Spyware Maker NSO Ordered to Pay WhatsApp $168 Million for 2019 Hack
Spyware maker NSO Group must by Meta and its WhatsApp business almost $168 million in damages after a jury found that the company’s surveillance software was used to hack into 1,400 WhatApp accounts.
The jury award this week comes five months after a U.S. District Court judge in California ruled that the Israeli company broke U.S. cybersecurity laws when its Pegasus surveillance software was used to break into phones in 20 countries through the WhatsApp mobile application and, at least for now, marks the end of a six-year legal battle.
The case also put a spotlight into the dark world of commercial spyware used by some governments to track journalists, human rights workers, activists, lawyers and others by hacking into their mobile devices. NSO Group executives have countered that the surveillance software is used by countries to protect against crime and terrorism.
But reports by organizations like Citizens Lab, which was involved in the investigation of the WhatsApp case, and Amnesty International have documented abuses of Pegasus and similar spyware by governments.
‘Harm is Not Hypothetical’
Google’s Threat Analysis Group last year released a 33-page report about the commercial surveillance software industry, noting that “the harm is not hypothetical. Spyware vendors point to their tools’ legitimate use in law enforcement and counterterrorism efforts. However, spyware deployed against journalists, human rights defenders, dissidents, and opposition party politicians — what Google refers to as ‘high risk users’ — has been well documented.”
Other spyware vendors include Intellexa, Negg Group and Cy4Gate.
1,400 User Devices Hacked
In this case, WhatsApp sued NSO Group in 2019 for accessing its servers without permission and installing the Pegasus software onto mobile devices that carried the app, with newer versions being able to be downloaded via a text message and needing no user interaction. Included among the targets were human rights activists, journalists and diplomats, according to Meta.
In a statement, Meta, which owns WhatsApp and Facebook, along with other businesses, said the jury’s award was “an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone.”
“Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
Meta Leads the Way
John Scott-Railton, senior researcher at Citizen Lab, wrote on X (formerly Twitter) noted the importance of WhatsApp’s decision to file suit against NSO Group six years ago, noting that “back in 2019 no country had sanctioned NSO Group… There had been no parliamentary hearings, no hearings in Congress, no serious investigations. WhatsApp’s lawsuit helped carry momentum at a critical time, and showed governments that their tech sectors were in the crosshairs from mercenary spyware, too.”
Gil Lainer, NSO Group’s vice president for global communication, told The New York Times that the company will evaluate the verdict and consider next steps, which could include more court proceedings and an appeal.
“We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” Lainer said.
Meta said in its statement that it was likely going to take time to wrest the $168 million from NSO Group, adding that it likely will donate the money to digital rights groups.
Spyware Makers are Getting Attention
Apple also had sued NSO Group after finding the spyware was used against its users, but eventually dropped the case in fear that it could lead to the exposure of sensitive data from Apple users.
The United States under the Biden Administration had pushed back against the use of Pegasus and other spyware, with the Commerce Department in 2021 putting it on its entity list to reduce NSO Group’s ability to do business in the country and using other means, including sanctions and visa restrictions.
In April, 21 countries signed onto the Pall Mall Process, a code of practices outlining how such technology can be used responsibly. The United States is expected to sign the document.
