By: Desiree Murray* 

We often resolve our disputes through litigation, a costly approach but often the only course of action for plaintiffs seeking relief. How ought litigants deal with the grave harms imposed on them by the private surveillance industry? The private surveillance industry is marked with extensive barriers to successful litigation, including lack of knowledge of the harm, lack of judicial oversight and remedies, problematic causes of action, weak enforcement, or limited data preservation. The cost is often not worth the high risk of an unfavorable outcome. Civil society organizations and private individuals who file suit are consistently left unpleased with the outcome and frequently financially distressed. 

The June 2019 report to the Human Rights Council on the private surveillance industry by the Special Rapporteur on freedom of expression highlighted the absence of remedies for targeted surveillance. The landmark report substantially relied on input from States and civil society through formal submissions and a two-day consultation convened in Bangkok, Thailand. It was widely agreed in Bangkok that successful litigation was more than just difficult but often practically impossible. 

The June report calls for an “immediate international moratorium on the sale and transfer of the tools of the private surveillance industry until rigorous global and national safeguards are put in place to regulate it and guarantee legitimate use by government and non-state actors.” Among the global and national safeguards needed to ensure proper oversight and constraint would be the assurance, in law, of legitimate causes of action and enforcement mechanisms to make the lengthy and costly litigation process a viable option for relief. 

Litigation or formal complaints have been filed in at least eight countries including Israel, Cyprus, Mexico, the United Kingdom, the United States, Germany, France, and Pakistan. In December 2018, Citizen Lab published a comprehensive overview in this area,  a living resource specifically related to litigation in the digital surveillance industry. The guide highlights the different types of litigation and the alarming number of losses against private companies and State actors. 

At least one State has set domestic precedent by granting a foreign state sovereign immunity involving spyware. In Doe v. Ethiopia, the United States Court of Appeals, District of Columbia Circuit (D.C. Circuit), an Ethiopian-born, U.S. citizen and human rights activist living in the United States sued Ethiopia (and lost under the Foreign Sovereign Immunities Act) for monitoring his Skype calls over a four-month period after his computer was infected with FinSpy spyware. The case is discussed at length in the report and the annex.

It is particularly concerning that States lack the domestic legal structure to provide relief in these situations. There are many other barriers to successful litigation including struggling to convince States to open investigations to urging States to have organized and fair investigations once they commence. This gap is highlighted by the fact that complainants may obtain successful outcomes in mechanisms like the Organization for Economic Cooperation and Development (OECD), which has a process for complaints, and no change is implemented due to the lack of enforcement.  As noted in the report and in Privacy International’s Submission for the report, Privacy International has used two OECD National Contact Points, one in Germany and one in the United Kingdom, to file formal complaints against Gamma International and Trovicor GmBH for their role in the Bahraini government’s targeted surveillance of political opponents. The complaint asked the German contact to “ascertain whether [Trovicor] breached the OECD Guidelines for Multinational Enterprises by exporting surveillance products to Bahrain, where the authorities use such products in human rights abuses, including the arrest, detention and torture of political opponents and dissidents.” However, the German National Contact Point rejected the complaint on the basis that the evidence of Trovicor’s presence in Bahrain was not sufficient. 

In a virtually identical complaint to the U.K. National Contact Point, multiple civil society organizations alleged similar violations against Gamma International, the firm that produced FinFisher. Unlike the German National Contact Point, the U.K. contact accepted the complaint and released an Initial Assessment in June 2013. The fact that identical complaints raised drastically different outcomes raises general concerns about the discretion in determining whether or not a human rights violation occurred. 

The Initial Assessment by the U.K. National Contact Point found that there was evidence that suggested the company’s product may have been used against Bahraini activists, and this “substantiates the issues in respect of the company’s obligations to do appropriate due diligence and to address impacts.” The final report found Gamma International clearly in violation of human rights guidelines. The report focused on the voluntary OECD Guidelines for Multinational Enterprises which generally requires enterprises to consider established policies in countries they operate and consider views of other stakeholders. An important factor in this analysis was the information available to Gamma International about human rights risks of supplying this technology to Bahrain. Gamma International failed to respond to the U.K. National Contact Point and made no visible changes to meet the recommendations. Thus, the report concluded that the company made no effort or progress to implementing standards to protect and promote human rights. While this decision is the most successful OECD complaint because it actually finds human rights violations, the lack of enforcement under this mechanism makes the holding incredibly less significant.

            Nothing in the digital surveillance space currently encourages individuals targeted by malicious software to seek relief through litigation or formal complaints. The International Covenant on Civil and Political Rights requires not only that States respect and ensure enjoyment of human rights, it also requires that victims of violations have access to an “effective remedy” subject to “competent judicial, administrative or legislative tribunal” with power to enforce. (Article 2(3), ICCPR.). Neither an effective remedy nor a competent authority with power to enforce has been identified. The strategic barriers and the lack of transparency in government export laws and practices discourage civil society from continuing to use litigation mechanisms as an option to fight human rights abuses by private surveillance companies.

While seeking legal remedies for affected individuals remains limited, a recent lawsuit by WhatsApp against the NSO Group suggests the new possibility of legal actions against the private surveillance companies. In October 2019, WhatsApp filed a complaint in the U.S. District Court for the Northern District of California against the Israeli surveillance company, alleging that the company’s spyware has been used to hack into the phones of 1,400 of WhatsApp users including human rights defenders, journalists and other members of civil society across the world. The lawsuit, which does not name the customers of the company (government end users) who were using the spyware to target individuals but holds the NSO Group liable for violating the Computer Fraud and Abuse Act and other state-level statutes, is the first of its kind brought by a tech company against another. If successful, the lawsuit could encourage other tech companies to pursue similar actions against surveillance companies for exploiting their vulnerabilities, and signal the beginning of checks in an industry that has been largely unregulated.

*Desiree Murray is a former Clinic student at UCI Law International Justice Clinic 

Limitations of Legal Actions against Private Surveillance Companies