New Delhi: A US federal court in California has told the Israeli cybersecurity firm NSO Group to hand over documents related to its Pegasus spyware product to WhatsApp.
In 2019, WhatsApp filed a lawsuit alleging that NSO and other defendants in the case used WhatsApp systems to send spyware to about 1,400 devices in order to surveil their users.
The court said NSO must produce “all relevant spyware” – taken to mean NSO spyware that targeted or was directed at WhatsApp or its infrastructure to access target devices – for a period ranging from a year before and after the alleged attack took place.
According to The Guardian newspaper, “all relevant spyware” includes code for NSO’s Pegasus and other spyware products.
WhatsApp alleged that the attack took place between April and May 2019, so NSO was ordered to produce relevant material ranging from April 2018 to May 2020.
However, the court also ruled that NSO will not need to disclose the identities of its clients or information about its server architecture.
A spokesperson for WhatsApp told The Guardian that the court ruling, which was made last Friday (February 23), was “an important milestone in our long running goal of protecting WhatsApp users against unlawful attacks”.
“Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law,” the spokesperson continued to say.
Users of the Pegasus spyware are able to remotely hack into smartphones and gain access to their contents and functions, including the microphone and camera.
NSO has claimed that Pegasus is meant to catch terrorists and criminals and is not intended for illegal surveillance.
NSO Group, the Israeli company which sells Pegasus worldwide, says its clients, are confined to “vetted governments”. Though it refuses to identify its customers, this claim rules out the possibility that any private entity in India or abroad is responsible for the infections which The Wire and its partners who form a global consortium confirmed in a detailed investigation in 2021.
The investigation by The Wire and 16 media partners found that a leaked database of thousands of telephone numbers believed to have been listed by multiple government clients of NSO included over 300 verified Indian mobile numbers.
The numbers included those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others.
The government has neither confirmed nor denied its use of Pegasus. Solicitor general Tushar Mehta said during Supreme Court arguments in 2021 that that the government cannot be made to answer whether or not it uses the spyware for this would alert terrorists and compromise national security.
The top court had noted that in the absence of any “specific denial” of the use of Pegasus by the Union government, the court had no option but to set up an independent committee to probe the matter.
However, the then-Chief Justice of India N.V. Ramana noted in August last year that the Union government “did not cooperate” with the committee’s investigation.
Late last year, Amnesty International’s Security Lab said it detected evidence that Pegasus was used by an unknown government agency to compromise the mobile phones of two journalists in India, Siddharth Varadarajan of The Wire and Anand Mangnale of the Oraganised Crime and Corruption Reporting Project.
