In a landmark ruling on Friday, a Northern California federal judge found the developer of the powerful Pegasus spyware, NSO Group, liable for infecting devices belonging to 1,400 WhatsApp users. This ruling could potentially lead to substantial damages against NSO Group, a company known for its notorious spyware that has reportedly been utilized, and sometimes misused, by various government clients worldwide.
Despite the spyware being discovered on the phones of activists, journalists, and other members of civil society, no court had previously held NSO Group accountable for such abuses. The company has long maintained that its tools are intended for use by national security officials and law enforcement officers involved in intelligence matters and criminal investigations.
The legal action was initiated in 2019 when Meta-owned WhatsApp sued NSO Group, alleging that the company had exploited a bug in its systems to install spyware on some users’ devices. Among the victims of this malicious software were journalists, human rights activists, political dissidents, diplomats, and senior foreign government officials who were frequently targeted by Pegasus.
Over the course of two years, the Israeli spyware maker reportedly made multiple adjustments to the exploit in order to bypass the defenses put in place by WhatsApp. In her ruling, Judge Phyllis Hamilton determined that NSO Group had violated the federal Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act by enabling these hacks. The company was also found liable for breach of contract for violating WhatsApp’s terms of service.
WhatsApp expressed gratitude for the court’s decision, stating that NSO Group can no longer evade accountability for their unlawful activities. Advocates for spyware victims welcomed the ruling as a significant step towards holding spyware companies accountable for their actions.
A spokesperson for NSO Group did not immediately respond to a request for comment following the ruling. The judge criticized NSO Group for failing to produce complete Pegasus source code despite a court order, leading her to grant WhatsApp’s request for sanctions.
The court’s decision shed light on NSO Group’s internal workings, revealing that the company controlled data extraction from targets’ devices and the process of implanting spyware on them. NSO executives admitted to developing the exploits used in the WhatsApp hacks, and evidence presented in the case indicated that the company continued to develop new malware even after being sued by WhatsApp for violating anti-hacking laws.
The lawsuit has offered a rare glimpse into the operations of a secretive spyware manufacturer, challenging past assertions regarding the extent of NSO Group’s control over its spyware. Arguments to determine damages will commence in March, marking another phase in the legal battle between WhatsApp and NSO Group.