Meta Awarded $167m in Court Battle with Spyware Mercenaries

A California court has ordered Israeli spyware merchant NSO Group to pay a staggering $167.25 million in punitive damages, and $444,719 in compensatory damages, for enabling state-backed hacks of mobile devices belonging to 1,400 users of Meta’s WhatsApp messaging service.

The judgment, handed down this week in a federal courthouse, comes five months after US district judge Phyllis Hamilton ruled in favour of Meta in the case, having reviewed evidence that NSO’s Pegasus code had transited WhatsApp’s California-based servers 43 times during May 2019 after exploiting a vulnerability, CVE-2019-3568, in the WhatsApp voice calling feature.

The court had also ruled NSO infringed WhatsApp’s terms of service by using it for malicious or illegal purposes. This ruling is a significant victory for Meta, which has been fighting against the use of Pegasus spyware, known to have been used in numerous high-profile hacking incidents, including the murder of a Washington Post journalist.

Beyond NSO, Meta faces challenges from other spyware vendors who provide malicious exploits for instant messaging apps, mobile browsers and operating systems. However, this ruling sends a strong message that companies like NSO will face consequences for their actions.

"This verdict is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone," said a Meta spokesperson in a blog post. "Today, the jury's decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve."

"For the first time, this trial put spyware executives on the stand and exposed exactly how their surveillance-for-hire system – shrouded in so much secrecy – operates. Put simply, NSO’s Pegasus works to covertly compromise people’s phones with spyware capable of hoovering up information from any app installed on the device," said Meta.

"This verdict sends a clear message to spyware companies that targeting people through US-based platforms will come with a high price. It underscores the importance of US institutions protecting the digital infrastructure and individuals that rely on it from unlawful surveillance," added Michael De Dora, US policy and advocacy manager at Access Now.

Carolyn Crandall, CMO at AirMDR, described this ruling as a defining moment for accountability in cyber security. While she praised Meta's victory, she also noted that the ruling opens up potentially difficult new questions for some organisations, such as how to govern and distribute dual-use software like Mimikatz.

"By holding a spyware vendor liable for how its tools were used, the court has drawn a clear line between those who knowingly enable illicit hacking and those who build dual-use defensive solutions in good faith," said Crandall. "But it also raises an important question: where will courts draw that line next? As more cyber security tools blur the boundary between offence and defence, transparency and intent will become defining factors."

In a statement shared with Courthouse News, NSO’s Gil Lanier claimed that his technology plays a critical role in stopping serious crime and terrorism, has been "deployed responsibly" by governments, and has saved many lives. The company maintains its intention to appeal this ruling.

Meta said it intends to collect the awarded damages from cash-strapped NSO but also plans to make a significant donation to digital rights organisations that have been working tirelessly to expose the activities of mercenary spyware firms and provide guidance and protection to at-risk users.