This post is also available in:
עברית (Hebrew)
In a landmark ruling, a US district court found NSO Group, a commercial spyware company, guilty of violating key computer crime laws related to its use of the Pegasus malware to surveil WhatsApp users. The case, which dates back to a lawsuit filed in 2019 by WhatsApp and its parent company Facebook, has been seen as a significant victory for privacy advocates and victims of surveillance.
The court confirmed that NSO Group, also known as Q Cyber Technologies, breached both the federal Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act. WhatsApp had accused NSO Group of exploiting its Pegasus malware to infiltrate mobile devices, specifically targeting individuals using the messaging service, including journalists, activists, and political figures. The malware allowed attackers to secretly monitor phone activities without the user’s knowledge, raising serious privacy concerns.
Pegasus is widely regarded as one of the most advanced spyware tools, often used by governments for surveillance. The malware is capable of infiltrating mobile devices, tracking communications, and even activating the phone’s camera and microphone. Its use against high-profile targets has sparked widespread condemnation from privacy advocates and the international community.
The case has been ongoing for over five years, with WhatsApp firmly maintaining that spyware companies like NSO Group should be held accountable for unlawful actions. Will Cathcart, Head of WhatsApp at Meta, expressed that this ruling was a major win for privacy, signaling that illegal surveillance would no longer be tolerated.
The court’s decision also noted that NSO Group failed to provide critical evidence, including the source code of its software. It was revealed that the company’s clients used a modified version of WhatsApp’s application, which deliberately targeted WhatsApp’s servers in California to carry out the surveillance. Despite NSO Group’s defense that it merely provided the tool, the court ruled that the company must take responsibility for its role in the illegal activities.
With the issue of liability now settled, the case will move forward to determine the damages. This ruling sends a strong message to spyware firms that unlawful surveillance and evading accountability will not be tolerated.
