Open Editor's Digest for free
Roula Khalaf, Editor of the FT, selects her favorite stories for this weekly newsletter.
WhatsApp has won against Israeli spyware maker NSO Group in a US lawsuit over NSO's misuse of the messaging app to hack the phones of journalists, activists and dissidents with its Pegasus hacking tool.
A judge in the Northern District of California ruled on Friday that NSO violated hacking laws and the terms of its service agreement with WhatsApp by using the messaging platform to inject more than 1,000 devices with its Pegasus spyware.
The ruling in the civil case did not address the rights of people whose phones are being tapped, but it does give a victory to technology groups that want to prevent their platforms from being exploited by groups targeting their users.
It's also a victory for Apple, Amazon and other tech giants backing WhatsApp's case.
“The court finds no merit in the arguments raised” by the NSO Group, judge Phyllis Hamilton ruled. Summary judgment means future trials will only cover the question of damages, rather than whether the NSO can be held liable for its actions.
“After five years of litigation, we appreciate today's decision,” WhatsApp said. “The NSO can no longer avoid answering for their illegal attacks on WhatsApp, journalists, human rights activists and the public.”
The NSO Group did not immediately respond to a request for comment.
Pegasus can read encrypted messages stored on the phone, activate the camera and microphone remotely and track its location. Its use has been tied to human rights abuses and the US Commerce Department has banned the Israeli company.
A legal case was launched after the Financial Times in 2019 report that coincides with WhatsApp's discovery that its services were hacked by NSO and Pegasus.
The ruling said NSO Group did not dispute that it “must reverse-engineer and/or patch WhatsApp's software” to hack phones, but suggested it did so before agreeing to WhatsApp's terms of service.
However, the judge found that, “reason dictates that (NSO) should first have access” to the WhatsApp software and that NSO had provided “no plausible explanation” as to how it could have done so without agreeing to the terms of service. It ruled against WhatsApp's claim that NSO violated federal and state fraud laws.
The judge also found that NSO “repeatedly failed to produce reasonable discovery”, including with respect to the Pegasus source code.
“This sets a precedent that will be defined for years to come,” said John Scott-Railton, a researcher at the University of Toronto's Citizen Lab who researched the use of Pegasus.
“This is the most watched case of mercenary spyware and everyone will take notice. “I predict that this will have a negative impact on the efforts of other spyware companies to enter the US market, and the interest of investors in supporting their hacking,” he said.