A U.S. federal judge has ruled that the Israeli spyware company NSO Group is responsible for its involvement in a series of hacks targeting WhatsApp users in 2019. This landmark decision could have wide-reaching implications for the surveillance industry and global cybersecurity laws. The ruling, issued by U.S. District Judge Phyllis Hamilton in San Francisco on Thursday, determined that NSO Group’s Pegasus spyware violated U.S. federal wiretap laws and the Computer Fraud and Abuse Act (CFAA). This ruling comes after years of legal battles between NSO Group and Facebook (WhatsApp’s parent company), which sued NSO in 2019 after discovering that Pegasus had been used to target WhatsApp users worldwide, including journalists, human rights defenders, and political activists.
The case stems from May 2019 when WhatsApp revealed that hackers had exploited a vulnerability in its video calling feature to install Pegasus spyware on over 1,400 phones. The targets included journalists, activists, and government officials, particularly in countries with oppressive regimes. Pegasus, a powerful surveillance tool developed by NSO Group, allows its operators to remotely access a phone’s microphone, camera, messages, and other personal data without the victim knowing. The spyware has been linked to numerous high-profile surveillance incidents worldwide, often involving authoritarian governments.
WhatsApp’s lawsuit accused NSO Group of enabling “highly intrusive and illegal surveillance” by exploiting flaws in its platform to access users’ private information, thereby violating privacy laws and WhatsApp’s terms of service.
Judge Hamilton’s decision is seen as a major win for privacy advocates and tech companies pushing for accountability in the surveillance industry. The judge found that NSO Group’s actions, which allowed its spyware to monitor users without their consent, violated U.S. wiretap laws. In her opinion, Hamilton wrote that NSO’s activities interfered with WhatsApp’s services and breached the privacy rights of individuals whose phones were compromised by Pegasus.
This ruling is especially significant because NSO Group is based in Israel, and its software has been sold to governments around the world. While the company claims its tools are intended for legitimate uses like law enforcement and counterterrorism, Pegasus has been linked to abuse, including the targeting of journalists, activists, and political opponents in authoritarian states.
Legal Implications for the Surveillance Industry
This ruling could set a legal precedent that makes it harder for spyware companies like NSO Group to operate in the U.S. and elsewhere. The case is grounded in U.S. laws, such as the Wiretap Act, which criminalizes the interception of communications without consent, and the Computer Fraud and Abuse Act, which prohibits unauthorized access to digital devices.
“This is a critical moment in the fight against surveillance abuse,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF). “This ruling sends a clear message to the surveillance industry that the law will hold them accountable for actions that invade people’s privacy and violate their rights.”
While the decision does not automatically require financial penalties, WhatsApp may seek damages in a separate phase of the case. Legal experts suggest that this could lead to significant financial consequences for NSO Group, especially if other entities, including governments and tech companies, pursue similar lawsuits based on this legal precedent.
NSO Group’s Response
NSO Group, which has faced growing international criticism for its role in high-profile surveillance operations, has vowed to appeal the ruling. In a statement, the company reiterated that it operates within the law and sells its technology to governments for legitimate purposes such as combating terrorism and organized crime.
“NSO Group has always complied with Israeli laws and does not control how its clients use its products,” the company said. “We are disappointed by this ruling and will appeal to higher courts. Our mission is to ensure law enforcement and intelligence agencies have the tools they need to fight crime and terrorism.”
The company also stressed that it was unaware of the specific targets involved in the 2019 hack, arguing that it should not be held responsible for how its clients use its technology. However, critics contend that NSO’s business model, which sells powerful spyware to foreign governments, has enabled widespread abuse, particularly in authoritarian regimes.
The ruling has sparked mixed reactions. Privacy advocates have hailed it as a victory for digital privacy rights, while governments using NSO Group’s technology have expressed concerns about its impact on national security.
“Pegasus has become a symbol of the dangers of unchecked surveillance technology,” said U.S. Senator Ron Wyden (D-OR), a vocal advocate for stronger surveillance regulations. “This ruling is a critical step toward holding companies accountable for enabling the misuse of such invasive technology.”
At the same time, some countries in the Middle East, Latin America, and Asia that have used Pegasus are likely to push back against the ruling, viewing it as a challenge to their ability to use surveillance tools for national security purposes.
What’s Next for NSO Group and WhatsApp?
The next phase of the case will focus on determining any financial damages NSO Group may face and whether additional restrictions on its operations in the U.S. are warranted. WhatsApp has made it clear that it intends to seek both financial compensation and legal measures to prevent future abuses by NSO and similar companies.
For NSO Group, this ruling is a major blow to its credibility and business model. The company has already been blacklisted by the U.S. government, and this latest decision could further hinder its ability to operate internationally. However, as the appeal process moves forward, the case is likely to continue shaping the global tech and surveillance landscape, raising fundamental questions about the balance between security and privacy in an increasingly connected world.
As the legal battle unfolds, this case sets a significant precedent for how courts may approach issues of technology, privacy, and surveillance in the years ahead.
