Date: 5/3/2024
Where:
US, Israel
Who’s involved:
US District court, NSO Group, Meta corporation
What happened?
On 04/03/2024, NSO Group, the Israeli software developer behind the infamous Pegasus spyware, was ordered by a U.S. judge to disclose the program’s code to Meta, the owner of WhatsApp and Facebook. This would allow Meta to reverse-engineer the software and figure out how to prevent future vulnerabilities.
Pegasus is a powerful piece of what’s been called “mercenary spyware” due to its capabilities for deep surveillance, enabling unauthorized access to a target's mobile device data, including calls, messages, and location. It has been active since at least 2016.
Despite NSO Group’s claims that it should have immunity, the U.S. Supreme Court decided that the company was acting as an agent of a foreign government, and therefore subject to the California court’s rulings.
The software has been sold to law enforcement agencies and governments around the world, and violates numerous laws and regulations, particularly within the European Union and North America.
The specific case was brought to a district court in California to address Pegasus’ use against 1,400 WhatsApp users in 2019.
The case is part of an ongoing legal struggle between Meta and NSO Group. Meta is holding NSO Group responsible for the propagation of Pegasus over Meta’s platforms.
Analysis
The Pegasus spyware has been at the center of global controversy due to its use by governments and government contractors against human rights defenders, journalists, and political opponents. This accusation has been prominently lodged against the governments of India and Israel.
Its existence was first established when a 2016 investigation by Citizen Lab and Lookout Security released the technical analysis of a novel spyware found on the phone of a UAE-based human rights activist.
In December 2023, forensic investigations found evidence of Pegasus spyware on the iPhones of Siddharth Varadarajan of The Wire and Anand Mangnale of The Organized Crime and Corruption Reporting Project (OCCRP). Both were critical of the Indian government.
In 2021, leaked documents indicated that over 1,000 Indian phone numbers were targeted by Pegasus. Among those targeted were Prime Minister Modi's main rival, Rahul Gandhi, and several other opposition politicians and activists. The government refused to cooperate with further inquiries.
Other governments credibly accused of abusing Pegasus include Azerbaijan, Morocco, Kazakhstan, and Thailand.
Pegasus has used various methods to infect target devices, including spear-phishing text messages or emails, exploiting vulnerabilities in network infrastructure, and zero-click attacks. Zero-click attacks are particularly insidious as they require no interaction from the device owner. For example, Pegasus has exploited vulnerabilities in WhatsApp and iMessage to infect devices without user interaction.
Once installed, Pegasus can perform a wide range of surveillance activities. It can access text messages, emails, and chats; activate the camera and microphone for recording; track the device location; and gather information from apps.
Conclusion
The legal pursuit against Pegasus underscores the challenges and implications surrounding cybersecurity, state-sponsored surveillance, and the responsibilities of private companies in combating misuse of their platforms.
This decision in the case of Meta vs. NSO Group poses the most potent legal challenge to the spyware to date. Those championing privacy and digital rights might be critical of the fact that this blow to NSO Group is coming from Meta, which itself has a poor reputation within the information security sector. Even so, the corporation’s vast resources and influence will likely have an impact on how these proceedings play out. There is an incentive within Meta to use this case to repair the reputational damage that various accusations of “spying” have inflicted on its products and services.
NSO Group and similar organizations have been involved in what’s been called the “hack-for-hire” industry. This particular sector within the cybersecurity realm is understandably secretive, and blurs the line between private and government actors within offensive cyber practices. While Pegasus has given NSO Group its own highly destructive reputation, the company is only the first of many organizations deserving of further scrutiny by those concerned with their organization’s security and individuals’ civil liberties.