US court: NSO must hand over spyware code

Previously, NSO applied to invoke immunity during the proceedings – however, last year the US Supreme Court paved the way for the lawsuit. (Source: IMAGO / SOPA Images)

The Israeli company NSO must hand over code for its Pegasus spyware to WhatsApp. As became known at the end of last week, a California court ruled this in the legal dispute between the two companies. The lawsuit has been ongoing for years.

According to the court, NSO must hand over “all relevant spyware” to WhatsApp. The decision from Judge Phyllis Hamilton is considered an important legal victory for Meta’s WhatsApp subsidiary. It is also significant because the code is considered to be a closely guarded state secret, as reported by the Guardian in Britain. NSO is regulated by the Israeli Ministry of Defence, which must approve all sales of licenses to foreign governments.

The court order stems from a lawsuit filed by WhatsApp and Meta in 2019. The social media group accuses the spyware developer of being involved in an attack on 1,400 WhatsApp users.

According to the court order, NSO at the time exploited an already existing security vulnerability to infiltrate smartphones with its controversial Pegasus spyware. Devices that received a call were infiltrated even if the call was not answered.

With the help of Pegasus, attackers could completely take over devices and obtain access to all data stored on the devices. Additionally, they could switch on the camera and microphone without being detected.

Attacks on members of the media and human rights activists

Those targeted on WhatsApp include members of the media, lawyers, dissidents, human rights activists, diplomats and government officials. According to the lawsuit, the servers that were used for the attacks were connected to NSO. Furthermore, WhatsApp found that many of the user accounts used for the attacks were associated with the Israeli company.

By doing so, NSO broke US laws and also violated WhatsApp's terms and conditions. WhatsApp is claiming damages and wants, among other things, to bar NSO from registering accounts with WhatsApp or Facebook.

The judge responsible has now decided that NSO must also “produce information concerning the full functionality of the relevant spyware” and hand it over to WhatsApp. Citing “various U.S. and Israeli restrictions”, NSO had filed a motion for a protective order to refuse the disclosure.

However, NSO was successful with another application: the company does not have to disclose its client list or information regarding its server architecture.

“Important milestone”

In response to the Guardian, a WhatsApp representative welcomed the decision: “The recent court ruling is an important milestone in our long-running goal of protecting WhatsApp users against unlawful attacks. Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law”.

NSO has not yet commented on the court order.

Donncha Ó Cearbhaill, Head of Security Lab at Amnesty International, welcomes the court order as well. He said: “This court order sends a clear signal to the surveillance industry that it cannot continue to enable spyware abuse with impunity.”

It is, however, disappointing that NSO may continue to keep secret the identities of its clients who are responsible for the surveillance. Donncha Ó Cearbhaill continues: “NSO Group says that it only sells Pegasus to authorized government customers. Our Security Lab has documented the massive scale and breadth of the use of Pegasus against human rights defenders and journalists across the world. It is vital that targets of Pegasus find out who has purchased and deployed the spyware against them so that they can seek meaningful redress.”

NSO wanted to invoke immunity

It was only decided last year that the WhatsApp lawsuit could go to court. The Israeli company attempted several times to invoke immunity, but the courts denied NSO Group this. In January 2023, the U.S. Supreme Court rejected NSO’s appeal, clearing the way for the lawsuit.

Even the U.S. Department of Justice provided a statement to the Supreme Court, declaring that the appeal from the spyware developer should be denied. Among other things, the Department of Justice pointed out that the U.S. government had already imposed sanctions on NSO in November 2021.

More lawsuits

The company also faces further lawsuits. At the close of 2021, Apple filed a lawsuit against NSO. The goal of the lawsuit is to hold NSO accountable for surveillance and targeted attacks on Apple users. Among other things, the court should prohibit NSO from developing and distributing malware for Apple devices. NSO also moved to dismiss this lawsuit. However, at the end of January, the U.S. Federal District Court denied the motion and ruled that the case could proceed.

Media professionals from the El Faro news site in El Salvador are also filing a lawsuit against NSO in the USA. Security researchers from the Canadian Citizen Lab proved in January 2022 that they were under surveillance by Pegasus. Among other things, the plaintiffs want NSO to reveal which government customer is responsible for the spying operation. (js)