Tech Giants Tell Courts to Drop Spyware Loophole

Major tech companies say spyware victims should be able to sue attackers in the US even if the attack physically happens outside the country. They say its particularly important for highly targeted attacks.

The companies have put out their position by filing an amicus brief in an ongoing case involving Israeli cyber intelligence firm NSO Group, makers of the infamous Pegasus spyware. An amicus brief is where people not directly involved in a case, usually subject matter experts, provide an opinion or information to help the court.

The case was brought by a news organization based in El Salvador which says its staff were monitored by Pegasus spyware, likely as an attempt to disrupt their work uncovering stories. They want NSO Group to tell them who was using Pegasus to spy on them and what information they uncovered.

International Borders An Issue

That's now led to a legal dispute about how geography affects the law. Although NSO is based in Israel, it has a presence in the US despite effectively being economically blacklisted by the government.

However, NSO argues that it can't be sued in the US in this case because the attacks took place outside the country. A district court agreed and dismissed the case, leading to a higher court appeal.

The amicus brief challenges that argument. It was filed by Big Cloud Consultant, Github, Google, LinkedIn, Microsoft and Trend Micro. They say they have an interest in the relevant law because spyware often targets their products.

Zero Day Bugs Targeted

According to the tech companies, the US has a national security interest in spyware, while individual states have an interest in protecting companies which operate in their jurisdiction. They argue that this, plus the fact that Internet attacks don't take any notice of state or national borders, means the physical location of the attacks shouldn't be enough to dismiss cases. (Source: scribd.com)

In a blog post about the amicus brief, Google noted that around half of zero day attacks (those done before a bug fix is publicly released) are carried out by or on behalf of commercial spyware makers. (Source: blog.google)

What's Your Opinion?

Do you agree with the amicus brief? Should spyware manufacturers be held responsible for how their customers use the software? Should it be possible to sue companies in the US even if an attack happens outside the country?