
Discovery in U.S. Spyware Litigation: A Double-Edged Sword?

Editor’s Note

This article is part of the series, “Legal Frameworks for Addressing Spyware Harms.”

The U.S. civil litigation discovery process has been known as a double-edged sword, allowing for extensive fact-finding while also imposing significant costs and risks to the privacy, security, freedom of expression, and other values and interests of parties. This dichotomy is especially true for spyware litigation.

Take the historic jury verdict delivered in May that ordered NSO Group, an Israeli spyware maker, to pay over $167 million in damages to Meta’s WhatsApp. NSO Group was found liable for targeting Meta’s U.S.-based servers to install Pegasus spyware on WhatsApp users’ devices. The verdict, which has been lauded as a major victory in the global fight against the proliferation of commercial spyware, was the culmination of a bitter five-year legal battle that included disputes over questions of sovereign immunity, as well as discovery of highly sensitive information pertaining to the identities of NSO’s victims.

The verdict came just a few months after another Big Tech giant, Apple, filed to drop a similar case against NSO, largely due to challenges with the discovery process. The company cited the risks of threat intelligence information being disclosed to NSO and other threat actors during the process, as well as the alleged attempts by the Israeli government to prevent NSO’s disclosure of important documents about Pegasus spyware in the WhatsApp v. NSO case. Tech companies like Apple risk revealing too much information about how they are protecting their customers from spyware, while being unable to obtain discovery themselves.

These challenges associated with the discovery process in spyware cases can teach civil society, legal advocates, judges, and policymakers a number of important lessons about how to minimize the inherent risks associated with such a process, while successfully utilizing the information that can be gained from it.

An Overview of the U.S. Discovery System

The United States is known for having the most expensive civil legal system in the world, at least in part due to its uniquely deep and broad discovery process. Discovery in U.S. civil litigation (also called disclosure in other countries) is where parties exchange legal demands for information that may be relevant to their case and used at trial. In other countries, discovery is often limited both in terms of tactics and scope, and there is also a greater emphasis on cost-effectiveness and efficiency. In the United States, however, a number of instruments are allowed for compelling production of various types of evidence by the parties pertaining to broad categories of matters potentially relevant to the litigation. For example, a party to a legal case in the United States may seek discovery through deposition (out of court oral examination under oath), interrogatories (out of court written questions which must be answered in writing and under oath), subpoena (court order compelling a person to testify or produce certain evidence), as well as the use of specialized experts. By contrast, in countries such as Germany or the United Kingdom, the pre-trial discovery stage is either virtually non-existent, or requires more limited oral and documentary disclosures.

This extensive process presents unique challenges, particularly in the digital age where there are vastly larger amounts of data than ever before. Locating, compiling, sorting, storing, producing, or challenging the production of digital data can be extremely resource-intensive and can prove financially devastating, especially for small organizations without significant legal budgets. Overly intrusive or broad discovery demands may also expose sensitive information and significantly interfere with fundamental human rights, such as the right to privacy or the right to the freedom of speech, and may silence an individual or an organization seeking to challenge those in power. For those reasons, invasive discovery requests can sometimes be considered a form of Strategic Lawsuit Against Public Participation (SLAPP), a type of legal action designed to retaliate against those advocating for issues of public concern. Such retaliatory measures can be used by both parties in a case, including against third parties.

These risks are especially prominent in litigation related to the use of spyware. Such litigation may involve spyware companies, tech platforms, individual victims, researchers, and civil society advocates, as well as foreign intelligence services, exploit developers, and criminal hacking groups or other non-state actors. Spyware companies, as well as their government clients or exporters, also expend significant resources to preserve the secrecy of their operations and technologies, while trying to silence their victims, critics, and those seeking to expose their abuses. The consequences of some of these parties and non-parties accessing discovery materials could extend far beyond the interests of a particular group of defendants or plaintiffs, and directly impact human rights, national security, and the security of billions of digital devices worldwide.

Spyware Litigation Discovery and the Risks to Civil Society

Big Tech, academia, and civil society alike supported WhatsApp when it first brought its case against NSO Group because it represented a bold step to finally hold the powerful commercial spyware industry accountable in court. Although the action focused on the harms to WhatsApp as a company and did not directly involve the software’s users targeted by NSO’s Pegasus spyware, WhatsApp referred to the victims — over 100 of whom were members of civil society — during the pre-trial stages. Access Now, a non-profit focused on digital civil rights, along with other NGOs, also submitted an amicus brief when NSO initially appealed the case to the 9th Circuit, highlighting the stories of several civil society victims and the importance of WhatsApp’s action as potentially the only chance at justice these individuals had.

NSO, in the words of the District Court Judge Phyllis Hamilton, “repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery.” Nevertheless, NSO leveraged the discovery process to try to obtain sensitive information not only about WhatsApp but also third parties, such as civil society victims and security researchers.

