Litigation and Other Formal Complaints Concerning Targeted Digital Surveillance and the Digital Surveillance Industry

This is a living resource document providing links and descriptions to litigation and other formal complaints concerning targeted digital surveillance and the digital surveillance industry. If you have additional resources to add to this document, please send to Siena Anstis: siena [at] citizenlab [dot] ca. This document was last updated on July 15, 2022.

NSO Group
Gamma Group
FinFisher
Amesys
Qosmos
DarkMatter
WiSpear

NSO Group

Company background

NSO Group is an Israeli-based company which develops and sells spyware technology. It is majority owned by Novalpina Capital, a European private equity firm. In the past few years, investigations into NSO Group have revealed some information about the company’s operations. A non-exhaustive list of resources follows:

Citizen Lab reports on NSO Group and Pegasus spyware

The Citizen Lab has studied NSO Group and the deployment of Pegasus spyware against civil society activists, journalists, scientists, and politicians in a number of reports available here.

Citizen Lab communications to NSO Group and funders

The Citizen Lab has sent numerous communications to NSO Group about the human rights and corporate social responsibility implications of its business practices:

Litigation against or implicating NSO Group

Proceedings

Jurisdiction Date started Status Proceedings
Israel 2022 Ongoing Israel passes a preliminary bill to investigate unlawful use of spyware by police, although, as reported by the Middle East Monitor, it has to survive three more votes to officially become law.
Spain 2022 Ongoing In May 2022, Gonzalo Boye, the lawyer representing many Catalan leaders including Carles Puigdemont and himself the victim of a series of Pegasus attacks, brought a suit in Madrid against NSO, Q Cyber Technologies, a subsidiary company in Luxembourg, OSY, and senior officers of these businesses.
Spain 2022 Ongoing In April 2022, Òmnium Cultural and the CUP party called on a Barcelona judge to investigate the violation of their rights, naming specifically NSO Group and several additional Spanish government agencies including the Civil Guard and National Police. In June 2022, Roberto Valverde, Barcelona’s public prosecutor specializing in IT-related crime, ruled that NSO Group could not be investigated in Spain, but allowed the CUP party’s other claims to
Spain 2022 Ongoing The Prime Minister of Spain, Pedro Sánchez, and the Defence Minister, Margarita Robles, reported that their phones had been infected with Pegasus spyware. The Spanish government reportedly filed a complaint with the National Court for further investigation in May 2022 and vowed to reform Spanish laws. In June 2022, Spain’s High Court called the CEO of NSO Group to testify as a witness in the case.
Spain 2022 Ongoing Catalan victims of NSO Group’s Pegasus spyware have instituted complaints against NSO Group in Spain. In July 2022, a Spanish judge authorized an investigation into NSO Group.
Spain 2022 Ongoing Spain’s minister of the Presidency, Felix Bolanos, has stated that the government would undertake an “‘internal investigation’ within the National Intelligence Centre” into the use of Pegasus spyware in Spain. This was accompanied by an announcement that the Spanish rights ombudsman would also start an “independent” investigation.
France 2022 Ongoing A complaint has been filed in France against NSO Group by the International Federation for Human Rights (FIDH), the Ligue des droits de l’homme (LDH) and Salah Hammouri, a French-Palestinian human rights defender.
IACHR 2022 Ongoing On 16 March 2022, the Inter-American Commission on Human Rights (IACHR) held a hearing into the unlawful surveillance of journalists and civil society in El Salvador.
European Union 2022 Ongoing The European Parliament has set up a committee of inquiry to “investigate the use of the Pegasus and equivalent surveillance spyware.” The scope of the committee’s work is set out in this decision.
Hungary 2022 Dropped The Budapest Regional Investigation Prosecutor’s Office has opened an investigation into the use of Pegasus spyware “under the suspicion of the crime of gathering unauthorized secret information.” The Hungarian National Authority for Data Protection and Freedom of Information also undertook an investigation into the use of Pegasus in Hungary but did not find any violations. The body’s reasoning is largely classified information and has not been reviewed by the public. In June 2022, the Hungarian prosecutors dropped the probe, citing “no unauthorized and secretive collection of information” or use of a concealed device.
