Messaging platform WhatsApp achieved a significant legal victory over Israeli spyware firm NSO Group on Friday, December 20th, when a federal judge ruled that the NSO Group was liable under both federal and California law for a 2019 hacking campaign that targeted over 1,000 WhatsApp users. This ruling represents a rare triumph for activists seeking to curb the power of companies that produce spyware software capable of monitoring calls and messages that have reportedly been used against journalists, human rights defenders, and political dissidents around the world.
The case is now set to go to trial to determine what damages NSO Group must pay Meta-owned WhatsApp, following a ruling by Judge Phyllis Hamilton of the Northern District of California, who granted WhatsApp’s motion for partial summary judgment. The legal battle goes back to 2019 when WhatsApp filed a lawsuit accusing NSO Group of violating a federal anti-hacking law. WhatsApp alleged that NSO’s flagship malware, Pegasus, had been deployed in a wide-ranging attack that affected journalists and human rights activists that spring.
NSO Group has not yet commented on the ruling, but the company has previously denied any wrongdoing, asserting that its products are intended for use in fighting crime and terrorism. In response to the decision, Will Cathcart, WhatsApp’s head, posted on social media, emphasizing that illegal spying would not be tolerated. “Surveillance companies should be on notice,” he said.
The commercial spyware market has grown substantially over the past decade, with companies from Israel to North Macedonia selling their services to governments willing to purchase. According to US intelligence reports, at least 74 countries have bought commercial spyware, and the Biden administration has sought to curb the influence of spyware vendors, especially after reports in 2021 that NSO’s software had been used to hack the phones of several US diplomats.
US officials have expressed concerns over spyware companies aggressively marketing their tools to various government agencies. For instance, the FBI confirmed in 2022 that they had bought a testing license for Pegasus, although they have not used it in any investigations.
Friday’s ruling marks a critical moment in the fight against mercenary spyware, with experts predicting it will be referenced for years to come. John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab, who has investigated NSO’s spyware, told CNN that the ruling could have a “chilling effect” on other spyware companies considering entering the US market.
“This ruling is a huge win for privacy,” WhatsApp’s Cathcart said. “We spent five years presenting our case because we firmly believe that spyware companies should not be able to hide behind immunity or escape accountability for their illegal actions.”
Meta CEO Mark Zuckerberg also expressed pride in the decision, stating, “Proud that we fought for this, and that WhatsApp continues to lead on privacy and encryption.”