Meta Platforms-owned WhatsApp scored a major legal victory in its fight against Israeli commercial spyware vendor NSO Group after a federal judge in the U.S. state of California ruled in favor of the messaging giant for exploiting a security vulnerability to deliver Pegasus.
“The limited evidentiary record before the court does show that defendants’ Pegasus code was sent through plaintiffs’ California-based servers 43 times during the relevant time period in May 2019,” United States District Judge Phyllis J. Hamilton said.
The order further lambasted NSO Group, stating it “repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery,” referring to the company’s failure to produce the Pegasus source code and for limiting the access to Israeli citizens present in Israel.
This information, per WhatsApp, included code only pertaining to an Amazon Web Services (AWS) server, and not the entire codebase that would reveal the full scope of its functionality.
“NSO’s lack of compliance with discovery orders raises serious concerns about their transparency and willingness to cooperate with the judicial process,” Judge Hamilton said.
The court also held NSO Group liable for breach of contract, concluding that the company had infringed on WhatsApp’s terms of service, which prohibit the use of the messaging platform for malicious or illegal purposes, such as reverse engineering, decompiling the software, or sending harmful code.
“This ruling is a huge win for privacy,” Will Cathcart, head of WhatsApp at Meta, said in a statement on X. “We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions.”
The case is expected to now proceed to a trial only on the issue of damages, Hamilton added.
WhatsApp originally filed the complaint against NSO Group in late 2019, accusing it of accessing its servers without permission to install the Pegasus tool on 1,400 devices in May of that year. The attacks leveraged a then zero-day vulnerability in the app’s voice calling feature (CVE-2019-3568, CVSS score: 9.8) to trigger the deployment of the spyware.
Then last month, court documents revealed as part of the lawsuit uncovered that NSO Group continued to weaponize WhatsApp to disseminate the spyware until May 2020.
NSO Group has repeatedly said that its offerings are exclusively designed to be used by government and law enforcement agencies to tackle serious crimes like terrorism, child pornography, and money laundering, as well as to rescue kidnapped children and assist with emergency search and rescue operations.
“The world’s most dangerous offenders communicate using technology designed to shield their communications, while government intelligence and law-enforcement agencies struggle to collect evidence and intelligence on their activities,” the company says on its website, emphasizing that its mission is to “create a better, safer world.”
However, evidence to the contrary has established that there have been several instances of Pegasus being misused by authoritarian regimes and other governments across the world to target activists, politicians, and journalists.
Apple, which filed a similar lawsuit against NSO Group in November 2021, has since sought to voluntarily dismiss the case on grounds that the market for commercial spyware has exploded since then and that various countermeasures are being added to deter and better flag such attacks.
These include the Lockdown Mode and the threat notifications the iPhone maker began sending to warn victims it suspects have been targeted by state-sponsored actors, the latter of which has been hailed as a “game changer for spyware accountability research” by the Citizen Lab’s John Scott-Railton.
