Unpacking WhatsApp’s Legal Triumph Over NSO Group

How precedent-setting is it?

WhatsApp icon (Credit: Christoph Scholz; CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/)

Santa came early for Meta. On Dec. 20, 2024, the U.S. District Court for the Northern District of California handed down a decisive legal win for the tech giant’s subsidiary, the messaging service WhatsApp, in its long-running battle against NSO Group, the embattled Israeli spyware maker. The court ruled that NSO had violated both U.S. and California anti-hacking laws and breached WhatsApp’s terms of service by deploying the Pegasus spyware on WhatsApp’s servers.

The decision has been hailed as “historic,” “a landmark,” and “precedent-setting.” Will Cathcart, head of WhatsApp, framed the ruling as a pivotal moment and “a huge win for privacy.” Echoing this sentiment, Meta spokesperson Emily Westcott emphasized the broader impact of the decision: “With this ruling, spyware companies should be on notice that their illegal actions will not be tolerated.” The celebration extended beyond Meta to human rights advocates, like John Scott-Railton of CitizenLab, who noted that this “most-watched case” will have useful “chilling effects” on the industry. Natalia Krapiva, senior tech legal counsel at Access Now, underscored the human dimension of the victory, noting it was a major win “not just for WhatsApp, whose servers were targeted by NSO, but for hundreds of victims around the world whose lives have been destroyed by Pegasus and other spyware.”

The once-mighty NSO Group, valued at $1 billion at its peak, has plummeted into financial and reputational ruin. Consulting firms have even deemed the spyware maker “valueless,” with investors losing “substantially all [of the] investment” they poured into the company. The Pegasus scandal unleashed a tidal wave of sanctions, lawsuits, and even a Committee of Inquiry at the European Parliament. Yet, despite overwhelming public backlash, the company has refused to fade quietly into obscurity. In January 2024, for example, NSO Group was actively working to regain its foothold, spending millions in lobbying efforts on Capitol Hill. With the impending inauguration of Donald Trump, whose administration is expected by some to reverse Biden’s aggressive campaign to curb the proliferation of commercial spyware, NSO may be positioning itself for a comeback.

A trial on the question of damages, set to begin in March, could theoretically deliver a fatal blow. But even if the court orders an exorbitant payout, a larger question looms: Is the decision truly a turning point in the fight against spyware abuses, as it is now being portrayed, or merely a victory on paper? It certainly feels good when a company as terrible as NSO Group loses in court, and I don’t diminish the symbolism that the loss brings with it. But what is the legal precedent the case offers litigants moving forward? I believe it is rather limited. The court’s reliance on evidentiary sanctions, coupled with its refusal to address critical legal ambiguities, undermines the ruling’s broader significance.

The Anatomy of a Five-Year Battle

While the ruling this past December may feel like the culmination of a single lawsuit, the truth is that the case—and the broader reckoning for NSO Group—was years in the making. The 2021 Pegasus Project, a bombshell investigation by an international journalism consortium called Forbidden Stories, revealed the vast scope of NSO Group’s spyware, including its use against dissidents, journalists, and even world leaders. Subsequent reports tied Pegasus to even more headline-making stories, from journalist Jamal Khashoggi’s murder to the ruler of Dubai spying on his ex-wife. These revelations have led to dozens of court cases and criminal investigations around the world, from the U.K. to Colombia to Thailand to Poland. Even in Israel, an ultimately unsuccessful case was brought to revoke the company’s export license, and debates made their way to the Knesset Interior Security Committee.

In November 2021, the U.S. Commerce Department placed NSO Group on its Entity List, severely restricting its access to U.S. technology and business. In February 2024, the State Department announced a new policy, which it implemented for the first time in April, to impose visa restrictions on individuals involved in misuse of commercial spyware. As Mailyn Fidler has written, these actions by the Biden administration have sent a “strong political signal that the government regards this issue as a national security problem.”

