Legal documents released in ongoing US litigation between NSO Group and WhatsApp have revealed for the first time that the Israeli cyberweapons maker – and not its government customers – is the party that “installs and extracts” information from mobile phones targeted by the company’s hacking software.
The new details were contained in sworn depositions from NSO Group employees, portions of which were published for the first time on Thursday.
It comes five years after WhatsApp, the popular messaging app owned by Facebook, first announced it was filing suit against NSO. The company, which was blacklisted by the Biden administration in 2021, makes what is widely considered the world’s most sophisticated hacking software, which – according to researchers – has been used in the past in Saudi Arabia, Dubai, India, Mexico, Morocco and Rwanda.
The timing of the latest development is important in the wake of Donald Trump’s victory in the 2024 presidential election. Pegasus has been used by autocratic leaders around the world to target journalists and dissidents, including by the government of Viktor Orbán, who Trump admires.
NSO has lobbied members of Congress in an attempt to be removed from the Biden administration’s so-called blacklist, and Trump’s return to the White House could signify a change in White House policy on the use of spyware.
WhatsApp filed suit in California in 2019 after it revealed that it had discovered that 1,400 of its users – including journalists and human rights activists – had been targeted by the spyware over a two-week period.
At the heart of the legal fight was an allegation by WhatsApp that NSO had long denied: that it was the Israeli company itself, and not its government clients around the world, who were operating the spyware. NSO has always said that its product is meant to be used to prevent serious crime and terrorism, and that clients are obligated not to abuse the spyware. It has also insisted that it does not know who its clients are targeting.
WhatsApp is seeking a summary judgment in the case, which means it is asking a judge to rule on the case now. NSO has opposed the motion.
To make its case, WhatsApp was allowed by Judge Phyllis Hamilton to make its case, including citing depositions that have previously been redacted and out of public view.
In one, an NSO employee said customers only needed to enter a phone number of the person whose information was being sought. Then, the employee said, “the rest is done automatically by the system”. In other words, the process was not operated by customers. Rather NSO alone decided to access WhatsApp’s servers when it designed (and continuously upgraded) Pegasus to target individuals’ phones.
A deposed NSO employee also acknowledged under questioning from WhatsApp lawyers that one known target of the company’s spyware – Princess Haya of Dubai – was one of 10 examples of clients who had been “abused” “so severely” that NSO disconnected the service. The Guardian and its media partners first reported in 2021 that Haya and her associates were on a database of people who were of interest to a government client of NSO. A senior high court judge in the UK later ruled that the ruler of Dubai hacked the phone of his ex-wife Princess Haya using Pegasus spyware in an unlawful abuse of power and trust.
The president of the family division found that agents acting on behalf of Sheikh Mohammed bin Rashid al-Maktoum, who is also prime minister of the United Arab Emirates, a close Gulf ally of Britain, hacked Haya and five of her associates while the couple were locked in court proceedings in London concerning the welfare of their two children.
Those hacked included two of Haya’s lawyers, one of whom, Fiona Shackleton, sits in the House of Lords and was tipped off about the hacking by Cherie Blair, who was working with NSO.
NSO was also expected to publish a new filing on Thursday.
