Israel-based maker of Pegasus program loses five-year-old landmark case.
Messaging giant WhatsApp won a landmark ruling Friday against the best-known maker of spyware when a federal judge in California ruled that NSO Group had hacked into the Meta unit's systems by sending malicious software through its servers to more than a thousand targeted phones.
District Judge Phyllis Hamilton granted WhatsApp's motion for summary judgment against Israel-based NSO, finding in the five-year-old case that it had violated the U.S. Computer Fraud and Abuse Act with the pernicious spying program known as Pegasus.
Hamilton also found that WhatsApp was entitled to sanctions against NSO for its refusal to turn over source code for the software in discovery, with the penalty to be determined later. She ruled that with the underlying legal issues settled, the case should proceed to trial only to determine how much NSO should pay in civil damages.
WhatsApp spokesman Carl Woog said the company believed the ruling is the first to hold a major spyware vendor responsible for breaking the fundamental U.S. hacking law, as well as California's state version of it.
"We're grateful for today's decision," Woog wrote in a statement. "NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists and civil society. With this ruling, spyware companies should be on notice that their illegal actions will not be tolerated."
NSO did not immediately respond to questions.
Apple dropped a similar case against NSO in September after Israeli authorities reportedly seized the company's source code and NSO said it could no longer produce it.
The victory is among the strongest in court against an industry that has found itself at the center of global disputes over governmental surveillance powers and individual freedoms. The U.S. government has sanctioned NSO and a few other companies and individuals after determining that they were operating in opposition to U.S. interests. Most American allies, however, have been slow to follow suit.
Like its peer companies, NSO argues that it should be exempt from legal punishment because it sells only to government agencies, which determine which people to target with the programs. Pegasus and similar wares have used a series of security flaws, including those in WhatsApp and Apple's operating system, to get inside phones and capture pictures, emails and texts, even those in WhatsApp and Signal that are fully encrypted in transmission.
In some cases, those exploits require no user interaction and leave the software all but indiscoverable.