A US judge ruled against Israel’s NSO Group on Friday, holding it responsible for hacking WhatsApp and breaching its contract. The lawsuit accused NSO of exploiting a flaw in WhatsApp to install spyware called Pegasus. The case will now proceed to trial to determine the damages NSO must pay.
WhatsApp filed the lawsuit in 2019, claiming the company accessed its servers without permission to install Pegasus on approximately 1,400 devices. These devices belonged to journalists, human rights activists, and others.
The judgment
In a summary judgment, US district judge Phyllis Hamilton in Oakland, California, held Israeli surveillance company NSO Group Technologies, also known as Q Cyber Technologies, responsible for hacking Meta’s WhatsApp using its advanced military-grade spyware, Pegasus.
The court found that NSO violated the Computer Fraud and Abuse Act and the Comprehensive Computer Data Access and Fraud Act by sending malicious messages through WhatsApp servers to compromise user devices. Additionally, it ruled that NSO breached its contract by violating WhatsApp’s Terms of Service.
The summary judgment dated December 20 states, as quoted by Live Law:
“Thus, the Court grants summary judgment in plaintiffs’ favour on the CFAA claim under both section (a)(2) and (a)(4), on theory that defendants exceeded their authorisation. Defendants appear to fully acknowledge that the WIS sent messages through WhatsApp servers that caused Pegasus to be installed on target users’ devices and that the WIS was then able to obtain protected information by having it sent from the target users, through the WhatsApp servers, and back to the WIS… defendants argue that Pegasus was operated by their clients, and thus defendants did not collect any information. Defendants further argue that terms such as ‘illegal,’ ‘unauthorised,’ and ‘harmful’ as used in terms of service are vague and ambiguous. Finally, the defendants argue that plaintiffs waived those contractual provisions by failing to enforce them against any other users. The Court finds no merit in the arguments raised by the defendants.”
WhatsApp’s reaction
“We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions,” said Will Cathcart, head of WhatsApp. “Surveillance companies should be on notice that illegal spying will not be tolerated,” he added.
A WhatsApp spokesperson expressed gratitude for the decision, stating, “We’re proud to have stood up against NSO and thankful to the many organizations that were supportive of this case. WhatsApp will never stop working to protect people’s private communication.”
NSO’s defence
NSO argued that its software is used by law enforcement and intelligence agencies to combat crime and terrorism.
The company appealed a trial judge’s 2020 decision denying it “conduct-based immunity,” a legal doctrine shielding foreign officials acting in their official capacity.
In 2021, the San Francisco-based 9th US Circuit Court of Appeals upheld the ruling, describing it as an “easy case” since NSO’s licensing of Pegasus and provision of technical support did not exempt it from liability under the Foreign Sovereign Immunities Act, which overruled common law.
The US Supreme Court declined to hear NSO’s appeal last year, allowing the lawsuit to proceed.
‘Landmark ruling’
John Scott-Railton, a senior researcher with Citizen Lab, described the ruling as a landmark decision with “huge implications for the spyware industry.” He stated, “The entire industry has hidden behind the claim that whatever their customers do with their hacking tools, it’s not their responsibility. Today’s ruling makes it clear that NSO Group is in fact responsible for breaking numerous laws.” Citizen Lab was the first to expose NSO’s Pegasus spyware in 2016.
The lawsuit
The case originated in 2019 when WhatsApp filed a lawsuit against NSO Group, accusing it of violating federal anti-hacking laws. The lawsuit alleged that NSO’s flagship spyware, Pegasus, was used in a widespread attack targeting 1,400 individuals, including human rights advocates and journalists.