A U.S. federal court has ordered the Israeli spyware firm NSO Group to pay nearly $170 million in damages to WhatsApp and its parent company, Meta, after its Pegasus spyware was used to hack approximately 1,400 WhatsApp accounts. The verdict, delivered Tuesday after a six-year legal battle, includes $167.25 million in punitive damages and $445,000 in compensatory damages. This ruling marks a significant victory for privacy advocates and those pushing back against the use of illegal spyware.
The lawsuit, originally filed by WhatsApp in October 2019, accused NSO Group of exploiting a vulnerability in the WhatsApp calling system to send malware to targeted mobile phones. This malware, known as Pegasus, allowed NSO's clients to access a device's microphones, cameras, and encrypted messages. The victims included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.
NSO Group, which sells its technology to governments, has argued that its tools are only meant to be used against serious criminals and terrorists. However, the company has faced accusations that its spyware has been used by some countries to target anyone they deem a national security threat. The Pegasus scandal gained widespread attention in 2021 when a list of 50,000 phone numbers of suspected hacking victims was leaked to major media outlets.
The court's decision against NSO Group is based on the finding that the company "acted with malice, oppression or fraud" in deploying its Pegasus spyware. The U.S. District Court for the Northern District of California rejected NSO Group's claim of sovereign immunity, ruling that the Pegasus spyware exploited vulnerabilities in WhatsApp's platform. The ruling sends a strong signal that private firms profiting from invasive surveillance technology will not be shielded by their association with government clients.
Meta hailed the ruling as "the first victory against illegal spyware that threatens the safety and privacy of everyone". WhatsApp said that the jury's decision to force NSO to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and their users worldwide. The company added that the trial revealed WhatsApp was far from NSO's only target and that this is an industry-wide threat that requires a collective defense. WhatsApp intends to seek a court order to prevent NSO from ever targeting WhatsApp again and will make a donation to digital rights organizations that work to expose spyware abuses.
NSO Group has stated that it will carefully examine the verdict's details and pursue appropriate legal remedies, including further proceedings and an appeal. The company maintains that its technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies.
This case highlights the ongoing concerns surrounding the use of spyware to target civil society members. Amnesty International, which has been actively involved in advocating for accountability for NSO, called the ruling a "momentous win in the fight against spyware abuse". Access Now, another civil society organization, said the verdict sends a clear message to spyware companies that targeting people through U.S.-based platforms will come with a high price.
The Meta vs. NSO Group case has broader implications for the tech industry and cybersecurity. It underscores the importance of companies protecting their platforms from unlawful surveillance and taking action against those who develop and deploy malicious software. For consumers, the case highlights the need for increased awareness and protective measures, such as regular software updates, security software, and cybersecurity awareness, to safeguard their devices and data.
