In a landmark decision, a U.S. federal jury has mandated that NSO Group, the Israeli firm behind the controversial Pegasus spyware, pay approximately $168 million in damages to WhatsApp. This verdict follows a protracted legal battle initiated by WhatsApp in 2019, accusing NSO Group of exploiting its servers to deploy spyware targeting over 1,400 individuals worldwide.
Background of the Case
The origins of this case trace back to May 2019, when WhatsApp discovered that NSO Group had utilized a zero-day vulnerability in its voice calling feature to install Pegasus spyware on users’ devices. This exploit, identified as CVE-2019-3568 with a CVSS score of 9.8, allowed attackers to infect devices merely by placing a call, even if the recipient did not answer. The targets included journalists, human rights activists, and political dissidents across 51 countries, with significant numbers in Mexico, India, Bahrain, Morocco, and Pakistan.
Legal Proceedings and Verdict
WhatsApp, owned by Meta Platforms, filed a lawsuit against NSO Group in October 2019, alleging violations of the U.S. Computer Fraud and Abuse Act and breach of contract. In December 2024, U.S. District Judge Phyllis J. Hamilton ruled that NSO Group had indeed violated U.S. laws by exploiting WhatsApp’s servers to deploy Pegasus spyware. The recent jury verdict has now quantified the damages, awarding WhatsApp $167,254,000 in punitive damages and $444,719 in compensatory damages for the resources expended to mitigate the attack.
Implications for the Spyware Industry
This ruling marks a significant precedent in holding spyware manufacturers accountable for their actions. Will Cathcart, head of WhatsApp at Meta, emphasized the broader impact of the decision, stating, The jury’s verdict today to punish NSO is a critical deterrent to the spyware industry against their illegal acts aimed at American companies and our users worldwide. This sentiment underscores the growing scrutiny and potential legal repercussions facing companies involved in the development and distribution of surveillance tools.
NSO Group’s Response and Future Actions
In response to the verdict, NSO Group has maintained that its technology plays a crucial role in preventing serious crime and terrorism. The company has expressed its intention to pursue appropriate legal remedies, indicating a potential appeal. However, this legal defeat adds to the mounting challenges faced by NSO Group, including being blacklisted by the U.S. government in 2021 for engaging in malicious cyber activities.
Broader Context and Industry Impact
The case against NSO Group is emblematic of the broader concerns surrounding the use of spyware by governments and private entities. Investigations have revealed that Pegasus spyware has been used to target a wide array of individuals, including government officials, journalists, and activists. This has prompted calls for increased regulation and oversight of the spyware industry to prevent abuse and protect individual privacy rights.
Conclusion
The $168 million judgment against NSO Group represents a significant victory for digital privacy advocates and sets a legal precedent for holding spyware manufacturers accountable for their actions. As the digital landscape continues to evolve, this case underscores the importance of safeguarding user privacy and the need for stringent oversight of surveillance technologies.
