The US Supreme Court gave the green light on Monday for WhatsApp to pursue a lawsuit against NSO Group, the Israeli surveillance company, for installing the Pegasus spyware on roughly 1400 devices where WhatsApp was also installed.
More specifically, the court has ruled that WhatsApp is allowed to sue for damages ensued by the malicious installation of the spyware.
The ruling represents a substantial victory for the Meta subsidiary, which had unsuccessfully attempted to challenge NSO Group’s alleged activities in the past.
“NSO’s spyware has enabled cyber-attacks targeting human rights activists, journalists, and government officials,” said WhatsApp spokesperson Carl Woog. “We firmly believe that their operations violate US law, and they must be held to account for their unlawful operations.”
According to Andrew Barratt, vice president at Coalfire, the ruling could also serve to be an interesting precedent for public/private sector engagement when it comes to potential exploit weaponization.
At the time of writing, NSO Group denied involvement in human rights abuses or illegal activities. It stated that its products are designed to help law enforcement agencies fight crime and terrorism.
The company has also asked to be recognized as a foreign government agent and as such entitled to immunity under US law limiting lawsuits against foreign countries.
“Done under contract with a government this could be seen purely as an outsourced software development relationship,” Barratt told Infosecurity.
“However, actively operating the tools is akin to simultaneously operating private military contractors. Trying to leverage the ‘agent of a government’ isn’t likely to give any legal cover if that government hasn’t taken accountability for the actions done on their behalf.”
The Biden administration also acted following this line of thought, recommending that the court turn away the appeal. In this regard, the Department of Justice said NSO was not entitled to immunity.
“Whether or not it will lead to further rulings on ‘cyber weapons’ or these outsourced operations remains to be seen, but private companies could very quickly end up being a proxy for plausible deniability of other governments that are not clear allies of the West,” Barratt added.
“This certainly won’t be immune to the US legal system and serves as a good reminder as to why, as a security testing firm, we go to great lengths to have clearly defined rules of engagement and contractual permission to operate.”
Case in point, NSO Group also has been blacklisted by the US Commerce Department, which has limited its access to American technology.