This is a living resource document providing links and descriptions to litigation and other formal complaints concerning targeted digital surveillance and the digital surveillance industry. If you have additional resources to add to this document, please send to Siena Anstis: siena [at] citizen lab [dot] ca. This document was last updated on December 12, 2018.

NSO Group
Gamma Group
Amesys
Qosmos
Other

NSO Group

Company background

NSO Group is an Israeli-based company which develops and sells a spyware called Pegasus. It is majority owned by Francisco Partners, a global private equity firm with offices in San Francisco and London that invests in the technology industry. In the past few years, investigations into NSO Group have revealed some information about the company’s operations. A non-exhaustive list of resources follows:

Citizen Lab reports on NSO Group and Pegasus spyware

The Citizen Lab has studied NSO Group and the deployment of Pegasus spyware against civil society activists, journalists, scientists, and politicians in a number of reports available here.

Citizen Lab communications to NSO Group and funders

The Citizen Lab has sent numerous communications to NSO Group about the human rights and corporate social responsibility implications of its business practices:

Litigation against or implicating NSO Group

Jurisdiction Date started Status Proceedings
Israel 2018 Ongoing Lawsuit brought by Omar Abdulaziz in Israel against NSO Group 

Omar Abdulaziz filed a lawsuit in Israel against NSO Group. According to the New York Times, it alleges that NSO Group helped the Saudi royal court take over his smartphone and spy on his communications with murdered Jamal Khashoggi. NSO Group issued a statement that its products were “licensed for the sole use of providing governments and law enforcement agencies the ability to lawfully fight terrorism and crime.” And that contracts to use NSO Group spyware “are only provided after a full vetting and licensing by the Israeli government”. The company also added that it does not tolerate “misuse” of its products and that if there is “suspicion of misuse”, the company investigates it and takes appropriate action, including suspending or terminating a contract. The lawsuit was filed by Alaa Mahajna, an Israeli lawyer, in cooperation with Mazen Masri, a lecturer at the City University of London. The lawyers said in the court papers that they intend to argue that the exposure of the collaboration between Abdulaziz and Khashoggi “contributed in a significant manner to the decision to murder Mr. Khashoggi.”

Israel &
Cyprus
2018 Ongoing Lawsuits brought by Mexican journalists and civil society activists and a Qatari citizen in Cyprus and Israel against NSO Group

Mexican journalists and civil society activists filed a lawsuit against NSO Group in Israel (a Qatari citizen also filed a suit against NSO Group in Cyprus). According to the New York Times, these lawsuits include documents and emails that directly challenge the company’s repeated assertions that it is not responsible for any illegal surveillance conducted by the governments that buy its spyware. These lawsuits were also filed by Alaa Mahajna and Mazen Masri.

Israel 2018 Ongoing Criminal prosecution against former NSO Group employee

In July 2018, the Israeli Justice Ministry said that a former employee of NSO Group has been charged with stealing intellectual property and trying to sell if for $50 million over the Darknet in a manner that could harm state security. The Justice Ministry said that, according to testimony gathered in the case, the former employee’s actions “endangered NSO and could have led to its collapse” and posed a threat to state security.

Mexico 2017 N/A Federal investigation by Mexican authorities into NSO Group in Mexico

A federal investigation by Mexican authorities into the misuse of spyware in Mexico was announced by the Mexican government in 2017. However, its efforts appear to have stalled. The New York Times reports that US authorities approached by the Mexican investigators believe it is a sham inquiry and refused to participate.

Potential legal action against or implicating NSO Group

Jurisdiction Date started Status Proceedings
Israel 2018 N/A Potential action by Amnesty International regarding NSO Group’s  Israeli export license

Amnesty International announced that it was taking legal advice in order to have revoked the export license of Israeli-based NSO Group after it was revealed that the company’s spyware was used in an attempt to spy on an Amnesty International staff member. A couple of weeks before, Amnesty International submitted an urgent request to the Israeli Minister of Defense, demanding that NSO Group’s defense export license be revoked in light of an attempted cyber attack on an Amnesty International staff member. The Israeli Defence Ministry refused to revoke the firm’s license.

