WhatsApp took NSO to court in 2019 in California saying the company had used its servers to hack 1,400 users of the messaging app Photo: Shutterstock

Israeli spyware firm NSO Group faces a lawsuit from WhatsApp in the US after an appeals court in California threw out a claim of immunity from the company, which has back-office entities in Luxembourg.

WhatsApp in 2019 had launched legal proceedings against NSO over allegations that around 1,400 users of the messaging app were hacked using the company’s spyware. WhatsApp says this included at least 100 civil society members, such as journalists or activists.

The Pegasus revelations this year provided evidence of the widespread use of NSO software by governments to spy on opposition groups, dissidents, activists and journalists. The leak included a list of 50,000 potential targets although it is not clear how many of them were actually hacked.

NSO Group has denied any wrongdoing, saying its customers include vetted government clients who buy the software to combat crime and terrorism. It said it doesn’t know how clients use the programme and sought immunity, which was denied.

Luxembourg prime minister Xavier Bettel (DP) said in an interview last month that the country’s secret service had also purchased the technology. However, he later said that he had more generally spoken about surveillance software.

NSO can escalate the matter to the US supreme court. And the case is far from over. The next phase of the proceedings in California, where WhatsApp parent Meta is based, will establish whether NSO can be held responsible for the attacks.

Monday’s court decision came after the Biden administration on 3 November said it had put NSO on a commerce department blacklist for engaging in activities contrary to US foreign policy and national security.

Due diligence

Luxembourg’s foreign ministry earlier this year confirmed that NSO operates in the grand duchy, saying they carry out back-office activities. None of the entities are authorised to export cyber-surveillance products.

“Luxembourg will not, under any circumstances, tolerate that export operations from Luxembourg contribute to human rights violations in third countries and will ensure, if applicable, to take the necessary measures to remedy any violation of human rights and to prevent future violations,” foreign minister Jean Asselborn (LSAP) said in July.

NSO’s ties to Luxembourg prompted calls from activists for the country to adopt human rights due diligence laws, obligating countries to ensure human rights standards along their value and supply chains.

The country has a due diligence action plan, which is mostly based on voluntary commitments by companies, and has said it would wait for an EU proposal on a bloc-wide directive setting minimum due diligence standards. A public consultation on a draft from Brussels is currently ongoing.

Luxembourg from January 2022 will be a member of the for a period of three years.