Before 2020, approximately 1,400 mobile devices were infected with Pegasus malware, which was used to surveil WhatsApp users. Last week, a US district court found NSO Group accountable for violating key computer crime laws, marking a major victory for WhatsApp and spyware victims.
WhatsApp and Facebook filed a lawsuit against NSO Group, which also goes by the name Q Cyber Technologies, on October 29th, 2019. The social networks accused the commercial spyware vendor of using its Pegasus malware to hack and spy on users.
The court confirmed that NSO Group violated the federal Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act and breached WhatsApp's terms of service.
Pegasus is a sophisticated spyware tool often used by governments and authorities to secretly track and control phones. Its invasive nature and use against journalists, political activists, officials, and other high-risk targets raised many privacy and human rights concerns.
“NSO has spent 5 years trying to claim that they are above the law. And engaged in all sorts of maneuvering. With this order, the music stopped, and NSO is now without a chair,” John Scott-Railton, senior researcher at Citizen Lab, posted on X.
BREAKING: NSO Group liable for #Pegasus hacking of @WhatsApp users.
Big win for spyware victims.
Big loss for NSO.
Bad time to be a spyware company.
Landmark case. Huge implications. 1/ 🧵 pic.twitter.com/hLvEipf6np
John Scott-Railton (@jsrailton), December 21, 2024
Will Cathcart, Head of WhatsApp at Meta, said that this ruling is a huge win for privacy.
“We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions. Surveillance companies should be on notice that illegal spying will not be tolerated,” Cathcart posted on X on December 21, 2024.
US District Judge Phyllis J. Hamilton in Oakland said that her order resolves all issues regarding liability, and a trial will proceed only on the issue of damages.
NSO Group did not turn over important evidence, such as the source code of its surveillance software. According to the court document, NSO Group’s clients used “a modified version of the WhatsApp Application,” dubbed WIS (WhatsApp Installation Server), which deliberately targeted WhatsApp’s servers in California.
“The WIS, among other things, allows defendants’ clients to send ‘cipher’ files with ‘installation vectors’ that ultimately allow the clients to surveil target users,” the document reads.
NSO Group argued that WhatsApp “cannot prove when they reverse-engineered or decompiled” the WhatsApp program, and this could’ve happened before “any agreement to the terms of service.” NSO also pointed fingers at its clients, arguing that Pegasus is operated by them and that the company therefore did not collect any information.
“They offer no plausible explanation for how they could have gained access to the software without agreeing to the terms of service,” the judge noted.
The Pegasus code was sent through WhatsApp’s California-based servers 43 times during the relevant time period in May 2019.
The WhatsApp exploit, disclosed in May 2019, was only one of the vectors for Pegasus, and spyware can be placed on phones via other means. According to Citizen Lab, Pegasus is designed to be stealthy, evade forensic analysis, and avoid detection by anti-virus software, and it can be deactivated and removed by operators.