WhatsApp’s legal case against NSO Group stood out from the start, given the plaintiff’s immense scale and resources. As former UN Special Rapporteur on Freedom of Opinion and Expression David Kaye has said, the company’s suit was “bolstered by a sound legal strategy” and a “track record of wins.” In May 2019, WhatsApp uncovered a vulnerability in its app’s VoIP stack (CVE-2019-3568) that NSO exploited to deliver Pegasus to users of the chat-app across all major operating systems, Android, iOS, and Windows. WhatsApp promptly patched the issue, but the attack impacted approximately 1,400 mobile devices. Targets included an array of journalists, human rights activists, and dissidents—hardly the “terrorists and criminals” that NSO claims to pursue. On Oct. 29, 2019, and long before the Forbidden Stories revelations made NSO Group a household name, WhatsApp filed its lawsuit.

NSO Group, for its part, mounted a creative—though futile—defense. The company asserted sovereign immunity under the Foreign Sovereign Immunities Act (FSIA), arguing it acted as an agent of foreign governments. The court was unimpressed. On Nov. 8, 2021, the U.S. Court of Appeals for the Ninth Circuit ruled what should have been clear from the beginning: that private companies cannot cloak themselves in sovereign immunity merely because their clients happen to be states. In January 2023, the U.S. Supreme Court dismissed NSO Group’s appeal on the immunities question.

But WhatsApp’s unique legal strategy and track record of wins, as Kaye described it, did not stop there. A critical component of WhatsApp’s approach was targeting NSO Group’s Achilles’ heel: the shroud of confidentiality on which its entire business depends. As Sophia Cope, senior staff attorney at the Electronic Frontier Foundation, explained, the number one thing that “NSO Group and companies like it [are] selling is secrecy. So, if lawsuits are successful at chipping away at that, that could change the calculus for this type of spyware and the popularity of it overall.” WhatsApp spent most of 2023 and 2024 battling motions for protective orders that would have shielded NSO Group from complying with discovery obligations due to various claimed restrictions under both U.S. and Israeli law. WhatsApp was also fighting attempts by NSO Group to weaponize discovery against it, seeking to publicize its communications with Canadian research laboratory Citizen Lab as well as WhatsApp’s own communications relating to its internal investigations. This strategy had worked for NSO Group in the past. In September 2024, Apple dropped a parallel suit against NSO Group, similar to WhatsApp’s, reasoning that mandated disclosures could force Apple to reveal its own security posture and “hamper its efforts to fight spyware.”

District Judge Phyllis Hamilton, however, sided with WhatsApp. While limiting the scope of disclosures the company was obligated to provide, she repeatedly declined to grant NSO Group a blanket order excusing it from all discovery. On Feb. 23, 2024, in a seven-page order, Hamilton compelled NSO Group to disclose “information sufficient to show the full functionality” of its spyware for a period of “one year before the alleged attack to one year after the alleged attack.” She did reject a separate call for NSO Group to disclose “the identities of their third-party clients” or “information regarding the server architecture” NSO Group used.

What Precedent Does the Case Set?

This brings us to the December decision. Between February and December, NSO Group did everything it could to stall, delay, and evade complying with the order. It filed endless motions, which the court repeatedly rejected while making explicit the need to provide the full Pegasus source code in a way that is accessible and viewable from within the United States. According to one report, Israeli officials assisted NSO Group by seizing certain Pegasus-related documents and computers to further block the company’s ability to comply with the order. NSO Group also failed to produce internal communications about WhatsApp’s vulnerabilities, as well as certain financial information that it was required to provide.

The December ruling concerned WhatsApp’s request for sanctions, seeking terminating sanctions (resulting in an immediate default judgment against NSO Group) or, in the alternative, evidentiary sanctions (restrictions on NSO’s ability to present or challenge evidence). While Judge Hamilton noted that “terminating sanctions may be reasonably warranted” given the noncompliance, she ultimately declined to issue “such a harsh sanction” and imposed only evidentiary sanctions. These evidentiary sanctions allowed the court to rule against NSO Group on each of the underlying claims, but in a way that limits the precedent-setting effect of the ruling overall.

