WhatsApp’s Victory Over Spyware Titan: the Takedown of Pegasus
WhatsApp has triumphed in a major legal battle against NSO Group, forcing the Israeli company to disclose the workings of Pegasus, a spyware program implicated in the unauthorized surveillance of 1,400 Americans, marking a decisive step forward in the fight for digital privacy and security.
WhatsApp, a messaging app owned by Meta, has won a major legal battle against NSO Group, an Israeli company that makes very powerful spyware. A US judge has ordered NSO Group to hand over to WhatsApp the code behind Pegasus, its most famous spyware, and other surveillance tools. This is part of a lawsuit that WhatsApp started in 2019 after it discovered that NSO’s spyware had been used to spy on 1,400 of its users.
Pegasus is a tool that can infiltrate any phone and access calls, emails, photos, location, and private messages without the owner’s knowledge. NSO Group sells this software primarily to governments, and it has been used in several countries to target activists, journalists, and others. Although NSO claims its products are designed to help fight crime and protect national security, their use has raised serious privacy and human rights concerns.
The judge’s decision means that NSO Group will have to share details about how its spyware works with WhatsApp, but it won’t have to reveal who its customers are or specific details about its servers. The ruling is seen as a big step for WhatsApp in protecting its users from illegal surveillance. NSO Group, which is heavily regulated by the Israeli government and was blacklisted by the Biden administration in 2021 as a threat to US national security, has not commented on the court’s decision. The case is still pending.
Background and Parties Involved
The dispute involves WhatsApp Inc. and Facebook Inc. (plaintiffs) against NSO Group Technologies Limited (defendant), focusing on allegations of unauthorized access and distribution of spyware. WhatsApp, a messaging service owned by Facebook, accuses NSO Group, an Israeli technology firm, of exploiting its platform to distribute malicious software to surveil certain WhatsApp users.
This case raises significant concerns about digital privacy, cybersecurity, and the implications of government surveillance technologies being used against individuals without authorization. It sets a critical precedent for how legal frameworks address and potentially regulate the use of such technologies in global digital communications.
Legal Claims and Allegations
The legal claims and allegations revolve around WhatsApp and Facebook accusing NSO Group of illegally using WhatsApp’s platform to distribute spyware. The claims include:
- Violations of the Computer Fraud and Abuse Act (CFAA). This federal law prohibits unauthorized access to computers and networks; the allegation is that NSO Group accessed WhatsApp’s servers without permission to inject spyware.
- California’s Comprehensive Computer Access and Fraud Act. Similar to the CFAA, but at the state level, this law targets unauthorized computer access and data theft within California. WhatsApp argues that NSO Group’s actions constitute unauthorized access and use under this law.
- Breach of Contract. WhatsApp alleges that NSO Group violated WhatsApp’s Terms of Service, which strictly prohibit misuse of the platform, including the use of malicious software.
- Trespass to Chattels. This common law tort involves interfering with another’s possession of personal property. WhatsApp alleges that NSO’s spyware not only invaded privacy, but also interfered with its proprietary software and users’ devices, amounting to trespass to chattels.
Analysis of the Richmark Factors
The analysis of the Richmark Factors (Richmark Corp. v. Timber Falling Consultants (1991)) in the court’s decision involves a methodical approach to evaluating whether certain discovery requests should be compelled, particularly in cases involving foreign laws or parties. Here’s a breakdown of the approach:
- Importance of the Information. The court first considers how crucial the requested documents or information are to the investigation or litigation. This means assessing whether the information being sought is likely to be significant in determining the outcome of the case or in understanding the matters at issue.
- Specificity of the Request. The court looks at how detailed and targeted the discovery request is. A request must not be overly broad or vague; it should clearly specify the information needed, helping to ensure that the discovery process is efficient and relevant to the case.
- Origin of the Information. The court considers whether the information or documents requested originated in the United States. This factor is particularly relevant in international disputes or when foreign laws might affect the discovery process.
- Availability of Alternatives. If there are other ways to obtain the needed information that might be less burdensome or contentious, the court will consider these alternatives. This could mean looking for the information from other sources or through less invasive means.
- Impact of Compliance or Non-Compliance. The court assesses the consequences of either complying with the discovery request or failing to do so. This includes consideration of how noncompliance might undermine important interests of the United States or how compliance might affect the interests of the state in which the information is located, particularly if foreign law is involved.
In applying these factors to the case at hand, the court seeks to balance the need for disclosure with respect for international legal norms and the potential burden on the parties involved. Particular emphasis is placed on the first two factors — the importance of the request to the litigation and the degree of specificity of the request.

