Court highlights NSO Group’s actions caused irreparable harm, reducing punitive damages significantly.
A United States court has issued an injunction against the Israeli spyware company NSO Group, prohibiting it from targeting WhatsApp users in a cyber espionage case dating back to 2019. This decision comes as a result of the court’s finding that the NSO Group’s conduct caused “irreparable harm.” The ruling was made by Judge Phyllis Hamilton of the US District Court for the Northern District of California.
While the court acknowledged the serious nature of the NSO Group’s actions, it also significantly reduced the punitive damages initially set at approximately $168 million to just $4 million. Judge Hamilton pointed out that the company’s behaviour did not meet the “particularly egregious” standard required to justify the higher amount determined by a jury in May.
The case began when WhatsApp, a subsidiary of the US-based technology company Meta, filed a lawsuit against the NSO Group, claiming that the company had unlawfully installed Pegasus spyware on the devices of its users, including journalists and activists, via the messaging application. WhatsApp alleged that the spyware had been deployed against about 1,400 users over a two-week period in April and May 2019.
In December 2024, the court ruled in favour of WhatsApp, stating that NSO Group had exploited a flaw in the application to unlawfully install spyware on users’ phones. Following this decision, the case proceeded to determine the extent of damages owed by the Israeli firm. The jury’s May ruling not only mandated the payment of $167.3 million in punitive damages but also included $444,719 as compensatory damages.
Judge Hamilton emphasized that the NSO Group’s actions undermined WhatsApp’s commitment to user privacy, which is central to its service offering. She highlighted that unauthorized access to user data constitutes an infringement on the informational privacy that WhatsApp provides to its customers.
During the trial, evidence presented indicated that NSO Group had reverse-engineered WhatsApp’s code to stealthily install Pegasus on users’ devices. The court noted that the company had made repeated adjustments to its methods in an effort to evade detection and circumvent security measures.
In its request, Meta sought an extension of the injunction to cover its other platforms, including Facebook and Instagram. However, Judge Hamilton found insufficient evidence to conclude that similar harm was being inflicted on those services.
Hamilton characterized the initial punitive damages awarded to WhatsApp as excessive and indicated that the ratio of punitive damages should be capped at 9:1, leading to the reduced figure of $4 million. Following the ruling, Will Cathcart, the head of WhatsApp, expressed approval of the decision, stating it sets a precedent for accountability against attacks on American companies.
The Pegasus software, when installed on a device, can access various private information without the user’s consent, raising significant concerns regarding privacy and security. The NSO Group has claimed that it sells its software exclusively to vetted governments with strong human rights records and that its purpose is to combat crime. However, investigations have revealed instances of unauthorized surveillance of various individuals, including journalists and politicians.
In the broader context, the US government blacklisted NSO Group in November 2021, citing actions contrary to US foreign policy and national security interests. In her December ruling, Hamilton concluded that NSO Group had violated multiple laws, including the Computer Fraud and Abuse Act and WhatsApp’s terms of service, further highlighting the serious implications of the company’s actions.
