Apple may have petitioned to drop its lawsuit against NSO Group, the maker of the insidious Pegasus spyware, but that doesn't mean the company isn't being forced to face the music from other corners.
Last week, a judge found NSO Group liable for infecting over 1,400 devices. While that's likely a drop in the bucket compared to how many more could be out there, it's a start to holding makers of industrial-grade mercenary spyware responsible for the damage their tools can do.
The ruling, which was reported by The Record, came in response to a lawsuit launched by WhatsApp in 2019 alleging that NSO Group had exploited a bug in its systems to install spyware on users' devices. In the filing, WhatsApp noted that victims included "journalists, human rights activists, political dissidents, diplomats, and senior foreign government officials."
That list is par for the course for the Pegasus spyware, which NSO Group only sells to government agencies for the purposes of national security, law enforcement, and counter-terrorism. Unfortunately, many foreign governments have slippery definitions of what constitutes a "terrorist" or a "criminal," and there's been plenty of evidence of Pegasus being used by unknown entities to spy on journalists, human-rights defenders, pro-democracy activists, and even employees of the US State Department and senior EU officials, including the Prime Minister of Spain.
Pegasus has been around for nearly a decade, but it came into the spotlight in 2021 when a forensic analysis conducted by Amnesty International and the University of Toronto's Citizen Lab revealed the spyware had been used to target and spy on dozens of "human rights defenders (HRDs) and journalists around the world" and that it was the source of "widespread, persistent and ongoing unlawful surveillance and human rights abuses."
After fighting a cat-and-mouse game with NSO Group for years to try to block the vulnerabilities used by Pegasus, Apple filed a lawsuit in late 2021 to try and eliminate the threat on legal grounds. It also began a notification program to advise iPhone users if they'd been targeted by mercenary spyware such as Pegasus.
Sadly, Apple asked for its case to be dropped earlier this year, fearing that the discovery process needed in such cases would "present too significant a risk to [the] threat-intelligence program" that it uses to "protect every one of its users in the world." In other words, it would need to disclose information that could actually empower NSO Group and other companies that develop more sophisticated spyware tools. Even though Apple feels that courts would do their best to protect this confidential information, it also argues that this is a high-stakes game "where adversaries aggressively seek this information using any means necessary."
Fortunately, Meta and WhatsApp have less at stake. It probably helps that they're not building entire hardware and software platforms that can contain all of a user's sensitive data, but whatever the reason, WhatsApp has stuck to its guns, and now it's managed to secure a landmark ruling -- the first time that a court has held NSO Group liable for the abuses caused by its spyware.
After five years of litigation, we're grateful for today's decision. NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists and civil society. With this ruling, spyware companies should be on notice that their illegal actions will not be tolerated.
While the courts have yet to decide what the impact will be on NSO Group, the bigger win here is the precedent that has been set by this decision. As Natalia Krapiva, senior tech legal counsel at Access Now, told The Record, this decision sends a message to spyware companies around the world that "the time of impunity is over and they will be brought to justice for undermining the security of our devices and platforms, as well as our human rights."