A United States (US) federal court has ordered Israeli spyware company NSO Group to pay nearly US$170mn (million) in damages to WhatsApp and its parent company Meta, in a landmark ruling over the illegal surveillance of around 1,400 users using the notorious Pegasus software.
The jury awarded WhatsApp US$167.25mn in punitive damages and an additional US$444,719 in compensatory damages after finding that NSO Group’s hacking campaign in 2019 violated US and California laws, as well as WhatsApp’s terms of service.
This marks the first significant legal victory against a spyware company accused of facilitating illegal digital surveillance. WhatsApp filed the lawsuit in 2019 after uncovering that NSO had exploited a vulnerability in its video calling system to install spyware on the phones of users, including journalists, human rights activists and civil society workers.
“This is a historic win for privacy and security,” WhatsApp spokesperson Zade Alsawah says in a statement. “The jury’s decision to hold NSO accountable sends a powerful message that illegal surveillance will not be tolerated. It is a critical deterrent to a malicious industry built around targeting innocent people and undermining digital safety.”
NSO Group, whose Pegasus spyware has been linked to surveillance abuses across the world, has long claimed that its tools are only sold to vetted government agencies to combat serious crime and terrorism. However, the company has faced mounting criticism for enabling authoritarian regimes to target dissidents and political opponents.
Gil Lainer, NSO’s vice-president of global communications, signalled that the company intends to appeal. “We firmly believe that our technology plays a critical role in public safety and is used responsibly by authorised agencies. We will examine the verdict and pursue appropriate legal remedies,” he says.
The ruling brings to a close — pending an appeal — a five-year legal battle initiated by WhatsApp which argued that NSO’s unauthorised access to its servers caused not only technical harm but posed a grave threat to the privacy of users globally.
The case began in 2019 when WhatsApp, owned by Meta Platforms, discovered that the NSO group had exploited a vulnerability in its application to install Pegasus spyware on approximately 1,400 devices. The targets included journalists, human rights activists and political dissidents. WhatsApp subsequently filed a lawsuit accusing NSO Group of violating the Computer Fraud and Abuse Act and breaching its contractual terms. (Read:
California Court Holds NSO Group Liable for Hacking WhatsApp in Spyware Case: Report)
In response to the judgement, Meta announced plans to seek a court order to permanently block NSO from targeting WhatsApp users in the future. The company also pledged to donate to digital rights groups and publish deposition transcripts from NSO executives to aid research into the global spyware ecosystem.
NSO Group was added to the US department of commerce’s entity list in 2021, restricting its business with American companies. The European Parliament has also launched inquiries into the use of Pegasus spyware within the bloc.
Although Apple also filed a lawsuit against NSO over similar concerns, it dropped the case last year amid fears that sensitive user data could be exposed during litigation.
On 20 December 2024, a California district judge ruled that the Israeli company making spyware known for the famous Pegasus spyware, which was also found illegally injected in the phones of many Indian activists, had breached hacking laws and the terms of its service agreement with WhatsApp to infiltrate over 1,000 devices.
Last month, the Supreme Court (SC) of India remarked that there was nothing wrong with the country using spyware for its security, but allegations of it being used against private individuals will be looked at.
In reference to the ongoing security situation in the country, the SC remarked that one must be careful in these times.
When a lawyer submitted that nothing was stopping the state from using the spyware if it had been purchased, the SC said, "What is wrong if the country is using that spyware against the adverse elements? To have a spyware, nothing wrong... We cannot compromise and sacrifice the security of the nation. Private civil individual, who have right to privacy, will be protected under the Constitution... their complaint with regard to that [can always be looked at]."
The SC also remarked that the expert committee report on the alleged misuse of the spyware cannot be made public, thereby turning it into a matter of discussion on the streets.
In 2021, an international consortium of news outlets, including the Indian news portal The Wire, had released a series of reports indicating that the said software may have been used to infect the mobile devices of several persons including Indian journalists, activists, lawyers, officials, a former SC judge and others.
The reports had referred to a list of phone numbers that were selected as potential targets. On analysis by a team from Amnesty International, some of these numbers were found to have traces of a successful Pegasus infection, while some showed attempted infection, the reports had said.