Hungary 2022 Ongoing In January 2022, the Hungarian Civil Liberties Union (HCLU) announced it would launch legal action on behalf of six clients: Brigitta Csikász, Dávid Dercsényi, Dániel Németh and Szabolcs Panyi, all journalists; Adrien Beauduin, a Belgian-Canadian PhD student and activist; and a sixth person who requested anonymity.
European Commission 2022 Ongoing The HCLU lodged a complaint with the European Commission on behalf of Adrien Beauduin, the Belgian-Canadian activist targeted for surveillance while he studied in Hungary.
Israel 2022 Ongoing Following the lawsuits in Hungary (above), attorney Eitay Mack stated he would file a lawsuit in Israel with the country’s attorney general against both NSO Group and the Israeli Defense Ministry.
Poland 2022 Ongoing A Polish Senate Committee is investigating the use of Pegasus spyware in Poland and its use against critics of the government. In January 2022, Polish senators were planning to draft a law to regulate the use of surveillance technologies, but reporting suggests there is little chance of the law passing the lower chamber of parliament, which has reportedly been trying to block a further inquiry with subpoena power.
Poland 2021 Polish prosecutor Ewa Wrzosek, who was targeted with Pegasus spyware, filed a notification with a Polish court of an alleged cyber attack on her mobile phone. In September 2022, the court ordered the prosecutor’s office to conduct an investigation into Pegasus surveillance.
Azerbaijan 2021 Ongoing According to Azerbaijan Internet Watch, a number of complaints and lawsuits in relation to Pegasus surveillance have been launched in Azerbaijan following the Pegasus Project revelations.
United States 2021 Ongoing In November 2021, Apple filed a lawsuit against NSO Group in US federal court. Apple seeks a permanent injunction to prevent NSO Group from using Apple software, services, or devices. The company argues that an exploit originally identified by the Citizen Lab (FORCEDENTRY) was used to install the Pegasus spyware in the devices of some Apple users.
France 2021 Ongoing In July 2021, the Gulf Center for Human Rights filed a complaint in France against NSO Group, alleging that the company is “responsible for harm caused to human rights defenders in the Middle East and North Africa (MENA) region and beyond.”
India 2021 Ongoing A number of petitions were filed with the Supreme Court of India in 2021 in relation to the alleged use of Pegasus by Indian authorities against Indian citizens. In October 2021, the Court issued an order appointing an expert technical committee to be overseen by a retired judge of the Court. The committee was given the mandate to investigate and determine whether Pegasus was used on phones or devices of Indian citizens, among other mandates.
UK 2021 Ongoing In August 2021, Bindmans LLP announced that it “had been instructed to proceed with investigating claims that will potentially be brought by a number of individuals into the alleged misuse of NSO Group’s Pegasus malware by foreign governments.” The group of claimants includes human rights activists, academics, and leaders of civil society organizations. On April 19, 2022, Bindmans LLP announced that three claimants sent a pre-action letter in February 2022 to potential defendants.
France 2021 Ongoing The Paris Prosecutor’s Office opened an investigation into Pegasus on 20 July 2021 after receiving complaints from Mediapart and two of its reporters that they had been spied on by Morocco using the Pegasus spyware. Shortly after, an additional 17 journalists made complaints to the Paris Prosecutor’s Office. According to Reporters Without Borders (RSF), these journalists “know or have serious grounds for fearing” that governments spied on them using NSO Group’s Pegasus spyware in relation to their reporting work. RSF has referred their case to four UN Special Rapporteurs.
United States 2020 Ongoing Ghada Oueiss, a journalist with Al-Jazeera, filed a legal complaint in US federal court against a number of defendants including the crown princes of Saudi Arabia and the United Arab Emirates, as well as DarkMatter, an Emirati cybersecurity company. She alleges that they spearheaded an unlawful hack and leak operation against her. The complaint describes a “suspicious process” which is “associated with NSO Group’s Pegasus malware.” In March 2022, the US District Court for the Southern District of Florida dismissed the case. In April 2022, Oueiss appealed to the US Court of Appeals for the Eleventh Circuit.
Spain 2020 Provisionally suspended In 2020, a Barcelona court opened an investigation into the 2020 targeting of Roger Torrent and Ernest Maragall with Pegasus spyware.

