NSO ruling is a victory for WhatsApp, but could have a small impact on spyware industry
When a federal judge recently ruled that a major spyware manufacturer should be held liable for the phone hacks its technology allows, privacy advocates cheered. But within hours of the first-of-its-kind decision, close observers of the commercial surveillance marketplace were asking what impact the ruling might have on the company’s continued operations and on the industry as a whole.
The answer could be: not that much.
The closely-watched case began in 2019 when the Meta-owned messaging platform WhatsApp sued NSO Group — which makes the powerful zero-click spyware Pegasus — for allegedly hacking devices belonging to 1,400 of its users, including journalists, human rights defenders, dissidents and diplomats.
Late last month, a federal judge in California stunned spyware manufacturers and human rights activists alike when she concluded that NSO violated both computer hacking laws and WhatsApp’s terms of service when it allegedly repeatedly breached the messaging platform to infect victims’ devices with Pegasus.
A trial to determine what type and amount of damages NSO will pay is set to begin in March.
If NSO Group is forced to pay damages to WhatsApp — far from a sure thing — such a payment would be made many years from now given the appeals process. And even if NSO does have to pay a significant amount, experts say, it wouldn’t necessarily mean the end of Pegasus.
“If they did somehow find a way to force them to pay fines here, all they would have to do is declare bankruptcy, change their name and stay in business,” James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, told Recorded Future News.
“The people who have these skills are not going to go away and they all live in countries that are not subject to U.S. jurisdiction,” he added. “Call it OSN Group, and you're back in business.”
The legal impact of the decision may also be small.
Because of the type of sanctions the judge ordered, the ruling does not set a precedent for whether spyware victims who live abroad can sue foreign spyware firms in U.S. courts, a dynamic which has long been a barrier for plaintiffs, one legal expert said.
The legal landscape
The legal precedent set by the case is “rather limited,” Asaf Lubin, an associate professor at Indiana University Maurer School of Law, wrote in Lawfare Tuesday.
While the court handed WhatsApp an important symbolic victory, the way the judge worded her opinion gives future courts little precedent to latch onto for holding spyware companies accountable, wrote Lubin, who is also an affiliated fellow at the Information Society Project at Yale Law School.
Spyware victims who have sued NSO in U.S. courts have faced an uphill battle trying to get their cases heard because many American judges have said they lack the jurisdiction needed to decide the cases. NSO Group has long contended that Pegasus cannot be used to infect American phone numbers, and most known victims have been located outside of the U.S. when they were hacked.
A lawsuit brought against NSO by Jamal Khashoggi’s widow, for example, was dismissed in late 2023 because a judge ruled her allegations were not well enough connected to Virginia, where she brought the case. And in March, a federal judge dismissed a 2022 lawsuit from Salvadoran journalists who said Pegasus was used to hack their iPhones in 2020 and 2021, ruling that the case was “entirely foreign.”
Lubin argued that the judge in the WhatsApp case skirted the jurisdiction issue by focusing on the fact that NSO failed to produce evidence, particularly its source code.
“This approach — while effective in sending a message to companies like NSO Group that ignoring discovery orders is a failed strategy — does little to establish a substantive precedent that could guide future spyware litigants or courts,” Lubin wrote.
The WhatsApp suit raised a specific and thorny jurisdictional issue.
Could WhatsApp successfully sue NSO because its California-based servers were used to facilitate the spyware infections even though the targeted devices were located abroad? The judge’s decision does not adequately answer that question, Lubin said.
The damages question
Whether the damages WhatsApp is awarded will bankrupt NSO one day and even whether they will ultimately be paid is unclear, legal experts say.
Israeli courts could decide not to enforce the judgement, Lubin said in an interview with Recorded Future News.
“The court may deem enforcement against a spyware company, given the industry's significance in Israel, prejudicial to Israeli security,” Lubin said.
An Israeli court also could decide that the American court lacked jurisdiction needed to make the judgment.
If an Israeli court does enforce damages, how big they could be will largely be determined by whether punitive damages, which WhatsApp has sought, are applied.
Statutory damages dictated by the state and federal anti-hacking laws WhatsApp sued under as well as compensatory damages meant to cover costs WhatsApp incurred to defeat the spyware could be somewhat large, but nothing in the league of potential punitive damages meant to punish defendants and deter others from similar conduct.
What’s next
Whatever the future holds, the WhatsApp decision gave human rights advocates a much needed win after a string of disappointments.
In September, Apple withdrew a lawsuit against NSO for hacking iPhones, citing concerns over jeopardizing its security program in the discovery process.
A high-profile Thai case brought by an anti-government activist who claimed Pegasus was used to breach his phone was dismissed in November. A Thai judge said the activist, who had previously been jailed for criticizing the monarchy, failed to prove Pegasus was used to hack his phone.
The possibility that WhatsApp’s success will spur more lawsuits and particularly lawsuits against other spyware firms which have been less in the spotlight than NSO is important, said Jen Roberts, an Atlantic Council expert who co-authored a highly regarded report on the spyware industry.
“There have been a lot of cases against NSO Group, but I think that if this has sprawling effects across the industry, and people start making those connections, it will have a much wider effect,” she said.
The case also could chill Western investment in spyware firms, Roberts said, increasing perceptions that they are financially risky and that owning large stakes in them could lead to reputational damage.
The San Francisco-based private equity firm Francisco Partners (FP) held a majority stake in NSO from 2014 through February 2019. A WhatsApp court filing citing sworn depositions and a written statement from NSO executives alleges that the firm knew about NSO’s efforts to develop the vectors used in the WhatsApp hack. (An FP spokesperson said the contention has “absolutely no basis in fact”).
Despite the obstacles to holding spyware firms accountable, Natalia Krapiva, a lawyer at the digital rights nonprofit Access Now, said the ruling will at least have a chilling effect on what she called an out of control commercial spyware industry, whose products have been used to surveil hundreds of civil society victims despite industry assurances that only law enforcement and intelligence targets are permitted.
Citing NSO’s already precarious financial status and the cost of top flight American lawyers, Krapiva said lawsuits, especially when successful as in the WhatsApp case, “impose a lot of costs.”
“It is still worthy to pursue this kind of action because otherwise these companies do what they want without any cost, without any friction,” she said.
A spokesperson for NSO Group declined to comment.
Krapiva is hopeful that the WhatsApp decision will cause spyware industry leaders to think more carefully about their methods and ask more questions about how their technology is being used.
While WhatsApp’s win is a sign for spyware companies around the world that “the impunity is winding down, at the same time the road to accountability is still long and difficult,” Krapiva said. “The companies receive a lot of support from states and other powerful actors so those who want to challenge their power in court or otherwise need to be prepared.”
“It is definitely worth fighting for,” she said.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.