U.S. Jury Hits NSO Group with $168 Million in WhatsApp Spyware Case

San Francisco, CA – May 2025
An American jury has ordered Israeli surveillance technology firm NSO Group to pay over $167 million in punitive damages, alongside $444,719 in compensatory damages, to WhatsApp over the unlawful use of its Pegasus spyware to target users of the encrypted messaging platform.

The verdict, delivered Tuesday by a federal jury in the Northern District of California, marks a watershed moment in efforts to hold spyware vendors accountable for digital intrusion and privacy violations.

The case dates back to October 2019, when WhatsApp, owned by Meta, filed a complaint accusing NSO of sending malicious code to approximately 1,400 mobile devices via WhatsApp servers. The company alleged that this covert surveillance violated both federal and state anti-hacking laws, specifically the Computer Fraud and Abuse Act (CFAA) and its California counterpart, the California Comprehensive Data Access and Fraud Act (CDAFA).

In its defense, NSO claimed its Pegasus spyware was sold exclusively to government agencies for legitimate national security purposes, including combating terrorism and crime. NSO further argued it bore no responsibility for how its clients deployed the tool. However, the court rejected these arguments in a December 2024 ruling, stating that NSO had violated sections of both the CFAA and CDAFA related to unauthorized access and fraudulent use of protected systems.

Critically, the court also invoked Section (b) of the CFAA, which assigns liability to co-conspirators, effectively rejecting NSO’s claims that end users—not the company—were solely responsible for the misuse of Pegasus.

Following the jury’s decision, Meta issued a public statement via its website, describing the ruling as “a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”

Amnesty International welcomed the ruling, expressing hope that it would “deter the spyware industry, its investors and its government customers worldwide.”

In response, NSO said in a statement that it would “carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal.”

Pegasus spyware has become synonymous with digital repression. Investigations by The Pegasus Project and human rights groups have linked the tool to targeted surveillance of journalists, opposition leaders, and civil society actors in countries including Morocco, Thailand, and Serbia. The spyware, once installed, grants full access to a device’s camera, microphone, messages, and stored credentials—often without the user’s knowledge.

The NSO ruling has intensified calls for international regulation of commercial spyware vendors. In 2023, the Biden administration blacklisted NSO Group, and digital rights organizations continue to push for broader global action against companies enabling unlawful surveillance.

This article draws on reporting by Lowri Thomas for Jurist (New York University School of Law), public court filings, and official statements by Meta and Amnesty International.