In May 2022, judge José Antonio Cruz de Pablo temporarily suspended the investigation due to the lack of progress on rogatory information from Israeli authorities.

United States 2019 Ongoing On 29 October 2019, WhatsApp and Facebook filed a complaint against NSO Group/Q Cyber Technologies in the Northern District of California. The plaintiffs allege that, between April 2019 and May 2019, the defendants used WhatsApp servers located in the US and elsewhere to send malware to approximately 1,400 mobile phones and devices. The plaintiffs seek injunctive relief and damages pursuant to the Computer Fraud and Abuse Act and the California Comprehensive Data Access and Fraud Act (Penal Code section 502), as well as for breach of contract and trespass to chattels. A copy of the complaint is available here.

In April 2021, the US Court of Appeals for the Ninth Circuit rejected NSO’s claim of protection under sovereign immunity laws and allowed the suit to proceed. In April 2022, NSO Group appealed to the US Supreme Court. In June 2022, the Supreme Court asked the Justice Department to provide its view on whether NSO Group has sovereign immunity.

United Kingdom 2019 Ongoing Lawsuit brought by Ghanem Almasarir in the United Kingdom against the Kingdom of Saudi Arabia.

Ghanem Almasarir filed a civil legal claim for misuse of private information, harassment, and trespass to goods against the Kingdom of Saudi Arabia (KSA). Mr. Almasarir is a prominent Saudi dissident who has lived in the United Kingdom since 2003. He believes that the Saudi government used spyware known as Pegasus, acquired from NSO Group, and that they infected his mobile phones with this in order to modify, extract, and record all information stored on and communicated on these devices. He also believes that the spyware enabled the KSA to access the phones’ microphone and camera in order to see and hear what he was doing. Leigh Day, the firm representing Mr. Almasarir, prepared a press release available here. A claim was issued on 4 November 2019. In January 2020, the UK High Court said that the case could go ahead. In August 2022, the UK High Court dismissed Saudi Arabia’s attempt to use state immunity provisions to block the claim in relation to allegations of use of Pegasus spyware and allowed the case to proceed.

Israel 2019 Closed Petition appealing the Israeli Ministry of Defense’s decision to not revoke NSO Group’s export license in relation to the targeting of an Amnesty International staff member.

On May 14, 2019, Israeli petitioners appealed the Israeli Ministry of Defense (MoD)’s decision to not revoke NSO Group’s export license in relation to the targeting of an Amnesty International staff member. Amnesty International supported the petition and submitted an affidavit. In July 2020, a Tel Aviv court rejected this attempt to force the Israeli MoD to reject NSO Group’s license.

Israel 2018 Ongoing Lawsuit brought by Omar Abdulaziz in Israel against NSO Group. 

Omar Abdulaziz filed a lawsuit in Israel against NSO Group. According to the New York Times, it alleges that NSO Group helped the Saudi royal court take over his smartphone and spy on his communications with murdered Jamal Khashoggi. NSO Group issued a statement that its products were “licensed for the sole use of providing governments and law enforcement agencies the ability to lawfully fight terrorism and crime” and that contracts to use NSO Group spyware “are only provided after a full vetting and licensing by the Israeli government.” The company also added that it does not tolerate “misuse” of its products and that if there is “suspicion of misuse”, the company investigates it and takes appropriate action, including suspending or terminating a contract. The lawsuit was filed by Alaa Mahajna, an Israeli lawyer, in cooperation with Mazen Masri, a lecturer at the City University of London. The lawyers said in the court papers that they intend to argue that the exposure of the collaboration between Abdulaziz and Khashoggi “contributed in a significant manner to the decision to murder Mr. Khashoggi.”

In June 2020, an Israeli judge rejected NSO Group’s motion to dismiss and their call to hold the trial in secret, and ordered NSO Group to pay Abdulaziz’s legal costs. NSO Group said they would appeal.

Israel & Cyprus 2018 Ongoing Lawsuits brought by Mexican journalists and civil society activists and a Qatari citizen in Cyprus and Israel against NSO Group.

