In a landmark decision, a US District Judge has ruled against Israel’s NSO Group in a lawsuit filed by Meta Platforms’ WhatsApp, holding the spyware maker liable for exploiting a vulnerability in the messaging app to install Pegasus spyware.

Key Ruling in the WhatsApp Case

  • Court Decision:
    US District Judge Phyllis Hamilton in Oakland, California, granted WhatsApp’s motion, finding NSO Group liable for hacking and breach of contract.
    The case will now proceed to trial to determine damages.
  • WhatsApp’s Response:
    Will Cathcart, Head of WhatsApp, hailed the ruling as a victory for privacy, stating:
    “Surveillance companies should be on notice that illegal spying will not be tolerated.”A WhatsApp spokesperson also expressed gratitude, reaffirming the company’s commitment to protecting user privacy.

Implications for the Spyware Industry

  • Expert Reactions:
    John Scott-Railton of Citizen Lab called the ruling a major blow to the spyware industry, stating:
    “Today’s ruling clarifies that NSO Group is indeed responsible for breaking multiple laws.”
  • Legal Precedent:
    This decision challenges spyware companies’ reliance on claims of immunity, reinforcing accountability for unlawful actions.

Background of the Lawsuit

  • WhatsApp’s Allegations:
    WhatsApp sued NSO Group in 2019, alleging the company accessed its servers to install Pegasus spyware on 1,400 devices, targeting journalists, dissidents, and human rights advocates.
  • NSO’s Defense:
    NSO argued that Pegasus was used by law enforcement to combat crime and national security threats. However, the court rejected claims of “conduct-based immunity” under the US Foreign Sovereign Immunities Act.
  • Judicial Milestones:
    • The 9th US Circuit Court upheld the denial of immunity in 2021.
    • The US Supreme Court declined NSO’s appeal, allowing the lawsuit to proceed.

A Turning Point for Privacy Rights

This ruling reinforces the need for accountability in the spyware industry, sending a clear message that unauthorized surveillance will not be tolerated. As the trial now shifts to determining damages, this case could redefine legal responsibilities in the cybersecurity sector.