Meta Wins Court Case Against Malware Developer Over Data Scraping

Meta has had a major legal win, which could establish a new precedent in cases of spyware that uses covert methods to access people’s personal information based on what they enter into various apps.

Which, in this case at least, involved WhatsApp, Meta’s biggest messaging app.

Back in 2019, WhatsApp alerted over 1,000 of its users that its video calling system had been compromised, and had circulated malware to their mobile devices. This attack was particularly concerning, because users didn’t even have to answer a video call to trigger the malware instance.

Meta worked with cybersecurity experts from the Citizen Lab to investigate the breach, which eventually led to Meta seeking legal action against developer NSO over the use of its spyware tool, called Pegasus, which essentially enables users to steal app user data.

As explained by Meta:

“Put simply, NSO’s Pegasus works to covertly compromise people’s phone with spyware capable of hoovering up information from any app installed on the device. Think anything from financial and location information to emails and text messages, or as NSO conceded: “every kind of user data on the phone.” It can even remotely activate the phone’s mic and camera – all without people’s knowledge, let alone authorization.”

To be clear, Meta is not suggesting that NSO itself initiated this attack on WhatsApp. But because its software was the tool used, it instead sought legal action against the developer, as a means to highlight the illegal use of such products, and the harms that can be caused by such within social apps, in particular.

And a federal jury agreed with Meta’s premise, and has approved the company’s pursuit of damages against NSO for its part in the breach. Meta says that NSO’s software was actually used in many similar attacks, and this case will open the door for further litigation, which will likely see NSO remove its spyware offerings as a result.

Which is a win in itself, but the bigger victory here is in legal deterrent, and establishing a case that essentially outlaws the use of spyware to steal people’s info through un-approved means.

Because the developer itself has been targeted, as opposed to individual perpetrators, the case could have significantly more impact, while also forcing similar offerings to re-asses their viability, and use case, outside of such programs.

Developers have generally been able to argue that such tools can be used to other purposes outside of data scraping, which is why they’ve been allowed to remain on the market. But this case shows that there is legal bearing in cases related to social media and messaging apps, especially now that so much of our personal info is accessible via these devices.

As such, it’s a positive step, which should have significant industry impacts.

Of course, there are still levels to what constitutes data scraping, and how third-parties can obtain and use such data. But in the case of malware, this could be a significant step in addressing misuse.