Facebook’s lawsuit against NSO Group over alleged spying on WhatsApp users will be allowed to go forward.
WhatsApp-owner Facebook is alleging that NSO Group exploited a vulnerability in WhatsApp to deploy its spyware against human rights activists, journalists and political dissidents.
A federal judge in California ruled that NSO Group does not have immunity from legal action. The controversial Israeli firm, known for the development of the Pegasus spyware, had argued that because its clients are sovereign nations that can’t face civil charges in the U.S., it should benefit from a derivative immunity that would allow it to withhold information about its clients from the court.
The decision means that the firm will be required to comply with subpoenas and reveal information about its spy activities and potentially about global governments’ use of its malware.
“We are pleased with the Court’s decision permitting us to move ahead with our claims that NSO engaged in unlawful conduct,” a Facebook spokesperson said in a media statement. “The decision also confirms that WhatsApp will be able to obtain relevant documents and other information about NSO’s practices. Today we are one step closer to holding NSO accountable for attacking WhatsApp and its users, including journalists, human rights activists and government officials.”
In May 2019, a zero-day vulnerability was found in WhatsApp’s messaging platform, exploited by attackers who were able to inject spyware onto victims’ phones in targeted campaigns. The lawsuit alleges that NSO Group developed the surveillance code and used vulnerable WhatsApp servers to send malware to approximately 1,400 mobile devices.
“As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and internet-hosting services that were previously associated with NSO,” said Will Cathcart, head of WhatsApp, in a post when the lawsuit was filed back in October. “In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”
The court documents say that the attack targeted at least 100 human rights defenders, journalists and other members of civil society worldwide, and that it violates various U.S. state and federal laws, including the U.S. Computer Fraud and Abuse Act. The lawsuit seeks to bar NSO Group from using Facebook and WhatsApp services, among seeking other unspecified damages.
NSO Group has long maintained that its mobile spyware is meant to be a tool for fighting crime and terror, and that it’s not complicit in any government’s misuse of it. However, Judge Phyllis Hamilton said that it appears that NSO Group “retained some role” in how its wares are used. She also pointed to a statement to the court from CEO Shalev Hulio, which says that NSO Group carries out its activities “entirely at the direction of their government customers,” and that it provides “advice and technical support” for Pegasus.
The “declaration itself leaves open the possibility of defendants’ involvement in the intentional act,” Hamilton wrote. “At this stage, the boundary between defendants’ conduct and their clients’ conduct is not clearly delineated or definitively resolved by the Hulio declaration.”
For its part, NSO Group said that it is “reviewing the court’s decision, so we are not in a position to comment in detail at this time. Our technology is used to save lives and prevent terror and crime worldwide, and we remain confident that our conduct is lawful.”
The news comes shortly after a court in Tel Aviv handed NSO Group a win: It threw out a case filed by Amnesty International that looked to revoke the company’s export license, which would have blocked it from selling Pegasus outside of Israel.