A federal judge has ordered spyware maker NSO to stop using its Pegasus app to target or infect users of WhatsApp.
The ruling, issued Friday by Phyllis J. Hamilton of of the US District Court of the District of Northern California, grants a permanent injunction sought by WhatsApp owner Meta in a case it brought against NSO in 2019. The lawsuit alleged that Meta caught NSO trying to surreptitiously infect about 1,400 mobile phones—many belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials—with Pegasus. As part of the campaign, NSO created fake WhatsApp accounts and targeted Meta infrastructure. The suit sought monetary awards and an injunction against the practice.
Setting a precedent
Friday’s ruling ordered NSO to permanently cease targeting WhatsApp users, attempting to infect their devices, or intercepted WhatsApp messages, which are end-to-end encrypted using the open source Signal Protocol. Hamilton also ruled that NSO must delete any data it obtained when targeting the WhatsApp users.
NSO had argued that such a ruling would “force NSO out of business,” as Pegasus is its “flagship product.” Hamilton ruled that the harm Pegasus posed to Meta outweighed any such considerations.
“In the court’s view, any business that deals with users’ personal information, and that invests resources into ways to encrypt that personal information, is harmed by the unauthorized access of that personal information—and it is more than just a reputational harm, it’s a business harm,” Hamilton wrote. “Essentially, part of what companies such as Whatsapp are ‘selling’ is informational privacy, and any unauthorized access is an interference with that sale. Defendants’ conduct serves to defeat one of the purposes of the service being offered by plaintiffs, which constitutes direct harm.”