For example, one major point of contention during the discovery process was the identities of the individuals whose Android phones were targeted by NSO’s exploitation of WhatsApp’s vulnerabilities. NSO attempted to challenge whether those victims were indeed members of civil society, as opposed to criminals or terrorists, which would have allegedly made them legitimate targets of hacking. Unsatisfied with obtaining thousands of documents from WhatsApp, NSO sought additional discovery from an uninvolved party — the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. The research group has been responsible for the lion’s share of investigations uncovering NSO’s spyware abuses around the world, including the very first documented case of Pegasus spyware use against an Emirati human rights defender, Ahmed Mansoor. When WhatsApp discovered that NSO exploited vulnerabilities in the tech company’s app to target users with Pegasus spyware, the Citizen Lab helped identify cases where the attack’s suspected targets were members of civil society, such as human rights activists and journalists.

Over the course of many months, NSO submitted multiple discovery requests to the Citizen Lab seeking to compel deposition and document production related to the identities of the civil society victims and the organization’s research methods, arguing that this information was essential for NSO’s defense against WhatsApp’s lawsuit. Needless to say, this arbitrary “fishing expedition” sought information that was extremely sensitive and, in fact, protected under the University of Toronto’s research ethics protocols. The Citizen Lab had an obligation to protect the confidentiality of their research subjects, which is why they used every legal means possible to resist such requests. However, many researchers and civil society organizations investigating spyware lack the protections and resources offered by a major university to defend themselves against such invasive discovery requests. This seriously risks chilling public interest spyware research and accountability efforts and discouraging victims from participating in such measures.

NSO’s tactics were especially worrisome given the company’s history and its customers’ retaliation against researchers and advocates who expose its abuses and seek justice. In fact, one confirmed target in the WhatsApp Pegasus hack was a British lawyer representing a group of Mexican journalists and government critics and a Saudi dissident living in Canada, suing NSO in Israel for the targeting of their phones. We consider these cross-border attacks to be transnational repression and a tool of digital authoritarianism.

Another prominent British lawyer, Rodney Dixon, was targeted with Pegasus spyware in 2019, likely in retaliation for representing his clients Matthew Hedges, a British doctoral student jailed in the United Arab Emirates, and Hatice Cengiz, the fiancée of the murdered Saudi journalist Jamal Khashoggi. Cengiz’s device was also infected with Pegasus, likely in response to her seeking accountability for Khashoggi’s brutal murder by Saudi agents in Turkey.

But the retaliation goes beyond just spyware. There are several reported cases of lawyers and researchers, including at the Citizen Lab, being targeted with social engineering and other types of intelligence operations aimed at gathering sensitive information about the lawsuits against NSO as well as information that could discredit NSO’s and their clients’ critics and forensic researchers. Given this context, NSO’s (ab)use of discovery against the Citizen Lab appeared even more sinister.

Ultimately, the district court judge was not convinced by NSO’s arguments, denying NSO’s discovery requests sent to the Citizen Lab and labelling them irrelevant and disproportionate to the needs of the case. However, this example demonstrates how spyware companies may turn the tables against their victims and researchers and subject them to invasive discovery requests that require significant amounts of legal resources and risk chilling digital security research and human rights activities.

Spyware Litigation Discovery Poses National Security Risks

Invasive discovery requests can also discourage major companies, such as Apple, from pursuing legal action out of concern that it will endanger sensitive threat intelligence information, highly sought after not just by the spyware companies themselves, but also by foreign government adversaries and hostile non-state actors.

It is no accident that threat intelligence teams at major tech platforms defending against governmental hacking typically also work on mercenary spyware. This is because the exploits leveraged by mercenary spyware like NSO Group’s Pegasus include capabilities that could compete with those that were “previously thought to be accessible to only a handful of nation states.” Moreover, exploits used by mercenary spyware companies have repeatedly been found in use by hostile foreign intelligence services. For example, Google found that exploits used by NSO Group and Intellexa (the maker of Predator spyware) were reused by APT29, a cyber espionage group attributed to Russia’s Foreign Intelligence Service. Whether these spyware companies are doing business with the same exploit sellers as Russia or the exploits are being leaked, this indicates that the spyware industry is uncomfortably close to hostile foreign intelligence activity.

The operations and detection techniques of tech platforms’ threat intelligence teams are proprietary and closely guarded. This is because information — such as the ways that protocols, crashes, and logs are scrutinized for evidence of exploit testing and hacking activity — can be used by any threat actor conducting attacks across their platforms to develop hacking techniques and methods of evading detection.

Discovery in cases where platforms’ threat teams have identified, tracked, and blocked an advanced threat actor or exploit could provide an unprecedented window into how these teams frustrate espionage attempts, including against targets such as heads of state. Since the business activities of mercenary spyware companies, criminal hacker groups, and foreign intelligence operations are constantly in progress, discovery material may, depending on the category of information, reasonably be expected to provide immediate benefit to ongoing efforts by multiple hostile foreign intelligence services, mercenary spyware companies, exploit developers, and criminals to commit illegal intrusions that evade detection. For example, as the WhatsApp v. NSO record revealed, NSO Group continued to develop and deploy the techniques to help their customers hack WhatsApp users even after the legal case was filed.

