Judge unlikely to allow expert testimony for NSO as jury decides damages in WhatsApp case

A federal judge expressed deep skepticism about admitting evidence that a spyware manufacturer wants a jury to hear as it decides how much money WhatsApp should receive in damages because devices belonging to about 1,400 users were allegedly hacked with the surveillance technology.

The NSO Group, which makes the powerful Pegasus spyware, argued that it should be allowed to present witnesses who can tell the jury how its technology is used to fight crime and terrorism. Pegasus is zero-click, meaning it can be installed without any specific behavior by a device’s owner.

While the firm has already been found liable for the alleged abuses in the WhatsApp case, the damages phase of the trial does not begin until April 28. WhatsApp, an instant messaging platform, is owned by Meta.

Northern California federal judge Phyllis Hamilton appeared disinclined to introduce the evidence, which is at the heart of the NSO Group’s attempt to fend off what experts say could be a massive financial penalty.

During a hearing on Thursday, Hamilton repeatedly criticized the NSO Group for seeking to admit expert testimony about its intent to fight crime and terrorism despite the fact that it failed to disclose how it vetted customers involved in the WhatsApp hacks and other details.

Expressing frustration at the lack of evidence NSO has submitted, Hamilton at one point said she was considering “blowing up” the case and reopening discovery in what is already a 5-year-old court battle.

Hamilton also appeared dissatisfied with NSO’s assertion that it doesn’t know who its customers target with its spyware, which has been abused worldwide to infect phones belonging to members of civil society.

The judge said she was a “little uncomfortable” about letting a jury hear evidence about Pegasus’ use in terrorism and law enforcement investigations “without any tethering to the specific acts here … and for them to say, ‘trust me, trust me.’”

“I'm not likely to allow those experts,” Hamilton said. “Why should you be able to put on evidence that has nothing to do with what actually happened in this case?”

She added that because NSO Group has offered few details about the targeting in the WhatsApp case, “the plaintiff has no opportunity to kick the tires of that discovery. That doesn't seem a fair way to approach this.”

Testimony by NSO’s three chosen experts about the spyware’s legal uses “just has nothing to do with what specifically happened in this case,” Hamilton said, because there is no evidence that all of the WhatsApp hacks were executed for legitimate law enforcement or counterrorism efforts.

“I've never tried a case in which there was no evidence as to what exactly happened here,” Hamilton said.

She said she was “flummoxed” by NSO’s refusal to explain what actions its clients engaged in related to the WhatsApp intrusions, especially since she allowed the spyware firm to cloak their identities. 

“I expected that that information would be provided,” she said, before asking a WhatsApp lawyer if he had received any evidence beyond the “self-serving testimony of the defendant's own witnesses about what happened.”

The lawyer replied that the company has only been provided with general policy statements about NSO’s rules for its clients and not any specific information about what occurred in the case of the estimated 1,400 WhatsApp targets.

An attorney for NSO told Hamilton that the company could not provide details it does not have.

“We don't know what client X is investigating — it would be totally inappropriate for a software provider to be exposed to what criminal investigations or what counterterrorism investigations are being conducted by a foreign nation state,” NSO lawyer Joseph Akrotirianakis said. 

“They wouldn't want us to know that and we wouldn't want to know that,” he added. “We can't produce things that we don't have.”

NSO Group and WhatsApp declined to comment.

An exhibit list NSO submitted to the court on March 13 also includes several articles about how encryption limits investigations into international corruption and terrorism as well as how encrypted platforms, including WhatsApp, are allegedly abused by criminals.

One of the submitted articles includes public remarks made by former president Barack Obama about the need for law enforcement to break encryption on criminal and terror suspects’ phones.

NSO Group also is seeking to admit a video of an al-Qaeda terrorist who was reportedly a Pegasus target in the case.

Case dates to 2019

Hamilton’s December ruling finding NSO liable for its role in the infection of the roughly 1,400 devices is unprecedented. No court has ever before said the company should be held accountable for abuses of Pegasus.

Hamilton found that the company violated the federal Computer Fraud and Abuse Act (CFAA) as well as a California anti-hacking law. 

The case began in 2019 when WhatsApp sued, alleging NSO Group had exploited a security flaw to install the spyware, which in some cases allegedly targeted journalists, human rights activists, political dissidents, diplomats and senior foreign government officials.

NSO repeatedly modified the exploit to launch new attacks on WhatsApp systems after the company patched holes the spyware had previously penetrated, depositions given by NSO executives show.

A Friday court filing revealed that 1,223 individuals in 51 countries were targeted in the hack. 

The document, which had previously been sealed, listed targets located in Mexico, India, Bahrain, Morocco, Israel, Lebanon, Uzbekistan and Cyprus, among many other countries. 

First reported by the Israeli publication CTech, the filing revealed that 456 people were targeted in Mexico alone. One target was located in the United States, the filing shows.

WhatsApp has said about 1,400 people were targeted. The court filing lists locations tied to 1,223 people. It is unclear why the numbers differ.

NSO's clients include individuals in the U.S., Saudi Arabia and Uzbekistan, NSO’s lawyer revealed in court Thursday.

Saudi Arabia and Uzbekistan are authoritarian regimes. The Saudi government has used Pegasus to infect phones belonging to dissidents, including one who worked with Jamal Khashoggi in an effort to disrupt the monarchy’s propaganda program.  

NSO had previously said it stopped selling Pegasus to the Saudis following Khashoggi’s killing.