Pegasus spyware is one of the most advanced smartphone hacking technologies at this time. It is developed and manufactured by an Israeli company NSO Group and distributed to governments around the world. It claims to help governments prevent the terrorism and serious crimes, but reports have shown its misuse by dozens of countries to spy on journalists, activists, and human rights defenders in an attempt to suppress political dissent.
In November 2021, Apple notified multiple iPhone users in Thailand that they might have been targeted by “state-sponsored attacker”. This prompted a joint investigation by iLaw, Citizen Lab, and DigitalReach SEA. The findings, published in a July 2022 report, confirmed that at least 35 pro-democracy activists involved in the 2020-2021 protests against the regime had been targeted by Pegasus spyware.
The findings led to three lawsuits to prove this rights violation, with two cases still in the process: a civil court case, where Pai-Jatupat sued NSO Group as a defendant, and an administrative court case, where Anon Nampa and Yingcheep Atchanont sued nine government agencies.
Spyware Manufacturer on Trial: civil case challenges NSO’s responsibility
Since the production and distribution of spyware as a weapon of cyber warfare is different from the sale of general goods, spyware is produced without any purpose and has no other use than to hack into systems and steal information without permission, which is a technology with a direct aim to violate people’s rights. Although some situations or laws of some countries allow government officials to use spyware to investigate information, manufacturers and sellers have a duty to design products and systems to prevent misuse. And if there is an incident where the technology in their possession is used to violate the rights of citizens, the manufacturers and sellers must be jointly liable.
In November 2022, eight Thai victims whose mobile phones were hacked “jointly” filed a lawsuit against NSO Group in the Civil Court for serious violation of privacy rights. However, the Civil Court did not accept the lawsuit for consideration because it considered that the eight plaintiffs were violated differently and could not be sued together as a single case. However, the victims considered that separating the lawsuit into eight cases would increase too much burden for lawyers, witnesses, and court fees, so they filed a new lawsuit as a single case on 13 July 2023, with Jatupat Boonpattararaksa, or Pai, as the sole plaintiff.
In the case of Jatupat, according to a report published on 18 July 2022, he was attacked by Pegasus three times: on 23 and 28 June and on 9 July 2021.
In Jatupat’s lawsuit, it states that when the Pegasus spyware penetrates the mobile phone and obtains all the information, it accesses all types of personal information, photos, videos, location, social networks, including turning on the microphone to eavesdrop on conversations and turning on the camera or eavesdropping on images related to the owner of the device. And when the spyware penetrates the phone once, it can access various information without time limit, which destroys the plaintiff’s privacy, freedom of communication and freedom of movement and choice of residence. After the defendant sold the rights to use Pegasus to various governments, the defendant still has the duty to take care of, control or use Pegasus with the target as the government agencies want, allowing the defendant to access the target’s information. There is no law in Thailand that gives both the government and private sector the power to access information on the phone like this. Therefore, it is a tort against the plaintiff, causing damage to the plaintiff.
The request to the court in the civil case between Jatupat and NSO Group is as follows:
- Request that the defendant stop using the Pegasus spyware against the plaintiff and
- Request that the defendant return all the information obtained from using Pegasus which was given to the Thai government agencies back to the plaintiff.
- Request that the defendant be liable for damages resulting from the infringement in the amount of 2,000,000 baht, with interest at 5 percent per year until the plaintiff is fully paid.
- Request that the defendant be liable for metal damages, causing the plaintiff to be paranoid and anxious that the Pegasus spyware will penetrate the system, totaling damages of 500,000 baht, with interest at 5 percent per year until the plaintiff is fully paid.
- Request that the defendant pay the plaintiff’s court fees and attorney’s fees in high amounts.
NSO surprises by engaging legal battle in Thai Court
After filing the lawsuit, the plaintiff must request the court to send a warrant and a copy of the lawsuit to the defendant at the defendant’s address in Israel. In a civil case, if the defendant is not in the Kingdom and does not want to fight the case, the Thai court does not have any jurisdiction to force the defendant. But when NSO Group received the warrant from the Civil Court, it appointed a Thai lawyer, Chitchai Pansane from Tileke & Gibbins, to represent it in the lawsuit.
