WhatsApp Allowed to Sue Spyware Maker NSO Group, Says Judge

WhatsApp received the all-clear from the U.S. Supreme Court to seek a lawsuit against Israel’s NSO Group over allegations that the latter exploited a bug in the WhatsApp app to install its “Pegasus” spyware on 1,400 devices, including ones owned by journalists, human rights activists, and more (via Reuters).

Pegasus is a suite of spyware created by the Israeli cyber intelligence firm that is capable of accessing, taking over, and extracting sensitive information from a device without the user ever knowing. It’s even capable of hacking iPhones.

Pegasus is most commonly deployed as a “zero-click” exploit, which requires no input from the user to gain entry.

Meta Platforms-owned WhatsApp can now file a lawsuit against NSO Group for enabling the surveillance of its users. The ruling came after U.S. Supreme Court justices denied NSO’s appeal of a lower court’s refusal to award it “conduct-based immunity” in 2020.

Conduct-based immunity refers to a common law doctrine protecting foreign officials acting in their official capacity. NSO maintains it is immune to legal action because when it installed Pegasus on affected devices, it was acting as an agent for unidentified foreign governments.

Before making it to the Supreme Court, the 2020 decision to deny NSO immunity had already been upheld by the San Francisco-based 9th U.S. Circuit Court of Appeals last year. The appeals court ruled that NSO’s operations did not shield it from liability under the Foreign Sovereign Immunities Act (FSIA), a federal law that supersedes U.S. common law.

“NSO’s spyware has enabled cyberattacks targeting human rights activists, journalists and government officials,” Meta said in a statement following the court decision. “We firmly believe that their operations violate U.S. law and they must be held to account for their unlawful operations.”

WhatsApp’s lawyers said that private entities like NSO are “categorically ineligible” for immunity under the FSIA.

WhatsApp originally sued NSO Group in 2019, accusing the company of accessing its servers without authorization to install the Pegasus spyware on victims’ mobile devices. The instant messaging app was seeking an injunction and damages.

According to court papers, the accounts of 1,400 WhatsApp users were secretly infected with Pegasus spyware, allowing their smartphones to be used as surveillance devices.

NSO, meanwhile, argues that Pegasus is designed to help law enforcement and intelligence agencies catch terrorists, pedophiles, and hardened criminals. According to the cyberintelligence company, the spyware campaign in question enabled a foreign government’s investigation into an Islamic State militant who was using WhatsApp to plan an attack.

The U.S. government in November 2021 blacklisted NSO and Candiru, another Israeli company, for providing governments with spyware that was used to “maliciously target” journalists, activists, and others.

Pegasus has been found to be involved in attacks against journalists, government officials, and more. It was installed on Saudi journalist Jamal Khashoggi’s wife’s phone months before his murder, and it was also used to target Spanish Prime Minister Pedro Sánchez and Defence Minister Margarita Robles. NSO Group is also facing a lawsuit from Apple.