Court Tosses Lawsuit Against NSO Group Brought By Murdered Journalist Jamal Khashoggi’s Widow (original) (raw)

from the may-eventually-find-justice-but-not-by-going-this-route dept

Jamal Khashoggi, a dissident journalist often critical of the Saudi government, was murdered by Saudi government agents while inside the Saudi consulate in Istanbul, Turkey. He wasn’t just murdered. His body was dismembered. All of this was captured by hidden recording devices placed by the Turkish government in the Saudi consulate.

The Saudi government is — or at least, was — a customer of Israeli exploit developer, NSO Group. For years, NSO Group sold its powerful phone malware to some of the world’s most notorious human rights abusers. On that list is the Saudi government — a point it drove home by luring legal US resident (and Washington Post journalist) Jamal Khashoggi to its consulate for the sole purpose of erasing him from human existence.

NSO knew who it was selling to. It just didn’t care. It didn’t care until several months of increasingly negative coverage forced multiple countries to issue sanctions, open investigations, and — in the case of its homeland — finally restrict which countries it could sell to.

This has also led to NSO being sued multiple times by people targeted by its spyware as well as by US tech companies whose infrastructure and communication services were used to infect targeted devices.

NSO Group will be walking away from at least one lawsuit, though. Hanan Elatr, Khashoggi’s widow, sued NSO, along with Q Cyber Technologies, another malware manufacturer. Elatr alleged multiple injuries stemming from the infection of her two phones by NSO’s Pegasus malware, a zero-click exploit. These infections were confirmed by Toronto’s Citizen Lab, which has uncovered dozens of similar infections of journalists, dissidents, government critics, and human rights advocates over the past few years.

Among the violations listed in Elatr’s suit are violations of Virginia’s Computer Crimes Act and the CFAA. On top of that, there are counts of negligence and intentional infliction of emotional distress. Elatr alleges her phones were infected to make it easier for the Saudi government to locate Jamal Khashoggi, an effort that ultimately resulted in his murder by Saudi security personnel.

Unfortunately, as horrific as this crime was, there’s no reason to believe NSO Group was complicit, at least not in the legal sense. NSO Group’s business model is unethical. But it’s not illegal. And it can’t be held directly responsible for the acts of its customers, especially when there’s a lot of missing connective tissue between selling malware to the Saudi government and the Saudi government deciding to murder someone on foreign soil.

Sure, NSO is obviously aware it’s been selling oppression enhancement software to some of the worst people on earth. And while it’s capable of comprehending the damage it’s helping create, it is not (at least I hope it isn’t) conspiring with foreign governments to commit acts of brutality.

Whether or not NSO can even be considered legally culpable in any way for acts of violence by its customers isn’t up for debate in this case. The real problem with this lawsuit is there’s nothing connecting NSO Group, the Saudi government, and the murder of a journalist on (technically) Saudi soil located in Istanbul, Turkey. On top of that, most of the detected infections of Hanan Elatr’s phones appeared to have been initiated by the United Arab Emirates government, another one of NSO’s detestable customers.

NSO moved to dismiss the lawsuit, first by claiming it had “derivative sovereign immunity” as a foreign company. The court notes this argument just doesn’t work, having already been rejected by the Ninth Circuit Appeals Court when NSO attempted to escape the lawsuit brought by WhatsApp. The Foreign Sovereign Immunities Act (FSIA) does not cover private companies. It’s as simple as that.

More to the point is the lack of jurisdiction. It doesn’t really matter what either party argues. There’s nothing tying any of them to Virginia other than Elatr’s current residence in Virginia. Since the alleged phone infections occurred in 2018, when Elatr was located in Dubai working as a flight attendant for Emirates Airlines, none of the alleged injuries were sustained in Virginia.

Despite alleging that the surveillance was ongoing in this district, and that NSO Group “and its clients” targeted plaintiff, the Complaint fails to include any non-conclusory allegations regarding how long and where plaintiff had been living in the district, and how NSO Group specifically participated in the surveillance of her phones while she was in Virginia, as opposed to the conduct that may have happened while she was overseas or travelling for work as flight attendant for Emirates Airlines. Nor does the Complaint allege facts that counter defendants’ argument that non-party Saudi and Emirati governments were using the Pegasus technology to surveil plaintiff.

On top of that, there’s no evidence NSO Group had anything to do with the targeting of Elatr. It provided the malware, but the targeting was done by foreign governments that aren’t named as defendants. (Sovereign immunity would likely apply if they were.)

While the court doesn’t particularly care for NSO Group’s repeated assertions it’s indistinguishable from the Israeli government in terms of immunity, it also says it can’t be sued in Virginia. It may not even be able to be sued at all by Khashoggi’s widow, no matter where the legal action is filed, because it did not infect her phones, nor did it directly engage in surveillance of her devices.

Khashoggi’s widow will have to seek justice elsewhere. But given the shamelessness of the Saudi government and its unwillingness to take responsibility for a murder it ordered, it’s unlikely going after the murderers directly is going to result in anything more than years of frustration.

Filed Under: cfaa, hanan elatr, jamal khashoggi, liability, saudi arabia, spyware, surveillance
Companies: nso group, q cyber technologies