NSO Group Liable Under CFAA for Hacking WhatsApp Servers, NSO Attorneys Sanctioned for Discovery Misconduct

December 23, 2024

When courts reach the merits, spyware loses. After five years of procedural back and forth, the Northern District of California granted WhatsApp’s motion for partial summary judgment, finding NSO Group liable under a variety of hacking and breach of contract claims. The Court found NSO Group liable because its malicious Pegasus software infiltrated WhatsApp’s servers in order to spy on WhatsApp users. This is a huge win for the journalists, activists, politicians, and everyday users that NSO Group targets to help authoritarian governments.

NSO Group’s flagship product is malicious software called Pegasus, which can infiltrate and monitor target devices as well as extract information with zero engagement from the target device owner. This infiltration is usually done by exploiting existing software, such as WhatsApp’s servers. The spyware has reportedly been used to target thousands of people and has been used to spy on French President Emmanuel Macron, Dubai’s Princess Latifa, Saudi journalist Jamal Khashoggi, and many other prominent activists, academics, and journalists. In 2021, the U.S. government officially blacklisted NSO Group by placing it on the Commerce Department’s entity list and allegedly ending operational use. EPIC submitted a Freedom of Information Act request to the FBI seeking information about its connections to NSO Group and use of Pegasus spyware. We have still not heard back.

The Northern District of California found that by transmitting its infiltration code and learning information about target devices through WhatsApp’s servers (located in California), NSO Group exceeded its authorized access to WhatsApp’s servers and breached WhatsApp’s terms of service. For this reason, NSO Group was liable under the Computer Fraud and Abuse Act (“CFAA”) and the California Comprehensive Computer Data Access and Fraud Act (“CDAFA”), and for breach of contract. All that remains is to adjudicate damages at trial, which will proceed in the new year.

The court also granted in part and denied in part WhatsApp’s motion for sanctions. NSO Group is subject to evidentiary sanctions for refusing to comply with discovery requests, even when the court ordered NSO Group to do so. NSO Group notoriously withholds relevant information, making suits against it so difficult to adjudicate that Apple dropped its suit of a similar nature.

EPIC regularly advocates for greater oversight of surveillance systems and closely tracks government procurement, use, and export of spyware to ensure that fundamental human rights are protected. EPIC filed an amicus brief in the Ninth Circuit against NSO Group arguing that foreign spyware is not exempt from prosecution under the CFAA when the exploited computers are located in the United States. Recently, EPIC joined a letter sent to the DHS regarding its $2 million contract with well-known spyware developer Paragon Solutions. EPIC is also a part of an international coalition which has engaged with the EU government to address the unchecked spread of spyware abroad.
