A federal judge in California ruled Thursday evening that Facebook’s lawsuit alleging that NSO Group technology was used to spy on thousands of WhatsApp users can move forward.
The decision marks a blow for the Israeli software surveillance company, which has vigorously denied the allegations and fought to get the suit thrown out of court. In allowing the case to move forward, the judge threw cold water on several of NSO Group’s arguments, leaving open the possibility the firm would have to reveal information about its clients and their spying targets.
A WhatsApp spokesperson applauded the decision.
“We are pleased with the Court’s decision permitting us to move ahead with our claims that NSO engaged in unlawful conduct. The decision also confirms that WhatsApp will be able to obtain relevant documents and other information about NSO’s practices,” the spokesperson told CyberScoop. “Today we are one step closer to holding NSO accountable for attacking WhatsApp and its users, including journalists, human rights activists, and government officials.”
The judge ruled that NSO Group lawyers cannot use the defense they said they had been planning, known as derivative sovereign immunity, which could have allowed them to keep details of their clients from the court. They had hoped to argue that because their clients are sovereign nations and therefore can’t face civil charges in the U.S., NSO Group should also face that same kind of immunity.
It was not clear what defense NSO Group now plans to use. An NSO Group spokesperson told CyberScoop in a statement the legal team is “reviewing the court’s decision, so we are not in a position to comment in detail at this time. Our technology is used to save lives and prevent terror and crime worldwide, and we remain confident that our conduct is lawful.”
The decision comes shortly after an Israeli judge decided to allow NSO Group to continue selling its technology outside of Israel.
NSO Group has long sought to distance itself from how its technologies are used, claiming repeatedly that the company is not involved in the operation of its spyware. The company has also claimed its technologies can only be used by governments’ intelligence agencies and law enforcement entities to fight terrorism and crime in an effort to dodge allegations about targeting of dissidents and journalists.
But the judge notes that NSO Group’s court filings thus far, including a declaration from CEO Shalev Hulio, have left some noticeable gaps that don’t dismiss NSO Group’s involvement in the alleged hacking via WhatsApp.
Namely, the judge takes aim at Hulio’s declaration, which claims NSO Group, “entirely at the direction of their government customers,” provides “advice and technical support” to clients in their operation of NSO Group’s signature spyware, Pegasus.
“[T]he declaration itself leaves open the possibility of defendants’ involvement in the intentional act,” the judge writes in the decision. “At this stage, the boundary between defendants’ conduct and their clients’ conduct is not clearly delineated or definitively resolved by the Hulio declaration.”
A key ruling from the judge also shows WhatsApp has the opportunity to make its case that NSO Group violated the Computer Fraud and Abuse Act. In particular, Facebook has alleged that NSO Group used WhatsApp’s servers “without authorization” to activate NSO Group’s malicious code.
“[D]efendants had permission to access a portion of the computer in question (the WhatsApp servers) but did not have permission to access other portions,” the judge writes.
The WhatsApp decision may be especially ominous for NSO Group because it comes just hours after Hulio appears to have revealed in an interview with German publication Die Zeit that NSO Group is able to keep track of clients’ spying targets, despite the company’s earlier statements that it cannot do so.
Hulio’s interview also appears to show a departure from previous company statements. Previously, NSO Group has denied allegations that its tech has been used to target journalists or human rights activists. Hulio told Die Zeit in the interview that target distinctions are not for the company to decide.
“Is a lawyer a legit target? A human rights activist, is he a legit target? Yes or no? A sixteen year old kid? The answer is: it depends,” Hulio told Die Ziet.
When reached for comment about the interview, an NSO spokesperson told CyberScoop that the company “is not privy to the identity of its law enforcement customers’ targets,” but that if NSO Group is “conducting investigations on potential misuses of the technology by customers … then and only then, we demand that our customers provide us with information relevant to the investigation.”
The WhatsApp lawsuit alleges that Bahrain, the United Arab Emirates, and Mexico, are customers of NSO Group. Just this week, allegations surfaced that NSO Group spyware has been used against Catalonia’s politicians, who have been fighting for independence in Spain. It is unknown who targeted the officials but the Spanish government was allegedly a customer of NSO Group’s, Vice News reported.
Amnesty International has alleged in recent days NSO Group spyware has been used against a journalist in Morocco.