After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO Group in a significant lawsuit concerning the use of Pegasus spyware.
The verdict, handed down by the United States District Court for the Northern District of California, marks a major milestone in the fight against cyber espionage and reinforces the tech industry’s commitment to user privacy and security.
The lawsuit, initiated by WhatsApp’s parent company Meta (formerly Facebook) in October 2019, alleged that NSO Group exploited WhatsApp servers to distribute Pegasus spyware to approximately 1,400 mobile devices worldwide.
The spyware enabled covert surveillance of those users, many of them journalists, activists, and government officials.
WhatsApp’s claims centered on violations of the U.S. Computer Fraud and Abuse Act (CFAA), California’s Comprehensive Computer Data Access and Fraud Act (CDAFA), and breach of contract.
Key Legal Outcomes
The court ruled in favor of WhatsApp on all remaining claims. Judge Phyllis J. Hamilton’s decision was based on substantial evidence demonstrating that NSO Group purposefully targeted WhatsApp’s servers, some based in California, to deploy the spyware.
The court determined that these actions exceeded authorized access and clearly breached WhatsApp’s Terms of Service.
Furthermore, WhatsApp’s motion for sanctions against NSO Group for non-compliance in discovery was partially granted.
The court criticized NSO for failing to produce critical Pegasus source code and internal documents, limiting WhatsApp’s ability to analyze the spyware’s functioning. As a result, evidentiary sanctions were imposed, further strengthening WhatsApp’s position.
This landmark victory underscores the legal accountability of entities involved in cyberattacks, even when acting under the guise of national security or government contracts.
NSO Group, whose Pegasus software has gained notoriety for its use by authoritarian regimes to surveil dissidents, faced intense global scrutiny throughout the case.
Will Cathcart, Head of WhatsApp, celebrated the verdict, stating, “This victory sends a strong message to tech companies and governments around the world: private communications must remain private, and those who violate user trust will face consequences.”
The decision addresses liability, leaving the determination of damages for a future trial. WhatsApp is expected to argue for significant compensation, citing the costs incurred during its investigation and the heightened measures required to secure its platform against such incursions.
For NSO Group, the ruling represents a severe blow to its operations and reputation. Coupled with earlier sanctions and restrictions, including being blacklisted by the U.S. Department of Commerce, NSO faces a precarious future.
This case sets a powerful precedent for corporations aiming to protect their users from intrusive surveillance and reinforces the importance of digital security in an increasingly interconnected world.
With this legal win, WhatsApp has reaffirmed its commitment to defending user privacy against sophisticated cyber threats.