NSO

Israel's NSO Group liable for hacking WhatsApp, says US judge

The hack exposed the surveillance of more than 1,400 users, including journalists, human rights activists, and dissidents

A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O), opens new tab WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance on more than 1,400 users, including journalists, human rights activists, and dissidents.
U.S. District Judge Phyllis Hamilton in Oakland, California, granted a motion by WhatsApp and found NSO liable for hacking and breach of contract.
1 View gallery
רוגלה פגסוס NSO
רוגלה פגסוס NSO
NSO
(Shutterstock)
The case will now proceed to a trial only on the issue of damages, Hamilton said. NSO Group did not immediately respond to an emailed request for comment.
Will Cathcart, the head of WhatsApp, said the ruling is a win for privacy.
"We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions," Cathcart said in a social media post.
"Surveillance companies should be on notice that illegal spying will not be tolerated."
A WhatsApp spokesperson said they were grateful for the decision.
"We’re proud to have stood up against NSO and thankful to the many organizations that were supportive of this case. WhatsApp will never stop working to protect people’s private communication", he said.
Cybersecurity experts welcomed the judgment.
John Scott-Railton, a senior researcher with Canadian internet watchdog Citizen Lab — which first brought to light NSO’s Pegasus spyware in 2016 — called the judgment a landmark ruling with “huge implications for the spyware industry.”
“The entire industry has hidden behind the claim that whatever their customers do with their hacking tools, it's not their responsibility,” he said in an instant message. “Today's ruling makes it clear that NSO Group is in fact responsible for breaking numerous laws.”
WhatsApp in 2019 sued NSO seeking an injunction and damages, accusing it of accessing WhatsApp servers without permission six months earlier to install the Pegasus software on victims' mobile devices. The lawsuit alleged the intrusion allowed the surveillance of 1,400 people, including journalists, human rights activists and dissidents.
NSO had argued that Pegasus helps law enforcement and intelligence agencies fight crime and protect national security and that its technology is intended to help catch terrorists, pedophiles and hardened criminals.
NSO appealed a trial judge's 2020 refusal to award it "conduct-based immunity," a common law doctrine protecting foreign officials acting in their official capacity.
Upholding that ruling in 2021, the San Francisco-based 9th U.S. Circuit Court of Appeals called it an "easy case" because NSO's mere licensing of Pegasus and offering technical support did not shield it from liability under a federal law called the Foreign Sovereign Immunities Act, which took precedence over common law.
The U.S. Supreme Court last year turned away NSO's appeal of the lower court's decision, allowing the lawsuit to proceed. In July of this year, the British newspaper The Guardian published an article stating that the Israeli government deleted NSO files to sabotage WhatsApp's lawsuit and prevent the disclosure of confidential information related to the Pegasus software's activities.