Congress should shield tech companies from lawsuits relating to spyware that exploits their platforms or abuses their security infrastructure, a Washington think tank proposes in a new report.

A safe-harbor law would encourage firms to invest in detecting spyware and alerting victims when their devices have been attacked, according to the report from the Atlantic Council.

Apple, Meta and Google have sophisticated threat hunting teams in place and have made spyware findings known to victims and the public. The proposed legislation, the report says, essentially would incentivize the tech industry to continue aggressively rooting out the surveillance tools.

Companies should be eligible for safe harbor if they set up threat notification and detection programs, share information about spyware targeting with researchers and advocacy groups, quickly patch vulnerabilities and provide enhanced security features, the Atlantic Council says.

The law should apply to messaging platforms like WhatsApp and iMessage; mobile operating systems like iOS and Android; and cloud service providers and companies providing security services, the report says.

Tech companies’ spyware hunting efforts are “voluntary and appear to be remarkably effective, but there's nothing to codify them and ensure that if they experience any form of blowback from those measures, they are protected from that,” report author Sara Ann Brackett said.

Messaging platforms like Signal — which does not have a dedicated threat hunting team — also would benefit from a shield law because better-resourced companies might be more likely to share information about potential exploits involving those apps, Brackett said.

Most spyware lawsuits filed to date have targeted manufacturers of the surveillance tools. Salvadoran journalists are now suing the NSO Group for targeting their phones with zero-click spyware.

In 2019, WhatsApp also sued the NSO Group, alleging that the spyware company attacked its infrastructure to target 1,400 users’ devices. In May, a California jury ordered NSO to pay $168 million to WhatsApp for facilitating the targeting.