Several large tech companies, including Microsoft, Google, and LinkedIn filed Monday an amicus brief in the US Court of Appeals for the Ninth Circuit in Facebook’s lawsuit against Israeli surveillance company NSO.

NSO creates cyber-surveillance tools, which it then sells to foreign governments and other customers. Those customers can use the tools to track individuals’ locations, read their texts, and gather other private information. NSO sought immunity from any laws which make it illegal to access devices without proper authorization, such as the Computer Fraud and Abuse Act. To justify this immunity, NSO sought to expand common-law foreign sovereign immunity to cover private company actions on behalf of foreign governments.

Facebook filed suit in October 2019, alleging NSO had developed a tool to spy on WhatsApp messages from diplomats, human rights activists, and political dissidents. In July 2020, US District Judge Phyllis Hamilton allowed the lawsuit to proceed, despite NSO’s request to dismiss the lawsuit. 

On Monday, tech companies Microsoft, Google, Cisco Systems, GitHub, LinkedIn Corporation, VMware, and Internet Association filed an amicus brief in the lawsuit. In the brief, the companies warned that NSO’s tools were “powerful, and dangerous.” The companies also argued that allowing NSO and similar companies to use cyber-surveillance tools across US systems created large-scale, systemic cybersecurity risk. They claim that expanding immunity to companies such as NSO  would increase the number of companies and governments with access to surveillance tools and would increase the use of such tools. The increased access to and use of the surveillance tools would, in turn, cause “extensive damage” to US cybersecurity and its citizens’ privacy.

Because of this, the companies argued that private companies should be liable for using cyber-surveillance tools in violation of US law, regardless of their customers’ identities. In the brief, Microsoft Corporate Vice President of Customer Security and Trust Tom Burt stated:

Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve. We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks.