Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case
Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case
A California federal judge ordered the Israeli company to turn over its highly protected secret code as part of discovery in a years-long lawsuit.
WhatsApp notched a major victory against the spyware producer NSO Group last week when a California federal judge ordered the Israeli company to turn over its highly protected secret code as part of discovery in a years-long lawsuit.
The case could have major repercussions for NSO Group, whose Pegasus spyware has been used to spy on human rights activists, journalists and opposition politicians across the world.
Judge Phyllis Hamilton ordered NSO Group to produce its code, specifically directing it to unveil relevant spyware from the year leading up to when WhatsApp users were allegedly victimized in 2019 through May 2020 until a year after the alleged attack ended.
WhatsApp has alleged that NSO Group exploited an audio calling vulnerability in its system to attach Pegasus to phones targeted by NSO Group clients.
It sued the company in 2019, alleging the spyware purveyor had facilitated surveillance of about 1,400 WhatsApp users over the course of two weeks, including journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials.
According to WhatsApp’s complaint, NSO Group complained to a WhatsApp employee in a message when the vulnerability was fixed, saying, “you just closed our biggest remote for cellular … It’s on the news all over the world.”
In her opinion, Hamilton said she weighed an NSO Group argument that the discovery requirements should be modified but ultimately dismissed the claim.
“The court rejects defendants’ argument that their production should be limited to the installation layer of the alleged spyware, and instead concludes that defendants must produce information concerning the full functionality of the relevant spyware,” Hamilton’s decision said. “The complaint contains numerous instances alleging not only that spyware was installed on users’ devices, but also that information was accessed and/or extracted from those devices.”
News of the order was first reported by The Guardian.
A spokesperson for WhatsApp said the court ruling is an “important milestone in our long running goal of protecting WhatsApp users against unlawful attacks.
“Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law.”
Not everything went WhatsApp’s way, however. Hamilton ruled that NSO does not have to reveal its client names or provide details of its server architecture.
NSO Group did not respond to a request for comment.
In January, a federal judge denied a NSO motion to dismiss an Apple lawsuit alleging Pegasus spyware broke computer fraud laws.
Pegasus and other powerful spyware has recently been used in several European countries to marginalize opposition politicians and spy on journalists. Recent scandals in Poland, Spain, Greece, Serbia and Hungary have alarmed government officials across Europe. Just last week, in advance of June elections, spyware was found on the phones of members and staff of Europe’s Parliament.
The spyware is easily placed on victim’s phones without their knowledge, not even requiring them to click on links sent by unknown contacts. Once a phone is overtaken by the spyware it can see through the camera, activate the microphone, read emails and text messages and otherwise fully access the phone’s contents.
The U.S. government blacklisted NSO in 2021. The company has long claimed that Pegasus is designed to help governments fight terrorism but a long string of abuses have undermined its reputation and led to pressure on Israel’s government to stop supporting it.