The defendant submitted a ple denying the charges, which can be summarized as follows: The defendant did not oversee, control, or use the software to hack into the target’s usage tracking system. The defendant is only a company that invents and develops for sale to governments of various countries that have been inspected and screened internally by the defendant under the Israeli government’s strict export license. If it is found that there is any misuse, the right to use the spyware will be immediately revoked. The defendant is only a developer and provides the license to use it to customers, including helping with maintenance. But in terms of usage, the defendant is not involved. Only the customer is the user. The defendant does not control the usage. The defendant has no way of knowing who the targets are and does not access the data on the target’s electronic devices.
Between 2017 – 2022, NSO Group faced a lot of criticism around the world when it was revealed that Pegasus spyware was used against dissidents in several countries. It also faced at least 30 lawsuits from victims in 13 countries. In many cases, NSO Group challenged the jurisdiction of the courts in each country to try the case, which caused delays and did not argue the content of their responsibility. However, the Thai case is the first case where NSO Group decided to appoint a Thai lawyer to represent them, submit a statement of defense in the content of the case, request mediation, and provide witness testimony in detail.
During the legal battle, NSO Group demonstrated its technique of trying to keep the case from the public by asking iLaw to remove the published content, requesting the court to order a closed-door trial, and requesting the court to punish the plaintiff for contempt of court.
In the plaintiff’s witness examination, the plaintiff brought in the following witnesses:
- Jatupat Boonpattararaksa, the plaintiff himself, testified about the damage caused by the violation of personal rights by the Pegasus spyware.
- Yingcheep Atchanont, Director of iLaw, testified about the investigation into the use of Pegasus spyware on at least 35 Thais and the explanations that NSO Group had previously given internationally.
- Waranyuta Yan-in, a computer technician from iLaw, testified about the steps to copy data from the plaintiff’s mobile phone before sending it for examination.
- Sutawan Chanprasert, Director of DigitalReach, testified about the steps to receive a copy of the file from the victim’s phone and use Citizen Lab’s examination method to detect the Pegasus spyware.
- Thitirat Thipsamritkul, an international law scholar, testified about the principles of corporate responsibility towards the human rights of those involved and the United Nations’ views on the Pegasus spyware.
- Asst. Prof. Dr. Priyakorn Pusawiro, a computer scholar testified about the general nature of how the spyware works and the ability of developers to control the use of their own technology.
The Defendants presented the following witnesses:
1. Yuval Elovici, a computer expert, testified about the weaknesses and unreliability of a tool called “MVT” used to detect the Pegasus spyware.
2. Shmuel Sunray, the Defendants’ chief legal officer, testified about the purpose of Pegasus and the Defendants’ procedures for detecting misuse.
Main Argument : NSO Group is only an innocent seller or a complicit user?
The plaintiffs’ lawsuit alleges that after selling the licenses to governments, NSO Group is responsible for overseeing and controlling the use of the spyware against target individuals. Once the governments that purchased the spyware identify the targets, NSO Group controls the use of the spyware to hack into the systems, spy on the target individuals, copy the data, and send it to government agencies. In Thailand, after selling the spyware, NSO Group also trained government officials on how to use it, provided maintenance services, and investigated whether government agencies that were customers misused the spyware.
The defendant stated in the defense statement on this issue that NSO Group did not supervise, control and/or use Pegasus against targets, but was only the inventor and developer of spyware for sale. At the same time, the defendant’s company also emphasizes human rights with a human rights policy and transparency reports. Contracts with customers must have terms of use to suppress serious crimes only. The company will follow up on complaints from the media and NGOs. If there is any suspicion of misuse of spyware, the defendant will contact the customer and ask for cooperation in inspecting the usage, which the Pegasus system has an Activity Log that can be inspected. If the customer does not cooperate, the usage will be suspended. In the past, there have been many cases where usage has been terminated.
