In a landmark decision, a federal judge in Northern California has ruled that Israeli spyware developer NSO Group is liable for its role in infecting the devices of 1,400 WhatsApp users with its infamous Pegasus spyware. The ruling marks the first time the company has been held accountable in court for abuses of its powerful surveillance tools.
The decision paves the way for potentially significant damages against NSO Group, whose Pegasus spyware has been repeatedly linked to surveillance of activists, journalists, political dissidents, and diplomats. Despite the company's long-standing claims that its tools are exclusively for use by national security and law enforcement agencies, the spyware has been found on the devices of members of civil society worldwide.
The WhatsApp Case
Meta-owned WhatsApp filed a lawsuit against NSO Group in 2019, accusing the company of exploiting a vulnerability in its platform to deploy spyware. According to the lawsuit, NSO targeted users over two years, repeatedly modifying its exploits to bypass WhatsApp’s defenses. Victims included journalists, human rights activists, diplomats, and foreign government officials.
Judge Phyllis Hamilton ruled that NSO Group violated both the federal Computer Fraud and Abuse Act (CFAA) and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA). Additionally, the company was found liable for breach of contract by violating WhatsApp’s terms of service.
“After five years of litigation, we’re grateful for today’s decision,” WhatsApp said in a statement. “Spyware companies like NSO can no longer avoid accountability for their unlawful actions against our platform, civil society, and individuals.”
A Blow to Spyware Impunity
The ruling has been hailed as a victory for spyware victims and advocates. Natalia Krapiva, senior tech legal counsel at Access Now, described the decision as “a major win not just for WhatsApp but for victims worldwide whose lives have been devastated by Pegasus and similar spyware.” She added that this case signals the end of impunity for spyware companies undermining digital security and human rights.
The court also sanctioned NSO Group for failing to provide the complete Pegasus source code, a key requirement in the case. Instead, NSO offered limited access to source code within Israel, prompting the judge to grant WhatsApp’s request for sanctions.
Unveiling Pegasus’ Inner Workings
The lawsuit revealed unprecedented insights into NSO Group’s operations. Depositions from senior executives confirmed that NSO controlled every aspect of Pegasus’ deployment, from data extraction to delivery. Contrary to previous claims, the filings revealed that NSO—not its clients—managed the spyware’s installation and operation.
Evidence also showed that NSO continued developing malware targeting WhatsApp accounts even after being sued for violating anti-hacking laws. The spyware used a “WhatsApp Installation Server” (WIS) to send malicious files through WhatsApp’s servers, enabling Pegasus to infect target devices.
Looking Ahead
Arguments over damages are set to begin in March 2024. The case is expected to have far-reaching implications for the spyware industry, sending a strong message to companies developing surveillance tools that their actions will face legal scrutiny.
“This ruling shows that spyware companies are not above the law,” said Krapiva. “It is a step forward in protecting digital security and human rights.”