Mexican journalists and civil society activists filed a lawsuit against NSO Group in Israel (a Qatari citizen also filed a suit against NSO Group in Cyprus). According to the New York Times, these lawsuits include documents and emails that directly challenge the company’s repeated assertions that it is not responsible for any illegal surveillance conducted by the governments that buy its spyware. These lawsuits were also filed by Alaa Mahajna and Mazen Masri.

Israel 2018 Ongoing Criminal prosecution against former NSO Group employee.

In July 2018, the Israeli Justice Ministry said that a former employee of NSO Group had been charged with stealing intellectual property and trying to sell it for $50 million over the Darknet in a manner that could harm state security. The Justice Ministry said that, according to testimony gathered in the case, the former employee’s actions “endangered NSO and could have led to its collapse” and posed a threat to state security.

Mexico 2017 N/A Federal investigation by Mexican authorities into NSO Group in Mexico.

A federal investigation by Mexican authorities into the misuse of spyware in Mexico was announced by the Mexican government in 2017. However, its efforts appear to have stalled. The New York Times reports that US authorities approached by the Mexican investigators believe it is a sham inquiry and refused to participate.

Gamma Group

Company background

Gamma Group describes itself as an international manufacturer of surveillance and monitoring systems with technical sales offices in Europe, Asia, the Middle East, and Africa. It provides advanced technical surveillance, monitoring solutions, and advanced government training, as well as international consultancy to National and State Intelligence Departments and Law Enforcement Agencies. Gamma Group manufactured and sold a line of spyware products known as FinFisher/FinSpy. As with NSO Group, investigations into this company have provided some insight into its operations. A non-exhaustive list of resources follows:

The Citizen Lab has studied Gamma Group and the deployment of FinFisher/FinSpy in several reports.

Litigation against or implicating Gamma Group

Jurisdiction Date started Status Proceedings
UK 2018 Ongoing Lawsuit brought by Bahraini activists in the UK against Gamma.

Bahraini activists have started a legal action against Gamma alleging that the company was involved in the sale of spyware products to the Bahraini government knowing they would be used to crack down on protests during the Arab spring. The claimants say that they were targeted with the FinFisher/FinSpy program, which was manufactured in the UK and sold to the Bahraini government. They also accuse Gamma of providing training to Bahraini government officials on how to correctly use the software, along with technical support and software updates. All allege that the Bahraini government attacked their computers while they were in the UK. The claimants say they were targeted in relation to their pro-democracy campaigning during the Arab spring. Hassan Mushaima, one of the claimants, was jailed for life in 2011 by a military court in Bahrain. The claimants are represented by Leigh Day.

US 2014 Affirmed dismissal by District Court Doe v. Federal Democratic Republic of Ethiopia, 851 F.3d 7 (D.C. Cir. 2017), reh’g denied, 2017 U.S. App. LEXIS 10084 (D.C. Cir. June 6, 2017)

The Electronic Frontier Foundation (EFF) filed a lawsuit in federal court in Washington, D.C. alleging that the government of Ethiopia, using FinFisher/FinSpy, illegally wiretapped and invaded the privacy of EFF’s client, a U.S. citizen on U.S. soil. The United States Court of Appeals for the District of Columbia Circuit ultimately concluded in March 2017 that Ethiopia was immune from suit absent an exception under the Foreign Sovereign Immunities Act, which did not arise here. In response to the decision, EFF argued that the court had “held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–as long as they do so by remote control” and that the decision was “extremely dangerous for cybersecurity.” Under this holding, there is no legal recourse if a foreign government “hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil.” For further analysis of this decision, see Lawfare and Motherboard.

Formal complaints against Gamma Group

Jurisdiction Date started Status Proceedings
OECD National Contact Points (NCPs) in UK & Germany 2013 OECD NCPs issued decisions OECD complaints by human rights groups against Gamma and Trovicor in UK and Germany.

In 2013, Privacy International, Reporters Without Borders, Bahrain Watch, the Business Center for Human Rights, and the ECCHR filed a formal complaint with the UK National Contact Point for the OECD, as well as the equivalent German Contact Point, against Gamma and Trovicor. The UK Contact Point accepted the complaint for consideration against Gamma. In 2014, the UK Contact Point determined that Gamma was in violation of human rights guidelines. The German Contact Point refused to investigate the allegations and was only willing to continue with mediation in relation to Trovicor’s risk management.

