NSO Group Hit with $168 Million Penalty for WhatsApp Hacking
A federal jury in California has ordered Israel’s NSO Group to pay a hefty $168 million penalty after finding the company liable for hijacking WhatsApp servers to hack users on behalf of foreign intelligence agencies. The verdict marks the culmination of a six-year legal battle between Meta, the owner of WhatsApp, and the controversial surveillance firm, shedding light on the often-opaque world of the spyware industry.
The lawsuit, filed by Meta, accused NSO Group of exploiting a vulnerability in WhatsApp to install its Pegasus spyware on the phones of targeted individuals, including journalists, human rights activists, and political dissidents. The spyware allowed NSO Group’s clients, primarily governments, to access encrypted messages, emails, photos, and other sensitive data on the compromised devices.
During the trial, Meta presented evidence demonstrating that NSO Group had specifically targeted WhatsApp’s servers between 2018 and 2020 to deliver the Pegasus malware. This involved reverse engineering WhatsApp’s security protocols and developing techniques to bypass its encryption.
Sarit Bizinsky Gil, NSO’s vice president of global business operations, testified that the company charged its European government clients a standard price of $7 million for the ability to hack 15 different devices. She also revealed that hacking a phone located outside the client’s country was an additional add-on, costing approximately $1 million to $2 million.
Meta lawyer Antonio Perez emphasized the sophistication and high cost of NSO Group’s technology, stating, "It is a highly sophisticated product, and it carries a hefty price tag."
Tamir Gazneli, NSO’s vice president of research and development, acknowledged that the firm was responsible for breaking into thousands of devices between 2018 and 2020. However, he disputed the characterization of NSO Group’s tools as "spyware," arguing that they were used to gather intelligence on targets, not people.
This distinction sparked a heated exchange between Gazneli and Perez. When Perez asked, "You don’t consider the targets people, Mr. Gazneli?", Gazneli responded, "That’s not what I said. What I said is that the targets are intelligence targets of intelligence agencies."
The trial also revealed the extent of the relationship between NSO Group and US intelligence agencies. Court records showed that the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) collectively paid NSO Group $7.6 million. While previous reports by The New York Times had disclosed the CIA’s funding of Djibouti’s purchase of NSO spyware and the FBI’s acquisition of the technology for testing purposes, the trial provided a specific price tag for these dealings.
Meta’s lawyers argued that NSO Group’s actions posed a significant threat to the privacy and security of WhatsApp users. They pointed out that the lawsuit had not deterred NSO Group from continuing to abuse WhatsApp’s infrastructure, alleging that the company repeatedly targeted Meta’s servers and mobile clients even after the litigation was filed.
In a court document filed late last month, Meta stated, "NSO repeatedly targeted Plaintiffs, Plaintiffs’ servers, and Plaintiffs’ mobile client even after this litigation was filed."
Meta is now seeking a permanent injunction against NSO Group, arguing that the company "poses a significant threat of ongoing and prospective harm" to Meta, its platform, and its users. The injunction would effectively prevent NSO Group from using WhatsApp’s infrastructure to deliver its spyware.
The verdict in the case has significant implications for the spyware industry. It sends a strong message that companies involved in the development and sale of surveillance technology can be held liable for their misuse. The case also highlights the challenges of regulating the spyware industry, which operates in a gray area between national security and individual privacy.
Civil liberties groups have long criticized NSO Group for selling its spyware to governments with a history of human rights abuses. These groups argue that the technology has been used to target journalists, activists, and political opponents, chilling freedom of expression and undermining democratic institutions.
NSO Group has defended its actions, arguing that its technology is used to combat terrorism and other serious crimes. The company claims that it vets its clients and takes steps to prevent the misuse of its spyware. However, critics argue that these safeguards are insufficient and that NSO Group has consistently failed to prevent its technology from being used for malicious purposes.
The outcome of the Meta v. NSO Group case could lead to increased scrutiny of the spyware industry and greater efforts to regulate its activities. It may also encourage other companies and individuals who have been targeted by spyware to pursue legal action against those responsible. The legal battle has exposed the inner workings of a secretive industry, raising important questions about the balance between national security, individual privacy, and corporate responsibility. The debate surrounding the use of powerful surveillance technology like Pegasus will likely continue for years to come, as societies grapple with the complex ethical and legal challenges posed by these tools. The case against NSO highlights the need for greater transparency and accountability in the spyware industry to prevent the abuse of these technologies and protect fundamental human rights.
The lawsuit’s revelations about the CIA and FBI’s dealings with NSO have also sparked controversy, raising questions about the extent to which US intelligence agencies should be involved with companies that have been accused of enabling human rights abuses. Critics argue that such relationships undermine the US government’s commitment to promoting human rights and democracy abroad.