 

Gamma Group and FinFisher/FinSpy

Company background

Gamma Group describes itself as an international manufacturer of surveillance and monitoring systems with technical sales offices in Europe, Asia, the Middle East, and Africa. It provides advanced technical surveillance, monitoring solutions, and advanced government training, as well as international consultancy to National and State Intelligence Departments and Law Enforcement Agencies. Gamma Group manufactured and sold a line of spyware products known as FinFisher/FinSpy. As with NSO Group, investigations into this company have provided some insight into its operations. A non-exhaustive list of resources follows:

The Citizen Lab has studied Gamma Group and the deployment of FinFisher/FinSpy in several reports.

Litigation against or implicating Gamma Group

Jurisdiction Date started Status Proceedings
UK 2018 Ongoing Lawsuit brought by Bahraini activists in the UK against Gamma

Bahraini activists have started a legal action against Gamma alleging that the company was involved in the sale of spyware products to the Bahraini government knowing they would be used to crack down on protests during the Arab spring. The claimants say that they were targeted with the FinFisher/FinSpy program, which was manufactured in the UK and sold to the Bahraini government. They also accuse Gamma of providing training to Bahraini government officials on how to correctly use the software, along with technical support and software updates. All allege that the Bahraini government attacked their computers while they were in the UK. The claimants say they were targeted in relation to their pro-democracy campaigning during the Arab spring. Hassan Mushaima, one of the claimants, was jailed for life in 2011 by a military court in Bahrain. The claimants are represented by Leigh Day.

US 2014 Affirmed dismissal by District Court Doe v. Federal Democratic Republic of Ethiopia, 851 F.3d 7 (D.C. Cir. 2017), reh’g denied, 2017 U.S. App. LEXIS 10084 (D.C. Cir. June 6, 2017)

The Electronic Frontier Foundation (EFF) filed a lawsuit in federal court in Washington, D.C. alleging that the government of Ethiopia, using FinFisher/FinSpy, illegally wiretapped and invaded the privacy of EFF’s client, a U.S. citizen on U.S. soil. The United States Court of Appeals for the District of Columbia Circuit ultimately concluded in March 2017 that Ethiopia was immune from suit absent an exception under the Foreign Sovereign Immunities Act, which did not arise here. In response to the decision, EFF argued that the court had “held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–as long as they do so by remote control” and that the decision was “extremely dangerous for cybersecurity.” Under this holding, there is no legal recourse if a foreign government “hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil.” For further analysis of this decision, see Lawfare and Motherboard.

Formal complaints against Gamma Group

Jurisdiction Date started Status Proceedings
OECD National Contact Points (NCPs) in UK & Germany 2013 OECD NCPs issued decisions OECD complaints by human rights groups against Gamma and Trovicor in UK and Germany

In 2013, Privacy International, Reporters Without Borders, Bahrain Watch, the Business Center for Human Rights, and the ECCHR filed a formal complaint with the UK National Contact Point for the OECD, as well as the equivalent German Contact Point, against Gamma and Trovicor. The UK Contact Point accepted the complaint for consideration against Gamma. In 2014, the UK Contact Point determined that Gamma was in violation of human rights guidelines. The German Contact Point refused to investigate the allegations and was only willing to continue with mediation in relation to Trovicor’s risk management.

