Court finds Pegasus spyware maker NSO Group liable for hacking 1,400 WhatsApp users


Before 2020, approximately 1,400 mobile devices were infected with Pegasus malware, which was used to surveil WhatsApp users. Last week, the US district court found NSO Group accountable for violating key computer crime laws, marking a major victory for WhatsApp and spyware victims.

WhatsApp and Facebook filed a lawsuit against NSO Group, which also goes by the name Q Cyber Technologies, on October 29th, 2019. The social networks accused the commercial spyware vendor of using its Pegasus malware to hack and spy on users.

The court confirmed that NSO Group violated the federal Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act and breached WhatsApp's terms of service.

ADVERTISEMENT

Pegasus is a sophisticated spyware tool often used by governments and authorities to secretly track and control phones. Its invasive nature and use against journalists, political activists, officials, and other high-risk targets raised many privacy and human rights concerns.

“NSO has spent 5 years trying to claim that they are above the law. And engaged in all sorts of maneuvering. With this order, the music stopped, and NSO is now without a chair,” John Scott-Railton, senior researcher at Citizen Lab, posted on X.

Will Cathcart, Head of WhatsApp at Meta, said that this ruling is a huge win for privacy.

We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions. Surveillance companies should be on notice that illegal spying will not be tolerated,” Cathcart posted on X.

US District Judge Phyllis J. Hamilton in Oakland said that his order resolves all issues regarding liability, and a trial will proceed only on the issue of damages.

NSO Group did not turn over important evidence, such as the source code of its surveillance software. According to the court document, NSO Group’s clients used “a modified version of the WhatsApp Application,” dubbed WIS (WhatsApp Installation Server), which deliberately targeted WhatsApp’s servers in California.

ADVERTISEMENT

“The WIS, among other things, allows defendants’ clients to send “cipher” files with “installation vectors” that ultimately allow the clients to surveil target users,” the document reads.

NSO Group argued that WhatsApp “cannot prove when they reverse-engineered or decompiled” the WhatsApp program, and this could’ve happened before “any agreement to the terms of service.” Also, NSO pointed fingers at their clients, arguing that Pegasus is operated by them, therefore the company did not collect any information.

Niamh Ancell BW jurgita Stefanie Paulina Okunyte
Get our latest stories today on Google News

“They offer no plausible explanation for how they could have gained access to the software without agreeing to the terms of service,” the judge noted.

The Pegasus code was sent through WhatsApp’s California-based servers 43 times during the relevant time period in May 2019.

The WhatsApp exploit, disclosed in May 2019, was only one of the vectors for Pegasus, and spyware can be placed on phones via other means. According to Citizen Lab, Pegasus is designed to be stealthy and evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators.