New Delhi: A US district court has found Israel’s NSO Group – which sells the Pegasus spyware – liable in a 2019 lawsuit brought by the messaging app WhatsApp, citing breaches in 1,400 devices.
WhatsApp is owned by Mark Zuckerberg’s Meta, which also owns Facebook, Threads and Instagram.
Judge Phyllis Hamilton said that NSO had violated US Computer Fraud and Abuse Act (CFAA) and WhatsApp’s own terms of service.
The judge said:
“Defendants’ [NSO’s] relevant software products, collectively referred to as “Pegasus,”allow defendants’ clients to use a modified version of the Whatsapp application – referred to as the “Whatsapp Installation Server,” or “WIS. The WIS, among other things, allows defendants’ clients to send “cipher” files with “installation vectors” that ultimately allow the clients to surveil target users. As mentioned above, plaintiffs allege that defendants’ conduct was a violation of the CFAA, the CDAFA [California Comprehensive Computer Data Access and Fraud Act], and a breach of contract.”
The judge also noted that the NSO Group repeatedly failed to produce “relevant discovery and failed to obey court orders regarding such discovery.”
It said that the most significant of such behaviour by NSO was its position that the Pegasus source code should be viewable only by Israeli citizens present in Israel – something it said was “simply impracticable” for a California lawsuit.
‘Illegal spying’
Will Cathcart, who heads WhatsApp, said on social media channels that this ruling is a “huge win for privacy.”
“We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions. Surveillance companies should be on notice that illegal spying will not be tolerated. WhatsApp will never stop working to protect people’s private communication,” he wrote.
The issue of damages will go on trial next year, according to the judgement.
Pegasus and India
In 2021, The Wire was among an international consortium of news outlets which had unveiled the use of Pegasus with the help of a leaked list of potential surveillance.
The NSO Group, as this consortium had reported then, says it only offers its spyware to “vetted governments”. NSO Group has said in this US case that it cannot be considered liable because Pegasus was operated by clients investigating crimes and cases of national security. This argument was rejected by the judge.
During the 2021 news investigations, the company had refused to make its list of customers public but the presence of Pegasus infections in India, and the range of persons that may have been selected for targeting including opposition politicians, journalists, lawyers and activists, had strongly indicated that the agency operating the spyware on Indian numbers is an official Indian one.
The Supreme Court had in 2021 ordered an inquiry into the findings. A technical committee set up by it found malware in five phones but could not say if it was or was not Pegasus. Notably, the Indian government, when asked, refused to confirm or deny that it had acquired and used Pegasus.