The defendant did not deny that they had ever used Pegasus spyware to hack into the plaintiff’s mobile phone system, nor did they deny that they had ever sold it to a Thai government agency or that this type of spyware had ever been used in Thailand. However, they insisted on not accepting or testifying about any facts that might be related to their customers, such as who their customers were. The defendant’s witness did not answer the question of whether they had ever investigated the plaintiff’s complaints, but explained that they would only investigate cases where there were credible reports.
Is the Case Time-Barred?
The plaintiff filed a lawsuit with the court on 13 July 2023, stating that he knew he was attacked on 18 July 2022, the date the report was published that found at least 35 Thais were hacked by the Pegasus spyware. The defendant objected that in fact the plaintiff knew that his device was hacked in November 2021, following Apple’s notification, which means that a lawsuit for damages for infringement must be filed within one year from the time of knowledge, so the case is time-barred.
However, the Criminal Court denied Jatupat bail on 9 August 2021, and the plaintiff in this case had to be detained in prison until 10 February 2022. During that time, he could not access any electronic devices and could not access the notification email from Apple, so it is still unclear whether he was attacked or not. Later, on 17 July 2022, it was confirmed through a report by Citizen Lab, “GeckoSpy Pegasus Spyware Used against Thailand’s Pro-Democracy Movement”, that he had indeed been attacked. This was followed by confirmation on 18 July 2022, a joint report by iLaw and DigitalReach Asia, “Parasite that Smiles: Pegasus Spyware Targeting Dissidents in Thailand”
In addition, it is claimed that the defendant also contested that the plaintiff claimed damages without explaining how the life was affected, how it was calculated, and in the matter of mental damages, there is no legal provision that allows the plaintiff to claim damages in this part. In this case, the plaintiff claimed damages totaling 2,500,000 baht, even though the damages from the violation of privacy rights, being attacked by spyware that accessed the phone and took all data, both related to political movements, personal matters and finances, are damages that cannot be assessed and cannot be proven as documentary evidence.
Timeline of the trial
13 July 2023, the plaintiff filed a lawsuit in the Civil Court.
26 October 2023, the defendant submitted a plea to defend the case.
6 November 2023, pre-trial examination. The plaintiff’s lawyer told the court that the power of attorney from NSO Group to the law firm and forwarded to the defendant’s lawyer was improper under Section 47 of the Civil Procedure Code because there was no certification as evidence from the Thai embassy in Israel. The defendant’s lawyer explained that the reason for this was due to the war situation in Israel, which caused the trial date to be postponed until a government agency could be contacted to certify. The court then left the bench to consult with the owner of the case. When it returned to the bench, the court summoned the plaintiff’s and defendant’s lawyers for questioning. The defendant’s lawyer asked for the case to be postponed until the war situation improved and a government agency could be found to certify the power of attorney. The plaintiff’s lawyer argued that the defendant’s power of attorney occurred between September 21 and 24, 2023, which occurred before the Israel-Hamas war broke out on October 7, 2023.
5 February 2023, the court considered and examined the power of attorney document and found that it had been corrected. Therefore, the court determined the disputed issues in this case as follows: 1) Did the defendant commit a tort against the plaintiff? 2) How much damage was there? 3) Was the plaintiff’s lawsuit time-barred? The plaintiff has the burden of proof.
The plaintiff’s lawyer stated that they wanted to present nine witnesses. The defendant stated that they wanted to present only one witness, who was the defendant’s executive, and they would present the witness via an online system. The plaintiff objected and asked the witness to come to court, but the court ordered that the examination of the witness should be done via an online system, using Google Meet, allowing the witness to testify from their home in Israel. Both parties were required to prepare a record of their statements instead of questioning their witnesses, and send a copy to the other party at least seven days in advance.
