After five years of contentious litigation, Meta Platforms Inc., the parent company of WhatsApp, emerged victorious in its lawsuit against NSO Group, the controversial Israeli firm behind the Pegasus spyware.
The landmark decision, handed down by a federal court in California, holds NSO accountable for violating federal and state laws, as well as breaching WhatsApp’s terms of service. The case marks a pivotal moment in the global battle between tech companies and spyware developers.
The Case and Allegations
The lawsuit, initiated in October 2019, alleged that NSO Group exploited a vulnerability in WhatsApp to deploy Pegasus spyware, targeting at least 1,400 devices globally.
The spyware allowed NSO’s clients, primarily government agencies, to surveil individuals, including journalists, activists, and human rights defenders.
Meta accused NSO of violating the U.S. Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and breaching WhatsApp’s terms of service.
Meta’s lawsuit detailed how NSO’s software, operating through a modified version of WhatsApp, infiltrated its servers to distribute spyware. These actions allegedly caused significant harm to users and impaired the functionality of WhatsApp’s systems.
Court’s Ruling
In its comprehensive decision, the court granted Meta’s motion for partial summary judgment, affirming that NSO violated both the CFAA and CDAFA and breached its contractual obligations under WhatsApp’s terms of service.
Judge Phyllis J. Hamilton ruled that NSO exceeded authorized access to WhatsApp’s servers, thereby obtaining sensitive information through unlawful means.
The court dismissed NSO’s defenses, including arguments that their clients not NSO itself executed the surveillance.
The ruling also addressed Meta’s sanctions motion, penalizing NSO for obstructing discovery. The court found that NSO failed to produce crucial Pegasus source code and other evidence, hindering Meta’s ability to fully assess the spyware’s operations.
As a result, the court imposed evidentiary sanctions, ruling that NSO had intentionally targeted WhatsApp’s California-based servers.
The ruling highlights the importance of the CFAA and CDAFA in combating cyber intrusions. By finding NSO liable, the court set precedent that entities deploying spyware—whether directly or through clients cannot evade accountability.
Moreover, the decision underscores the enforceability of digital platforms’ terms of service, vindicating Meta’s efforts to protect its user base.
Meta has consistently framed its legal battle as a defense of user privacy and the integrity of its platforms. In a statement following the verdict, Meta’s representatives reiterated the company’s commitment to holding malicious actors accountable.
“Today’s ruling is a victory for privacy, safety, and the rule of law. We will continue to use every legal tool available to protect our users,” Meta stated.
WhatsApp Spokesperson: “After five years of litigation, we’re grateful for today’s decision. NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists and civil society.”
NSO Group, which markets Pegasus as a tool for lawful surveillance, argued that it only provides the software to government clients and lacks direct involvement in its deployment.
However, the court rejected this defense, emphasizing that NSO’s actions facilitated unauthorized access to Meta’s servers and the distribution of spyware.
Throughout the proceedings, NSO faced criticism for its non-compliance with discovery obligations. This included limited production of Pegasus source code, which was made accessible only in Israel under restrictive conditions.
Next Steps
While the court resolved liability in Meta’s favor, the case will now proceed to trial solely on the issue of damages.
Meta has indicated that the costs of investigating and mitigating the Pegasus attack were substantial, and it intends to seek compensation for those losses.
Additionally, the court ordered both parties to meet and confer on sealing certain discovery materials, ensuring transparency while respecting confidentiality concerns. A final trial on damages is expected to shape the financial implications for NSO.
This decision is likely to resonate far beyond the courtroom. It comes amid increasing scrutiny of spyware companies and their role in enabling digital surveillance.
NSO has faced lawsuits and regulatory actions globally, including blacklisting by the U.S. Department of Commerce in 2021.
The Meta ruling could embolden other tech companies to confront cyber threats and assert their rights against spyware developers.
For NSO Group, the ruling adds to its mounting legal and reputational challenges. Critics argue that Pegasus has been weaponized against journalists, dissidents, and other vulnerable groups, raising serious ethical and legal concerns about its use.
Meta’s victory over NSO marks a significant milestone in the fight against spyware and cyber intrusions.
As the tech giant prepares for the damages trial, the case sends a clear message: even the most sophisticated surveillance tools must operate within the bounds of the law.
For More Interesting Daily Cybersecurity Stories, Follow us on LinkedIn, X and Google News