On December 20, 2022, WhatsApp achieved a significant legal victory against the controversial Israeli cyber intelligence firm NSO Group, marking a pivotal turn in the longstanding battle over digital privacy and surveillance.
A U.S. court for the Northern District of California ruled against NSO Group, holding the company liable for exploiting vulnerabilities within WhatsApp to hack thousands of devices, thereby violating the Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Computer Data Access and Fraud Act (CDAFA). The case has far-reaching implications, as the ruling also clears the way for determining the damages owed by NSO Group, notorious for its creation of the Pegasus spyware.
The legal unraveling began when WhatsApp filed its complaint against NSO Group back in 2019, detailing serious allegations of unauthorized access to its servers. WhatsApp argued the NSO Group created malware to infect users’ devices, which caused significant damage and loss to the platform. "Between January 2018 and May 2019, they accessed our servers without authorization and created accounts across various countries to spread malware," said WhatsApp representatives.
The court heard evidence indicating that NSO Group reverse-engineered the WhatsApp application and mimicked legitimate network traffic to deliver malicious code undetected. This capability enabled the firm to exploit WhatsApp's Signaling Servers using malicious code disguised as call settings, so that the code could be injected even when calls went unanswered.
This method resulted in around 1,400 devices being targeted during the peak of NSO Group's activities, devices owned by attorneys, journalists, human rights activists, and political dissidents. WhatsApp also described the situation as "trespass to chattels," which pertained to NSO Group's interference with WhatsApp’s computer systems. The complaint emphasized that WhatsApp's damages amounted to more than $75,000.
The court laid out details of the CFAA violations, citing the NSO Group's conduct as exceeding authorized access, which transfers the ownership of information obtained to the platform itself. NSO Group contended that it had merely sent messages via WhatsApp, yet the court sided with WhatsApp, asserting that access to protected computer systems had occurred.
While the NSO Group maintained its innocence, claiming the CFAA only pertained to access on the same computer, WhatsApp counter-argued successfully, stating it applied broadly to any protected computer, hence affirming their claims were legitimate.
The ruling also found that NSO Group breached WhatsApp's terms of service when using the platform, particularly focusing on unauthorized access, reverse engineering, and the injection of harmful code. NSO's defense argued that no contract existed; the court swiftly rejected these claims, underscoring that creating an account on WhatsApp requires agreeing to the terms and affirming the access required for reverse engineering.
The court's decision also made room for sanctions against the NSO Group due to its persistent failure to abide by court orders related to discovery materials. The ruling noted, "Overall, the court concludes defendants have repeatedly failed to produce relevant discovery and failed to obey court orders." This included failing to share the Pegasus source code with WhatsApp or the court, which reinforced the judge's decision to impose evidentiary sanctions against the company.
Industry experts have stressed the importance of this case not only for WhatsApp but also for the broader impact on privacy rights and surveillance. Matthew Green, a cryptography professor, stated, "This case is not just about WhatsApp—it’s about all of us. When tech companies can be targeted by groups like NSO, it raises the stakes for everyone. We need strict regulations and sums of accountability to protect digital spaces and users from exploitation."
Following the landmark ruling in WhatsApp’s favor, the trial is expected to progress to determining the amount of damages the NSO Group must pay, an outcome watched closely by privacy advocates worldwide. If the ruling against NSO Group stands, it could set significant legal precedents impacting future tech-related cases involving privacy breaches and cybersecurity concerns.
Events surrounding this legal battle have also sparked extensive debate on national and international levels about the appropriate use of surveillance technology and the ethical ramifications behind deploying such invasive tools.
With the world closely observing case updates, NSO Group continues to face pressure from various stakeholders and governments to reconsider its operations and ethical responsibility amid rising scrutiny over its practices.
Meanwhile, WhatsApp remains steadfast about protecting its user base from unauthorized access and has publicly stated it will continue to take necessary legal action against the misuse of technology targeting its services.