In a significant ruling on Friday, a United States District Court held Israeli technology company NSO Group liable for targeting the devices of 1,400 WhatsApp users. NSO Group is the maker of the Pegasus spyware allegedly used by its government clients to infect the devices of several WhatsApp users, including activists, journalists, and other members of civil society.
The case now moves to deliberations to determine the damages NSO owes WhatsApp, which are set to begin on March 3, 2025, in Oakland, California. The ruling, however, does not address the rights of individuals whose phones were hacked.
Friday’s ruling came five years after the Meta-owned WhatsApp sued the NSO Group in the US District Court of North California in October 2019. In its ruling, the court concluded that in exploiting a bug in WhatsApp, NSO Group had violated sections of the Computer Fraud and Abuse Act (CFAA), a federal cybersecurity law that criminalises unauthorised access to computers, networks and other digital information, and a similar state law in California called the California Computer Data Access and Fraud Act (CDAFA).
“Defendants (NSO Group) appear to fully acknowledge that the WIS (WhatsApp Installation Server, which enabled the installation of the spyware) sent messages through WhatsApp servers that caused Pegasus to be installed on target users’ devices, and that the WIS was then able to obtain protected information by having it sent from the target users, through the WhatsApp servers, and back to the WIS,” judge Phyllis Hamilton ruled in the Northern District of California.
Concluding that WhatsApp had sufficiently established breach, the court said that “common sense dictates that defendants (NSO Group) must have first gained access to the WhatsApp software before reverse-engineering and/or decompiling it, and they offer no plausible explanation for how they could have gained access to the software without agreeing to the terms of service”.
It also ruled in WhatsApp’s favour over its claim that the NSO Group had violated its terms of service, handing the messaging app a decisive victory. In a post on the Meta-owned social network Threads, Will Cathcart, the head of WhatsApp overseeing development and strategy, wrote, “The ruling is a huge win for privacy. We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions. Surveillance companies should be on notice that illegal spying will not be tolerated. WhatsApp will never stop working to protect people’s private communication.”
This is significant, given that no prior court had held NSO Group liable for its spyware. As The Indian Express reported in November using unsealed court documents, WhatsApp alleged that between April 2018 and May 2020, the NSO Group had reverse-engineered and decompiled its source code to create installation vectors (points of entry) named “Heaven”, “Eden” and “Erised”, all part of a sophisticated hacking suite called “Hummingbird” that NSO Group sold to its government clients.
Critically, the ruling rejects NSO Group’s oft-quoted defence that it wasn’t liable for the actions and decisions of its clients (the governments that acquired the spyware) on how they deployed it. However, in the documents unsealed in court, WhatsApp contradicted this claim, alleging that Pegasus customers had a minimal role in its deployment, with NSO Group managing a substantial part of the process. “The customer only needed to enter the target’s device number and press Install. Pegasus will install the agent on the device remotely without any engagement,” WhatsApp had argued.
“In other words, the customer simply places an order on the target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus,” WhatsApp had argued.
NSO admitted that the installation of Pegasus through WhatsApp was indeed a matter for “NSO and the system to take care of, not a matter for clients to operate.”