After that, the plaintiff and the defendant set the date for the plaintiff’s witness examination on September 3-6, 2024, the date for the defendant’s witness examination on September 10, 2024.
21 June 2024, the mediation date, the plaintiff submitted a document proposing that if the defendant disclosed the contract for the sale of Pegasus spyware made with a Thai government agency, the plaintiff would not pursue any additional damages. Or if the defendant agreed to disclose some information, such as the name of the agency that sold the Pegasus spyware and the individuals who were targeted by the attack, he would claim only half of the damages, which is 1,250,000 baht. The defendant had a representative from Israel travel to the court to negotiate, but did not accept any conditions, except for paying only half of the damages, resulting in an inability to reach an agreement and canceling the mediation.
28 June 2024, the defendant’s lawyer filed a petition with the Civil Court, requesting that the court order the plaintiff, the plaintiff’s lawyer, and iLaw to delete news reports about the mediation process, which the court ordered in the petition to set a date to examine the matter on the first plaintiff’s witness examination date.
11 July 2024, the defendant’s lawyer filed another petition with the Civil Court, explaining that many people had shared the post, and Jatupat had shared it in a way that mocked the defendant, causing the defendant to suffer more damage. Therefore, he asked the court to order a new hearing date, but the Civil Court dismissed the petition, reasoning that: The original time frame is not considered unreasonably late.
3 September 2024, The court has scheduled the examination of plaintiff witnesses: Jatupat Boonpattararaksa, Yingcheep Atchanont, Waranyuta Yan-In
4 September 2024, The court has scheduled the examination of plaintiff witnesses: Waranyuta Yan-in, Sutawan Chanprasert, Thitirat Thipsamritkul
5 September 2024, The court has scheduled the examination of plaintiff witnesses: Asst. Prof. Dr. Priyakorn Pusawiro
6 September 2024, The court has scheduled the examination of defendant witnesses: The defense called Yuval Elovici, an Israeli cybersecurity expert from Ben-Gurion University, to dispute the plaintiff’s forensic evidence. Although Yuval’s written testimony was only given to the plaintiff’s lawyers the night before the hearing, he appeared in court in person, as the judge had denied NSO’s request for him to testify online.
Yuval, a retired major general with expertise in cybersecurity and cryptography, explained that identifying cyber attackers is extremely challenging because they often use techniques to hide their identities and confuse investigators. He described how attackers can mimic patterns from other countries or plant false evidence to mislead attribution. Using translated PowerPoint slides, he detailed how attackers exploit software vulnerabilities to access systems, alter data, and fabricate evidence. His testimony aimed to cast doubt on the forensic findings that linked Pegasus spyware to Jatupat’s phone, challenging the credibility of the plaintiff’s claims.
10 September 2024, The court has scheduled the examination of defendant witnesses: Shmuel Sunray, NSO’s general counsel and a former lawyer, testified that Pegasus was developed in 2010 as a surveillance tool sold exclusively to governments for counter-terrorism and criminal investigations. He emphasized that NSO operates under strict Israeli export regulations and requires government approval for all sales.
Sunray explained that while Pegasus enables government clients to access devices, NSO cannot monitor customer operations or data. He claimed NSO enforces ethical use through international human rights standards and a “kill-switch” feature to disable the software if misuse is detected. He cited eight terminated contracts as examples of accountability. During cross-examination, he clarified that NSO is not legally responsible for misuse outside its control but does have human rights obligations. Sunray also denied allegations linking Pegasus to attacks on 35 Thai human rights defenders, asserting that the defense’s expert witness confirmed it was not Pegasus.
21 November 2024, Civil Court ruled to dismiss the case of Jatupat Boonpattararaksa vs. NSO Group, stating that the evidence failed to meet legal thresholds on critical points such as forensic evidence. According to the plaintiff’s evidence, the Citizen Lab’s confirmation letter only stated that Jatupat had been attacked by Pegasus spyware. It did not clearly explain the process of investigation, such as log file processing in the server and identifying evidence of Pegasus-linked binaries.
