WhatsApp has scored a major legal victory in its fight against NSO Group, in a decision that will have profound repercussions on privacy and the spyware industry.
Judge Phyllis Hamilton, of the U.S. District Court for the Northern District of California, has issued a landmark summary judgment in which the court found that Israeli firm NSO Group was liable for damages in its hack of WhatsApp.
Background
The case dates back to 2019, when WhatsApp revealed that NSO Group had exploited a vulnerability in its messaging app that allowed it to install its Pegasus spyware onto target devices. The software could be installed remotely via a phone call—whether the call was answered or not.
From there, NSO Group continued to refine Pegasus, improving its abilities to the point that phones could be compromised with absolutely no user interaction, making the software one of the most successful spyware packages in history.
Because of NSO Group’s success compromising both Android and iOS devices, Pegasus quickly became highly sought after, especially among regimes that wanted to crack down on dissent and monitor political adversaries. Many of the targeted devices and accounts belonged to journalists, activists, and government officials.
WhatsApp framed the case in the context of the Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), as well as WhatsApp’s own terms of service. NSO Group resorted to a rather novel defense, claiming that it was entitled to sovereign immunity, since its actions were taken on behalf of foreign governments. The Biden administration urged the US Supreme Court to deny the defense, as the US State Department has never given sovereign immunity to a private company. SCOTUS agreed, shooting down NSO Group’s defense and allowing the trial to proceed.
Judge Hamilton Calls Out NSO Group’s Obstruction
Judge Hamilton called out the Israeli firm for its lack of transparency, as the company produced remarkably few documents in response to discovery orders.
Overall, the court concludes that defendants have repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery. Most significant is the Pegasus source code, and defendants’ position that their production obligations were limited to only the code on the AWS server is a position that the court cannot see as reasonable given the history and context of the case. Moreover, defendants’ limitation of its production such that it is viewable only by Israeli citizens present in Israel is simply impracticable for a lawsuit that is to be litigated in this district.
CFAA Claims
Judge Hamilton found that NSO Group violated the CFAA.
Thus, the court GRANTS summary judgment in plaintiffs’ favor on the CFAA claim under both section (a)(2) and (a)(4), on the theory that defendants exceeded their authorization. Defendants appear to fully acknowledge that the WIS sent messages through Whatsapp servers that caused Pegasus to be installed on target users’ devices, and that the WIS was then able to obtain protected information by having it sent from the target users, through the Whatsapp servers, and back to the WIS. Defendants’ only arguments go to statutory interpretation (addressed above), and their delegation of Pegasus operation to their clients (addressed by § 1030(b)). The court need not address plaintiffs’ alternative argument, that defendants acted without authorization.
CDAFA Claims
Similarly, Judge Hamilton found in favor of WhatsApp’s CDAFA argument, in no small part due to NSO Group not producing the source code it was ordered to, making it impossible to determine if Pegasus actively violated the CDAFA by targeting accounts within the state.
The CDAFA is the state-law equivalent of the CFAA, with the additional requirement that a computer be unlawfully accessed in California. See, e.g., Meta Platforms, Inc. v. BrandTotal Ltd., 605 F.Supp.3d 1218, 1260 (N.D. Cal. 2022). In the court’s view, plaintiffs’ evidence regarding California relay servers is sufficient, even without more, and to the extent the statute requires an intent to target a California server, the outcome is the same as it was with respect to the jurisdictional analysis – because defendants’ failure to produce Pegasus source code is at least one reason why there is no evidence of exactly how the WIS chose servers, an evidentiary sanction is appropriate to conclude that the WIS did indeed target California servers. Thus, the court concludes that summary judgment must be GRANTED on the CDAFA claim for the same reasons as the CFAA claim.
Breach of Contract Claims
Judge Hamilton found NSO Group violated WhatsApp’s terms of service, dismissing the Israeli firm’s arguments and issuing a summary judgment for damages.
The court finds no merit in the arguments raised by defendants. Defendants do not dispute that they must have reverse-engineered and/or decompiled the Whatsapp software in order to develop the WIS, but simply raise the possibility that they did so before agreeing to the terms of service. However, as discussed above, defendants have withheld evidence regarding their agreement to the terms of service. Moreover, common sense dictates that defendants must have first gained access to the Whatsapp software before reverse-engineering and/or decompiling it, and they offer no plausible explanation for how they could have gained access to the software without agreeing to the terms of service. Accordingly, the court concludes that plaintiffs have sufficiently established breach.
Finally, as to damages, defendants do not dispute that plaintiffs incurred costs investigating and remediating defendants’ breaches, which are sufficient to establish the fourth and final element of a breach of contract claim. Accordingly, the court GRANTS summary judgment on plaintiffs’ claim for breach of contract.
Because the court has issued a summary judgment that “resolves all issues regarding liability, a trial will proceed only on the issue of damages.”
The Implications of WhatsApp’s Win
WhatsApp’s win is a major victory for users’ privacy, regardless of whether they use WhatsApp or not. Judge Hamilton’s decision sends a clear message to surveillance and spyware companies and reaffirms users’ reasonable expectation of privacy.
The decision was lauded by WhatsApp head Will Cathcart in an X post.
Hopefully Judge Hamilton’s decision will set a precedent that will make it more difficult for other surveillance and spyware companies to stay in business.