
When Courts Reach The Merits, Spyware Loses

May 8, 2025 | Maria Villegas Bravo, EPIC Law Fellow

On April 28, 8 jurors were empaneled to decide how much NSO Group, the notorious mercenary spyware company, would be fined for hacking WhatsApp servers in order to spy on millions of Americans. On May 6, the jurors gave their decision: NSO Group’s flagrant violation of the law would cost it $444,719 in statutory damages and $167.25 million in punitive damages, striking a major blow to the infamous company.

This trial concludes the sentencing portion of the historic ruling that NSO Group’s actions violated the Computer Fraud and Abuse Act (“CFAA”), the California Comprehensive Data Access and Fraud Act (“CDAFA”), and WhatsApp’s Terms of Service. In the process of targeting individual devices on behalf of its government clients, NSO Group used security vulnerabilities in the WhatsApp platform to send malicious code to WhatsApp users. NSO Group created WhatsApp accounts to identify and exploit these security vulnerabilities, then used the accounts to call various target phones; the calls passed malicious code over WhatsApp’s servers and onto the device without any action on the part of the target device’s owner. This latest ruling marks an enormous win for the journalists, activists, politicians, and everyday people whom NSO Group targets on behalf of authoritarian governments.

NSO Group’s flagship product is malicious software called Pegasus, which can infiltrate and monitor target devices and extract information with zero engagement from the target device’s owner. This infiltration is usually done by exploiting existing software, such as WhatsApp’s servers. Once on a device, Pegasus has full monitoring capabilities, such as screen recording and listening in on calls, as well as remote piloting capabilities, such as turning on microphones and cameras. These attacks are particularly invasive and difficult to combat: even tools such as end-to-end encrypted messaging services cannot protect the messages if an intelligence officer watches your screen as you type out the message.

Pegasus has reportedly been used to target thousands of people, including French President Emmanuel Macron, Dubai’s Princess Latifa, Saudi journalist Jamal Khashoggi, and many other prominent activists, academics, and journalists. In 2021, the U.S. government officially blacklisted NSO Group by placing it on the Commerce Department’s entity list and allegedly ended operational use. In 2021, EPIC submitted a Freedom of Information Act request to the FBI seeking information about its connections to NSO Group and use of Pegasus spyware. We have still not heard back.

The Northern District of California found that by transmitting its infiltration code and learning information about target devices through WhatsApp’s servers (located in California), NSO Group exceeded its authorized access of WhatsApp’s servers and breached WhatsApp’s Terms of Service. For this reason, NSO Group was liable under the CFAA, CDAFA, and for breaching contract.

History is Made

For 6 years, NSO Group tried to draw out the legal battle by evading discovery orders, working against the rule of law, and trying to exploit the legal process to ruthlessly draw out information from WhatsApp and third parties like security researchers at Citizen Lab. In the case of Apple’s nearly identical lawsuit against NSO Group, this strategy won: Apple dropped the suit to avoid exposure of its trade secrets and the integral work of its security team. However, WhatsApp and Meta at large persevered. Finally, in December of 2024, the court found not only that NSO Group violated the CFAA and CDAFA and breached its contract, but also that NSO Group flagrantly violated discovery orders to such a degree that its attorneys now face sanctions. In the face of a multi-billion-dollar company, NSO Group’s strategy to deny, deflect, and go on the offense crumpled. However, the intended victims of these mercenary spyware attacks rarely have the same capital and legal firepower backing them as do infrastructure giants like Meta.

Victims of mercenary spyware find it nearly impossible to get redress because companies like NSO Group refuse to play by the rules and operate under a government-sanctioned cloak of secrecy in the first place. There are no requirements to notify victims of spyware attacks that their devices have been compromised or surveilled. The technology is purposefully designed to operate as covertly as possible, with NSO Group’s Pegasus specifically functioning on a zero-click model that requires no input from the victim to infect the target device. It takes researchers at trust and safety teams like WhatsApp’s security team and security labs like Citizen Lab, Amnesty International, and Access Now weeks to investigate and reverse engineer these infections. Discovering both how these attacks occurred and who is behind them is increasingly critical in the wake of ongoing urgent and imminent threats to the journalists, political activists, and other persons of interest under surveillance by hostile governments. Even when victims are made aware of malicious surveillance and are able to identify the perpetrator, companies like NSO Group still run circles around victims in court by getting cases thrown out on procedural grounds.

The historic ruling that NSO Group violated the CFAA, the hundreds of pages of legal filings, and the multi-day trial in California stand to bolster individual victims’ cases. Previous lawsuits were thrown out on procedural hurdles, mostly based on NSO Group’s purported inability to litigate cases in the United States because it is established in Israel. Time and time again, NSO Group has claimed that it would be impossible to adjudicate its actions fairly in the United States, but, clearly, this is not the case. The United States has a clear interest in hearing these cases, since American telecommunications and digital infrastructure are being hacked and exploited to target individuals worldwide. NSO Group can no longer avoid accountability by arguing that venue in the United States is inconvenient. The undisputed record that exploitation of computer servers occurred in California, that WhatsApp could successfully depose NSO Group witnesses, and, finally, that NSO Group witnesses testified at trial in California demonstrates that this argument no longer holds water.

Looking Forward

WhatsApp’s victory against NSO Group is cause for celebration, but the fight cannot end here. The battle against government use of mercenary spyware continues both in the courts and by civil society on the front lines and in the policy sphere.

The Ninth Circuit recently heard oral arguments on an appeal of the dismissal, under the forum non conveniens doctrine, of El Salvadoran journalists’ case against NSO Group. During the hearing, the judges were sympathetic to the argument that the involvement of American infrastructure gave the United States, and specifically the Northern District of California, an interest in litigating the case. In fact, both the WhatsApp case and the Apple case were brought up as examples of NSO Group’s ability to conveniently litigate in the United States. EPIC submitted an amicus brief on appeal, detailing the CFAA’s extraterritorial nature. Overturning the district court’s dismissal of this case would ensure that more victims can come forward and hold NSO Group responsible for the damage it has wrought.

Additionally, there are ongoing, global policy efforts to rein in the use of mercenary spyware. Over 22 governments have signed the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, and several others have joined the Pall Mall Process to engage in multi-stakeholder conversations with civil society and leading experts. However, the recommendations of the European Parliament’s PEGA Committee Report have yet to be meaningfully implemented, despite the various spyware scandals that have occurred since its publication.

The United States remains the only country to have engaged in binding, tangible efforts to curb the proliferation of commercial spyware. In 2021, the United States placed NSO Group on the Department of Commerce’s Entity List; it has also imposed financial sanctions on Intellexa and visa restrictions on individuals involved in the proliferation of commercial spyware. Despite these precedent-setting, positive steps, the United States government has much to answer for, including the concerning use of Paragon’s Graphite spyware by the Department of Homeland Security.

Individual victims need a clear path to redress, unburdened by irrelevant procedural hurdles, and governments need to stop engaging in human rights abuses by using mercenary spyware to surveil individuals at a granular scale. The time is now to stop, drop, and roll back the use of this highly invasive and malicious software.

For immediate help if you believe you’ve been targeted using spyware, seek help from Access Now’s Security Line or Amnesty International’s Security Lab. For further resources on how to protect yourself and your devices, see Citizen Lab’s Resources and the Electronic Frontier Foundation’s Guide to Surveillance Self-Defense. If you or your organization has information about human rights abuses perpetrated with mercenary spyware, please use Freedom House’s Reporting Template to notify the appropriate government officials.

EPIC remains committed to combatting the proliferation and use of mercenary spyware.
