NSO Group forced to turn over Pegasus code in WhatsApp legal battle

WhatsApp secured a significant legal triumph against NSO Group, a producer of spyware, as a California federal judge mandated the Israeli company to disclose its closely guarded secret code as part of the ongoing litigation.

This ruling carries substantial implications for NSO Group, whose Pegasus spyware has infamously been employed to surveil human rights advocates, journalists, and political activists globally. This spyware can surreptitiously infiltrate victims’ phones without their knowledge, bypassing the need for them to interact with links from unknown sources. Once installed, the spyware grants access to the phone’s camera, microphone, emails, text messages, and other contents.

Judge Phyllis Hamilton’s order compelled NSO Group to unveil its code, specifically focusing on the spyware relevant to the period from a year prior to the alleged victimization of WhatsApp users in 2019 through May 2020 and extending a year beyond the purported attack’s conclusion.

WhatsApp contends that NSO Group exploited a vulnerability in its audio calling system to deploy Pegasus onto phones targeted by NSO Group’s clients. The lawsuit, initiated by WhatsApp in 2019, accuses NSO Group of enabling surveillance on approximately 1,400 WhatsApp users within a two-week timeframe, encompassing journalists, human rights activists, political dissidents, diplomats, and high-ranking foreign government officials.

According to WhatsApp’s allegations, NSO Group expressed dissatisfaction to a WhatsApp employee via message when the vulnerability was patched, lamenting, ‘you just closed our biggest remote for cellular… It’s on the news all over the world.’

In her ruling, Judge Hamilton dismissed NSO Group’s argument for modified discovery requirements, emphasising that the company must disclose information regarding the complete functionality of the relevant spyware. She cited numerous instances in the complaint alleging not only the installation of spyware on users’ devices but also the access and extraction of information from those devices.

WhatsApp welcomed the court ruling as a significant step toward safeguarding its users against unlawful attacks. A spokesperson underscored the importance of holding spyware companies and malicious actors accountable under the law.

However, the ruling wasn’t entirely in WhatsApp’s favour. Hamilton determined that NSO Group isn’t obligated to divulge its client names or provide details of its server architecture.

NSO Group declined to comment on the matter.

Earlier in January, a federal judge rejected NSO Group’s motion to dismiss an Apple lawsuit alleging that Pegasus spyware violated computer fraud laws.

The US government blacklisted NSO Group in 2021. Despite NSO’s claims that Pegasus serves counterterrorism efforts, its history of abuses has tarnished its reputation and led to calls for Israel’s government to cease its support.

Last year the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States announced their partnership to counter misuse of commercial spyware. The partnership comprises of governments working within their respective systems to establish guardrails and procedures to ensure that any commercial spyware used by their governments conforms to human rights. In February 2024, the UK and France, alongside major tech companies like Google, Microsoft, and Meta, issued a joint statement (‘Pall Mall Process’) acknowledging the urgent need for decisive action against the malicious exploitation of cyberespionage tools. At a conference convened by the UK and France with representatives from 35 nations, concerns were raised regarding the proliferation of spyware used to listen to phone calls, steal photos and remotely operate cameras and microphones.