WhatsApp has prevailed against Israeli spyware maker NSO Group in a US lawsuit over NSO’s abuse of the messaging app to enable the infiltration of the phones of journalists, activists and dissidents with its Pegasus hacking tool.
A judge in the Northern District of California ruled on Friday that NSO breached hacking laws and the terms of its service agreement with WhatsApp by using the messaging platform to inject more than 1,000 devices with its Pegasus spyware.
The ruling in the civil case did not address the rights of the individuals whose phones had been hacked, but it hands a victory to technology groups seeking to prevent their platforms from being abused by groups targeting their users.
It is also a win for Apple, Amazon and other tech giants that supported WhatsApp’s case.
“The court finds no merit in the arguments raised” by NSO Group, judge Phyllis Hamilton ruled. The summary judgment means an upcoming trial will cover only the question of damages, rather than whether NSO can be held liable for its actions.
“After five years of litigation, we’re grateful for today’s decision,” WhatsApp said. “NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists and civil society.”
NSO Group did not immediately respond to a request for comment.
Pegasus can read encrypted messages stored on a phone, turn on its camera and microphone remotely and track its location. Its use has been tied to human rights abuses and the US Department of Commerce has blacklisted the Israeli company.
The legal case was launched after a 2019 Financial Times report that coincided with WhatsApp’s discovery that its services had been hacked by NSO and Pegasus.
The ruling said NSO Group did not dispute that it “must have reverse-engineered and/or decompiled the WhatsApp software” in order to hack phones, but had raised the possibility that it did so before agreeing to WhatsApp’s terms of service.
However, the judge found, “common sense dictates that [NSO] must have first gained access” to the WhatsApp software and NSO had offered “no plausible explanation” for how it could have done so without agreeing to the terms of service. It ruled in favour of WhatsApp’s claim that NSO had violated federal and state hacking laws.
The judge also found that NSO had “repeatedly failed to produce relevant discovery”, including in relation to the Pegasus source code.
“This sets a precedent that will be cited for years to come,” said John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab who has investigated the use of Pegasus.
“This is the most-watched case about mercenary spyware and everyone is going to take note. I predict this will have a chilling effect on other shady spyware companies’ efforts to enter the US market, and investors’ interest in backing their hacking,” he said.
