Access to Public Information, Privacy, Data Protection and Retention, Surveillance
Bartnicki v. Vopper
United States
Closed Contracts Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The Tel Aviv-Jaffa District Court dismissed an application brought by Amnesty International seeking a revocation of a license granted to NSO Group Technologies Ltd., a spyware software firm. Amnesty International approached the Court after a staff member was the victim of an attempted surveillance attack on their mobile phone which used spyware technology created and sold by an Israeli-based company. Amnesty International argued that the Israeli Defence Export Controls Agency (DECA) had an obligation under international human rights law to ensure that companies domiciled in Israel respect human rights and that – as the spyware was being used to target human rights defenders – the company’s license to distribute that spyware should be revoked. The Court held that DECA’s internal processes were “thorough and meticulous” in granting and monitoring licences to companies providing military and security systems, and that Amnesty International had failed to prove that the surveillance attack had occurred or that the company was responsible for any attacks.
In June 2018, a staff member of Amnesty International received a suspicious message on WhatsApp asking them to cover a protest in Saudi Arabia. The message included a link for the staff member to click on. At the time, Amnesty International – a global human rights organization, with a presence in over 70 countries – was actively involved in campaigning for the release of six women’s rights activists detained in Saudi Arabia. Amnesty Tech – Amnesty International’s division which focuses on technology and human rights [affidavit para. 6] – investigated the message and found that the link was connected to a domain known to distribute a form of spyware [affidavit para. 15]. The fact that the message appeared tailored to the staff member’s work at Amnesty International indicated that they had been targeted, which created a sense of fear and emotional distress, and a “chilling effect” on the individual staff member and the organization as a whole [affidavit para. 17]. If the attack had been successful it would have compromised the staff member’s privacy and the human rights work of Amnesty International [affidavit para 15].
According to Amnesty Tech, had the staff member clicked on the link, the mobile device would have been infected by Pegasus spyware owned by the NSO Group – a company based in Israel which manufactures surveillance tools for governments. Pegasus operates covertly and has “sophisticated targeting capabilities” which allows it to target “individuals’ private data, including the ability to secretly control a target’s mobile device” [affidavit para. 10]. It is generally installed on a target’s mobile phone when the user clicks on a link but can also be installed if the government using it has the target’s phone number. Once the spyware is installed, an operator has access to all data on the mobile phone including “contacts, photos, call history and previous text messages—regardless of encryption or other protections” and it can record communications and location data [affidavit para. 12]. The recording can be done by enabling the phone’s camera and microphone to record the surroundings which “essentially convert[s] the device into a sophisticated eavesdropping and tracking tool” [affidavit para. 12]. Although the NCO Group markets its surveillance tools as contributing to the fight against crime and terrorism, the tools are frequently used by governments with a history of abusing human rights [affidavit para. 27].
In November 2018, the Israeli section of Amnesty International wrote to the Israeli Defence Export Controls Agency (DECA) requesting that DECA revoke the defence export licence it had granted the NSO Group. The NSO Group had been granted a defence export license by DECA to export its digital surveillance software under Defence Export Control Law 5777-2007 because its spyware constitutes a security system and DECA had oversight over Pegasus because of “the potential security implications of the platform” [affidavit para. 10].
In 2019, Amnesty International brought an application before the Tel Aviv-Jaffa District Court, sitting as the Court for administrative matters, seeking an order against DECA to revoke NSO Group’s export licence.
Judge Rachel Barkaiof, Senior Judge at Tel Aviv-Jaffa District Court delivered the judgment. The primary issue before the Court was whether DECA had failed in its obligations to prevent violations of international human rights law.
Amnesty International submitted Pegasus was being used “to target and surveil human rights defenders and other civil society actors” [affidavit para. 19] and by “governments with long and well-documented histories of repression and abuse” [affidavit para. 23]. It referred to research conducted by itself and by Citizen Lab (an entity based at the University of Toronto examining the intersection between information and communications technology and human rights) which demonstrated frequent abuses of Pegasus spyware to target civil rights activists. One of Citizen Lab’s reports states that between August 2016 and August 2018, of the 45 countries using the spyware, at least six countries had abused the spyware to target civil society [affidavit para. 20].
In addition, Amnesty International argued that given the well-reported extensive misuse of the surveillance technology by several governments, “NSO Group at least had constructive notice of the foreseeable risk” and “actual notice” of misuse of its spyware [affidavit para. 26]. The organization submitted that the NSO Group had an obligation to respect human rights under the UN Guiding Principles on Business and Human Rights which requires businesses to conduct “human rights due diligence to identify, prevent, mitigate and account for its response to human rights risks and impacts, and be liable for risks to human rights from its actions and activities” [affidavit para. 40]. Amnesty International argued that these principles oblige the NSO Group to review the publicly-available information on potential government clients and determine whether that government has sufficient legal safeguards in place to prevent abuse of its spyware platforms. It submitted that there was no evidence that the NSO Group had done so, and added that the NSO Group had “failed to demonstrate that it has detected any risks, taken any subsequent measure to prevent or minimize these risks, or cancelled or blocked sales due to the foreseeable risk of its products being used against civil society, or upon evidence of such abuse” [affidavit para. 29].
Amnesty International submitted that DECA was obligated to take steps to ensure that the NSO Group – as a company domiciled in Israel – did not sell its products to “states with documented records of abusing the rights of human rights defenders” [affidavit para. 41]. It argued that Israel is bound by the International Covenant on Civil and Political Rights (ICCPR) to protect the rights to privacy (article 17) and freedom of expression (article 19), and that the use of Pegasus violates these rights by “arbitrarily or otherwise unlawfully invading individuals’ privacy on the basis of their opinion or activities protected under international human rights law” [affidavit para. 36]. In respect of digital surveillance, Amnesty International submitted that Israel is obliged to ensure its domestic legal framework provides for independent oversight – including by the judiciary – over the use of surveillance and that the system must require that any restrictions to human rights be necessary and proportionate [affidavit para. 37]. It argued that the attempted targeted attack on its staff member “demonstrates that existing due diligence frameworks, export control regimes, and other regulatory measures have failed to protect against human rights violations” [affidavit para. 39], and that, by failing to prevent the sale of NSO Group services to governments abusing those products, Israel (through DECA) was in breach of its duties under the ICCPR and the Guiding Principles [affidavit para. 41].
The NSO Group argued that the spyware was sold to governments to prevent crimes and counter terrorism, and that internal review mechanisms were in place to consider and respond to any alleged human rights abuses [affidavit para. 28].
In its brief order, the Court rejected Amnesty International’s application as it was “convinced that the process of control and handling applications for defence marketing and/or exportation licences is a sensitive, meticulous process” and that licenses are only granted after a “thorough and meticulous process” [p. 1]. The Court noted that DECA monitors the companies to which it has granted licenses and that it exercises suspension and revocation processes when human rights abuses are identified.
The Court held that Amnesty International had not demonstrated that an attempted surveillance attack had occurred, or that the NSO Group was responsible for such an attack.
Accordingly, the Court dismissed Amnesty International’s application.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
In refusing to interrogate the processes for granting and reviewing DECA licences, the Court did not engage with the arguments raised by Amnesty International on the obligations of states and companies to ensure that human rights are not violated abroad. The Court simply accepted DECA’s submission that their processes were thorough, and so provided no protection for human rights defenders whose privacy is violated through the use of Pegasus spyware by repressive governments.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.