Similarly, the non-public methods and technologies used by researchers like the Citizen Lab, Amnesty International Security Lab, or commercial research organizations are of strong interest to hacking groups, foreign intelligence services, and mercenary spyware customers past, present, and future. Exposing these methods could provide immediate benefit to many groups engaged in illegal or abusive activities.

Even if all of the parties and their representatives in spyware litigation strictly adhere to the protective orders that may be issued to safeguard sensitive discovery information from being shared with third parties, merely by possessing this information, their systems become an attractive target for state and non-state-affiliated hackers. Similarly, depending on their home jurisdiction, parties or their representatives may face direct pressure or be compelled to provide information to foreign governments.

Discovery as an Opportunity for Justice

Despite significant challenges and risks associated with the discovery process in U.S. spyware litigation, the WhatsApp v. NSO case also shows that it can present tremendous opportunities for victims, researchers, and advocates, which makes pursuing such litigation worthwhile.

One of the trial’s most surprising outcomes was that despite NSO’s (and allegedly the Israeli government’s) attempts to avoid discovery, WhatsApp was nevertheless able to obtain a wealth of valuable information from NSO about its technology and operations. For example, the depositions of NSO’s Vice President Ramon Eshkar, Chief Operating Officer Yaron Shohat, and Research and Development Vice President Tamir Gazneli revealed that the product understood as “Pegasus” is not just one piece of technology or a physical box, but a whole package of products and services that NSO provides to its government customers.

The parts of the depositions that made it into the public record show that Pegasus includes the hardware installed at the government customer’s premises, such as the laptop containing the user interface software where the customer enters the phone number of the desired targets, as well as servers that allow the user interface to work and contain storage of the hacked information. Most importantly, it includes the so-called zero-day vulnerability installation vector developed by NSO that allows government customers to seamlessly gain access to various types of data and functions of the target’s device (depending on the vector used) from their user interface with a push of a button. This ultimately confirms what many researchers have suspected about the capabilities of Pegasus and the fact that NSO, not its customers, is responsible for the installation and extraction process of the Pegasus system.

Such information can be of significant value to researchers, litigators, judges, activists, as well as policymakers. For example, in debates around regulating spyware technologies, not enough attention has been paid to the actual technical characteristics and operation of the spyware, primarily due to the spyware industry’s secrecy and lack of transparency over governments’ operations of spyware products. NSO and other companies exposed by researchers and journalists for selling repressive technologies have also used defamation and threats of defamation lawsuits to challenge claims about the capabilities of their products and the extent to which they or their customers are responsible for operating them.

Regardless of whether a given spyware legal case results in a victory for the plaintiff, the information that arises from the litigation discovery process can shed light on the spyware’s technical capabilities and operation, as well as the spyware products’ prices, the company’s profits, and the identity of its customers — all of which could be incredibly valuable for research, advocacy, and regulation.

Managing the Risks of Spyware Litigation

The U.S. legal system’s extensive discovery process makes spyware litigation a double-edged sword, posing costly challenges to plaintiffs and third parties while exposing their sensitive information. It can also offer an opportunity to obtain crucial evidence that may lead not only to a victory in the courtroom, but also to successful regulation and curbing of the spyware industry. There are ways to minimize the risks while increasing the benefits.

First, judges, while respecting the defendants’ fair trial rights, should be aware of the unique digital and national security risks that invasive discovery requests pose to victims, researchers, and civil society organizations exposing the abuses of spyware. Spyware companies may be perversely incentivized to use the justice system to go on fishing expeditions and intimidate the community exposing the industry’s abuses. It is also crucial to understand the risk of foreign intelligence services, exploit developers, and criminals benefiting from discovery materials to learn how sophisticated spyware is detected and how researchers, civil society, and tech platforms operate.

Second, spyware researchers, human rights organizations, lawyers, companies, and the victims themselves must be prepared for potentially invasive discovery requests if they become involved in litigation related to the use of spyware, directly or indirectly. To mitigate risks, they should ensure their data and security policies are in order, and that they have sufficient technical and legal capacity to respond to such requests — even if they plan to oppose them.

Third, funders and donors that provide funding for spyware research or advocacy need to ensure that there are sufficient resources included for anti-SLAPP defense, including fighting off overbroad and retaliatory discovery requests. Law firms and law school legal clinics can also play a major role in providing pro bono support in these cases to non-profits and individual victims who cannot afford an appropriate legal defense.

Finally, journalists, researchers, lawyers, activists, and policymakers should rely on evidence obtained through discovery and disclosure processes in spyware litigation to inform their reporting, investigations, and lawsuits, as well as policy and lawmaking to ensure accurate and evidence-based reporting, advocacy, and policies. Sanctions authorities should also keep a close eye on disclosures to better identify irresponsible actors and their malicious technologies.

Taken together, these steps will help ensure that the discovery process in spyware litigation cases contributes to justice and accountability and avoids putting victims, researchers, and other vulnerable parties and their sensitive information at risk.