Discovery Compliance and International Considerations
The discovery compliance and international considerations part of the court’s decision revolves around the challenges and legal intricacies of enforcing discovery requests across different jurisdictions, especially when it involves international laws and parties from different countries:
- The court reviewed the defendants’ obligations to comply with discovery requests under both U.S. and Israeli laws. Despite various restrictions, the court decided not to grant a complete exemption from all discovery but allowed for partial exemptions based on specific criteria, emphasizing the Richmark factors for considering compliance in light of foreign statutes.
- In deciding the extent to which foreign laws may excuse non-compliance with discovery orders, the court focused on two main factors from the Richmark decision (discussed in the previous section): the importance of the requested documents or information for the litigation, and the specificity of the discovery requests. The court aimed to ensure that only necessary and specifically targeted information would be subject to discovery, reducing the burden on the defendants while still allowing the plaintiffs to access crucial evidence.
- The court made several key decisions regarding the scope of discovery:
  - (i) Spyware Production: It required the defendants to produce versions and functionalities of the alleged spyware, specifying that all relevant spyware targeting WhatsApp servers or using WhatsApp in any way should be included.
  - (ii) Client Identities: The court determined that the identities of the defendants’ third-party clients (i.e., who used the spyware) did not need to be disclosed. The rationale was that understanding the actions taken by these third parties did not necessitate knowing their specific identities, as long as the role of the defendants in any alleged misuse of spyware could be investigated.
  - (iii) Server Architecture: The court concluded that specific information about the defendants’ server architecture was not required at the current stage of litigation. This decision was based on the assessment that understanding the full functionality of the alleged spyware (which was to be disclosed) would suffice for the plaintiffs’ purposes without needing to delve into the technical specifics of the server setup.
Court’s Rulings on Motions
The court made several key rulings on various motions related to the discovery process and case management:
- Plaintiffs’ Motion to Compel Discovery (Dkt. 236). This motion was GRANTED in part and DENIED in part. The court agreed to some of the plaintiffs’ requests for information from the defendants, which were deemed important and specific enough under the guidelines provided by the Richmark factors. Specifically, the court required the defendants to produce information regarding versions and functionalities of the spyware in question, as it was relevant to the case. However, the motion was not fully granted, indicating that some requests were likely deemed too broad, insufficiently specific, or otherwise not meeting the threshold for compelled discovery.
- Defendants’ Motion to Compel Discovery (Dkt. 240). This motion was DENIED. The defendants sought documents related to plaintiffs’ communications with a third-party witness (Citizen Lab) and internal documents relating to the identification of users allegedly targeted by the defendants’ software. The court found that the defendants did not demonstrate how these requests were relevant under Rule 26(b)(1) to the claims or defenses in the case, especially considering the causes of action that remained operative.
- Defendants’ Motion for Relief from Case Management Schedule (Dkt. 265). This motion was GRANTED, allowing the defendants an approximately six-month extension for discovery deadlines and extended deadlines for summary judgment and trial. The court’s decision to grant this motion suggests recognition of the complexities involved in the case, possibly including the volume of information to be reviewed or the challenges of coordinating across jurisdictions.
- Motions to Seal (Dkt. 235, 239, 249, 257, 260, 264, 272, 276). All motions to seal filed by the parties were GRANTED. This means that certain documents or information submitted to the court will be kept confidential and not made available to the public, likely due to privacy concerns or the sensitivity of the information contained within those documents.

Implications for Digital Surveillance and Cybersecurity
At the heart of this issue is a fundamental question: Do Americans want to be watched without their consent by an entity from another country, in this case an Israeli company? This touches on deep concerns about people’s right to privacy and the invisible lines that are crossed in the digital world.
The American legal system and government are at a crossroads. They need to think hard about what kind of society people want to live in. Are people willing to sacrifice their privacy? Or do they believe that freedom includes the right to be unseen unless they have given their permission?
America’s legal framework must evolve. It must ensure that, in guarding against threats, the country does not become a society where surveillance (especially foreign surveillance) without consent becomes the norm.
Disclaimer
The information provided in this article is for informational and educational purposes only and is not intended to serve as legal advice or as a substitute for legal counsel. While efforts have been made to ensure the accuracy and completeness of the content herein, it is important to note that legal principles and regulations can vary significantly based on jurisdiction and specific circumstances. Therefore, this article should not be used as a definitive legal resource or as a basis for making legal decisions. Readers are strongly advised to consult with a qualified attorney for advice on legal issues or matters, as each individual case may require detailed and personalized legal analysis.
Reliance solely on the information provided in this article without seeking professional advice from an attorney may lead to unintended legal consequences or misinterpretation. The author and publisher of this article do not accept responsibility for any potential errors or omissions, nor will they be responsible for any losses, injuries, or damages arising from its display or use. The information provided here does not create an attorney-client relationship between the reader and the author or publisher.
