According to Ars Technica, A U.S. federal judge has permanently barred spyware maker NSO Group from targeting WhatsApp users with its Pegasus software. The ruling follows a 2019 lawsuit by Meta alleging NSO attempted to infect approximately 1,400 mobile devices.
The decision from Judge Phyllis J. Hamilton of the U.S. District Court for the Northern District of California stems from a lawsuit filed by WhatsApp owner Meta in 2019. The suit alleged that NSO was caught attempting to surreptitiously infect the mobile phones of about 1,400 individuals. The list of targets included attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. Meta’s complaint also contended that NSO created fake WhatsApp accounts and targeted Meta’s own infrastructure as part of its campaign to deploy the spyware.
The permanent injunction orders NSO to permanently cease targeting WhatsApp users, attempting to infect their devices, or intercepting their end-to-end encrypted messages, which use the open-source Signal Protocol. Judge Hamilton’s ruling also mandates that NSO must delete any data it obtained from its activities targeting the platform’s users. NSO had argued that the injunction would “force NSO out of business,” as Pegasus is its “flagship product.” The judge rejected this, ruling that the harm Pegasus posed to Meta outweighed such commercial considerations.
In her ruling, Judge Hamilton elaborated on the nature of the damage inflicted upon Meta. She stated that the harm extended beyond reputational concerns and constituted a direct business issue. “In the court’s view, any business that deals with users’ personal information, and that invests resources into ways to encrypt that personal information, is harmed by the unauthorized access of that personal information—and it is more than just a reputational harm, it’s a business harm,” the judge wrote. The court also limited the injunction’s scope, denying Meta’s request to bar foreign governments from using WhatsApp, as they were not parties to the lawsuit. A request to bar NSO from targeting users of Facebook and Instagram was also denied.
WhatsApp head Will Cathcart applauded the decision in a statement. “Today’s ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again,” he said. “We applaud this decision that comes after six years of litigation to hold NSO accountable for targeting members of civil society.” Cathcart added that the ruling “sets an important precedent that there are serious consequences to attacking an American company.” Concurrently, Judge Hamilton reduced the punitive damages a jury had awarded to Meta from $167 million to $4 million, citing that the proper statutory cap had not been applied by the jury.
Pegasus is a highly advanced spyware that can infect both iPhones and Android devices, often using “zero-click” exploits that require no user interaction. It defeats security measures from Apple and Google by reverse engineering their operating systems. While NSO has stated it licenses Pegasus only to vetted governments that do not abuse the technology, the WhatsApp case demonstrated that dissidents and journalists were targeted. The ruling is significant as it provides a legal precedent for other U.S. parties to cite in future cases against NSO.
