On Monday, the United States Supreme Court granted Meta Platforms Inc’s WhatsApp permission to pursue a lawsuit accusing Israel’s NSO Group of exploiting a bug in the WhatsApp messaging app to install spy software that allowed the surveillance of 1,400 people, including journalists, human rights activists, and dissidents.
The justices denied NSO’s appeal of a lower court’s decision to allow the lawsuit to proceed. NSO claimed that it was not liable because it was acting as an agent for unidentified foreign governments when it installed the “Pegasus” spyware.
The administration of President Joe Biden had urged the justices to reject NSO’s appeal, noting that the US State Department had never before recognized a private entity acting as an agent of a foreign state as entitled to immunity.
In a statement, Meta, the parent company of both WhatsApp and Facebook, praised the court’s decision to dismiss NSO’s “baseless” appeal.
“NSO’s spyware enabled cyberattacks against human rights activists, journalists, and government officials,” Meta explained. “We are convinced that their operations violate US law, and they must be held accountable for their illegal activities.”
A lawyer for NSO did not respond immediately to a request for comment.
WhatsApp sued NSO in 2019 for an injunction and damages, accusing it of illegally accessing WhatsApp servers six months earlier to install the Pegasus software on victims’ mobile devices.
According to NSO, Pegasus assists law enforcement and intelligence agencies in combating crime and protecting national security, and its technology is intended to aid in the capture of terrorists, pedophiles, and hardened criminals.
According to court documents, NSO claimed that WhatsApp’s notification to users thwarted an investigation by a foreign government into an Islamic State militant who was using the app to plan an attack.
NSO spyware was allegedly used by the Saudi government to target the inner circle of Washington Post journalist Jamal Khashoggi shortly before he was murdered at the Saudi consulate in Istanbul.
NSO filed an appeal in 2020 against a trial judge’s refusal to grant it “conduct-based immunity,” a common law doctrine that protects foreign officials acting in their official capacity.
The San Francisco-based 9th U.S. Circuit Court of Appeals upheld that ruling in 2021, calling it an “easy case” because NSO’s mere licensing of Pegasus and offering technical support did not shield it from liability under a federal law known as the Foreign Sovereign Immunities Act, which took precedence over the common law.
According to WhatsApp’s lawyers, private entities such as NSO are “categorically ineligible” for foreign sovereign immunity.
In a November filing, the Biden administration stated that the 9th Circuit reached the correct conclusion, even though the government was not ready to endorse the circuit court’s conclusion that FSIA completely precludes any form of immunity under common law.
According to court documents, the accounts of 1,400 WhatsApp users were accessed using the Pegasus tracking software while their smartphones were secretly used as surveillance devices.
An investigation published in 2021 by 17 media organizations led by the Paris-based non-profit journalism group Forbidden Stories discovered that the spyware was used in attempted and successful global hacks of smartphones belonging to journalists, government officials, and human rights activists.
The US government blacklisted NSO and Israel’s Candiru in November 2021, accusing them of providing spyware to governments who used it to “maliciously target” journalists, activists, and others.
Apple Inc. is also suing NSO for allegedly violating its user terms and services agreement.