Israeli Spyware Company, NSO, Faces $168-Million Judgement in Hacking Case

A California jury issued a $168-million judgement against the Israeli spyware company, NSO Group, in a case brought by Meta, the owner of Whatsapp.  Nearly a decade ago, forensic investigators discovered that NSO’s hacking tool, Pegasus, was used by an unnamed client (likely Saudi Arabia) to hack the Whatsapp accounts of 1,400 customers.  Though we don’t know which specific individuals were targeted, they were considered opponents of the ruling regime.

The digital rights NGO, Access Now, has led the legal fight. It released this statement:

Today’s verdict against NSO is an enormous victory for digital rights and for victims of Pegasus spyware around the world. Congratulations to Meta for sticking with their lawsuit and holding NSO to account. We urge other companies whose infrastructure and users are targeted by NSO and other spyware companies to explore filing similar legal actions.

NSO’s spyware is notorious for the nefarious uses made by repressive, and even democratic regimes.  It was once declared one of the world’s 20 “worst digital-predators.” Clients have included Spain, India, Rwanda, Russia, Saudi Arabia, Mexico and nearly 50 others.  Victims have included human rights lawyers, political activists, journalists, and NGOs.  They first detected its use in 2016.

Pegasus was used to track a colleague of Jamal Khashoggi and permitted the Saudis to pinpoint his location before they murdered him.  Mexican journalists targeted by the spyware were tracked and murdered.  Other victims included Mexican journalists and lawyers representing the families of a group of students murdered by police.

Pegasus was used by an African country to intercept the communications of US diplomats there.  As a result, the Biden administration added the company to a commercial blacklist which prohibited it from selling its technology to US companies.  This essentially shut down its ability to do business here and took a hit from its bottom line.

One of NSO’s primary defenses was that its technology had beneficial uses, including tracking terrorists and drug cartels.  It also developed a COVID tracking app which it marketed as a tool to protect people and save lives.  These are prime examples of techwashing, Israel’s exploitation of “beneficial” uses of technology like Pegasus, to deflect from its disastrous impact on its victims.

NSO also declared it was not at fault for any irresponsible uses of its spyware, as it did not monitor how clients deployed it.  Since they used NSO servers as part of the hacking process, it would not have been difficult for the company to do so. It chose not to precisely in order to avoid liability.

Access added this statement after an earlier legal victory:

The District Court decision is a major sign for spyware companies around the world that the period of impunity is winding down. We call on other tech companies as well as governments to use judicial mechanisms and other tools at their disposal to hold spyware companies accountable for illegal conduct and to ensure respect for human rights across the industry.

NSO had prolonged the case, which lasted six years, due to delaying motions and appeals, all of which were denied by multiple courts including the Supreme Court, which declined to hear the case.  After the US district judge in the case found that NSO was responsible for the hack, it went to a jury which assessed the extraordinary judgement.

Another tactic it used to techwash its activities, was to devise what Access Now labeled a “sham” human rights code of ethics, which contained all the right sound bytes about its adherence to a strict standards of conduct. However, there’s little evidence this had any impact on its business practices.

The company has had a checkered financial past.  As with all high tech startups, its founders anticipated a big payday by selling the company to investors.  At one time, it was considered a unicorn with a $2-billion valuation.  A 2019 management buyout, valued NSO at $1-billion. However, its recent woes and current legal predicament that has undoubtedly substantially reduced it.  Several companies, venture capitalists, and an investment fund did, at various times, take a controlling interest. It’s not clear whether they reaped any profits.

NSO’s lenders forced it into bankruptcy in 2023.  This judgment will inflict further financial damage.  It’s not clear whether bankruptcy would cancel this liability.  The company is considering whether to appeal the verdict.

Despite this court victory–and even if NSO Group dissolves or is absorbed into another company–Pegasus remains a valuable asset.  Others will devise ways to exploit it for financial profit. It is the zombie tech that will never die.