New Delhi: In a landmark decision with significant implications for the global spyware industry, a US judge has ruled against Israel’s NSO Group, holding it liable for hacking WhatsApp and breaching its contract. The ruling, issued by US District Judge Phyllis Hamilton in Oakland, California, marks a major victory for WhatsApp.
The case, initially filed by WhatsApp in 2019, centred on NSO’s use of its Pegasus spyware to exploit a vulnerability in WhatsApp’s system. This breach allowed the unauthorized installation of Pegasus on approximately 1,400 devices belonging to journalists, human rights activists, and others. WhatsApp accused NSO of accessing its servers without permission to deploy this military-grade spyware.
Judge Hamilton’s summary judgment found NSO liable for violating the Computer Fraud and Abuse Act (CFAA) and the Comprehensive Computer Data Access and Fraud Act. The court determined that NSO exceeded its authorisation by sending malicious messages through WhatsApp’s servers to compromise user devices. Crucially, the ruling also established that NSO breached its contract with WhatsApp by violating its Terms of Service.
The court’s decision directly refuted NSO’s key defenses. NSO argued that its software was used legitimately by law enforcement and intelligence agencies to combat crime and terrorism, and that its clients were responsible for any misuse. However, the judge rejected the claim that NSO lacked responsibility for the actions of its clients, finding that NSO’s role in licensing Pegasus and providing technical support made it liable.
The court also dismissed NSO’s arguments concerning the ambiguity of terms like “illegal,” “unauthorized,” and “harmful” in WhatsApp’s terms of service, and rejected the notion that WhatsApp had waived these provisions by not enforcing them against other users.
WhatsApp celebrated the ruling, with Will Cathcart, the head of WhatsApp, stating that the decision sends a clear message that illegal spying will not be tolerated. A spokesperson expressed gratitude to supporting organizations and reaffirmed WhatsApp’s commitment to protecting user privacy.
The ruling has been hailed as a significant victory by experts in the field. John Scott-Railton of Citizen Lab, a research group that first exposed Pegasus in 2016, called it a landmark decision with “huge implications for the spyware industry.” He emphasized that the ruling directly challenges the industry’s tendency to avoid accountability by claiming that the actions of their clients are beyond their control.
The case now moves to the trial phase, where damages will be determined. This ruling is not only a legal victory for WhatsApp but also represents a broader shift towards greater accountability for companies involved in the development and deployment of powerful surveillance technologies. It sets a precedent that could significantly impact the future of the spyware industry and encourage greater responsibility in the use of such technologies.
In 2019, WhatsApp initiated a landmark legal case against the NSO Group, a controversial Israeli cybersecurity firm, alleging serious violations of federal anti-hacking laws. This lawsuit marked a significant turning point in the global conversation surrounding spyware abuse and its impact on human rights and privacy.
The core of WhatsApp’s complaint centred on the NSO Group’s flagship spyware, Pegasus. WhatsApp accused NSO of using Pegasus to conduct a large-scale cyberattack targeting approximately 1,400 individuals worldwide. The victims were a diverse group, notably human rights activists, journalists, and political figures, which points to the potential for widespread misuse of such sophisticated surveillance technology. The lawsuit underscored the dangers that powerful spyware poses to fundamental freedoms and democratic processes.