A U.S. judge had ruled that Israeli spyware maker NSO Group breached hacking laws by using WhatsApp to stealthily infect devices with its Pegasus spyware.
In a historic ruling on Friday, a Northern California federal judge held NSO Group liable for targeting the devices of 1,400 WhatsApp users, violating state and federal hacking laws as well as WhatsApp’s terms of service, which prohibit the use of the messaging platform for malicious purposes.
The ruling comes five years after Meta-owned WhatsApp sued NSO Group, alleging the spyware outfit had exploited an audio-calling vulnerability in the messaging platform to install its Pegasus spyware on unsuspecting users’ devices. WhatsApp said that more than 100 human rights defenders, journalists, and “other members of civil society” were targeted by the malware, along with government officials and diplomats.
In her ruling, Judge Phyllis Hamilton said NSO did not dispute that it “must have reverse-engineered and/or decompiled the WhatsApp software” in order to install its Pegasus spyware on devices, but raised questions about whether it had done so before agreeing to WhatsApp’s terms of service.
However, the judge said that “common sense dictates that [NSO] must have first gained access” to WhatsApp and said NSO had offered “no plausible explanation” for how it could have done so without agreeing to the terms of service.
Hamilton also said NSO had repeatedly failed to produce relevant discovery, including the Pegasus source code, despite a court order requiring that it be turned over. She said NSO also refused to produce internal communications, including communications about WhatsApp vulnerabilities.
“NSO’s lack of compliance with discovery orders raises serious concerns about their transparency and willingness to cooperate with the judicial process,” the judge said.
In a statement given to TechCrunch, Meta spokesperson Emily Westcott said WhatsApp welcomes Friday’s ruling.
“NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists, and civil society,” she said. “With this ruling, spyware companies should be on notice that their illegal actions will not be tolerated. We’re proud to have stood up against NSO and thankful to the many organizations that were supportive of this case. WhatsApp will never stop working to protect people’s private communication.”
Will Cathcart, the head of WhatsApp, described the ruling as a “huge win for privacy” in a post on X.
NSO spokesperson Gil Lainer declined to comment. NSO had previously argued that Pegasus helps law enforcement and intelligence agencies fight crime and protect national security.
The landmark case will now proceed to a trial in March 2025, where a jury will decide on the damages NSO Group should pay WhatsApp.
