In a significant legal development, a U.S. judge has mandated the NSO Group, an Israeli spyware vendor, to provide the source code for its Pegasus spyware and related remote access trojans to Meta. This directive is a part of Meta’s ongoing lawsuit against NSO, initiated in October 2019, accusing the company of misusing WhatsApp’s infrastructure to deploy the spyware on around 1,400 mobile devices, targeting Indian activists and journalists among others.
The controversy centers on a zero-day vulnerability in WhatsApp (CVE-2019-3568) that was exploited to transmit Pegasus spyware via the app’s voice call function, without the need for the recipient to answer the call. This stealthy method also included steps to erase call logs to avoid detection.
The court’s order specifies that NSO must disclose comprehensive details about the spyware’s functionality for a two-year window surrounding the alleged attacks, from April 2018 to May 2020. However, the ruling stops short of compelling NSO to reveal its client list or the specifics of its server architecture, with the rationale that WhatsApp could deduce the latter from the spyware’s functionality.
The decision has been met with mixed reactions. Amnesty International’s Security Lab head, Donncha Ó Cearbhaill, welcomed the move but expressed disappointment over the court’s decision to protect the identities of NSO’s clients, who are implicated in the unauthorized surveillance activities.
NSO Group has faced international criticism and was sanctioned by the U.S. in 2021 for supplying cyber weapons to governments that have reportedly misused these tools against various individuals, including officials, journalists, and activists.
Meanwhile, Meta is under scrutiny in the European Union for its “pay or consent” subscription model, criticized by privacy advocates as a dilemma forcing users to choose between paying a fee for privacy or consenting to data tracking. This model is argued to commodify privacy, contravening the ethos of GDPR and exacerbating digital exclusion.
In related news, threat intelligence firm Recorded Future has unveiled a new infrastructure tied to Predator, another spyware product from the Intellexa Alliance, potentially used by clients in several countries. Despite adjustments in response to public exposure, Predator’s deployment strategies, including spoofing tactics and targeting patterns, remain relatively unchanged, indicating a persistent threat landscape.
This case underscores the complex interplay between privacy rights, corporate responsibilities, and national security interests, highlighting the ongoing challenges in regulating cyber surveillance tools in the digital age.
