(Reuters) – A U.S. judge on Friday ruled in favor of Meta Platforms Inc (Nasdaq) WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spyware that allowed unauthorized surveillance.
US District Judge Phyllis Hamilton in Oakland, California, granted a request from WhatsApp and found NSO liable for hacking and breach of contract.
Hamilton said the case will now proceed to trial on the issue of damages only. NSO Group did not immediately respond to an email request for comment.
Will Cathcart, head of WhatsApp, said the ruling was a victory for privacy.
“We have spent five years making our case because we firmly believe that spyware companies cannot hide behind impunity or avoid accountability for their illegal actions,” Cathcart said in a social media post.
“Surveillance companies should be aware that illegal spying will not be tolerated.”
A WhatsApp spokesperson said they were grateful for the decision.
“We are proud to stand against NSO and thank the many organizations that have supported this cause. WhatsApp will never stop working to protect people's private communications,” he said.
Cybersecurity experts welcomed the ruling.
John Scott-Railton, a senior researcher at Canadian internet watchdog Citizen Lab – which first highlighted NSO's Pegasus spyware in 2016 – described the ruling as a landmark ruling with “huge implications for the spyware industry.”
“The entire industry has hidden behind the claim that anything their customers do with their hacking tools, it is not their responsibility,” he said in an instant message. “Today’s ruling makes clear that NSO Group is in fact responsible for breaking numerous laws.”
In 2019, WhatsApp sued NSO for an injunction and damages, accusing it of accessing WhatsApp servers without permission six months earlier to install Pegasus on victims' mobile devices. The lawsuit claimed that the hack allowed 1,400 people to be monitored, including journalists, human rights activists and dissidents.
NSO claimed that Pegasus helps law enforcement and intelligence agencies fight crime and protect national security and that its technology is intended to help catch terrorists, child molesters and hardened criminals.
NSO appealed a judge's decision in 2020 to deny it “conduct-based immunity,” a common law principle that protects foreign officials acting in their official capacity.
Upholding that ruling in 2021, the San Francisco-based 9th U.S. Circuit Court of Appeals called it an “easy case” because NSO’s mere licensing of Pegasus and providing technical support does not protect it from liability under a federal law called the Foreign Sovereign Immunities Act. , which takes precedence over common law.
Last year, the US Supreme Court rejected NSO's appeal of the lower court's decision, allowing the lawsuit to continue.
