In a significant first, a Californian court found Israeli spyware maker NSO Group liable for hacking WhatsApp’s servers in a lawsuit brought by the Meta-owned platform in 2019. The court will now determine the damages.
The district court of Northern District of California concluded that the NSO Group had violated the Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA) and Californian Penal Code, and breached its contract with WhatsApp by using it to send “harmful code” and for using WhatsApp for illegal purposes.
In its lawsuit, which was the first of its kind where a Silicon Valley giant had sought to hold a company from Israel’s powerful hacking industry accountable, the Meta-owned end-to-end encrypted platform had said that NSO Group’s Pegasus was used to infect mobile phones of about 1400 people across the world. These included at least 121 Indians, including many linked Bhima Koregaon case including Surendra Gadling’s lawyer, Nihalsingh Rathod.
In 2021, reporting by a consortium of publications across the world would reveal that multiple opposition members including Rahul Gandhi, former election commissioner Ashok Lavasa, and the current IT minister Ashwini Vaishnaw, were amongst those who were on the list of potential targets.
The Indian government, however, has never categorically accepted or denied contracting the NSO Group, including in the Supreme Court. It has always maintained that all its interceptions are done legally.
Pegasus, the spyware in question, was first identified in 2016, and when planted on a mobile device, it allows the hacker remote access to the device. It can control the device’s camera and microphone, track location, read messages sent to and from the device, including communications over iMessage and WhatsApp. It is designed to evade forensic analysis and detection, Citizen Lab, a part of University of Toronto’s Muck School, had said. While initially, it used to be a one-click exploit, it later became zero-click exploit that could be installed on the victims’ phones using vulnerabilities in the phone operating system and apps (such as those in FaceTime and WhatsApp) without any engagement from the user.
Pegasus is considered powerful enough that its sale is regulated by Israel’s Defence Export Controls Agency (DECA), a part of the Israeli defence ministry. These licensing requirements and export restrictions are similar to those imposed on military weapons and national security systems in Israel.
NSO Group has always maintained that it only sells to authorised governments and law enforcement agencies, and has no access to the information collected so much so that early on in the hearings, the company had argued that since it was acting on behalf of foreign sovereigns, it was immune from legal action in the US under the Foreign Sovereign Immunity Act. The court dismissed NSO’s argument that Pegasus was operated by its clients and thus it did not collect any information. The company has clients in at least 45 countries.
After WhatsApp’s lawsuit, the company in June 2021 had started releasing a transparency and accountability report. In its 2023 report, the company claimed that in the previous two years, it had suspended/terminated accounts of six customers based on review by its Governance, Risk and Compliance committee, resulting in a revenue loss of US$ 57 million.
According to submissions made by WhatsApp on November 1 and unsealed on November 14, WhatsApp charged its clients up to US$6.8 million for a one year licence to use WhatsApp malware vectors and received at least $31 million in revenue in 2019.
Based on evidence, the court concluded that Pegasus’s code was sent through WhatsApp’s servers in California 43 times in May 2019, thereby effecting “breaking and entering of a server in California”.
In November 2021, the US government had sanctioned NSO Group by including it to Entity List.
While another Silicon Valley giant, Apple, had also sued the NSO Group on similar grounds in November 2021, in September this year, it had sought to get its suit dismissed as it determined that pursuing the case would put vital security information at risk and present a significant risk to Apple’s threat intelligence program, thereby undermining its users’ privacy and security. On November 12, Justice James Donato, judge in the district court of northern district of California, had approved Apple’s petition to dismiss the case without prejudice.
After the ruling was made public on early morning on Saturday (IST, late Friday evening pacific time), Will Cathcart, head of WhatsApp, posted on Threads, “This ruling is a huge win for privacy. We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions. Surveillance companies should be on notice that illegal spying will not be tolerated. WhatsApp will never stop working to protect people’s private communication.”
At the very outset, the NSO Group had sought to get the lawsuit dismissed by arguing that the Californian court did not have jurisdiction in this matter. The NSO Group had cited the dismissal of Apple’s lawsuit, a lawsuit brought by murdered Washington Post columnist Jamal Khashoggi’s wife Elatr Khashoggi, a lawsuit by a group of journalists who worked for a newspaper in El Salvador, and a lawsuit by an Italian casino owner Francesco Corallo.
“The key distinction in all of those cases appears to be the citizenship/residency of
the plaintiffs. In this case, defendants do not dispute that plaintiffs are citizens of the
United States and residents of this district, making the cited cases inapposite,” Phyllis J. Hamilton, the judge in the case, wrote in the order.
The court also concluded that the NSO Group had repeatedly “failed to produce relevant discovery” and had not obeyed court orders. When the court had sought source code from NSO Group, it wanted to know how the spyware was installed, and then used to access and extract information from infected devices. The NSO Group, however, had proposed to show only how Pegasus was installed, a proposal that the court had earlier deemed insufficient.
Eventually, NSO Group had produced Pegasus code in such a way that it could only be viewed by an Israeli citizen in Israel, and was limited to one AWS server. It had argued that WhatsApp could have used an Israeli lawyer to view the code or sought an export license from the Israeli government to view the code in the US. The Israeli company also did not produce internal communications, and key financial information. The court had called this move by NSO Group “impracticable”.