Why Is NSO Group Asserting Sovereign Immunity in WhatsApp Litigation?

Erik Manukyan
Friday, May 22, 2020, 9:00 AM

NSO Group filed a motion to dismiss WhatsApp’s lawsuit over the alleged hacking of 1,400 cellphones running the WhatsApp application. The motion to dismiss involved one curious claim: NSO claimed derivative sovereign immunity from suit.

The WhatsApp icon on a cell phone (Tim Reckmann/https://flic.kr/p/qnYSuc/CC BY 2.0/https://creativecommons.org/licenses/by/2.0/)

Published by The Lawfare Institute

On April 2, private surveillance company NSO Group filed a motion to dismiss WhatsApp’s lawsuit over the alleged hacking of 1,400 cellphones running the WhatsApp application. Among the laundry list of arguments made by NSO Group, the most salient was the surveillance company’s contention that its business with foreign governments entitled it to immunity from suit in U.S. court. WhatsApp, the end-to-end encrypted messaging application owned by Facebook, filed its opposition brief shortly after, challenging NSO Group’s theories for immunity.

NSO Group’s briefs attempt to claim foreign sovereign immunity in two distinct ways. First, NSO Group pairs the Foreign Sovereign Immunities Act (FSIA), the law that limits whether a foreign state can be sued in U.S. court, with Federal Rule of Civil Procedure 19 (Rule 19), the rule that governs the joinder of parties in civil lawsuits. The brief suggests that, together, these provisions disqualify this lawsuit entirely. According to NSO Group, permitting this lawsuit to continue would prejudice the interests of NSO Group’s sovereign clients who are immune from suit under the FSIA. Second, as a fallback, NSO Group asserts immunity for itself. NSO Group argues that it enjoys common law derivative immunity as the agent of sovereign governments that allegedly purchased its Pegasus malware and then used NSO Group services to spy on WhatsApp users.

NSO Group also appended to its motion to dismiss a short statement by CEO Shalev Hulio that was meant to demystify both its company policy and its relationship to sovereign clients. According to Hulio, NSO Group conditions the use of its Pegasus malware on an agreement that its “government customers” will not use the technology for “human right violations” but, instead, for law enforcement purposes and for combating terrorism. Further, Hulio denied that NSO Group manages the operation of its Pegasus technology once the software has been licensed to its clients, explaining that NSO Group offers only “technical support” and does so “entirely at the direction of their government customers.”

Though NSO Group has yet to name any of its sovereign clients, this statement by Hulio fits thematically with the foundational claim being made in NSO Group’s briefs: We didn’t hack WhatsApp; our clients did. This claim supports both of NSO Group’s immunity theories—first, that NSO Group’s foreign sovereign clients are indispensable to the resolution of this case; and, second, that any hacking attributable to NSO Group was at the direction of its sovereign customers.

FSIA and Rule 19

NSO Group never actually asserts sovereign immunity for itself under the FSIA. Indeed, any claim to derivative immunity for NSO Group under the FSIA, 28 U.S.C. §§ 1602-1611, is a nonstarter. Only foreign states and their “agenc[ies] or instrumentalit[ies]” qualify for immunity under the FSIA. Section 1603(b) of the FSIA defines an “agency or instrumentality of a foreign state” as an entity:

  1. which is a separate legal person, corporate or otherwise, and
  2. which is an organ of a foreign state or political subdivision thereof, or a majority of whose shares or other ownership interest is owned by a foreign state or political subdivision thereof, and
  3. which is neither a citizen of a State of the United States as defined in section 1332 (c) and (e) of this title, nor created under the laws of any third country.

The two parties agree that NSO Group fails to meet the second prong of this definition—it is “a for-profit commercial company” that is neither an organ of nor owned by a foreign state.

Rather, NSO Group introduces the FSIA in service of another tactic altogether. NSO Group argues that including its clients—sovereign governments that purchased NSO malware—is necessary to this case, where their absence disqualifies the lawsuit. Here’s how that tactic is meant to play out: First, NSO Group argues that it did not hack WhatsApp; its sovereign clients did. Second, since sovereign governments caused WhatsApp’s alleged injuries, they are required parties to this lawsuit. Third, as required parties, WhatsApp must join these governments to the lawsuit under Rule 19. Fourth, if the governments must be joined as required parties, but are immune under the FSIA (and thus are immune from suit in U.S. courts), then the entire lawsuit should be dismissed because a judgment in their absence will be prejudicial.

