Judges strike skeptical note of NSO Group’s argument to dismiss case from El Salvadoran journos

A panel of U.S. judges considering an appeal of a ruling that went against El Salvadoran journalists suing NSO Group over alleged infections of their phone by the company’s Pegasus spyware appeared more skeptical Thursday of the vendor’s arguments than those of the reporters.

Judge James Donato of the District Court for the Northern District of California granted NSO Group’s motion to dismiss the suit last year in Dada et al v. NSO Group, concluding that a different court venue would make more sense for a case involving an Israeli company and plaintiffs who almost exclusively lived and worked outside the United States.

The three judges in the appeal focused many of their questions, however, on where the “misconduct” occurred, with the plaintiffs making the argument that it happened via Apple servers in California and the defendants arguing that the allegations of misconduct would have occurred in El Salvador.

The case is one of several where jurisdictional questions have thrown up hurdles to spyware victims’ legal challenges.

Judge Michael Simon on Thursday brought up a since-abandoned case that Apple itself brought against NSO Group in the same district, the location of which was tied to the tech giant’s headquarters.

“The actual misconduct, the hacking, occurred there, which is the same hacking at issue in this case, even if the harm sort of transpired elsewhere,” Simon said. “The misconduct at issue seems to actually have a locus in California.”

Attorney Paul Watford, arguing on NSO Group’s behalf, answered that the situation was different because “Apple was the target of the defendant’s conduct, allegedly,” and that “here, the target of the defendant’s conduct is allegedly against these El Salvadoran journalists in El Salvador. That’s where the misconduct occurred.”

But Judge Jennifer Sung followed up, pointing out that the plaintiffs say they were harmed because of something that happened in the Northern District of California. In addition to other reasons tied to hosting a trial with multiple parties, “that’s why it made sense to me” that the plaintiffs “would choose Northern California,” Sung said.

Watford pushed back that the location of Apple servers is “not the nub of the dispute,” but rather that “this litigation involves attacks on foreign journalists in foreign countries by foreign actors.”

Elaborating on behalf of the plaintiffs, Knight First Amendment Institute attorney Carrie DeCell said the allegations are fundamentally linked to the defendants’ use of Apple ID accounts, vulnerabilities in Apple software and the infection of iPhones through Pegasus. 

“So it is abundantly clear,” she said, “that we have alleged that defendants targeted Apple both in the plan of the exploits and then the deployment of Pegasus.”

A group of large tech companies, including Microsoft and Google, filed a friend of the court brief with the defendants arguing that they, the U.S. government and state of California have a valid stake in the case over the cybersecurity of their products.

“The United States and California … have fundamental interests in preventing the proliferation of such spyware tools that threaten national security and in protecting U.S. technology companies from hackers (both foreign and domestic) exploiting their products and services,” it states.