Arthur Willoughby
NSO group, the creators of the highly sophisticated Pegasus spyware, have been ordered by a US district court to hand over their source code as part of discovery in a lawsuit by WhatsApp. The ruling, which came at the end of February, is a major development in a slow-moving, highly publicised case, finally forcing NSO to reveal the functionality of its immensely powerful, yet highly secretive malware.
The plaintiffs, WhatsApp, claim that the NSO group used the WhatsApp system to transmit the Pegasus spyware to approximately 1,400 devices in early 2019, with the explicit intention of covertly surveilling device users. NSO’s previous motions to deflect legal accountability have now been rejected by the California court, sending a strong statement to the surveillance industry that it cannot continue to enable spyware abuse without facing repercussions.
In a statement on the 23rd of February, Judge Phyllis Hamilton declared, "The court rejects defendants’ argument that their production should be limited to the installation layer of the alleged spyware, and instead concludes that defendants must produce information concerning the full functionality of the relevant spyware. The complaint contains numerous instances alleging not only that spyware was installed on users’ devices, but also that information was accessed and/or extracted from those devices."
The ruling stipulates that NSO must now provide WhatsApp with all relevant code in the years before and after the alleged two-week attack, as well as disclose the spyware’s full functionality. The ruling, however, does not compel NSO to reveal any information about its third-party clients or specific server architecture information. Amnesty international have labelled this disappointing, bemoaning the fact that the “NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret.”
Regardless, the ruling is a major milestone in the story of the Pegasus software, which has been connected to numerous human rights violations since its creation in 2011. NSO claims that it provides "authorized governments with technology that helps them combat terror and crime”, but the technology has immense capabilities that allow complete access into a user’s text messages, photos, emails, videos, contact lists etc., and can even secretly turn on the device’s microphone and record without user knowledge.
An investigation by 17 news organisations revealed that more than 1,000 individuals from over 50 countries were targeted by the software since 2016. Crucially, the list included 189 journalists, more than 600 politicians and government officials, and several heads of states, amongst them French President Emmanuel Macron, South African President Cyril Ramaphosa, and the former Prime Minister of Pakistan Imran Khan.
For WhatsApp – a company which has branded itself on its distinct end-to-end encryption service that protects the privacy of its users – this latest ruling has undoubtedly brought great relief. The Pegasus spyware’s capacity to covertly install itself on any IOS or Android device represented a serious threat to their business model, and thus the ruling should come as positive news to both META and WhatsApp users worldwide.
Questions remain, however, as to the extent to which this ruling will limit the Israeli-based NSO group’s capacity to sell this powerful technology to foreign governments and malicious agents in the years to come. Pegasus still represents an immensely powerful technology, and, as of yet, it remains uncertain which actors have used it to pursue their own goals, and against who.