WhatsApp vs Pegasus: A well deserved win for Zuckerberg

The case revolved around nations that used its Pegasus software to hack the WhatsApp accounts of 1,400 people, including journalists, activists and dissidents. Court transcripts revealed that some of those governments included Saudi Arabia, Uzbekistan and Mexico, but the full extent of NSO’s clientele remains a mystery.

NSO was already struggling financially. Having once boasted a valuation of $2 billion, it was on the brink of insolvency in 2021 after being blacklisted by the US, which means this week’s huge payout could be the final straw despite its pledge to appeal. “We will carefully examine the verdict's details and pursue appropriate legal remedies," a spokesman told me. He declined to comment on the company’s finances.

Also Read: A spyware scandal that can’t be brushed aside

If NSO hits the wall, perhaps that’s for the best. On its website, the firm claims to make “ethical cyber-intelligence" software to help governments “investigate terror and crime." 

But ethics took a back seat in practice, and the targets often weren’t criminals thanks to NSO’s hands-off approach to doing business. Its pitch to government clients was that there was no technical way for NSO to ascertain who was being surveilled, which made it impossible to stop the product from being misused, for instance, to spy on the wife of murdered Saudi journalist Jamal Khashoggi. 

“We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies," NSO’s spokesman says.

The surveillance trade is littered with companies like NSO, often smaller and lesser known, and prone to frequent name and jurisdiction changes to evade restrictions. It’s a lucrative market, according to Laurent Richard, a French journalist who authored a book on Pegasus in 2023. 

“This industry is resilient," he told me in an interview that year. “You can be 25 years old and get paid $30,000 per month in these jobs. You have dictators, tyrants and even democracies ready to pay millions to have access to this kind of surveillance solution."

Also Read: What Pegasus says about cyber power and our national security

But Meta’s court win now makes the spyware business look much riskier, and its decision to pursue this case to the end (rather than settle out of court) is even more laudable. 

Critically, it establishes a legal precedent. Simply using American servers now creates enough jurisdiction for the courts to hear cases from US tech giants against foreign vendors. In Meta’s case, NSO was specifically found liable for breaching federal and California hacking laws, as well as WhatsApp’s terms of service.

That could open the door to similar litigation, something from which businesses can derive some comfort. Although NSO sold exclusively to governments, the spyware industry also supports corporate espionage that costs billions in stolen research and development and intellectual property. At a minimum, it will make any government think twice about spying on US companies.

Unfortunately, Meta’s legal victory is more of a bruising than a death knell for this shadowy sector. Apple last year dropped its own suit against NSO, saying that pursuing a case would mean it has to share sensitive “threat intelligence" information, which it didn’t want to do.

Also Read: Why nobody seems very outraged by the Pegasus story

And there’s evidence that the spyware industry is adapting, with smaller, less visible players moving to fill the gap left by NSO. Take the Intellexa Consortium, a web of companies that make another hacking tool called Predator, which was used to monitor United Nations officials, US lawmakers and the president of the European Parliament, according to a 2023 investigation by Amnesty International.

America’s sanctions on Intellexa, while a good start, don’t solve the whack-a-mole problem that such companies pose, where they can pop up in other jurisdictions under new names or simply reprogramme their software to avoid detection. 

Predator, for instance, was recently modified to better anonymize its customers and was spotted being used in Africa a year after its blacklisting, according to a September 2024 study by Recorded Future Inc, a cybersecurity company.

The WhatsApp verdict—decided by a jury in one day—is a victory, but it hasn’t killed the threat. Smaller operators are evolving with fresh spyware tactics and exotic corporate structures, which means Meta’s $168 million blow is probably more of a warning shot. ©Bloomberg

The author is a Bloomberg Opinion columnist covering technology.