Take personal jurisdiction as an example. Previous cases against spyware companies, including the one brought against NSO Group by Jamal Khashoggi’s widow, were dismissed on grounds of a lack of personal jurisdiction and forum non conveniens (typically finding that the licensing country is a more appropriate forum for hearing the dispute). In order to find personal jurisdiction in WhatsApp’s case, the court needed to be persuaded that NSO Group purposefully directed conduct at the state of California, meaning that it committed an intentional act, expressly aimed at California residents, that caused harm that the defendant knew was likely to be suffered in California. But the Pegasus spyware, while it may have moved through servers located in California, ultimately targeted devices and thereby produced harm in other jurisdictions. As such, there was a legal question pending as to the best way to interpret the “purposeful direction” test in these circumstances.

By issuing evidentiary sanctions, Judge Hamilton skirted the need to resolve this issue in full. Since WhatsApp was unable to obtain detailed evidence as to the “installation vectors” surrounding Pegasus selection and traversal through WhatsApp’s servers, “an evidentiary sanction is warranted such that the court will conclude the use of plaintiffs’ California-based servers was a purposeful choice.”

Another example concerns the breach of contract claims. These claims were based on a violation of WhatsApp’s terms of service, specifically the provisions prohibiting users from “reverse-engineering” WhatsApp products and from using WhatsApp to send “harmful code” and collect user information. NSO Group claimed that WhatsApp had presented no evidence that the two companies entered into a contract by NSO agreeing to its terms of service, or that NSO reverse-engineered WhatsApp products. It claimed that the term “harmful” was “vague” and that only Pegasus clients, not NSO itself, collected user information. Once again, the court did not need to resolve many of these legal and factual disputes. Since NSO Group “withheld evidence regarding their agreement to the terms of service … [and since they] offer no plausible explanation for how they could have gained access to the software without agreeing to the terms of service,” the court concluded that a contract was established and was breached.

While the ruling represents a symbolic victory for WhatsApp, its broader legal impact is limited by the nature of the evidentiary sanctions imposed. Rather than resolving key legal ambiguities—such as the scope of personal jurisdiction over spyware companies or the substantive interpretation of contractual breaches—the court sidestepped these issues by relying on NSO’s uniquely egregious failure to produce evidence. This approach—while effective in sending a message to companies like NSO Group that ignoring discovery orders is a failed strategy—does little to establish a substantive precedent that could guide future spyware litigants or courts.

Implications for the Computer Fraud and Abuse Act

Particular attention should be given to the primary federal anti-hacking statute, the Computer Fraud and Abuse Act (CFAA), since here the court did not rely on evidentiary sanctions to reach its conclusion. WhatsApp argued for violations of 18 U.S.C. §§ 1030(a)(2) and (a)(4) and parallel provisions under California law. NSO Group made a simple claim in response: If all WhatsApp users are authorized to send messages, NSO Group did not act “without authorization” by sending its own messages through WhatsApp’s servers even though the messages contained spyware. The court agreed.

It next examined WhatsApp’s alternative theory of liability: that NSO Group violated the CFAA by “exceeding authorization.” Section 1030(e)(6) defines the term as the use of authorized access to a computer in order “to obtain and alter information in the computer that the accessor is not entitled to obtain or alter.” NSO Group accessed WhatsApp’s servers with authorization, no question. It then used that access to install spyware on target devices and obtain information from them. Typically § 1030(e)(6) applies where someone accesses a computer and uses that computer to obtain information they are not entitled to obtain. Here, however, the information was obtained not from computers owned by WhatsApp as the plaintiff but, rather, from mobile devices owned by the victims. Is that an appropriate reading of § 1030(e)(6)? WhatsApp thought so, citing § (a)(2) itself and focusing on the word “any” in the phrase “from any protected computer” to suggest that the drafters intended an expansive understanding of the category of possible targeted devices. NSO Group disagreed, citing the traditional reading.

