Is Meta’s ‘Historic Win’ Against NSO Group Really a Win?

Why Trust Techopedia

After a long five years, the U.S. courts have ruled in favor of Meta and Whatsapp in the case ‘WhatsApp vs. NSO Group Technologies’.

WhatsApp accused controversial spyware maker NSO Group of exploiting a vulnerability in WhatsApp to install ‘Pegasus’ spyware, which enabled the unauthorized surveillance of 1,400 American citizens, including politicians, government officials, diplomats, journalists, and others.

Pegasus has been identified as one of the most powerful forms of malware impacting the world in 2024.

However, looking into the ruling and the growth of the global spyware and the surveillance market, which NSO Group is part of — some might say the ruling just deals with the tip of the iceberg.

Is this case really a win for everyone? Techopedia rounded up experts to get their insights as we pull the curtain back on the impacts.

Key Takeaways

  • Meta won its legal case against NSO Group over Pegasus spyware.
  • The ruling sets a legal precedent but did not secure Pegasus’s source code.
  • Experts argue it’s only a partial victory for combating spyware globally.
  • The spyware market remains a $148B+ unregulated global challenge.
  • Solutions, from encryption to regulation, are essential.

Whatsapp Vs. NSO Group: What’s a Win in A Spyware Tech Case?

On December 20, Mark Zuckerberg, CEO of Meta, celebrated the ruling of the U.S. District Court of the Northern District of California through a post in Threads, saying:

Advertisements

“Proud that we fought for this and that WhatsApp continues to lead on privacy and encryption.”

Media applauded the news, describing it as a “huge win for privacy” and a “historical ruling that will impact the threat of spyware”.

Sanctions or damages for NSO Group will come next in court processes. In the final stretch of the legal case, NSO Group’s strategy was to push for sanctions while revealing the least information possible to the U.S. court.

Defining a legal ‘win’ is challenging and depends on several factors. If a plaintiff achieved all the outcomes it set out to achieve, received a favorable ruling, and established a precedent, it would be hard to argue that the case is not a win.

Alexander Linton, President of the Session Technology Foundation, which manages the Session messaging app, explained to Techopedia why the case is a win.

“This case shows how legitimate developers can use the legal system to push back against spyware companies and malicious hackers.

 

Anything that can prevent or dissuade spyware companies from attacking legitimate technology is significant because, until now, they have operated with relative impunity.”

However, in WhatsApp vs. NSO Group, Meta got two out of three wins — a favorable ruling and a legal precedent. But WhatsApp and the U.S. court did not get everything they wanted. That which they did not get is significant — Pegasus’s source code.

The Northern District Court of California said that NSO Group repeatedly failed to properly answer court requests for information, nor did it disclose requested court evidence and key resources.

NSO group only made the source code of Pegasus available to the court for ‘Israeli citizens on Israeli soil’ (a big inconvenience of accessibility).

The Pegasus Source Code Dilemma

It’s not uncommon for companies taken to trial to be asked to present their source code as evidence. Demands for source code may be fueled by national security, copyright cases, antitrust, or criminal investigations.

Accessing the Pegasus source code would allow cybersecurity researchers and the U.S. government to develop spyware countermeasures.

Governments in the U.K., Europe, and the U.S. are committed to combating the spyware industry as they consider it a growing threat to national security.

Irina Tsukerman, national security and human rights lawyer, spoke to Techopedia about the unique challenges of disclosing the Pegasus source code.

“The fact that Whatsapp is asking for the source code to be released is in itself telling that it does not actually have anything that could pinpoint to Pegasus specifically.”

Tsukerman said that demanding the source code breaches software proprietary and intellectual property laws.

“The release of the source code for Pegagus would render the powerful surveillance tool useless to the many governments, which have used it at various points for legitimate security reasons.

“Meanwhile, Chinese, Russian, and other adversarial companies in the surveillance business are not being asked to release their source code and will likely continue to do damage unabated.”

Spyware Giants Hiding Behind NSO’s Spotlight

While there is little information on the spyware and surveillance infrastructure due to the secrecy of their line of work, experts conclude that it clusters around Israel, Italy, and India, where jurisdictional loopholes apply and investments are transferred from different parts of the world.

The global surveillance technology market was valued at over $148 billion in 2023. The market is expected to surge to around $235 billion by 2027

The Atlantic Council’s Digital Forensics Research Lab (DFRLab) report “Mythical Beasts and Where to Find Them” claims there are 435 entities across forty-two countries in the global spyware market. While Techopedia, at this time, cannot verify all the information in the DFRLab report due to its data volume, we asked Tsukerman for her insight.

“My assessment is going to be conditional on the assumption the findings (of this DRFLab report) are accurate, use appropriate methodology, and can be verified and replicated,” Tsukerman said.

“That said, all this report is basically saying is that NSO Group is not unique in utilizing jurisdictional complexities to its business advantage, which raises questions about why the organization is uniquely under scrutiny.”

Linton from the Session Technology Foundation told us that while NSO has gained a lot of notoriety due to their clients and those targeted by their spyware, there are many other companies with similar offerings.

“Due to the secretive nature of the business, it’s hard to get a grip on the exact scale and sophistication of the overall spyware trade. Currently, most people are stuck using insecure devices and software, which creates an opportunity for spyware to thrive.”

Linton explained that these ‘unknown-to-the-public’ spyware companies may not share the reputation of the NSO Group but provide data and keychain extraction services to law enforcement agencies all over the world.

“Of course, these same vulnerabilities can also be exploited by the ‘evil’ spyware companies,” Linton said.

Tskuerman added that as Western governments race to catch up to the quality of commercial spyware with their own products, the reality is that as long as markets and demand for such products exist, commercial spyware will be made by someone, somewhere.

“The best thing democracies can do is not end up being outgunned by those far less concerned about the rules-based order.”

On the other hand, Linton from the Session Technology Foundation spoke about technologies available today that can help combat spyware.

“A holistic approach is required to curb this threat,” Linton said.

“We must make proper, reliable security readily available to average people. Advocating for the use of encrypted services is a good start.”

The Bottom Line

The WhatsApp vs. NSO Group is one of those cases that appears clear on the surface but becomes a nightmare when we pull the thread.

This case leaves us with more questions than answers. Some call it a win; others have doubts about what exactly was achieved.

As spyware becomes more powerful and is increasingly weaponized by nation-states to target leaders, decision-makers, and average users, technological and policy solutions can combat the global spyware market.

From encryption to the courts, the battle against spyware is just warming up its engines and ready to go.

Advertisements

Related Reading

Related Terms

Advertisements
Ray Fernandez
Senior Technology Journalist
Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.