Pegasus Spyware Maker NSO Group Found Liable for Attacks on WhatsApp Users
- December 31, 2024
- Clayton Rice, K.C.
The developer of the mercenary Pegasus spyware has been found liable by a California court for the infection of targeted devices belonging to 1,400 WhatsApp users. The ruling will have significant implications for an award of damages against the notorious NSO Group Technologies whose invasive surveillance software has been abused by multiple government clients worldwide. It is the first time the company has been held liable for abuse of its spyware which has been deployed against journalists, lawyers and other members of civil society.
1. Introduction
On October 29, 2019, Meta-owned WhatsApp Inc. initiated a high profile lawsuit in the United States District Court, Northern District of California, claiming that NSO Group Technologies Limited used WhatsApp’s system to send malware to approximately 1,400 mobile phones and other devices, designed to infect them for surveillance purposes. (here) The complaint alleged four causes of action: (1) violation of the U.S. federal Computer Fraud and Abuse Act; (2) violation of the California Comprehensive Computer Data Access and Fraud Act; (3) breach of contract; and, (4) trespass to chattels. The software products developed by NSO, generally called “Pegasus”, allow NSO’s clients to use a modified version of the WhatsApp application called the “WhatsApp Installation Server” (WIS). The WIS allows NSO’s clients to send “cipher” files with “installation vectors” that ultimately allow the clients to surveil targeted users. Pegasus is a zero-click spyware exploit that I have discussed in previous posts to On The Wire. (here, here and here)
2. Background
WhatsApp provides an encrypted communication service available on mobile devices and desktop computers. Approximately 1.5 billion people in 180 countries used the service at the time the lawsuit was filed in 2019. All of the types of communication on WhatsApp (calls, video calls, chats, group chats, images, voice messages and file transfers) are encrypted during transmission between users. The encryption protocol was designed to ensure that no one other than the intended recipient could read any communication using the service. NSO Group manufactured the surveillance technology or “spyware” designed to intercept and extract information and communications from mobile phones and devices. Known as a “remote access trojan”, Pegasus was designed to be remotely installed and enables the remote access and control of information on devices using Android, iOS and BlackBerry operating systems. Pegasus effectively takes control of a targeted device without the knowledge and consent of the user.
3. Summary Judgment
On November 7, 2024, a motion for summary judgment by WhatsApp came on for hearing. According to California law, a summary judgment is proper where the pleadings, discovery and affidavits show there is “no genuine dispute as to any material fact” and the moving party is thus entitled to judgment as a matter of law. A material fact is one that may affect the outcome of the case. A dispute as to a material fact is genuine if there is sufficient evidence for a reasonable jury to return a verdict for the non-moving party. The court must view the evidence in the light most favourable to the non-moving party. If evidence produced by the moving party conflicts with evidence produced by the non-moving party, the judge must assume the truth of the evidence set forth by the non-moving party with respect to that fact. In Nissan Fire & Marine Insurance Company v. Fritz Companies, Inc., a ruling of the U.S. Court of Appeals, Ninth Circuit, it was succinctly said that “[i]f the non-moving party fails to produce enough evidence to create a genuine issue of material fact, the moving party wins the motion for summary judgment.” (here)
On December 20, 2024, Judge Phyllis J. Hamilton granted WhatsApp’s motion for summary judgment on the CFAA claim, the CDAFA claim and the claim for breach of contract. The claim for trespass to chattels had been previously dismissed. Judge Hamilton also granted WhatsApp’s motion for sanctions. The crux of the sanctions issue was that NSO Group “failed to produce Pegasus source code in a manner that can be used in this litigation, failed to produce internal communications (i.e., email), and wrongfully imposed temporal limitations on their production/testimony.” Judge Hamilton concluded that NSO Group “repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery.” While Judge Hamilton concluded that terminating sanctions may have been reasonably warranted given that NSO Group’s discovery non-compliance went to key facts in the case, she preferred not to issue such a harsh sanction where lesser evidentiary sanctions were available.
4. The Fallout for NSO Group
Writing for The Record, cybersecurity reporter Suzanne Smalley described the summary judgment as a “precedent-setting ruling” that could lead to an award of “massive damages” against NSO Group. (here) It is the first time the company has been held liable for surveillance abuses despite Pegasus being found on hundreds of devices belonging to journalists, politicians, lawyers, human rights activists and other members of civil society. NSO Group has maintained for years that its tools can only be used by national security officials and law enforcement. However, as Ravie Lakshmanan said in a post for The Hacker News “there have been several instances of Pegasus being misused by authoritarian governments across the world”. (here) Natalia Krapiva, legal counsel at Access Now, described the ruling as “a historic judgment and a first major court victory against NSO Group in the world, finding them liable for compromising the digital security infrastructure that millions of people rely on”. (here)
Will Cathcart, the head of WhatsApp, characterized the ruling as a “huge win for privacy” in a post to the social media service, Threads. “We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions,” he said. (here) John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto, which exposed Pegasus spyware in 2016, called the judgment a “landmark ruling” with “huge implications” for the spyware industry. “The entire industry has hidden behind the claim that whatever their customers do with their hacking tools, it’s not their responsibility,” he said. “Today’s ruling makes it clear that NSO Group is in fact responsible for breaking numerous laws.” (here) Citizen Lab maintains the Pegasus Archives, which document its research on mercenary spyware, research that often involves collaboration with other civil society organizations such as Amnesty International and Access Now. (here)
5. Conclusion
The use of Pegasus does not require cooperation with telecommunication companies and it can easily overcome encryption and proprietary protocols. The implications of its unregulated use for human rights and the right to privacy cannot be overstated. In a report titled Pegasus Spyware and Its Impacts on Human Rights published by the Council of Europe, Information Society Department, Tamar Kaldani and Zeev Prokopets said the software “can theoretically harvest any data from [a] device and transmit it back to the attacker.” (here) Pegasus can run any code on a target’s device, use its camera and microphone by remote commands in real time, and extract contacts, call logs, web searches, text messages, photos, videos, settings, location records and data from apps such as iMessage, WhatsApp and Skype. The report emphasized that Pegasus has the capacity to be used for both targeted and indiscriminate surveillance. It therefore violates Article 8 of the European Convention on Human Rights, which protects the right to private life, and undermines standards established by the European Court related to targeted communication surveillance and indiscriminate bulk interception of communication data. (here)