This mirrors an issue raised in Apple’s 2021 lawsuit against NSO Group mentioned above, which I discussed on the Lawfare podcast with Orin Kerr and Alan Rozenshtein. “What is novel about this, and I think probably just wrong as a matter of law,” Kerr said, is for a company to sue under the CFAA (and its equivalent California statute) for “hacking of devices that they do not own, but at most could only have a general commercial interest in.” Kerr, arguably the leading expert on the CFAA, clearly thought the narrow reading of § 1030(e)(6) should apply. In alignment with NSO Group’s argument, he reasoned that if all the information was obtained from the target users’ devices, and not from the plaintiff’s servers, then that plaintiff has no ground to sue under the CFAA. The only individuals who can sue under the CFAA are the owners of the targeted devices themselves, the victims.

The court declined to resolve this dispute—which it deemed “semantic”—further calling out the fact that neither party cited “any case law, either controlling or even persuasive, with a definitive answer to this statutory interpretation question.” Instead, it noted that in prior hearings it was revealed that NSO Group did obtain certain information from the WhatsApp servers directly, such as information about the target users’ devices, operating systems, and location of certain memory files. As such, data was obtained from WhatsApp servers that NSO was not entitled to obtain, triggering WhatsApp’s right to sue under the CFAA and making the novel legal question moot.

What made the WhatsApp and Apple cases particularly interesting, from a legal standpoint—the underlying issue of whether tech giants should be allowed to act as public defenders of their users’ devices under the CFAA—remains unresolved. Kerr’s skeptical position continues to loom in the background. In this sense, framing this case as a legal landmark may, again, be overstated.

Moving Forward: No Alternative to Multilateralism

I have always thought, and continue to think, like others, that “there’s a role for litigation and the justice system as one of those lines of change” for spyware regulation. But as I have also argued, unilateral ad hoc litigation by tech giants or victims cannot and will not offer a comprehensive solution to the spyware problem. Apple dropping its case against NSO Group, months before the WhatsApp win, offers just one point of evidence of the limitations of a litigation-focused strategy. Such a strategy is resource intensive, time consuming, and venue specific, thereby producing a debatable degree of deterrence against an extremely resilient industry. This was exactly what Apple told the court when it sought its motion for voluntary dismissal: citing to a “growing number of different spyware companies,” Apple admitted that “even complete victory in this suit will no longer have the same impact as it would have had in 2021.” This is because other spyware companies unaffiliated with NSO Group “would be unaffected by the suit and able to continue their destructive tactics.”

So what else, if not litigation? As I have said elsewhere, the utility of lawful hacking tools by law enforcement is undisputed, as are the harms that unrestricted proliferation of spyware is producing on democracy, victim communities, and human rights. Given that it is enough for one country to offer a licensing safe haven for abusive companies to flourish, the only real solution for spyware regulation is a multilateral international framework centered around the procurement powers of its core members. Such a framework, as I have defended, could introduce meaningful and enforceable guardrails along the full supply chain of surveillance technologies, from their development to their deployment.

In March 2024, during the Third Summit for Democracy in Seoul, dozens of global leaders reaffirmed their commitment to countering the misuse of surveillance technologies, emphasizing the need for collective action to uphold democratic values. Sadly, experts currently predict a relaxation of cybersecurity regulations and a diminished emphasis on human rights concerns with Trump’s return to the White House. Even if we lose U.S. leadership in the fight for collective responses to spyware regulation, the fight must go on. In this context, initiatives like the Pall Mall Process, launched by the U.K. and France to address the proliferation and irresponsible use of commercial cyber intrusion capabilities, become even more vital. Other countries should step into the void that a U.S. withdrawal is likely to generate in prioritizing and supporting such global frameworks. Collaborative international action remains the most viable path to addressing the complex challenges posed by the misuse of surveillance technologies.

Asaf Lubin is an Associate Professor of Law at Indiana University Maurer School of Law, a Fellow at the Center for Applied Cybersecurity Research at Indiana University, an Affiliated Fellow at the Information Society Project at Yale Law School, and a Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard University.

Published courtesy of Lawfare.


©2025 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.