granted costs to the complainants. For many, from the perspective of complainants and data privacy advocates, this outcome before the ECtHR can be considered at best a Pyrrhic victory.

[1] Resolution (“auto”) of November 26, 2020. Second Chamber of the Supreme Tribunal. Case 20084/2020.

[2] ECtHR, “Weber and Saravia v Germany”, 29 June 2006.

[3] For example, in situations of targeted interception, “Weber and Saravia v Germany”, 29 June 2006; in situations of bulk interception, “Big Brother Watch and Others v the United Kingdom”, 25 May 2021.

[4] “Big Brother Watch and Others v the United Kingdom”, as in footnote 3.