Is NSO Group Responsible for Misuse of Pegasus Spyware?

January 7, 2025

In an era where digital surveillance is a growing concern, recent developments surrounding the NSO Group and its infamous Pegasus spyware have highlighted significant ethical and legal dilemmas. The Israeli tech company’s spyware has drawn international scrutiny for its use by various state actors to surveil journalists, activists, and dissidents, despite its claims of combating terrorism and crime.

Founded in 2010 by Niv Carmi, Shalev Hulio, and Omri Lavie—former members of the Israeli Defense Forces’ elite Unit 8200—the NSO Group quickly garnered a reputation for its cyber capabilities. The company’s flagship product, Pegasus, allows clients to covertly infiltrate smartphones, gaining access to messages, calls, and other personal data. Despite its marketed purpose of fighting crime and terrorism, instances of misuse are well-documented.

Pegasus gained notoriety as a favored tool for oppressive regimes. A striking example includes the Saudi government’s use of the spyware to monitor interactions between journalist Jamal Khashoggi and fellow dissident Omar Abdulaziz. This surveillance reportedly contributed to the decision that led to Khashoggi’s murder in 2018, underscoring the potential for abuse of such powerful tools.

The controversy surrounding the NSO Group intensified in July 2021 with the Pegasus Project revelations. This collaborative investigation by over 80 journalists, involving 17 media organizations and civil society groups, with technical support from Amnesty International’s Security Lab, unveiled a list of 50,000 potential targets of Pegasus. This investigation spotlighted global espionage conducted using the spyware, raising alarms regarding privacy and human rights violations.

A critical legal development occurred on December 20, 2024, when Senior District Judge Phyllis J. Hamilton of the US District Court for the Northern District of California issued a ruling against the NSO Group. This case stemmed from a 2019 lawsuit filed by WhatsApp, accusing NSO of compromising around 1,400 mobile devices using Pegasus, thus violating federal and California state laws.

Throughout the legal proceedings, NSO displayed evasive behavior, often ignoring court orders and failing to present crucial information. Although some details on Pegasus installation were disclosed, they were predominantly under Israeli jurisdiction, remaining mostly inaccessible to the US legal system. Consequently, the court found NSO’s actions obstructive and non-compliant.

Judge Hamilton’s decision asserted that NSO had breached the federal Computer Fraud and Abuse Act in addition to California’s Comprehensive Computer Data Access and Fraud Act. Furthermore, the company violated WhatsApp’s terms of service by reverse-engineering and decompiling the application to develop a server that installed Pegasus, amplifying the severity of the infractions.

NSO argued that its clients were responsible for Pegasus deployment, not the company itself. However, WhatsApp demonstrated that NSO controlled the spyware’s operations, dismantling the argument that client sovereignty excused the company from liability. This ruling established that NSO’s unauthorized intrusions into digital devices constituted a violation of US laws.

This judgment against the NSO Group marked a significant milestone in holding the company accountable for its unethical practices. Both WhatsApp and various advocacy groups celebrated the ruling, signifying enhanced scrutiny and the possibility of regulatory changes within the spyware industry.

Despite these challenges, the NSO Group is expected to persist, albeit with heightened caution in its dealings, particularly in the US. This case underscores the need for stringent regulations in the burgeoning and largely unregulated spyware market.

In conclusion, the detailed examination of the NSO Group’s operations and the subsequent legal repercussions shed light on the complex challenges posed by advanced spyware within a global framework. The ruling not only impacted the NSO Group but also set a precedent for accountability in an industry characterized by opacity and the absence of oversight.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later