US court finds NSO liable for using WhatsApp server to spread Pegasus spyware

The order was passed in a case initiated by Meta-owned WhatsApp in 2019 alleging that NSO Group breached its terms of service and violated federal and State anti-hacking laws.

NSO Vs WhatsApp

The US District Court for the Northern District of California on Friday held Israeli technology company NSO Group liable for exploiting a vulnerability in WhatsApp to install its powerful Pegasus spyware on the devices of several WhatsApp users.

The order was passed in a case initiated by Meta-owned WhatsApp in 2019 alleging that NSO Group breached its terms of service and violated federal and State anti-hacking laws by installing Pegasus spyware in 1,400 mobile phones/ devices.

Judge Phyllis Hamilton, who passed the judgement, found that NSO Group had violated Federal and State anti-hacking laws by using WhatsApp’s servers to distribute Pegasus. The spyware, once installed, allowed extensive surveillance of targeted individuals, including the ability to access their messages, photos, and location data.

“Defendants (NSO) appear to fully acknowledge that the WIS (‘Whatsapp Installation Server’ – a modified version of WhatsApp which enabled the installation of spyware) sent messages through Whatsapp servers that caused Pegasus to be installed on target users’ devices, and that the WIS was then able to obtain protected information by having it sent from the target users, through the Whatapp servers, and back to the WIS,” the summary judgment dated December 20 said.

The court also held NSO Group liable for breach of contract, concluding that the company had violated WhatsApp’s terms of service, which prohibit the use of the platform for malicious purposes or reverse engineering or decompiling the software.

The court found that the breach of contract angle originated from NSO group’s creation of a WhatsApp account by agreeing to its terms and conditions. NSO had tried to argue that there was no evidence to show that any such contract existed or that it had agreed to its terms of service.

“However, defendants cannot meaningfully dispute that agreeing to the terms of service was necessary to create a Whatsapp account and to use Whatsapp,” the Court observed in turn, to reject this argument.

The US court further concluded that it has personal jurisdiction over NSO Group as the company’s actions were “purposefully directed” at California.

“NSO caused digital transmissions to enter California, which constituted a violation of the law within that jurisdiction,” Judge Phyllis J Hamilton stated.

Furthermore, the court addressed WhatsApp’s motion for sanctions against NSO Group due to alleged non-compliance with discovery obligations. WhatsApp accused NSO of failing to produce critical documents related to its Pegasus software and internal communications.

Judge Hamilton highlighted this issue, saying, “NSO’s lack of compliance with discovery orders raises serious concerns about their transparency and willingness to cooperate with the judicial process.”

The dispute is now expected to proceed to trial on the aspect of the amount of damages to be paid by NSO.

The Pegasus spyware issue emerged as a significant controversy in India after allegations surfaced that the Israeli surveillance software was used to target journalists, activists, politicians, and other individuals. Pegasus, developed by the NSO Group, is a sophisticated spyware capable of infiltrating smartphones without the user’s knowledge, granting access to calls, messages, and even the device’s microphone and camera. Reports by global media organizations and Amnesty International suggested that several individuals in India were on a list of potential surveillance targets, raising serious concerns about privacy violations and misuse of State power.

Source : https://www.barandbench.com/news/litigation/us-court-nso-whatsapp-pegasus-spyware

Exit mobile version