UK 2012 Judicial review granted Privacy International complaint against HM Revenue and Customs (HMRC) in the UK.

Privacy International began investigating Gamma and the export of FinFisher/FinSpy spyware. After discovering that Gamma’s FinSpy was subject to the UK export control regime and that Gamma had only submitted a Control List Classification enquiry asking the government whether or not it needed an export license for the product in July 2012, Privacy International submitted a dossier of evidence against Gamma to HMRC and called for an investigation. HMRC is responsible for overseeing the enforcement of export regulations in the UK. HMRC refused to provide any details regarding any investigation into Gamma’s export practices, arguing that it was statutorily barred from doing so. In May 2013, Privacy International filed for judicial review of HMRC’s decision. In May 2014, the Administrative Court declared that HMRC acted unlawfully and “irrationally” in issuing blanket refusals into the status of any investigation into the potentially illegal export of FinFisher. The court quashed HMRC’s decision and ordered it to consider Privacy International’s request again.

Germany 2014 Denied Privacy International and the European Center for Constitutional and Human Rights criminal complaint against Gamma in Germany.

In October 2014, Privacy International and the European Center for Constitutional and Human Rights submitted a criminal complaint calling for an investigation into Gamma in Munich, Germany. In December 2014, public prosecution authorities in Munich decided not to launch investigatory proceedings against Gamma’s employees.

FinFisher

FinFisher GmbH is a Munich-based company that describes itself as having “the mission to provide first-class cyber solutions and knowledge for successful operations against organized crime.” The FinFisher spyware kit was previously said to have been produced by Gamma Group. FinFisher GmbH was formed sometime in 2013 and Gamma Group alleges that it stopped selling the product as of 2012.

Formal complaints against FinFisher

Jurisdiction Date started Status Proceedings
Germany 2019 Ongoing Criminal complaint made by Gesellschaft für Freiheitsrechte e.V., Reporters Without Borders Germany, the European Center for Constitutional and Human Rights, and Netzpolitik.org against the CEO of FinFisher GmbH and related entities.

The organizations argued that the Munich-based companies sold the FinSpy spyware to Turkey without an export license and that this assisted in the surveillance of opposition members and journalists by the Turkish government. Public prosecutors in Munich reportedly opened an investigation. On October 14, 2020, DW reported that “German Customs Investigation Bureau (ZKA) searched 15 residential and business premises in Germany and abroad last week with connections to the Munich-based surveillance software firm FinFisher.”

In March 2022, FinFisher ceased business operations and filed for insolvency.

Amesys

Company background

Amesys (renamed Nexa Technologies) is a French company that makes communications equipment and other related equipment for aerospace, defence, marine, energy, and the telecommunications industry, including surveillance equipment. A non-exhaustive list of resources on this company follows:

Litigation against or implicating Amesys

Jurisdiction Date started Status Proceedings
France 2017 Ongoing Criminal investigation into Amesys and the sale of surveillance equipment to Egypt.

In November 2017, the International Federation for Human Rights (FIDH) and the Ligue française des droits de l’Homme (LDH), with support from the Cairo Institute for Human Rights Studies (CIHRS), requested an investigation into the sale of surveillance equipment by this French company to Egypt and the potential role of this equipment in widespread oppression under the Al Sissi regime in Egypt. In December 2017, the Paris Prosecutor acknowledged the gravity of the allegations, giving Egyptian victims the opportunity to become civil parties to the case and testify in France as well as enable FIDH and LDH to become civil parties.

In June 2021, four Amesys and Nexa Technologies executives were indicted by investigating judges of the crimes against humanity and war crimes unit of the Paris Judicial Court for complicity in torture in the Libyan portion of the investigation and complicity in torture and enforced disappearance in the Egyptian portion. These indictments arose out of this 2017 complaint, as well as the 2011 complaint described below.

France 2011 Ongoing Criminal investigation into Amesys and the sale of surveillance equipment to Libya.

