WhatsApp snooping scandal

From Wikipedia, the free encyclopedia

On October 30, 2019, WhatsApp's parent company Facebook, Inc. confirmed that Pegasus, a sophisticated snooping software developed by Israel's NSO Group, was used to target Indian journalists, activists, lawyers and senior government officials. The journalists and activists are believed to have been targets of surveillance for a two-week period until May, when the Indian national election was held.[1][2]

The snooping scandal came to light after WhatsApp filed a case in California's Northern District federal court against the NSO Group, alleging that the NSO Group had developed the software used to infect 1,400 target devices with malware.[3]

The IT Ministry of India sought a detailed response from WhatsApp on the issue.[4] WhatsApp responded that it had alerted the government on two occasions, once in May and a second time in September 2019.[5][6][7] In response to the Indian Government's order, WhatsApp informed the Computer Emergency Response Team of India in May and September that Pegasus spyware affected Indian WhatsApp users.[8]

The Indian National Congress party alleged that the Narendra Modi-led government had been caught snooping on journalists, activists, lawyers and senior government officials.[9] The party later alleged that its leaders, including general secretary Priyanka Gandhi, were also being targeted. It also claimed that WhatsApp sent messages to different people whose phones were hacked. One such message was also received from the WhatsApp of Priyanka Gandhi a few months ago.[10]

T.V. Mohandas Pai, former chief financial officer of Infosys, also demanded that the government probe the scandal and release a report to the public.[11]

In 2024, a federal judge in the Northern California lawsuit ruled that the NSO Group was liable for infecting devices belonging to 1,400 WhatsApp users.[12] The NSO Group was ordered to pay 4 million dollars to Meta as of May 2025 and was barred from targeting WhatsApp users in the future.[13]

The WhatsApp incident was part of a larger pattern of Pegasus spyware abuse. Investigations by the Pegasus Project (2021) revealed that governments worldwide used the malware to target journalists, activists, and politicians, including associates of murdered Saudi journalist Jamal Khashoggi and staff of French President Emmanuel Macron.[14]

Technical details

The attack exploited CVE-2019-3568, a zero-click vulnerability in WhatsApp's VoIP stack. The exploit allowed installation of Pegasus spyware without any user interaction.[15] WhatsApp patched the vulnerability through server-side fixes and client updates in May 2019.

Beyond lawsuits in the U.S. and India, the scandal prompted regulatory scrutiny in the European Union, where lawmakers questioned NSO Group's compliance with GDPR requirements.[16] The Israeli government subsequently tightened oversight of cyberweapon exports.

In 2024, the court in the Northern California lawsuit ruled that the NSO Group was liable for infecting devices belonging to 1,400 WhatsApp users. The court found violations of the Computer Fraud and Abuse Act (CFAA) and California's Comprehensive Computer Data Access and Fraud Act, in addition to WhatsApp's terms of service.[17] The 167 million originally ordered to be paid was later adjusted to 4 million in accordance with the proper standard, because of a maximum cap on punitive damages. The ruling also included an order for the NSO Group to cease targeting WhatsApp users in the future and to delete data extracted from the users targeted in the case.[18]

NSO Group's response

NSO Group maintained that Pegasus was licensed exclusively to governments for counterterrorism purposes. The company stated it had no visibility into how clients used the software, though this claim was disputed by researchers.[19] NSO claimed that the order in the Northern California lawsuit to cease targeting WhatsApp users would "force NSO out of business," given the nature of the Pegasus product. The judge found this to be insignificant compared to the harm Pegasus posed to the privacy and safety of Meta and its users.[20]

Impact on WhatsApp

Following the disclosure, many users migrated to alternative messaging platforms like Signal and Telegram.[21] WhatsApp responded by enhancing its security communications and emphasizing its commitment to end-to-end encryption.
