A federal judge in California has agreed with WhatsApp that the NSO Group, the Israeli cybersurveillance firm behind the Pegasus spyware, had hacked into its systems by sending malware through its servers to thousands of its users’ phones. WhatsApp and its parent company, Meta, sued the NSO Group back in 2019 and accused it of spreading malware to 1,400 mobile devices across 20 countries with surveillance as its purpose. They revealed back then some of the targeted phones were owned by journalists, human rights activists, prominent female leaders and political dissidents. The Washington Post reports that District Judge Phyllis Hamilton has granted WhatsApp’s motion for summary judgement against NSO and has ruled that it had violated the US Computer Fraud and Abuse Act (CFAA).
The NSO Group disputed the allegations in the “strongest possible terms” when the lawsuit was filed. It denied that it had a hand in the attacks and told Engadget back then that its sole purpose was to “provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.” The company argued that it should not be held liable, because it merely sells its services to government agencies, which are the ones that determine their targets. In 2020, Meta escalated its lawsuit and accused the firm of using US-based servers to stage its Pegasus spyware attacks.
Judge Hamilton has ruled that the NSO Group violated the CFAA, because the firm appears to fully acknowledge that the modified WhatsApp program its clients use to target users send messages through legitimate WhatsApp servers. Those messages then allow the Pegasus spyware to be installed on users’ devices — the targets don’t even have to do anything, such as pick up the phone to take a call or click a link, to be infected. The court has also found that the plaintiff’s motion for sanctions must be granted on account of the NSO Group “repeatedly [failing] to produce relevant discovery,” most significant of which is the Pegasus source code.
WhatsApp spokesperson Carl Woog told The Post that the company believes this is the first court decision agreeing that a major spyware vendor had broken US hacking laws. “We’re grateful for today’s decision,” Woog told the publication. “NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists and civil society. With this ruling, spyware companies should be on notice that their illegal actions will not be tolerated.” In her decision, Judge Hamilton wrote that her order resolves all issues regarding the NSO Group’s liability and that a trial will only proceed to determine how much the company should pay in damages.
