What Does the NSO Ruling Really Mean for the Future of Spyware Accountability?

A U.S. court bans Israeli spyware firm NSO Group from targeting WhatsApp, but slashes damages—raising questions about global accountability in cyber surveillance.

WhatsApp wins an injunction against Israeli spyware firm NSO, but a U.S. court’s reduction in damages highlights the legal system’s struggle with 21st-century cyber threats. Image: CH


Tech Desk – October 18, 2025:

A landmark U.S. federal court decision last Friday permanently barred Israeli spyware firm NSO Group from targeting WhatsApp users, concluding a six-year legal battle led by Meta. The ruling grants a permanent injunction in favor of WhatsApp—but slashes the original $168 million in damages to just $4 million. The outcome is being celebrated as a win by Meta, yet it also exposes an unsettling gap in how modern courts handle cyber surveillance cases.

While the court acknowledged that NSO’s conduct caused “irreparable harm,” Judge Phyllis Hamilton ruled it did not meet the “particularly egregious” threshold required for maximum financial penalties. The dramatic reduction raises concerns about how existing legal frameworks—largely shaped in the pre-digital era—are ill-equipped to deal with the complexities of 21st-century spyware.

“Today’s ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again,” said WhatsApp chief Will Cathcart. He emphasized the decision as a step toward accountability after years of allegations that NSO’s Pegasus spyware was used to monitor activists, journalists, and lawyers across the globe.

Filed in 2019, the lawsuit accused NSO of exploiting vulnerabilities in WhatsApp’s encrypted messaging platform to install spyware on users' phones without their knowledge. Meta argued that NSO reverse-engineered WhatsApp’s code, bypassed security updates, and orchestrated a covert cyberespionage campaign. The judge accepted that the firm caused significant harm—but found no precedent for applying full punitive damages in a mobile-era surveillance case.

This legal ambiguity is emblematic of a broader challenge: existing U.S. and international legal systems are struggling to keep pace with the rise of commercial spyware. The ruling, while setting a new precedent for banning surveillance firms from targeting specific platforms, also suggests that without stronger digital privacy laws or multilateral regulation, spyware vendors may continue to operate in the gray areas of legality.

Notably, the decision coincides with TechCrunch’s report that a U.S.-based investment group recently acquired a controlling interest in NSO. The timing has sparked speculation about whether this move signals a strategic repositioning for the embattled company, potentially aiming to soften regulatory scrutiny under new American ownership.

Founded in 2010 and headquartered in Herzliya, near Tel Aviv, NSO is notorious for its Pegasus spyware, which has been linked to surveillance abuses in multiple countries. The firm continues to insist that its tools are licensed only to government clients for legitimate counterterrorism and criminal investigations. Yet independent investigations, including the Pegasus Project, have documented extensive misuse of its technology.

Although Meta and privacy advocates are celebrating this ruling as a breakthrough, it stops short of delivering the kind of deterrent that may be needed to curtail future abuses. In an era where spyware can be deployed remotely, silently, and at scale, the legal bar for what counts as "egregious" may need to be urgently redefined.

Without clear legal standards or international enforcement mechanisms, this ruling—while meaningful—may be more precedent than punishment.