As NSO Group notes in its reply brief, Republic of Philippines v. Pimentel, a case where the Republic of the Philippines was interpled in order to resolve its claim to disputed assets, lends some support to such an argument. Under the Pimentel precedent, NSO Group correctly recognizes that “a case may not proceed when a required-entity sovereign is not amenable to suit.”

Nevertheless, its reliance on Pimentel is wanting.

First, NSO Group is a long way from proving that its government-clients are required parties under Rule 19(a)(1). NSO’s clients would be required parties only if excluding them would give WhatsApp insufficient relief, or if excluding the sovereign clients would prevent them from protecting some interest they may have in the lawsuit. Though NSO claims that WhatsApp’s complaint seeks to enjoin its clients, WhatsApp was clear in their opposition brief that they only seek relief from NSO Group. Further still, NSO Group has yet to name any of its sovereign clients or describe the nature of their interests in this lawsuit. And given that NSO Group was allegedly facilitating covert state espionage, it seems unlikely that NSO Group will name its sovereign clients.

Second, NSO Group is gaming Rule 19 and the Pimentel precedent—the court might view this unfavorably. In Pimentel, the Republic of the Philippines was named in the suit from the very beginning. It then asserted sovereign immunity under the FSIA for itself, a sovereign nation. Here, NSO Group (the defendant) appears to be pulling sovereign governments into the fray in order to use their immunity as a shield where WhatsApp, under the most probable reading of their original complaint, has not named these governments. Considering these factors, the court may well find NSO Group’s intertwined FSIA and Rule 19 argument to be too clever by half.

Derivative Immunity Under Common Law

NSO Group also asserts that it may enjoy derivative immunity, not under the FSIA, but under common law. As both parties recognize, claims of common law derivative immunity are relatively commonplace for domestic contractors working with the U.S. government. But the law is murkier where common law derivative immunity is asserted by a private company working in service of foreign governments.

Butters Theory

NSO Group cites the U.S. Court of Appeals for the Fourth Circuit’s opinion in Butters v. Vance International. In Butters, the court found that Vance International, a security firm working with the Saudi government, was derivatively immune from suit—not under common law doctrine, but under the FSIA. NSO Group, however, relies on a parallel line of analysis by the Butters court: Before holding that Vance International was derivatively immune under the FSIA, the court also suggested that derivative sovereign immunity under common law—already available to private contractors for the U.S. government—should be extended to private contractors for foreign governments. Yet WhatsApp maintains that this portion of the opinion was merely dicta—since the Butters court reached its holding under the FSIA, the discussion about extending common law sovereign immunity to agents of foreign governments was surplus. In other words, the court’s detour into common law sovereign immunity is not precedential—not in the Fourth Circuit and especially not in the Ninth Circuit.

Even more, WhatsApp contends that the Supreme Court’s opinion in Samantar v. Yousuf “abrogat[ed]” Butters. Samantar made it clear that common law immunity and immunity under the FSIA are distinct doctrines. Further, per Samantar, if a foreign state or its “agency or instrumentality” wishes to assert immunity under the FSIA, it must do so under the plain terms of the statute. The Fourth Circuit’s Butters opinion ignored the “agencies or instrumentalities” provision of the FSIA altogether. The Fourth Circuit seems to have taken for granted that the FSIA immunized Vance International, without considering, for example, whether Vance International had Saudi-majority ownership. And, despite NSO Group’s protestations, the court is overwhelmingly likely to find that the FSIA has limits.

In an attempt to preserve Butters’s relevance, NSO Group tries to cast the opinion as orthogonal to Samantar. NSO Group argues that there is no such thing as derivative sovereign immunity under statutory law. For that reason, NSO argues, Butters had to have been about common law derivative foreign immunity and not about the FSIA. This would mean that Samantar left Butters’s holding unaffected. And though this authority is from the Fourth Circuit, NSO Group might use Butters to persuade the Ninth Circuit to similarly extend the doctrine of domestic derivative common law immunity to private contractors of foreign governments. But here’s the rub: The Fourth Circuit plainly wrote that Vance was entitled to “derivative immunity under the FSIA”—that is, statutory law and not common law. Though the Butters opinion does speak supportively of derivative foreign immunity under common law, the most plausible reading of Butters is that this mention of derivative foreign immunity was merely narrow dicta that never grew into a concrete doctrine.

