Meta has ramped up its rhetoric after spyware developer NSO Group was ordered to pay the tech giant $259 million ($US168 million) in damages, five years after a cyberattack that saw the Israeli company’s intrusive Pegasus spyware installed on the phones of over 1,400 WhatsApp users.
The May 2019 attack – which analysts said had “all the hallmarks” of a government surveillance operation – infected phones even when their users hadn’t done anything, thanks to a ‘zero touch’ feature that let Pegasus users transmit the malware to victims simply by phoning them.
NSO Group says it only sells its software – which skirts the security defences of iPhones and Android phones and can download most user data as well as activating their microphones and cameras – to government agencies for legitimate law enforcement use.
And while it vehemently denied involvement in the attacks at the time – arguing that it would “under no circumstances” be involved in targeting its technology at “any person or organisation” – the recently empanelled jury nonetheless held the company liable for the attack on Meta’s users.
Meta lauded the newly announced award against the “notorious foreign spyware merchant” – which includes $685,000 ($US444,719) to cover the cost of fixing the attack and $257 million ($US167 million) in punitive damages – as “the first victory against illegal spyware.”
The penalty is a “critical deterrent to this malicious industry”, said Meta – which has itself spent years dealing with the fallout of its massive Cambridge Analytica privacy scandal – “against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
Lobbying the world to take on spyware
Doubling down on its indignation, Meta – which has set the bar on questionable privacy practices and misuse of customer data – not only welcomed the verdict but used it as a rallying cry for the industry to push back against spyware vendors that have operated with relative impunity.
“For the first time,” it wrote, “this trial put spyware executives on the stand and exposed exactly how their surveillance-for-hire system – shrouded in so much secrecy – operates…. These malicious technologies are a threat to the entire ecosystem and it’ll take all of us to defend against it.”
Aiming to expose NSO’s operations “to researchers and journalists studying these threats”, Meta also published transcripts of testimony by NSO executives: CEO Yaron Shohat, R&D vice president Tamir Gazneli, global business operations VP Bizinsky Gil, and vice president Ramon Eshkar.
Meta isn’t the only tech giant with issues about NSO’s operations: Apple, for one, labelled NSO “abusive” and sued the company in 2021 as tech giants and journalists joined forces with a collective research effort called The Pegasus Project aimed at tracking use of the spyware.
In 2022, Amnesty International amplified calls for a ban on Pegasus after it was, among other discoveries, found on the phones of UK government officials and variously used to surveil journalists and citizens of Catalonia, Mexico, India, Hungary, Thailand, and elsewhere.
Pegasus was blacklisted by the US government in 2021 but has been a favourite of the government of Saudi Arabia, which used it to monitor the family of murdered journalist Jamal Khashoggi and was also found to have infected Jeff Bezos’s phone via WhatsApp.
Next steps for a spyware giant
The damages finding brings to a close six years of litigation and posturing as Meta sparred with NSO Group, which Amnesty International’s then secretary general Agnès Callamard said “paint[s] a picture of legitimacy, while profiting from widespread human rights violations.”
Pegasus had become the “weapon of choice” for authoritarian governments, she said – although NSO Group has claimed that it terminates the contracts of agencies found to be misusing tools that, it says, are “necessary to address international threats of terrorism and other serious crimes.”
NSO “is unwavering in its commitment to human rights and to investigating any credible claims of misuse,” the software vendor said last year as Amnesty International submitted an amicus curiae brief supporting Pegasus-related litigation in Thailand.
Whether Meta collects any of the damages remains to be seen, with Shohat recently testifying that “my company never spied on anyone” and revealing the company is in a precarious financial position and is “struggling to keep our heads above water.”
Meta, for its part, has found a new raison d’être – pursuing an injunction on use of Pegasus, promising to “continue going after spyware vendors indiscriminately targeting people,” and committing to support digital rights organisations “working to defend people against such attacks.”