In a significant ruling on Friday, a U.S. District Judge found Israel’s NSO Group liable for hacking in a lawsuit filed by Meta Platforms’ WhatsApp. The case revolves around NSO’s alleged exploitation of a vulnerability in WhatsApp’s messaging platform to install spyware, allowing unauthorized surveillance of users worldwide.
Judge Phyllis Hamilton of the U.S. District Court for the Northern District of California granted WhatsApp’s motion, declaring NSO Group responsible for hacking and breach of contract. The case will now move forward with a trial focused solely on the issue of damages, according to the judge’s ruling.
WhatsApp Celebrates Legal Victory Against NSO Group
Will Cathcart, the head of WhatsApp, celebrated the ruling as a significant victory for privacy. In a social media post, he emphasized that the five-year-long legal battle was driven by WhatsApp’s firm belief that spyware companies must be held accountable for their illegal actions. Cathcart added, “Surveillance companies should be on notice that illegal spying will not be tolerated.”
A WhatsApp spokesperson also expressed gratitude for the decision, stating, “We’re proud to have stood up against NSO, and thankful to the many organizations that were supportive of this case. WhatsApp will never stop working to protect people’s private communications.”
A Landmark Ruling for Cybersecurity and Privacy Protection
Cybersecurity professionals have hailed the judgment as a critical step in holding spyware companies accountable. Experts noted that the ruling directly challenges the defense used by companies in the spyware industry, which often claims they are not responsible for how their tools are used. One expert commented, “Today’s ruling makes it clear that NSO Group is responsible for breaking numerous laws with its actions.”
NSO Group Accused of Using Pegasus to Spy on Activists, Journalists, and Dissidents
The lawsuit was initiated by WhatsApp in 2019, after it accused NSO Group of exploiting a vulnerability in its app to install Pegasus spyware on users’ devices. According to WhatsApp, the hack enabled the surveillance of 1,400 individuals, including journalists, human rights defenders, and political dissidents.
NSO Group, in its defense, argued that Pegasus was a tool used by law enforcement and intelligence agencies to combat crime and protect national security, targeting terrorists, child predators, and serious criminals. However, WhatsApp claimed that the intrusion violated user privacy and international law.
Legal Challenges and Appeals
NSO Group has faced legal setbacks throughout the case. The company appealed a 2020 ruling that denied it “conduct-based immunity” — a legal principle that shields foreign officials from lawsuits while performing official duties. In 2021, the 9th U.S. Circuit Court of Appeals upheld the denial, emphasizing that NSO’s actions went beyond immunity protections under the Foreign Sovereign Immunities Act.
In 2023, the U.S. Supreme Court also rejected NSO Group’s appeal, allowing the lawsuit to continue and making it clear that the company could not avoid responsibility for its alleged illegal activities.
Implications for the Spyware Industry
John Scott-Railton, a senior researcher at Citizen Lab, a Canadian internet watchdog, called the ruling “landmark,” with far-reaching consequences for the spyware industry. Citizen Lab first uncovered the use of NSO’s Pegasus software in 2016, sparking global concerns about surveillance technologies and their misuse.
The court’s decision sends a clear message to the spyware industry: companies providing surveillance tools must be held accountable for their actions, particularly when those tools are used to violate privacy laws and target vulnerable individuals.
This ruling represents a significant shift in the legal landscape for tech companies, spyware manufacturers, and privacy advocates, setting a precedent for future cases involving the illegal use of surveillance technology.
For more on the implications of the NSO Group lawsuit and the growing global debate on spyware, visit the Electronic Frontier Foundation and Citizen Lab.