A US judge ruled in favor of Meta Platforms' WhatsApp on Friday in a lawsuit against "Israel's" NSO Group, accusing the company of exploiting a vulnerability in the app to install spy software for unauthorized surveillance.

US District Judge Phyllis Hamilton in Oakland, California, granted WhatsApp's motion and determined NSO was liable for hacking and breach of contract.

The case is now set to move to trial to address the issue of damages, according to Hamilton. However, the NSO Group did not immediately comment on the ruling.

Will Cathcart, the head of WhatsApp, said the ruling is a win for privacy, adding, "We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions."

"Surveillance companies should be on notice that illegal spying will not be tolerated."

Cybersecurity experts welcomed the judgment.

A senior researcher at the Canadian internet watchdog Citizen Lab, John Scott-Railton — who uncovered NSO's Pegasus spyware in 2016 — described the ruling as a landmark decision with "huge implications for the spyware industry."

In an instant message he said, “The entire industry has hidden behind the claim that whatever their customers do with their hacking tools, it's not their responsibility,” adding, “Today's ruling makes it clear that NSO Group is in fact responsible for breaking numerous laws.”

NSO history of unauthorized access 

In 2019, WhatsApp took legal action against NSO, requesting an injunction and damages, accusing the company of hacking WhatsApp's servers six months earlier to deploy Pegasus spyware on victims' devices.

The lawsuit claimed the breach led to the surveillance of 1,400 individuals, including journalists, human rights defenders, and political dissidents.

To justify its actions, NSO argued that Pegasus helps law enforcement and intelligence agencies counter crime and protect national security, while its technology intends to catch terrorists, pedophiles, and hardened criminals. 

NSO appealed a 2020 decision by a trial judge, who denied the company "conduct-based immunity," a legal doctrine that typically shields foreign officials from performing duties in their official capacity.

In 2021, the 9th US Circuit Court of Appeals in San Francisco upheld the ruling, calling it an "easy case." The court determined that NSO's licensing of Pegasus and providing technical support did not protect it from liability under the Foreign Sovereign Immunities Act, which takes precedence over common law.

In 2022, the US Supreme Court turned away NSO's appeal of the lower court's decision, allowing the lawsuit to proceed.