Spyware Makers Fined $167.25 Million

John Lister's picture

The makers of the controversial Pegasus spyware have been ordered to pay $167.25 million for exploiting a bug in WhatsApp. The company that makes Pegasus markets it as a crime-fighting tool for government agencies.

Israeli-based NSO developed Pegasus to take advantage of a range of bugs through "zero-click" attacks that make it possible to monitor somebody's phone without requiring any action from the victim (such as clicking on a link or opening a phone).

The software has proven controversial despite NSO's claims that it only makes it available for legitimate government surveillance. Critics say Pegasus is used by governments with poor human rights records to target political opponents or journalists rather than "genuine" criminals.

Phone Call Enough to Compromise Handset

WhatsApp's owners Meta claimed in 2019 that Pegasus had targeted the messaging tool with an exploit that made it possible to spy on a user's phone simply by calling its number, even if the victim didn't answer. It said the exploit led to 1,400 people being targeted, with at least 100 identified as "human-rights defenders, journalists and other members of civil society across the world."

It sued NSO for violating the United States's Computer Fraud and Abuse Act. After a five-year legal battle a court ruled NSO was liable for the attacks. A jury has now settled on the financial penalty.

Meta said that while they "... stopped the attack vector that exploited our calling system in 2019, Pegasus has had many other spyware installation methods to exploit other companies' technologies to manipulate people's devices into downloading malicious code and compromising their phones."

It added that "These malicious technologies are a threat to the entire ecosystem and it'll take all of us to defend against it. Today's ruling shows spyware companies that their illegal actions against American technologies will not be tolerated." (Source: fb.com)

Legal Battle May Continue

Meta says it may not be a straightforward process to actually collect the damages but it hopes to donate some of the money to digital rights organizations. It also wants a court order specifically banning NSO from targeting WhatsApp.

NSO has not commented publicly beyond saying it will consider the details of the verdict and its options for an appeal. (Source: theverge.com)

What's Your Opinion?

Is this a suitable penalty? Is exploiting security bugs acceptable if it's done for legitimate "crime fighting"? Is it realistic to restrict the way government agencies use surveillance on smartphones?
