Federal Judge Says NSO Group Violated CFAA, Holds It Liable For Malware Delivered Via WhatsApp’s Servers

WhatsApp has scored a limited win in its lawsuit against NSO Group. The allegations were that NSO used WhatsApp’s servers — located in California — to deliver its malware to targeted devices. NSO argued several things and failed in almost every case, including the deployment of diametrically-opposed assertions. First, it argued it couldn’t be held directly liable for the acts of its customers. Then it argued it should be granted the same sovereign immunity awarded to the governments that purchased its products.

All of this failed. NSO Group was also ordered to turn over the source code of its most powerful malware — the zero-click malware known as “Pegasus” — to WhatsApp so it could examine it for proof of its misuse of the company’s servers, as well as the messaging service itself. NSO did not comply with these orders. In fact, it even asked the Israeli government to intervene, but notably not by asking it to file a motion in court. Instead, it basically begged the government to raid its offices and seize anything it didn’t want to end up in the hand of litigants, which at that point also included Apple.

The win here is limited. And while it does seem to expand the definition of unauthorized access that has so often been a problem in CFAA cases, it only does so because NSO refused to make the source code available to WhatsApp, which means the court has to assume Whatsapp’s allegations are true because NSO is unwilling to prove them false. (And that’s assuming the source code would prove these allegations false. There’s a good chance it wouldn’t.) Here’s a short summary from Reuters:

A U.S. judge ruled on Friday in favor of Meta Platforms’ WhatsApp in a lawsuit accusing Israel’s NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.

U.S. District Judge Phyllis Hamilton in Oakland, California, granted a motion by WhatsApp and found NSO liable for hacking and breach of contract.

The case will now proceed to a trial only on the issue of damages, Hamilton said. NSO Group did not immediately respond to an emailed request for comment.

The damages trial that will be moving forward is directly due to NSO’s refusal to comply with discovery orders, as the court notes in its decision [PDF]:

Overall, the court concludes that defendants have repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery. Most significant is the Pegasus source code, and defendants’ position that their production obligations were limited to only the code on the AWS server is a position that the court cannot see as reasonable given the history and context of the case. Moreover, defendants’ limitation of its production such that it is viewable only by Israeli citizens present in Israel is simply impracticable for a lawsuit that is to be litigated in this district.

Accordingly, the court concludes that plaintiffs’ motion for sanctions must be GRANTED.

Yep, that’s right. NSO promised to produce the code but insisted it could only be viewed by an Israeli citizen on Israeli soil — a pretty bold move considering this case involved a California company and its California servers.

So, the first of the evidentiary sanctions is this: the court accepts WhatsApp’s allegations as true and rules accordingingly:

The court concludes that, because defendants did not produce Pegasus code in a way that was meaningfully accessible to plaintiffs or to the court, plaintiffs were unable to obtain detailed evidence of how the WIS chose which server(s) to use, and thus, an evidentiary sanction is warranted such that the court will conclude that the use of plaintiffs’ California based servers was a purposeful choice made by defendants.

As for the CFAA claims, the court says both parties are hung up on a semantic argument about whether or not the distribution of malware via WhatsApp messages (and, necessarily, utilizing the company’s servers to distribute the spyware) was “without authorization” or “exceeded authorization.” The court says it’s the latter. Sending messages to WhatsApp users is “authorized” because that’s the entire purpose of the platform. However, extracting device info, data, and communications “exceeded” authorization because NSO’s malware utilized WhatsApp’s servers to perform these extractions.

As the parties clarified at the hearing, while the WIS [WhatsApp Installation Server] does obtain information directly from the target users’ devices, it also obtains information about the target users’ device via the Whatsapp servers. See Dkt. 464 at 44 (“before Pegasus is on the device, in the process of getting the Pegasus agent installed on the target device, there is a whole lot of signaling that goes on. . . . They had to fingerprint the device which used a pretty sophisticated set of messaging to get information back to the WIS via the Whatsapp servers about the precise operating system and memory structure of the [target] phone.”); see also Dkt. 399-2 at 27 (“NSO also obtained information via the Whatsapp servers from the target device, such as the structure of its operating system and the location of crucial memory files, which a regular Whatsapp user using the Whatsapp client app cannot obtain.”).

The analysis for [CFAA] section (a)(4) is largely the same, as it uses the same statutory definition found in section (e)(6). Plaintiffs argue that the information’s value is established by defendants’ clients’ willingness to pay for Pegasus. Defendants challenge the mens rea showing for the ‘intent to defraud’ (as well as the ‘intent’ requirement of section (a)(2)), but the fact that defendants redesigned Pegasus to evade detection after plaintiffs first fixed the security breach is enough to prove intent.

All that’s left to be decided is how much NSO Group owes WhatsApp. Any expansion of CFAA authorized access definitions seems to be tempered by the specific facts of this case: namely, that accepting WhatsApp’s assertions was the only option left when NSO refused to comply with discovery. If it had, the ruling might have gone a different way. I assume NSO feels better about paying damages than opening up its malware for examination by opposing litigants. Hopefully this will deter NSO from resurrecting its mostly-dormant malware division, but hope seems to spring eternal for companies with no shortage of malicious governments willing to pay top dollar for effective malicious software.