For years, NSO Group’s notorious Pegasus software program has allowed foreign governments to spy on U.S. diplomats, target journalists, and endanger human rights activists around the world. Efforts to hold the company accountable in U.S. courts have proved a mixed bag, with some cases dismissed on procedural grounds without addressing the merits of NSO’s conduct.

But recent developments in a case brought by WhatsApp (which is owned by Meta), including a ruling that NSO was liable for hacking and breach of contract, show the weaknesses of the company’s position. Because this is the first time any commercial spyware company has been held accountable in U.S. courts, WhatsApp’s victory opens the door for future litigation aimed at holding spyware companies to account. And it sends an important message: despite NSO’s best efforts, it cannot keep evading accountability.

NSO’s Connections to the United States

NSO long argued that U.S. courts should dismiss cases brought against it because its spyware is used only by foreign governments to target foreign victims, and because the company has negligible connections to the United States. To exercise jurisdiction over a defendant, courts require sufficient ties to the forum where the lawsuit is filed so that the defendant has reasonable notice that they may be sued there.

Courts have been divided over whether NSO has sufficient connections to the United States to justify U.S. jurisdiction over the company. NSO has been subject to several lawsuits concerning its Pegasus spyware, which allows users to access a smartphone’s messages, contacts, search history, location data, and more – even giving users the ability to turn on the target device’s microphone and camera. But new records released in November 2024 through the WhatsApp lawsuit revealed that NSO uses U.S.-based technology to infect targets’ phones. Based on that evidence, the court recently concluded that NSO was subject to U.S. jurisdiction. The court proceeded to find NSO liable for violating the Computer Fraud and Abuse Act, California Comprehensive Computer Data Access and Fraud Act, and WhatsApp’s terms of service. The case will proceed to trial on damages in March 2025.

WhatsApp’s lawsuit, which was filed in 2019, alleges that Pegasus was used to target the phones of WhatsApp users, including journalists, human rights activists, and diplomats. NSO created several “exploits” that deploy Pegasus by using WhatsApp’s servers – and the newly released records support long-held suspicions that many of these servers targeted by Pegasus are located in the United States, including in California, where most lawsuits against NSO have been filed. During one ten-day period in May 2019, NSO accessed WhatsApp’s U.S.-based relay servers at least 176 times – including accessing California-based relay servers 43 times – according to a WhatsApp brief that describes the servers used by Pegasus. NSO itself leased a third-party server, which WhatsApp claims was based in California and used in over 700 messages sent through WhatsApp’s servers to install Pegasus.

The release of these records undermined NSO’s arguments that as a foreign company, it should not be forced to litigate in U.S. courts. The court in the WhatsApp case rejected these exact arguments last month, finding that NSO was subject to jurisdiction in California because NSO, by accessing WhatsApp servers, “caused a digital transmission to enter California, which then effectuated a breaking and entering of a server in California.” In WhatsApp’s case, as well as a lawsuit filed by Apple, a California federal district court similarly rejected NSO’s forum non conveniens (“inconvenient forum”) arguments. Forum non conveniens doctrine states that a U.S. court can dismiss a case if it finds that another country or court would provide a more appropriate forum to hear the case. The court hearing a case filed by journalists from the Salvadoran newspaper El Faro, however, dismissed their suit based on forum non conveniens, finding their claims to be “entirely foreign.” (The Knight First Amendment Institute at Columbia University, where I work, represents the plaintiffs.) A Virginia court dismissed, on similar jurisdictional grounds, a suit brought by the widow of journalist Jamal Khashoggi, who alleged that she was targeted by Pegasus before her husband’s 2018 murder in Saudi Arabia’s consulate in Istanbul, Turkey. This case is now on appeal, and the ruling in WhatsApp’s case may strengthen Khashoggi’s jurisdictional arguments if Khashoggi can similarly show that NSO purposefully targeted servers in Virginia.

Legal Accountability for NSO’s Conduct

NSO’s strategy is clear: it desperately wants to avoid U.S. litigation because it realizes that other countries are unlikely to hold it accountable. Although NSO has been investigated in other countries – including the United Kingdom and Spain – no other court has held NSO legally accountable. For plaintiffs like the El Faro journalists, bringing a lawsuit in their home country is likely futile due to widespread corruption. And suing NSO in Israel, its home country, is not a likely scenario given that Israel’s government has tried to frustrate WhatsApp’s lawsuit by seizing key documents related to the case. Israel also retains strict control over the approval of Pegasus licenses, often using the spyware as political leverage for its diplomatic efforts.

The importance of holding spyware companies accountable through U.S. courts has become even more urgent as experts raise concerns that the Trump administration will undo progress in regulating commercial spyware. The Biden administration took steps to prevent the proliferation of spyware used by regimes to suppress free speech and other human rights. For example, the Department of Commerce in 2021 added NSO to its “Entity List” – an export control regime aimed at preventing the proliferation of dangerous weapons that compromise U.S. national security. And in May 2023, President Joe Biden issued an executive order prohibiting federal agencies from using spyware that has enabled human rights abuses. When Trump takes office, advocates worry that his administration will abandon the national security and human rights concerns underlying the Biden administration’s anti-spyware campaign.

NSO hopes this is true. Last year, the company spent over a million dollars lobbying Congress to reverse its blacklisting and rehabilitate its troubled reputation. Framing Pegasus as an essential tool in the war in Gaza, NSO has met with several Republican members of Congress to make its case. If NSO’s lobbying efforts are successful, it would be a major blow to the progress made so far in regulating commercial spyware.

Allowing cases against spyware manufacturers to proceed in the United States would be a significant step forward in confronting technology that has been used to target journalists, U.S. diplomats, and human rights defenders. Courts should not be reluctant to hold transnational actors responsible for abusing spyware, especially as the American judicial system may be the only way to hold them responsible at all.

IMAGE: A photographic illustration shows a mobile phone near the NSO Group company logo on Feb. 9, 2022, in the Israeli city of Netanya. (Photo by JACK GUEZ/AFP via Getty Images)