In a summary judgment, Judge Phyllis Hamilton of the US District Court in Oakland, Northern District of California has found Israeli-mercenary's surveillance firm NSO Group Technologies (also known as Q Cyber Technologies) liable for the hacking of Meta's Whatsapp through its state-of-the-art military-grade malware Pegasus.
The Court has found that NSO violated the Computer Fraud & Abuse Act, and Comprehensive Computer Data Access & Fraud Act by sending malicious messages through WhatsApp servers to hack users. It also found NSO for breaching its contract by violating WhatApp's Terms of Service.
A trial will now proceed only on the issue of damages in WhatsApp v. NSO.
The summary judgment dated December 20 states "Thus, the Court grants summary judgment in plaintiffs' favour on the CFAA claim under both section (a)(2) and (a)(4), on theory that defendants exceeded their authorisation. Defendants appear to fully acknowledge that the WIS sent messages through WhatsApp servers that caused Pegasus to be installed on target users' devices and that the WIS was then able to obtain protected information by having it sent from the target users, through the WhatApp servers, and back to the WIS...defendants argue that Pegasus was operated by their clients, and thus defendants did not collect any information. Defendants further argue that terms such as 'illegal,' 'unauthorised,' and 'harmful' as used in terms of service are vague and ambiguous. Finally, the defendants argue that plaintiffs waived those contractual provisions by failing to ensure them against any other users. The Court finds no merit in the arguments raised by the defendants."
The Court added" "Defendants do not dispute that they must have reverse-engineered and/or decompiled the WhatsApp software in order to develop the WIS, but simply raise the possibility that they did before agreeing to the terms of the service. However, as discussed above, the defendants have withheld evidence regarding their agreement to the terms of service. Moreover, common sense dictates that defendants must have first gained access to the WhatsApp software before reverse-engineering and/or decompiling it, and they offer no plausible explanation for how they could have gained access to the software without agreeing to the terms of service. Accordingly, the court concludes the plaintiff has sufficiently established a breach. "
NSO Group's flagship spyware Pegasus is known to be one of the most sophisticated spyware which can infiltrate both iOS and Android devices as per the University of Toronto's cybersecurity research laboratory Citizen Lab. Pegasus is described as "a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device".
As per Citizen Lab, to monitor a target, a Pegasus operator uses multiple vectors (the entry point by which an attacker gains unauthorised access to a computer system: malicious email attachment, sending a malicious link or sending malicious files through an instant messaging program)and tactics.
One of the vectors where through WhatsApp. In 2019, it was discovered that attackers were able to install the Pegasus software onto both iPhone and Android through WhatsApp voice calls.
More than 1400 members of political dissidents, and civil society including journalists, and human rights activists around the world including from India were targeted in the 2019 WhatsApp hacking. On October 30, 2019, Facebook (now Meta) confirmed that Pegasus targeted Indian human rights lawyers, journalists, Dalit rights activists and members of Opposition parties.
On October 29, 2019, WhatsApp then filed a lawsuit against the NSO Group and also sought a permanent injunction banning NSO from using its service. It alleged a violation of the Computer Fraud and Abuse Act.
Journalists, human rights activists, Dalit rights and anti-caste activists accused in the infamous Bhima-Koregaon Elgar Parishad under the anti-terror law Unlawful Activities (Prevention) Act, of 1967 were said to be the primary targets of the spyware. They claimed that through the hacking, digital evidences were planted on their devices. In Bhima Koregaon, 16 persons were arrested in 2018 in connection with allegedly supporting the banned Community Party of India (Maoist) and conspiring to kill the Prime Minister and overthrow the Government. All of them are yet to face trial.
When the allegations of spying reacted the Supreme Court of India, appointed an independent committee to investigate the allegations of widespread and targeted surveillance. In 2022, the Supreme Court orally said that the Committee found malware in some phones, though it could not confirm it was Pegasus. The Court also disclosed the Committee's grievance that the Centre did not cooperate.
A digital forensic consulting company based in the US, Arsenal Consulting, had confirmed that some of the Bhima Koregaon accused persons were targeted by Pegasus.
Since NSO Group's policy was to supply the spyware only to Government clients, the ruling Government led by Prime Minister Narendra Modi came under the radar for snooping to stifle the dissent. Another possibility that merged was that the Indian population were the target of surveillance by a foreign Government.
Reportedly, the malicious code through which the software could be infiltrated could be transmitted through WhatsApp calls even if the users did not answer their calls. Often, the calls would disappear from call logs as well. The spyware can then turn out the phone's microphone and camera and can monitor emails, and messages and track users' movements.
NSO Group had claimed it only sells its spyware strictly to Government clients. It also claimed that the exports are undertaken in accordance with Israeli laws. Pegasus came under strict scrutiny after it was reported that it was used to target US-based Saudi Arabian journalist Jamal Khashoggi and his family members. Khashoggi was murdered in Turkey.