A federal judge in California has delivered a significant ruling in favor of WhatsApp in its legal dispute with NSO Group, an Israeli spyware vendor. The case centers around the use of Pegasus, a sophisticated spyware tool developed by NSO, which exploited a vulnerability in WhatsApp’s voice calling feature. The spyware was used to target and infiltrate 1,400 devices in May 2019. Judge Phyllis J. Hamilton’s ruling condemned NSO Group for repeatedly failing to comply with discovery orders and for not providing the necessary Pegasus source code, raising serious concerns about the company’s transparency and willingness to cooperate with the court.
The court’s decision also held NSO Group liable for breach of contract, as the company violated WhatsApp’s terms of service. WhatsApp’s terms explicitly prohibit using its platform for malicious purposes, such as deploying harmful code, reverse engineering the app, or accessing its servers without permission. This ruling underscores the importance of enforcing the terms of service to protect the privacy and security of users from harmful surveillance practices.
WhatsApp’s legal victory is seen as a crucial step in the fight against commercial spyware, which has been increasingly misused by authoritarian governments to target journalists, activists, and political opponents. WhatsApp head, Will Cathcart, hailed the ruling as a win for privacy, emphasizing that spyware companies should not be allowed to operate with immunity. The ruling serves as a reminder that tech companies and individuals targeted by such attacks have legal recourse and can hold perpetrators accountable for their unlawful activities.
The case now moves forward to determine the damages owed by NSO Group. WhatsApp first filed the lawsuit in late 2019, accusing NSO of exploiting a zero-day vulnerability (CVE-2019-3568) to deploy Pegasus. Court documents later revealed that NSO continued to misuse WhatsApp until May 2020. While NSO Group maintains that its tools are designed to assist law enforcement agencies in combating serious crimes, evidence has surfaced showing the misuse of Pegasus in surveillance campaigns targeting non-criminal individuals, further amplifying concerns about the tool’s ethical implications.
