On May 20, 2026, Access Now led ten civil society organizations — including the Committee to Protect Journalists and the Center for Democracy and Technology — in filing an amicus brief with the U.S. Ninth Circuit Court of Appeals in WhatsApp LLC v. NSO Group Technologies (No. 25-7380). The brief urges the court to uphold Judge Phyllis Hamilton's October 17, 2025 permanent injunction, which bars the Israeli vendor from targeting WhatsApp users with Pegasus or any successor product. The Knight First Amendment Institute filed a parallel amicus the same day.
The procedural posture matters. NSO filed its opening appellate brief on February 11, 2026; WhatsApp answered on May 13. The Ninth Circuit will now decide whether the district court correctly applied the Computer Fraud and Abuse Act ("CFAA") and California's state analog to a foreign vendor whose servers and operators never touched U.S. soil — but whose exploit payload moved through WhatsApp's California-hosted infrastructure to reach roughly 1,400 user devices across about twenty countries in 2019.
A narrow remedy after six years
The litigation has been historically slow. WhatsApp filed in October 2019; the district court entered summary judgment on CFAA and breach-of-contract grounds in late 2024; a jury awarded $167.3 million in punitive damages in May 2025; and Hamilton then capped that figure at roughly $4 million in October 2025 to keep the punitive-to-compensatory ratio inside State Farm v. Campbell's 9-to-1 ceiling.
Critically, Hamilton's injunction is narrower than its detractors usually admit. It binds NSO Group itself — not its government customers, and not other Meta products. Customers can still buy Pegasus; they just cannot use it against WhatsApp. The remedy is a corporate-conduct order against a private vendor whose product was used to commit a federal computer-crime tort. It is not a global ban on lawful intercept.
Why encryption is the real stake
Pegasus is not "wiretapping" in any traditional sense. It is a zero-click implant that hijacks a device's operating system to read messages after they have been decrypted on the endpoint, which sidesteps the protection that WhatsApp's Signal-Protocol end-to-end encryption is designed to provide. As Citizen Lab and Access Now documented in their May 2024 joint investigation of Russian- and Belarusian-speaking exile journalists in Latvia, Lithuania, and Poland, targets typically learn they were compromised only when Apple's threat notifications arrive months later. Five of seven new targets in that investigation were not just targeted but successfully infected.
That is the structural problem the Ninth Circuit panel has to weigh. End-to-end encryption is the closest thing the open internet has to a single-stack security primitive — banks, hospitals, journalists, and government employees all depend on it. A commercial vendor that successfully commoditizes endpoint-level circumvention does not just hurt the 1,400 people NSO targeted in 2019. It lowers the cost of mass surveillance for every authoritarian customer and degrades the assurance properties on which the rest of the digital economy is built.
The case for Pegasus — taken seriously
The strongest argument for commercial offensive-cyber tooling deserves an honest hearing. Israel's defense ministry and many Western law-enforcement agencies argue that targeted, court-authorized lawful intercept against terrorism and serious crime is now functionally impossible against modern encrypted messaging without endpoint implants. Telegram, Signal, WhatsApp, and iMessage have collectively made the historical wiretap model obsolete. If governments cannot legally intercept, they will either build the capability in-house at vastly higher cost or buy from less-accountable vendors. This is not a frivolous point: Five Eyes intelligence chiefs have made versions of it publicly for a decade.
But the answer to that operational gap is not a license for vendors to attack platform infrastructure on a commercial basis. It is judicial oversight of specific targets, narrow lawful-intercept assistance regimes, and proportionality limits on cyber tools — the same principles applied to physical surveillance. The injunction does none of the things critics fear. It does not prohibit lawful intercept, ban NSO's customers from using legally authorized tools, or impose a global encryption mandate. It tells one private vendor that a U.S. statute against unauthorized server access means what it says.
Israel's regulatory bind
For Jerusalem, the harder question is downstream. Pegasus has been treated for years as a strategic export by the Israeli Ministry of Defense's Defense Export Control Agency (DECA), licensed country-by-country under Israel's 2007 Defense Export Control Law. The U.S. Commerce Department's November 3, 2021 addition of NSO Group and Candiru to the Bureau of Industry and Security's Entity List has already constrained access to U.S. components; an affirmance from the Ninth Circuit would add a layer of private-law liability that no Israeli license can cure.
Israel can credibly argue that DECA already screens Pegasus buyers and that human-rights abuses sit with end-users. But the structural fact is that the country's commercial spyware sector now lives inside a global accountability sandwich: U.S. export controls above, U.S. tort and CFAA liability below. From a pro-innovation perspective this is roughly the right division of labor. Israel keeps its sovereign defense-export discretion; U.S. courts maintain the integrity of U.S.-hosted communications infrastructure. The injunction draws a workable line — not against surveillance, but against vendors who treat platform infrastructure as a hunting ground.
The Ninth Circuit should let it stand.