SIM Card Maker Gemalto Is Morally Obligated to Sue the NSA for Hacking

​Gemalto, the SIM card manufacturer and allegedly the target of one of the largest NSA hacks of all time, has announced that it's not going to sue the intelligence agency. But it should.

Last week, a report by The In​tercept based on classified documents leaked by the former NSA contractor Edward Snowden showed that the NSA had stolen million of encryption keys from G​emalto, which makes SIM cards, allowing the agency to scrape phone call and text message information from smartphones as they were connecting to cell networks worldwide. The documents also showed that the NSA conducted surveillance on specific employees of the firm.

"It's difficult to prove our conclusions legally, so we're not going to take legal action," Olivier Piou, Gemalto's CEO, said at a pr​ess conference this morning in Paris. "The history of going after a state shows it is costly, lengthy and rather arbitrary."

On that, he's wrong, experts say. The specificity of the documents, and the results of a hasty internal investigation by Gemalto provide actionable intelligence (that's a term the NSA likes, right?) that gives the company an unprecedented opportunity to take the NSA to court. And it may have a moral obligation to do so.

"We encourage Gemalto to take legal action wherever possible—whether in US courts or in Europe—against the NSA and GCHQ for attacking the company and the security of its users," Peter Micek, an attorney at digital rights nonprofit Access, told me.

Earlier this month, a federal judge in California ruled that ​ordinary citizens cannot sue the NSA for mass surveillance unless they can specifically prove when it happened without revealing state secrets. That's problematic in lots of ways, but Gemalto seemingly has the opportunity here to take the NSA to court and prove, with its own internal investigation, supplemented with already-leaked documents, that the NSA hacked it.

"It's rare that companies have such clear evidence to present in court," Micek said. "For example, despite revelation after revelation, remedy has been nearly impossible to reach for victims of NSA surveillance due to standing issues and national security claims… to rebuild trust, companies need to use every possible opportunity to haul the NSA into court—even just to get some discovery or clarify legal arguments."

He's right. The initial documents leaked by Snowden was evidence that the NSA was scraping call information from Verizon, and a followup revealed PRISM, in which the NSA had direct access to the servers of Google, Apple, Microsoft, Yahoo, and other major tech companies. The idea that any American-made tech could be subject to surveillance has scared off investors. In fact, the Chinese government just announced it would no longer do business with many American tech companies. While companies have condemned the NSA, few have actually taken the agency to court.

In France, the telecom company Orange is currently suing the NSA because it believes communications between its customers either were or would be collected. "We want to know more about the eventuality that Orange data may have been intercepted," a spokesperson said at back in December, 2013, when news about the suit first broke.

We haven't heard much more from Orange since then, because French courts have sealed the proceedings (I've reached out to Orange for an update and will modify the article if I hear back).

In US court, however, it seems less likely, though not impossible, that a court would completely seal the case. Gemalto confirmed to me in an email that it does not plan on pressing charges and would not comment further.

"​Existing cases against the NSA show that US courts are willing to entertain lawsuits despite the government's claim that state secrets are at issue," Micek said.

Twitter, for instance, ​has an ongoing suit with against the federal government in which it's trying to push for more transparency about when the government asks it to hand over user data. The proceedings of that case, and the allegations Twitter is making about the surveillance state, are mostly public.

Gemalto has a huge opportunity here, but it appears content to squander it.