WhatsApp, owned by Meta Platforms, achieved a significant legal victory against Israeli spyware vendor NSO Group. A federal judge in California ruled in favor of WhatsApp, finding that NSO exploited a security vulnerability to deliver its Pegasus spyware.
United States District Judge Phyllis J. Hamilton stated, "The limited evidentiary record before the court does show that defendants' Pegasus code was sent through plaintiffs' California-based servers 43 times during the relevant time period in May 2019."
The court also criticized NSO Group for repeatedly failing to comply with discovery orders. NSO did not provide the Pegasus source code and restricted access to Israeli citizens located within Israel. Judge Hamilton noted, "NSO's lack of compliance with discovery orders raises serious concerns about their transparency and willingness to cooperate with the judicial process."
Legal Breach and Privacy Win
The court found NSO Group in breach of WhatsApp's terms of service, which prohibit malicious activities such as reverse engineering, decompiling, or sending harmful code through the platform.
Will Cathcart, the head of WhatsApp at Meta, praised the decision on X (formerly Twitter), saying, "This ruling is a huge win for privacy. We spent five years presenting our case because we firmly believe that spyware companies should not hide behind immunity or avoid accountability for their unlawful actions."
The case will now move forward to determine damages, according to Judge Hamilton.
Background of the Case
WhatsApp first filed its complaint against NSO Group in 2019, accusing the company of accessing its servers without authorization to deploy Pegasus spyware on 1,400 devices in May of that year. The attacks exploited a zero-day vulnerability in WhatsApp’s voice calling feature (CVE-2019-3568, CVSS score: 9.8) to install the spyware.
Court documents revealed last month that NSO Group continued to use WhatsApp to disseminate spyware until May 2020.
NSO has consistently claimed that its technology is intended solely for government and law enforcement agencies to combat terrorism, child exploitation, money laundering, and other serious crimes. According to its website, NSO’s mission is to "create a better, safer world." The company states, "The world's most dangerous offenders communicate using technology designed to shield their communications, while government intelligence and law enforcement agencies struggle to collect evidence and intelligence on their activities."
Misuse of Pegasus Spyware
However, Pegasus spyware has been repeatedly misused by authoritarian regimes and governments worldwide to target activists, journalists, and politicians, as evidenced in numerous reports.
Apple, which filed a similar lawsuit against NSO in 2021, recently sought to voluntarily dismiss its case, citing the rapid growth of the commercial spyware market and advancements in countermeasures. Apple has since introduced features like Lockdown Mode and threat notifications to alert victims targeted by state-sponsored actors. These measures have been praised by experts like John Scott-Railton of Citizen Lab, who called them a "game changer for spyware accountability research."
This ruling marks another milestone in holding spyware vendors accountable for their actions and protecting user privacy globally.