NSO permanently barred from targeting WhatsApp users with Pegasus spyware

https://arstechnica.com/security/2025/10/nso-permanently-barred-from-targeting-whatsapp-users-with-pegasus-spyware/

Dan Goodin Oct 20, 2025 · 3 mins read

A federal judge has ordered spyware maker NSO to stop using its Pegasus app to target or infect users of WhatsApp.

The ruling, issued Friday by Phyllis J. Hamilton of the US District Court of the District of Northern California, grants a permanent injunction sought by WhatsApp owner Meta in a case it brought against NSO in 2019. The lawsuit alleged that Meta caught NSO trying to surreptitiously infect about 1,400 mobile phones—many belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials—with Pegasus. As part of the campaign, NSO created fake WhatsApp accounts and targeted Meta infrastructure. The suit sought monetary awards and an injunction against the practice.

Setting a precedent

Friday’s ruling ordered NSO to permanently cease targeting WhatsApp users, attempting to infect their devices, or intercepting WhatsApp messages, which are end-to-end encrypted using the open source Signal Protocol. Hamilton also ruled that NSO must delete any data it obtained when targeting the WhatsApp users.

NSO had argued that such a ruling would “force NSO out of business,” as Pegasus is its “flagship product.” Hamilton ruled that the harm Pegasus posed to Meta outweighed any such considerations.

“In the court’s view, any business that deals with users’ personal information, and that invests resources into ways to encrypt that personal information, is harmed by the unauthorized access of that personal information—and it is more than just a reputational harm, it’s a business harm,” Hamilton wrote. “Essentially, part of what companies such as Whatsapp are ‘selling’ is informational privacy, and any unauthorized access is an interference with that sale. Defendants’ conduct serves to defeat one of the purposes of the service being offered by plaintiffs, which constitutes direct harm.”

The judge went on to deny Meta’s request that the injunction bar foreign governments that may use WhatsApp. She said that sovereign governments weren’t parties to the lawsuit. Friday’s ruling also denied Meta’s request that the injunction bar NSO from targeting users of other Meta properties such as Facebook and Instagram on the grounds there was no evidence presented concerning targeting of them.

“Today’s ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again,” WhatsApp head Will Cathcart said in a statement. “We applaud this decision that comes after six years of litigation to hold NSO accountable for targeting members of civil society. It sets an important precedent that there are serious consequences to attacking an American company.”

Hamilton also slashed the punitive damages a jury awarded to Meta from $167 million to $4 million. The judge said the standard the jury based the amount on wasn’t proper. Under the correct standard, punitive damages must be capped at $4 million, she said.

Pegasus is among the most advanced means of surveilling iPhones and Android devices. Pegasus often infects devices using “zero-click” exploits, meaning they require no interaction on the part of targeted users. Both Apple and Google expend significant resources to secure their operating systems; Pegasus defeats these defenses by spending large sums reverse engineering the OSes.

NSO has said that it licenses Pegasus only to governments that a careful vetting shows don’t abuse their use of the spyware. As was demonstrated in the WhatsApp case, dissidents, journalists, and others have been targeted anyway.

The ruling is significant because, as Cathcart noted, it sets a precedent that other US parties who are in the same position as Meta can cite in any cases they bring against NSO.

NSO didn’t answer an email seeking comment.