Further, even if the court held that Butters successfully extended domestic derivative immunity for the U.S. government’s contractors to foreign governments’ private contractors, NSO Group may still fall short. For derivative immunity, courts require that U.S. government contractors employed no discretion in their allegedly unlawful conduct and “completely followed government specifications.” NSO Group would be hard-pressed to satisfy this test under the facts currently alleged by WhatsApp, which include allegations that NSO Group reverse-engineered WhatsApp’s application and parroted WhatsApp network traffic in order to hack the subject devices. If these sovereign governments had this know-how, they likely would not have hired NSO Group in the first place. That said, the statement by Hulio that NSO Group’s support services were offered completely at the direction of its clients does foreshadow an attempt to evince that argument.

Conduct-Based “Foreign Official” Immunity

Beyond Butters, courts do recognize conduct-based derivative immunity for agents of foreign states, albeit almost always for government officials and employees, not private contractors. Courts have not definitively ruled on whether common law foreign immunity would even extend to a private contractor like NSO Group. Nevertheless, Samantar details how this common law immunity—sometimes called “foreign official” immunity—is granted. In a two-step process, agents of foreign states must first request immunity from the U.S. State Department, and if that fails, only then do courts have the authority to determine whether an agent has immunity. There is no evidence that NSO Group has requested immunity from the State Department. If an actor makes such a request and is denied, the question of immunity would fall to the court.

There is, however, some confusion in the courts as to which approach for determining agent immunity actually governs. For example, Samantar endorses an approach that instructs the courts to consider whether it is “the policy of the State Department to recognize” the asserted “ground of immunity.” Alternatively, many circuits, including the Ninth Circuit, apply § 66(f) of the Second Restatement of the Foreign Relations Law of the United States, which puts forward a three-part test for determining whether a foreign actor receives common law immunity: (1) whether the actor was a public minister, official, or agent of the foreign state; (2) whether the acts were performed in an official capacity; and (3) whether exercising jurisdiction would serve to enforce a rule of law against the foreign state.

WhatsApp argues that NSO Group cannot satisfy prong three of § 66(f) because WhatsApp is going after only NSO Group and not its clients. In WhatsApp’s view, there is no risk in the suit that U.S. courts will disrespect another government’s sovereignty; if WhatsApp’s injunction succeeds, American law will extend only over NSO Group. Though WhatsApp does not cite this case in its brief, Rishikof v. Mortada offers some preliminary support to its position. In Rishikof, the U.S. District Court for the District of Columbia suggested that a low-level Swiss delivery man who had run over and killed an American would not have been immune from suit if the plaintiff, instead, had sued the delivery man only in his personal capacity—not jointly and severally with the Swiss government. Under that counterfactual, applying U.S. law against just the delivery man would not be tantamount to applying U.S. law against Switzerland. WhatsApp is making an analogous argument here: applying U.S. law against NSO Group is not the same as applying it to the firm’s sovereign clients.

The Rishikof analogy is not perfect. NSO Group is not a low-level delivery man, but instead is a contractor of foreign governments that facilitates intelligence gathering. Immunity usually is granted when a foreign agent acts in service of core sovereign functions—such as military or intelligence gathering operations (for example, Doe 1 v. Buratai, Matar v. Dichter, Doğan v. Barak)—whether by suggestion of the State Department or under the court’s own analysis. Enjoining NSO Group from hacking WhatsApp certainly affects such a sovereign prerogative. The U.S. might similarly balk at being told by a foreign court which contractor it can or cannot use in conducting espionage.

But WhatsApp may be able to rebut this argument. WhatsApp will likely contend that any impingement on these governments’ ability to conduct espionage is probably too small and indirect to meaningfully affect this sovereign function—NSO Group’s sovereign clients can presumably use their own government intelligence operatives or different contractors to conduct espionage without the help of NSO Group. And customary international law, which informs common law sovereign immunity doctrine, might even support that conclusion. But this issue is far from cut and dried.


We will have to wait and see how the district court deals with these open questions: First, whether derivative immunity under common law applies to private contractors like NSO Group; and, second, whether NSO Group’s role as intelligence gatherer implicates the delicate comity interests between the U.S. and other sovereign governments—as it traditionally has when foreign officials have been sued for similar conduct. It’s possible that WhatsApp may have cornered NSO Group already—NSO Group will, at minimum, have to name its clients to properly get derivative immunity or to prove that it did not do any hacking itself. But it may be reluctant to do so since such a move could hurt its future business prospects. Even if NSO Group wins against WhatsApp’s injunction, it might come at the cost of revealing the sovereign governments with which it does business.

Erik Manukyan is a graduate of Harvard Law School, where he is a Principal Senior Editor on the National Security Journal. He graduated from the University of California, Los Angeles with a B.A. in Political Science.
