NSO Group Hit with $168 Million Penalty for WhatsApp Hack: Key Takeaways from the Trial
A federal jury in California has delivered a significant blow to Israeli spyware firm NSO Group, ordering it to pay $168 million in damages for exploiting WhatsApp’s servers to compromise the mobile devices of its users. The ruling concludes a six-year legal battle between Meta, WhatsApp’s parent company, and NSO, and has shed light on the previously opaque world of the surveillance industry and its practices. The case revealed the high costs associated with spyware, the extent of NSO’s operations, and the company’s justifications for its actions.
The case centered on NSO’s use of WhatsApp’s infrastructure to deliver its Pegasus spyware to targeted devices. Pegasus is a sophisticated tool that allows its operators to gain near-total access to a device, including its messages, emails, photos, and location data. Meta alleged that NSO exploited a vulnerability in WhatsApp’s video calling feature to install Pegasus on victims’ phones without their knowledge.
According to court testimony, NSO charged its European government clients a standard fee of $7 million for the ability to simultaneously hack 15 different devices. This figure, provided by Sarit Bizinsky Gil, NSO’s vice president of global business operations, underscores the substantial financial resources required to engage in this type of surveillance. Furthermore, hacking a device located outside of the client’s country incurred an additional cost of $1 million to $2 million, highlighting the technical challenges and logistical considerations involved in cross-border surveillance. Meta’s lawyer, Antonio Perez, emphasized the complexity and costliness of NSO’s product, referring to it as a "highly sophisticated product" carrying a "hefty price tag."
Tamir Gazneli, NSO’s vice president of research and development, testified that the company was responsible for breaking into thousands of devices between 2018 and 2020. This revelation demonstrates the scale of NSO’s operations and the widespread impact of its activities. Gazneli’s testimony also revealed a philosophical divide regarding the nature of NSO’s work. While Meta characterized NSO as a seller of "spyware," Gazneli resisted the label, arguing that NSO’s tools were used to gather intelligence on "targets" rather than "people." This semantic distinction was challenged by Perez, who questioned Gazneli’s dehumanizing language. Gazneli clarified that his intent was not to deny that the targets were people but to emphasize that they were intelligence targets of intelligence agencies.
The trial also revealed the financial dealings between NSO and U.S. intelligence agencies. Court records showed that the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) collectively paid NSO $7.6 million. While previous reports had disclosed the agencies’ relationships with NSO, the trial provided specific figures, quantifying the extent of their financial investment in the company’s technology. The New York Times had previously reported that the CIA funded Djibouti’s purchase of NSO spyware, and the FBI acquired it for testing purposes.
Meta’s lawyers asserted that NSO’s actions extended beyond the initial hack in 2019. In a court document filed late last month, they alleged that NSO continued to target Meta, its servers, and WhatsApp users even after the lawsuit was filed. This alleged continued activity underscores the ongoing threat posed by NSO and its willingness to disregard legal constraints.
As a result, Meta is seeking a permanent injunction against NSO, arguing that the company "poses a significant threat of ongoing and prospective harm" to Meta, its platform, and its users. This injunction would effectively prohibit NSO from accessing or using WhatsApp’s services, thereby limiting its ability to deploy Pegasus and other surveillance tools through the platform.
The outcome of this case has significant implications for the spyware industry and its regulation. The $168 million penalty imposed on NSO sends a clear message that companies engaging in unauthorized surveillance activities will face serious consequences. The trial has also increased public awareness of the capabilities and potential abuses of spyware, prompting calls for greater oversight and accountability.
The trial also raises complex questions about the balance between national security and individual privacy. NSO has consistently argued that its tools are used to combat terrorism and crime, helping governments protect their citizens. However, critics argue that the technology has been used to target journalists, human rights activists, and political opponents, undermining democratic values and infringing on fundamental rights.
The debate over the use of spyware is likely to continue, particularly as technology advances and surveillance tools become more sophisticated. Governments and international organizations will need to grapple with the ethical and legal challenges posed by these technologies, developing frameworks that protect both national security and individual privacy.
The NSO Group case serves as a cautionary tale about the potential for abuse in the surveillance industry. It underscores the importance of holding companies accountable for their actions and ensuring that their technologies are not used to violate human rights or undermine democratic institutions. The case is a significant step in the ongoing effort to regulate the spyware industry and protect the privacy of individuals in an increasingly digital world.