Israeli spyware company, NSO Group, blocked from WhatsApp

Meta previously won $168 million in damages over claims spyware compromised WhatsApp users, but a judge reduced the damages down to $4 million.

OAKLAND, Calif. (CN) — Cyberintelligence firm NSO Group is now blocked from Meta’s WhatApp messaging platform, following a Friday ruling that also drastically reduced a multimillion dollar award granted to the Silicon Valley giant in May.

U.S. District Judge Phyllis Hamilton said in a 25-page ruling that there was evidence NSO Group’s flagship spyware could still infiltrate WhatApp users’ devices and granted Meta’s request for a permanent injunction.

However, Hamilton, a Bill Clinton appointee, also determined that any damages would need to follow a ratioed amount of compensation based on a legal framework designed to proportion damages. She ordered that the jury-based award of $167 million should be reduced to a little over $4 million.

“In this case, the court does not have a sufficient basis for determining that defendants’ behavior is ‘particularly egregious,’ which means the punitive damages ratio is capped at 9/1,” Hamilton wrote.

The damages stem from the company’s use of its proprietary spyware called Pegasus, which, once implanted, can control a phone’s microphones and cameras while extracting the personal and location data of its owner.

Meta — owner of WhatsApp, an encrypted communication app owned by Facebook’s parent company Meta Platforms, which boasts over 2 billion users worldwide — sued the Israel-based cyberintelligence firm in 2019 over violations of the U.S. Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, as well as for breaching WhatsApp’s terms of service. The spyware reportedly compromised the privacy of 1,400 activists, journalists and diplomats via WhatsApp servers in 2019.

“Today’s ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again," Will Cathcart, Head of WhatsApp said in a statement. “We applaud this decision that comes after six years of litigation to hold NSO accountable for targeting members of civil society. It sets an important precedent that there are serious consequences to attacking an American company.”

Representatives from the NSO Group did not immediately respond to requests for comment.

Hamilton’s permanent injunction prevents NSO from continuing to collect WhatsApp users’ data and stops any further “irreparable injury.”

The judge noted that NSO’s own statements via opposition brief and its CEO’s trial testimony indicated that NSO has continued attempting to get around Whatsapp’s security measures.

“Part of what companies such as Whatsapp are ‘selling’ is informational privacy, and any unauthorized access is an interference with that sale. Defendants’ conduct serves to defeat one of the purposes of the service being offered by plaintiffs, which constitutes direct harm,” she wrote.

Originally designed as a tool for government law enforcement and intelligence agencies, Pegasus sends a text message which then invades devices through a malicious code lurking in these messages sent via WhatsApp, Telegram or other messaging services — ultimately embedding the spyware into someone’s phone, where it can scrape browser history and contacts, grab screenshots and infiltrate communications.

NSO Group says it only sells its spyware to legitimate government law enforcement and intelligence agencies vetted by Israel’s Defense Ministry for use against terrorists and criminals.

Pegasus can also infect users through missed phone calls and  “zero-click” attacks, which do not require any action from the phone’s owner to succeed. Such attacks factored into Hamilton’s decision for the injunction.

“Given the multiple design-arounds, the covert nature of NSO’s work, and the designed undetectability of Pegasus itself, plaintiffs are unable to anticipate all the ways that defendants can access their platform, which is why they seek a broad injunction,” she said.

Though Meta had also asked for the injunction to extend to other Meta websites, like Facebook, Instagram and Threads, Hamilton said that evidence throughout the case primarily only focused on WhatsApp, so there was no way for her to determine if similar harms were being done on the other platforms.

NSO Group had motioned for a new trial or to amend the judgment to reduce the punitive damages. A hearing on the motion took place on Aug. 28, at which arguments by WhatsApp seeking a permanent injunction were also heard.

NSO has previously faced sanctions for refusing to comply with court orders demanding it to produce the Pegasus code in its entirety.

Meta’s lawsuit against NSO has seen more than half a decade of court proceedings that took the lawsuit through the Ninth Circuit, almost to the Supreme Court, and were almost “blown up” by their presiding judge a few weeks before trial.