Lifting NSO's Entity-List Blacklist Would Reward a Company Still Being Sued for Hacking Americans' Phones

Trump's spyware thaw has reached Intellexa and Paragon. NSO wants in next — but the evidence that justified its 2021 blacklisting has only grown.

[Infographic: "NSO Group: The Evidence Behind the Blacklist" (People of Internet Research)]

On May 19, 2026, NPR reported that the Trump administration has begun dismantling the Biden-era guardrails on commercial spyware. The Treasury Department lifted sanctions on three executives tied to Intellexa, maker of the Predator spyware, and U.S. Immigration and Customs Enforcement revived a paused contract with Paragon Solutions, the Israeli firm behind the Graphite tool. Privacy advocates read the moves as a prelude: the next domino could be NSO Group, the Israeli maker of Pegasus, which has spent years and millions lobbying to get off the U.S. Commerce Department's Entity List.

That would be a mistake — and not because the open internet has no room for lawful surveillance. It is because the specific evidence that put NSO on the blacklist in 2021 has not dissipated. It has accumulated, in a U.S. federal courtroom, under oath.

The case for letting NSO back in

Start with the strongest version of NSO's argument, because it is not frivolous. Targeted, court-authorized interception of communications is a legitimate function of any democratic state, and the spread of end-to-end encryption has genuinely narrowed law enforcement's lawful-access options. NSO's new executive chairman, David Friedman — Trump's former ambassador to Israel, appointed in November 2025 — told the press the company should be considered for any contract that "might keep Americans safer." The firm argues its tools serve "legitimate and necessary" functions, that it now runs human-rights compliance frameworks, and that it has joined the multinational Pall Mall Process on spyware norms. A blanket export blacklist, NSO says, is a political instrument that punishes an entire category of technology for the misconduct of some customers.

There is a real principle buried here. People of Internet has consistently argued that regulation should be proportionate and evidence-based, and that you do not ban a tool because it can be misused. Encryption itself survives on exactly that logic.

Why the evidence cuts the other way

The problem is that the Entity List is not a ban on a tool. It is a targeted, evidence-based export control on a specific company, and NSO is the rare case where the misuse is not hypothetical — it has been litigated to a verdict. In November 2021, the Commerce Department added NSO and fellow Israeli firm Candiru to the Entity List, finding they "developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." That is not a category-wide indictment of interception technology. It is a finding about one firm's conduct.

Then came the courtroom. In WhatsApp v. NSO Group, a U.S. District Court in California found NSO liable in late 2024 for exploiting a zero-click vulnerability to deliver Pegasus to roughly 1,400 WhatsApp users — among them journalists and human-rights defenders. In May 2025 a jury awarded about $168 million. Judge Phyllis Hamilton, on October 17, slashed the punitive damages to just over $4 million as constitutionally excessive, but she left the liability finding intact and entered a permanent injunction barring NSO from targeting WhatsApp. The case is now before the Ninth Circuit (No. 25-7380), where NSO's appeal is being met by amicus briefs from the Knight First Amendment Institute, Access Now, and roughly a dozen civil-society groups urging the court to keep the injunction.

This is the inconvenient fact for the lift-the-blacklist campaign: a U.S. court has already concluded that NSO broke U.S. anti-hacking law against U.S. platform users. Delisting now would have the federal government rehabilitating a company that the federal judiciary has enjoined.

Proportionality runs both directions

Proportionate regulation is not the same as light-touch regulation. The Entity List is, in fact, the proportionate instrument — narrower than sanctions, narrower than a criminal referral, reversible if a firm genuinely reforms. It restricts U.S. technology exports to a named entity without outlawing the underlying market. Paragon and even the Intellexa executives can argue their slate is comparatively clean; NSO cannot, because its record is now a matter of public docket.

NSO has spent at least $7.6 million on Washington lobbying between 2020 and 2024 and retained more than fifteen firms, according to Tech Policy Press. That is the company's right. But the case for delisting rests on NSO's word that it has reformed, set against a court's finding that it has not stopped. WhatsApp returned to court in June 2026 seeking contempt, alleging continued Pegasus activity despite the injunction — the opposite of a company that has turned the page.

The open-internet stake

For a publication that defends both innovation and free expression, this is not a hard call. Zero-click exploits that silently break end-to-end encryption to read a journalist's messages are not a neutral law-enforcement utility; they corrode the security guarantees that make the open internet usable for dissidents, reporters, and ordinary users alike. Defending a thriving tech sector means defending the encryption that sector ships — and that means keeping evidence-based export controls trained on firms credibly shown to be attacking it.

The administration is entitled to revisit Biden-era spyware policy, and some of it deserves scrutiny. But the Entity List is the one tool here that is genuinely targeted, genuinely reversible, and genuinely earned. NSO can get off it the proportionate way: by demonstrably ending the conduct a U.S. court has already found unlawful, not by hiring the right lobbyists. Until the litigation says otherwise, lifting the listing would not be deregulation. It would be impunity.

Sources & Citations

  1. NPR (via WAMC) — How the U.S. government uses spyware
  2. U.S. Commerce/BIS — NSO added to Entity List (Nov 2021)
  3. Knight First Amendment Institute — WhatsApp v. NSO Group docket
  4. SecurityWeek — NSO injunction, damages cut to $4M
  5. Tech Policy Press — Will NSO's US lobbying pay off under Trump?