Horrifying WhatsApp unauthorised access

Jan 23 2023

US supreme court lets WhatsApp pursue Pegasus spyware lawsuit

Court rejects NSO claim it could not be sued because it was acting as agent for unidentified foreign governments

NSO Group logo is shown on a smartphone
NSO has argued that Pegasus helps law enforcement and intelligence agencies fight crime and protect national security. Photograph: Dado Ruvić/Reuters


Mon 9 Jan 2023

The US supreme court has let Meta Platforms Inc’s WhatsApp pursue a lawsuit accusing Israel’s NSO Group of exploiting a bug in its WhatsApp messaging app to install spy software allowing the surveillance of 1,400 people, including journalists, human rights activists and dissidents.

The justices turned away NSO’s appeal over a lower court’s decision that the lawsuit could move forward. NSO has argued that it is immune to being sued because it was acting as an agent for unidentified foreign governments when it installed the Pegasus spyware.

Joe Biden’s administration had urged the justices to reject NSO’s appeal, noting that the US state department had never before recognised a private entity acting as an agent of a foreign state as being entitled to immunity.

Meta, the parent company of both WhatsApp and Facebook, in a statement welcomed the court’s move to turn away NSO’s “baseless” appeal.

“NSO’s spyware has enabled cyber-attacks targeting human rights activists, journalists and government officials,” Meta said. “We firmly believe that their operations violate US law and they must be held to account for their unlawful operations.”

A lawyer for NSO did not immediately respond to a request for comment.

WhatsApp in 2019 sued NSO seeking an injunction and damages, accusing it of accessing WhatsApp servers without permission six months earlier to install the Pegasus software on victims’ mobile devices.

NSO has argued that Pegasus helps law enforcement and intelligence agencies fight crime and protect national security and that its technology is intended to help catch terrorists, child abusers and hardened criminals.

In court papers, NSO said WhatsApp’s notification to users scuttled a foreign government’s investigation into an Islamic State militant who was using the app to plan an attack.

In one notorious case, NSO spyware was used – allegedly by the Saudi government – to target the inner circle of Washington Post journalist Jamal Khashoggi shortly before he was murdered at the Saudi consulate in Istanbul.

NSO appealed against a trial judge’s 2020 refusal to award it “conduct-based immunity”, a common law doctrine protecting foreign officials acting in their official capacity.

Upholding that ruling in 2021, the San Francisco-based 9th US circuit court of appeals called it an “easy case” because NSO’s mere licensing of Pegasus and offering technical support did not shield it from liability under a federal law called the Foreign Sovereign Immunities Act (FSIA), which took precedence over common law.

WhatsApp’s lawyers said that private entities like NSO are “categorically ineligible” for foreign sovereign immunity.

The Biden administration in a filing in November said the 9th circuit reached the right result, even though the government was not ready to endorse the circuit court’s conclusion that FSIA entirely forecloses any form of immunity under common law.

According to court papers, the accounts of 1,400 WhatsApp users were accessed using the Pegasus tracking software, secretly using their smartphones as surveillance devices.

An investigation published in 2021 by 17 media organisations, led by the Paris-based non-profit journalism group Forbidden Stories, found that the spyware had been used in attempted and successful hacks of smartphones belonging to journalists, government officials and human rights activists on a global scale.

The US government in November 2021 blacklisted NSO and Israel’s Candiru, accusing them of providing spyware to governments that used it to “maliciously target” journalists, activists and others.

NSO also is being sued by iPhone maker Apple , accused of violating its user terms and services agreement.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: