A U.S. federal judge ordered Israeli surveillance company NSO Group to immediately stop using or developing technology that targets WhatsApp or its users. The decision marks another major setback for NSO after years of legal battles over its Pegasus spyware, which security experts linked to extensive global surveillance campaigns against journalists, activists, and diplomats.
The ruling, issued late Friday, follows a 2019 lawsuit filed by Meta Platforms Inc., the parent company of WhatsApp. The social media giant accused NSO of exploiting a vulnerability that allowed attackers to install Pegasus on nearly 1,400 mobile devices worldwide, enabling unauthorized surveillance.
While the court reaffirmed NSO’s liability, it reduced the overall damages that Meta sought, acknowledging jurisdictional limits on certain international claims. Even so, the injunction imposes strict conditions that effectively ban NSO from using WhatsApp’s infrastructure for any purpose.
Meta’s Lawsuit and Pegasus Allegations
In 2019, WhatsApp engineers detected unusual activity on their servers. They found that NSO’s Pegasus spyware had exploited WhatsApp’s video call feature to infect devices without user interaction. Through that exploit, attackers could access messages, cameras, microphones, and stored data.
Meta sued NSO under the Computer Fraud and Abuse Act, arguing that the company’s unauthorized use of WhatsApp servers constituted illegal hacking. The case quickly became a landmark in defining accountability for private surveillance firms operating across borders.
During hearings, Meta’s lawyers emphasized that NSO’s tools violated both privacy rights and international law. The company claimed the attacks undermined user trust in secure communications and put human rights defenders at risk.
The Court’s Decision and Its Broader Significance
Judge Phyllis Hamilton of the U.S. District Court for the Northern District of California ruled that NSO cannot invoke sovereign immunity a defense typically reserved for state actors. That decision built upon earlier appellate court findings that rejected NSO’s claim that it acted on behalf of foreign governments.
In her written opinion, Judge Hamilton noted that “private surveillance entities cannot shield themselves from accountability by asserting government affiliation when operating for profit.” She further stated that the injunction aims to prevent future misuse of encrypted communication platforms.
Although the court reduced potential monetary damages, the prohibition on NSO’s use of WhatsApp data serves as a powerful deterrent for similar firms. Legal observers believe the ruling could shape how international law treats spyware vendors that sell tools to foreign governments.
NSO’s Response and Ongoing Controversy
In a statement issued through its spokesperson, NSO expressed disappointment but vowed to comply with the injunction while continuing to “engage with regulators to ensure lawful use of its technology.” The company reiterated that its software is designed exclusively for counterterrorism and law enforcement purposes.
However, multiple investigations, including those by Citizen Lab and Amnesty International, have repeatedly linked Pegasus deployments to the targeting of civil society figures. Reports revealed infections on devices belonging to journalists, human rights lawyers, and opposition politicians across dozens of countries.
The U.S. government previously blacklisted NSO in 2021, placing it on the Commerce Department’s Entity List a designation that restricts its access to U.S. technology exports. That move severely curtailed NSO’s operations and prompted several of its investors to withdraw.
Implications for Privacy and Global Surveillance Regulation
The verdict represents more than a corporate setback; it underscores a growing shift toward judicial accountability in the digital surveillance market. By limiting NSO’s ability to interact with encrypted platforms, U.S. courts have drawn a clearer boundary between legitimate law enforcement use and commercial espionage.
Privacy experts argue that the decision will influence other cases involving government spyware procurement, forcing regulators to demand stricter transparency. Furthermore, it amplifies global momentum for regulating offensive cybersecurity exports under frameworks similar to arms control treaties.
As governments increasingly purchase intrusive surveillance tools, legal scrutiny of private spyware vendors will likely intensify. The NSO case demonstrates that even state-aligned firms must adhere to international privacy and human rights standards.
Expert and Industry Reactions
Cybersecurity analysts welcomed the decision, calling it a rare instance of a private company successfully challenging a state-linked spyware vendor in court. Researchers at Citizen Lab said the ruling “affirms the principle that digital rights cannot be traded under the guise of counterterrorism.”
At the same time, privacy advocates urged further action. Organizations such as the Electronic Frontier Foundation (EFF) argued that injunctions alone are insufficient without global coordination on surveillance oversight.
They recommend new treaties defining legal limits for spyware exports and mandatory transparency reports for developers. Meanwhile, legal experts predict that the case will influence ongoing lawsuits filed by Apple and Google against surveillance software vendors accused of similar exploits.
FAQs
Q1. What is the NSO Group?
NSO Group is an Israeli cybersecurity company best known for developing Pegasus, a spyware platform that can infiltrate smartphones and extract data remotely.
Q2. What was the basis of WhatsApp’s lawsuit?
Meta, WhatsApp’s parent company, alleged that NSO used WhatsApp servers to deploy Pegasus spyware against users, violating U.S. anti-hacking laws.
Q3. Did the court impose financial penalties on NSO?
Yes, but the court reduced the damages while maintaining the ruling that NSO unlawfully targeted WhatsApp’s infrastructure.
Q4. How does this decision affect NSO’s future operations?
The injunction prevents NSO from accessing or developing tools that target WhatsApp. It also strengthens restrictions resulting from the U.S. government’s 2021 export ban.
Q5. Why does this ruling matter globally?
The case sets a precedent that commercial spyware companies cannot hide behind claims of sovereign immunity when their technology violates privacy rights and international law.
One thought on “NSO Group Loses U.S. Court Case on WhatsApp Hacking Claims”