Written by: Haim Ravia, Dotan Hammer
In a lawsuit brought by WhatsApp (owned by Meta) against NSO Group Technologies, the court granted partial summary judgment in favor of WhatsApp, finding NSO liable for violations of the federal Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and breach of contract.
NSO was accused of sending malware through WhatsApp’s system to surveil approximately 1,400 mobile phones and devices. The court determined that NSO’s actions constituted a violation of the CFAA by exceeding authorized access, as NSO’s “Pegasus” software exploited WhatsApp servers to obtain information from target devices. This was achieved through a modified version of the WhatsApp application called the “Whatsapp Installation Server” (WIS), which sent “cipher” files with “installation vectors” to surveil target users.
The court found that NSO’s conduct also violated the CDAFA, the state-level equivalent of the CFAA because NSO’s actions targeted California-based servers. The court concluded that NSO intentionally sent digital transmissions into California that resulted in a breach of a server located in the state. Additionally, NSO was found to have breached its contract with WhatsApp by violating its terms of service, including prohibitions against reverse engineering, sending harmful code, and collecting user information.
The court also granted sanctions against NSO for failing to produce necessary discovery, especially the Pegasus source code, in a usable format. NSO’s limited production of the Pegasus code, accessible only to Israeli citizens in Israel, was deemed non-compliant with discovery obligations. Due to this non-compliance, the court imposed evidentiary sanctions, including concluding that NSO purposefully targeted WhatsApp’s California-based servers.
The court rejected NSO’s arguments regarding lack of personal jurisdiction, finding that NSO purposefully directed its conduct at WhatsApp’s servers in California. The court clarified that NSO’s actions, such as sending the Pegasus code through California-based servers, established personal jurisdiction in the district. The court’s ruling sets the stage for a trial focused solely on the issue of damages, as liability has been established.
Click here to read the court decision in WhatsApp Inc. v. NSO Group Technologies Limited.
