Introduction
A US federal court has delivered a landmark ruling in favor of WhatsApp, a subsidiary of Meta Platforms, in its legal battle against NSO Group, the Israeli company behind the Pegasus spyware. This decision represents a significant legal setback for NSO Group and marks a crucial step towards holding creators of mercenary spyware accountable for the damage inflicted by their tools.
Description
US District Judge Phyllis Hamilton [3] [5] of the Northern California District Court found NSO Group liable for violating hacking laws and breaching contractual agreements by exploiting a vulnerability in WhatsApp’s servers. This exploitation allowed the deployment of malware on the devices of over 1,400 individuals, including journalists [4] [5] [8], human rights activists [3] [4] [5] [6] [8], political dissidents [6] [8], and senior government officials [6] [8].
The court determined that NSO Group exploited an audio-calling vulnerability, enabling a zero-click exploit to install the spyware without the victim needing to answer the call [4]. This action constituted a breach of both the federal Computer Fraud and Abuse Act (CFAA) and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA) [3], as well as WhatsApp’s terms of service [2] [3] [4] [6] [7], which prohibit malicious use of the platform [2] [7].
Judge Hamilton granted WhatsApp’s motion for summary judgment [3] [4], noting that NSO Group did not contest the necessity of reverse-engineering or decompiling WhatsApp software to install Pegasus [2]. However, she raised questions about whether this occurred before NSO’s acceptance of WhatsApp’s terms of service, emphasizing that common sense suggests NSO must have accessed WhatsApp first [2], as the company failed to provide a plausible explanation for how it could have done so without agreeing to the terms [2].
The court also expressed concerns regarding NSO’s noncompliance with discovery orders, particularly its failure to produce the Pegasus source code and internal communications related to WhatsApp vulnerabilities [2], raising issues about the company’s transparency and cooperation with the judicial process.
Will Cathcart [2] [3] [5] [6], head of WhatsApp [1] [2] [5] [6], hailed the decision as a historic victory for privacy and accountability in the face of illegal surveillance, reinforcing the notion that spyware companies cannot escape responsibility for their actions. A spokesperson for WhatsApp welcomed the ruling, asserting that NSO can no longer evade accountability for its unlawful actions against WhatsApp and civil society [2].
The case is set to proceed to trial in March 2025 [2], where a jury will determine the damages NSO Group should pay to WhatsApp [2]. NSO Group had previously claimed that Pegasus was intended for use against terrorists and criminals to aid law enforcement and national security efforts [3]. However, the court’s ruling is expected to influence other spyware companies and signal a decline in impunity for such entities [1].
The spyware gained notoriety in 2021 following investigations by Amnesty International and the University of Toronto’s Citizen Lab [8], which revealed its misuse against human rights defenders and journalists [8], leading to widespread unlawful surveillance and human rights abuses [8]. Legal experts emphasize that the era of impunity for such companies is over [8], and that these companies will be held responsible for their illegal actions against individuals and civil society [8]. Cybersecurity advocates view the ruling as a potential turning point for the spyware industry [5], reinforcing the message that these companies are accountable for their actions and cannot deflect blame onto their customers [5].
Conclusion
The court’s ruling against NSO Group is a pivotal moment in the fight against the misuse of spyware, setting a precedent for holding such companies accountable for their actions. This decision is likely to have far-reaching implications for the spyware industry, signaling a shift towards greater accountability and transparency. As the case moves towards trial, it underscores the importance of legal frameworks in mitigating the risks posed by surveillance technologies and protecting the rights of individuals and civil society.
References
[1] https://cyberscoop.com/judge-grants-ruling-in-favor-of-whatsapp-against-spyware-firm-nso-group/
[2] https://techcrunch.com/2024/12/23/whatsapp-scores-historic-victory-against-nso-group-in-long-running-spyware-hacking-case/
[3] https://www.gadgets360.com/apps/news/whatsapp-wins-ruling-nso-group-us-court-pegasus-spyware-liable-hacking-7313246
[4] https://gizmodo.com/nso-group-found-liable-for-hacking-whatsapp-users-in-huge-win-for-privacy-2000542405
[5] https://americanlawreporter.com/2024/12/23/judge-rules-against-nso-group-in-whatsapp-spyware-case/
[6] https://www.infosecurity-magazine.com/news/spyware-maker-nso-group-whatsapp/
[7] https://www.cybersecurity-review.com/whatsapp-scores-historic-victory-against-nso-group-in-long-running-spyware-hacking-case/
[8] https://www.idropnews.com/news/court-rules-pegasus-spyware-maker-liable-for-attacks-on-1400-whatsapp-users/232874/