UK 2012 Judicial review granted Privacy International complaint against HM Revenue and Customs (HMRC) in the UK

Privacy International began investigating Gamma and the export of FinFisher/FinSpy spyware. After discovering that Gamma’s FinSpy was subject to the UK export control regime and that Gamma had only submitted a Control List Classification enquiry asking the government whether or not it needed an export license for the product in July 2012, Privacy International submitted a dossier of evidence against Gamma to HMRC and called for an investigation. HMRC is responsible for overseeing the enforcement of export regulations in the UK. HMRC refused to provide any details regarding any investigation into Gamma’s export practices, arguing that it was statutorily barred from doing so. In May 2013, Privacy International filed for judicial review of HMRC’s decision. In May 2014, the Administrative Court declared that HMRC acted unlawfully and “irrationally” in issuing blanket refusals into the status of any investigation into the potentially illegal export of FinFisher. The court quashed HMRC’s decision and ordered it to consider Privacy International’s request again.

Germany 2014 Denied Privacy International and the European Center for Constitutional and Human Rights criminal complaint against Gamma in Germany

In October 2014, Privacy International and the European Center for Constitutional and Human Rights submitted a criminal complaint calling for an investigation into Gamma in Munich, Germany. In December 2014, public prosecution authorities in Munich decided not to launch investigatory proceedings against Gamma’s employees.

Amesys

Company background

Amesys (renamed Nexa Technologies) is a French company that makes communications equipment and other related equipment for aerospace, defence, marine, energy, and the telecommunications industry, including surveillance equipment. A non-exhaustive list of resources on this company follows:

Litigation against or implicating Amesys

Jurisdiction Date started Status Proceedings
France 2017 Ongoing Criminal investigation into Amesys and the sale of surveillance equipment to Egypt

In November 2017, the International Federation for Human Rights (FIDH) and the Ligue française des droits de l’Homme (LDH), with support from the Cairo Institute for Human Rights Studies (CIHRS), requested an investigation into the sale of surveillance equipment by this French company to Egypt and the potential role of this equipment in widespread oppression under the Al Sissi regime in Egypt. In December 2017, the Paris Prosecutor acknowledged the gravity of the allegations, giving Egyptian victims the opportunity to become civil parties to the case and testify in France as well as enable FIDH and LDH to become civil parties.

France 2011 Ongoing Criminal investigation into Amesys and the sale of surveillance equipment to Libya

In October 2011, FIDH and LDH filed a complaint alleging the complicity of Amesys and its executive managers in acts of torture for having signed and executed a commercial agreement for the provision of surveillance technology to the Libyan regime in 2007. In May 2012, a formal criminal investigation was opened in France. After subsequent litigation over this decision to open an investigation, in January 2013, the Chamber of Criminal Investigation of the Court of Appeal upheld the initial order to open the investigation.

Qosmos

Company background

Qosmos is a French technology company that specializes in Deep Packet Inspection-based IP classification and network intelligence technology. A non-exhaustive list of resources on this company follows:

Litigation against or implicating Qosmos

Jurisdiction Date started Status Proceedings
France 2012 Ongoing Criminal investigation into Qosmos and sale of equipment to Syria

FIDH and LDH filed a criminal complaint before a Paris court urging for an investigation into the involvement of French companies supplying surveillance equipment to Bashar El-Assad’s Syrian government. The complaint named Qosmos, a French company, in particular alleging that it is complicit in human rights abuses, including torture, by the Syrian government by providing it with surveillance equipment. In April 2014, a full judicial investigation was brought against Qosmos by the Paris Court for complicity in torture. In April 2015, an investigative judge declared Qosmos an “assisted witness”.

Other

Jurisdiction Date started Status Proceedings
US 2018 Closed Broidy Capital Management, LLC et al v. State of Qatar et al.

Elliot Broidy, a top fundraiser for Donald Trump, filed a lawsuit against the state of Qatar and Washington lobbyist Nick Muzin as well as others blaming them for hacking his computers and leaking unflattering information to the media. In August 2018, the Qatari state and Muzin were dismissed from the suit.

* * *

If you have tips on additional litigation or formal complaints against digital surveillance companies not covered in this document, please email Siena Anstis: siena [at] citizenlab [dot] ca.