In October 2011, FIDH and LDH filed a complaint alleging the complicity of Amesys and its executive managers in acts of torture for having signed and executed a commercial agreement for the provision of surveillance technology to the Libyan regime in 2007. In May 2012, a formal criminal investigation was opened in France. After subsequent litigation over this decision to open an investigation, in January 2013, the Chamber of Criminal Investigation of the Court of Appeal upheld the initial order to open the investigation. In June 2021, four Amesys and Nexa Technologies executives were indicted by investigating judges of the crimes against humanity and war crimes unit of the Paris Judicial Court for complicity in torture in the Libyan portion of the investigation and complicity in torture and enforced disappearance in the Egyptian portion. These indictments arose out of this complaint, as well as the 2011 complaint described above.

Qosmos

Company background

Qosmos is a French technology company that specializes in Deep Packet Inspection-based IP classification and network intelligence technology. A non-exhaustive list of resources on this company follows:

Litigation against or implicating Qosmos

Jurisdiction Date started Status Proceedings
France 2012 Dismissed Criminal investigation into Qosmos and sale of equipment to Syria.

FIDH and LDH filed a criminal complaint before a Paris court urging an investigation into the involvement of French companies supplying surveillance equipment to Bashar El-Assad’s Syrian government. The complaint named Qosmos, a French company, in particular, alleging that it is complicit in human rights abuses, including torture, by the Syrian government by providing it with surveillance equipment. In April 2014, a full judicial investigation was brought against Qosmos by the Paris Court for complicity in torture. In April 2015, an investigative judge declared Qosmos an “assisted witness.”

In December 2020, a Paris judge dismissed the case due to insufficient evidence to establish a causal link between surveillance equipment and acts of torture and crimes against humanity by the Syrian regime.

DarkMatter

Company background

DarkMatter is an Emirati cybersecurity firm. In 2019, Reuters published a detailed investigation into the company and an Emirati government surveillance program called “Project Raven,” which was moved to DarkMatter in 2016. Reuters described how American contractors were used to undertake surveillance on behalf of the Emirati regime through DarkMatter. 

Litigation against or implicating DarkMatter

Jurisdiction Date started Status Proceedings
US 2021 Ongoing Loujain AlHathloul, a Saudi human rights activist, filed an action against DarkMatter in the US District Court for the District of Oregon. The lawsuit is supported by the Electronic Frontier Foundation, and alleges that DarkMatter and three of its former executives illegally hacked into AlHathloul’s phone to secretly track communications and her location.
US 2020 Ongoing Ghada Oueiss, a journalist with Al Jazeera, filed a lawsuit against DarkMatter (as well as a number of other defendants, including Saudi and Emirati princes) in the United States District Court for the Southern District of Florida. Oueiss alleges an unlawful “hack and leak” operation against her, which was “spearheaded by the crown princes of Saudi Arabia and the United Arab Emirates…and their co-conspirators in the U.S. and elsewhere.”

In March 2022, the US District Court for the Southern District of Florida dismissed the case. In April 2022, Oueiss appealed to the US Court of Appeals for the Eleventh Circuit.

US 2021 Closed In September 2021, the US Department of Justice announced that three former US intelligence community and military personnel officials agreed to pay over $1.68 million to resolve criminal charges that arose from providing hacking-related services to a foreign government. The individuals were known to have worked for DarkMatter.

WiSpear

Company background

WiSpear is a Cyprus-based company which provides “end-to-end WiFi surveillance solutions” and was founded by Tal Dilian (Dilian previously owned another surveillance company, Circles, which he then sold to NSO Group). WiSpear came into the public spotlight after several articles in Forbes where Dilian provided details regarding the company’s controversial “spy van,” described as “a car full of next-generation snooping kit that can infect Apple and Google phones from as far away as 500 metres.”

Litigation against or implicating WiSpear

Jurisdiction Date started Status Proceedings
Cyprus 2019 to 2021 Closed After Dilian gave an interview to Forbes about WiSpear’s “spy van”, the local authorities opened a police investigation against Dilian and two other individuals, as well as the company itself. In November 2021, the Attorney-General announced that it was dropping charges against the individual defendants. That same month, the Office of the Commissioner for Personal Data Protection in Cyprus announced that WiSpear would pay a fine of $1 million euros for GDPR-related violations in relation to the “spy van” case.

* * *

If you have tips on additional litigation or formal complaints against digital surveillance companies not covered in this document, please email Siena Anstis: siena [at] citizenlab [dot] ca.