In a landmark legal development, the NSO Group, infamous for its Pegasus spyware, has been held liable for cyberattacks on approximately 1,400 WhatsApp users. This decision comes as part of an ongoing lawsuit initiated by Meta’s WhatsApp in 2019. The ruling, reported by The Record, marks a significant step forward in the global fight against invasive surveillance technologies and sets a precedent for holding spyware manufacturers accountable for their tools’ misuse.
Here's ads banner inside a post
The Pegasus Controversy
The Pegasus spyware, developed by the Israeli company NSO Group, is designed to infiltrate smartphones covertly. Once installed, Pegasus provides its operators with near-complete access to a device, including messages, emails, photos, and even the microphone and camera. While the NSO Group claims that Pegasus is intended for government use in combating terrorism and serious crime, numerous investigations have revealed its deployment against journalists, human rights activists, and political figures worldwide.
Here's ads banner inside a post
The scale of misuse has been staggering. Investigative reports have linked Pegasus to the hacking of phones belonging to individuals in over 50 countries, sparking outrage and calls for greater oversight of surveillance technologies. Critics argue that the spyware’s lack of accountability has enabled authoritarian regimes and other malicious actors to suppress dissent and violate fundamental rights to privacy and freedom of expression.
The Lawsuit: WhatsApp’s Fight for Accountability
WhatsApp’s lawsuit against NSO Group centers on a series of cyberattacks conducted in 2019. According to court filings, the attackers exploited a vulnerability in WhatsApp’s video calling feature, allowing them to install Pegasus spyware on targeted devices without the users’ knowledge. Victims included journalists, activists, and government officials—a pattern consistent with broader Pegasus misuse allegations.
Here's ads banner inside a post
In its defense, NSO Group contended that it was not liable for the attacks, asserting that its clients—state entities—operated the spyware to investigate crimes and protect national security. However, Judge Phyllis Hamilton of the US District Court for the Northern District of California rejected these arguments. In her ruling, Hamilton stated that NSO Group’s conduct violated the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, and WhatsApp’s terms of service.
Implications of the Ruling
The court’s decision underscores the principle that companies cannot evade liability for the misuse of their products, even when governments are involved. By allowing the case to proceed to the damages phase, the ruling paves the way for potential financial penalties against NSO Group. Moreover, the decision could have far-reaching implications for other spyware vendors, signaling that the legal system is willing to hold such companies accountable.
“This ruling is a huge win for privacy,” said Will Cathcart, head of WhatsApp, in a post on Threads. “We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions. Surveillance companies should be on notice that illegal spying will not be tolerated.”
Legal experts suggest that the case could inspire similar lawsuits from other tech companies and advocacy groups, potentially reshaping the regulatory landscape for surveillance technologies. By establishing clear legal precedents, courts may limit the unchecked proliferation of spyware and its misuse.
Broader Context: The Battle Against Spyware
The NSO Group’s legal troubles are part of a broader reckoning for the spyware industry. In recent years, public awareness of spyware’s dangers has grown, fueled by high-profile investigations and whistleblower revelations. The 2021 Pegasus Project, a collaborative investigation by journalists from around the world, exposed the extensive misuse of Pegasus against civil society figures, leading to widespread condemnation and regulatory scrutiny.
Governments and international organizations have also taken action. The US government blacklisted NSO Group in 2021, restricting its access to American technologies and markets. Meanwhile, the European Parliament has called for tighter controls on spyware exports and increased transparency from surveillance technology companies.
Despite these efforts, challenges remain. Spyware’s covert nature and the secrecy surrounding its use make it difficult to monitor and regulate. Moreover, the lucrative nature of the surveillance industry ensures that companies continue to develop and market advanced tools, often with little regard for ethical considerations.
The Human Cost of Surveillance
While legal battles and regulatory measures play out, the human cost of spyware cannot be overstated. Victims of Pegasus attacks have reported devastating consequences, including harassment, imprisonment, and even physical harm. For journalists, spyware undermines their ability to protect sources, jeopardizing press freedom and the public’s right to information. Activists and political dissidents face similar risks, with surveillance tools often weaponized to stifle dissent and intimidate critics.
One such victim, a journalist targeted by Pegasus, described the experience as “a constant invasion of privacy.” Speaking anonymously for fear of retaliation, they said, “Knowing that someone could be reading your messages or watching you through your own camera is terrifying. It’s a form of psychological warfare.”
What’s Next for NSO Group?
For NSO Group, the court’s ruling adds to mounting challenges. The company faces multiple lawsuits, declining revenues, and increasing scrutiny from governments and human rights organizations. In recent years, reports have surfaced of internal strife within NSO Group, with employees and executives reportedly divided over the company’s direction and ethical responsibilities.
In response to the backlash, NSO Group has attempted to rebrand itself as a responsible actor in the surveillance industry. The company claims to have implemented stricter oversight of its clients and terminated contracts with governments accused of human rights abuses. However, critics argue that these measures are insufficient and point to continued evidence of Pegasus misuse.
A Call for Global Action
The WhatsApp lawsuit and other legal efforts highlight the urgent need for a coordinated global response to spyware. Experts advocate for stronger international regulations, including a binding treaty on the development and use of surveillance technologies. Transparency, accountability, and independent oversight are crucial to ensuring that such tools are not weaponized against civil society.
“Spyware is a double-edged sword,” said Sarah Jacobs, a cybersecurity researcher. “While it can be a powerful tool for law enforcement, its misuse poses a grave threat to democracy and human rights. We need to strike a balance that prioritizes accountability and protects individuals from abuse.”
Towards a Safer Digital Future
The court’s ruling against NSO Group is a victory for privacy advocates and a significant step toward curbing the misuse of surveillance technologies. However, the battle is far from over. As spyware continues to evolve, so too must the strategies for combating its abuse. Governments, tech companies, and civil society must work together to create a safer digital landscape where individual rights are respected and protected.
With the legal precedent set by the WhatsApp case, the message to spyware vendors is clear: accountability is not optional. In a world increasingly shaped by digital technologies, ensuring the ethical use of those tools is more important than ever.
