
The NSO Injunction Punishes Conduct, Not Innovation — and the Ninth Circuit Should Uphold It

Eleven civil society groups asked the Ninth Circuit to uphold WhatsApp's injunction against NSO Group — a narrow, conduct-based remedy, not a ban.

[Infographic: WhatsApp v. NSO Group at the Ninth Circuit. People of Internet Research · Israel]

Key Takeaways

On May 20, 2026, Access Now and ten other civil society organizations — eleven groups in all — filed an amicus brief with the U.S. Court of Appeals for the Ninth Circuit, urging it to uphold the permanent injunction barring Israel-based NSO Group from targeting WhatsApp. The case, WhatsApp Inc. v. NSO Group Technologies Ltd. (No. 25-7380), is the appeal of a ruling that, for the first time, held a commercial spyware vendor liable in a U.S. court for hacking an encrypted-messaging platform.

The brief's argument is narrow but consequential: weakening the injunction would erode the end-to-end encryption that journalists, activists, and human rights defenders rely on. We agree — and we think the case is a useful illustration of what proportionate, evidence-based regulation of the surveillance-technology market actually looks like. It is not a blanket ban. It targets a specific company, specific conduct, and a court-supervised remedy reached through ordinary adversarial litigation.

How the case got here

In 2019, WhatsApp discovered that NSO's Pegasus spyware had exploited a vulnerability in its calling feature to compromise roughly 1,400 users across 20 countries — among them journalists, diplomats, and human rights workers. The exploit was "zero-click": no link to tap, no message to open. WhatsApp and parent company Meta sued under the federal Computer Fraud and Abuse Act (CFAA) and its California equivalent, and for breach of WhatsApp's terms of service.

After six years — including a failed bid by NSO to claim foreign-sovereign immunity that the Ninth Circuit rejected in 2021 and the Supreme Court declined to disturb — Judge Phyllis Hamilton of the Northern District of California found NSO liable. In May 2025, a jury awarded $167.25 million in punitive damages plus $447,719 in compensatory damages. In October 2025, Judge Hamilton entered a permanent injunction ordering NSO to stop targeting WhatsApp, cease reverse-engineering the app, and delete any WhatsApp source code in its possession — while cutting the punitive award to roughly $4 million as constitutionally excessive. NSO has appealed liability, damages, and the injunction together.

The strongest case for NSO

It deserves to be stated fairly. NSO maintains that Pegasus is licensed only to vetted government agencies for counterterrorism and serious-crime investigations, and that lawful-access tools are a legitimate answer to the "going dark" problem — the reality that end-to-end encryption can place even court-authorized investigations beyond reach. There is a coherent argument that targeted, warrant-backed intrusion is preferable to the cruder alternative of mandating encryption backdoors that weaken security for everyone. NSO's defenders also warn that holding a tool-maker liable under the CFAA for how downstream customers deploy its product is an expansive theory that could chill the legitimate vulnerability research the entire cybersecurity industry depends on.

Those concerns are not frivolous. A rule that any security researcher or dual-use vendor is automatically liable for end-user abuse would indeed be bad for innovation.

Why this remedy is the proportionate one

But that is not what the injunction does. Its reasoning turns on conduct, not on the mere existence of surveillance technology. NSO was not found liable for building exploits in the abstract; it was found liable for repeatedly using WhatsApp's own infrastructure — creating accounts, reverse-engineering the service, routing attacks through its servers — in direct violation of the CFAA and the platform's terms. The remedy is correspondingly narrow: it restrains NSO from attacking one specific platform. It does not dissolve the company, outlaw vulnerability research, or reach Pegasus deployments that never touch WhatsApp.

That distinction matters for anyone who cares about innovation. End-to-end encryption is not a niche civil-liberties feature; it is load-bearing infrastructure for digital commerce, banking, journalism, and ordinary private speech. A mercenary-spyware business model that profits from quietly defeating that encryption — and sells the capability to whichever government can pay — externalizes its costs onto the rest of the open internet. Liability internalizes them. This is markets-and-courts discipline, not a regulator's prior restraint: the kind of targeted accountability that lets the legitimate security industry keep operating while the abusive edge of it pays for the damage it causes.

The accountability stakes are rising

The timing sharpens the point. In November 2021, the U.S. Commerce Department added NSO to its Entity List, restricting American firms from supplying it, on the ground that its tools let governments "maliciously target" officials, journalists, and activists. In October 2025, a consortium of American investors led by Hollywood producer Robert Simonds took a controlling stake in NSO — a deal researchers warn could grease the company's long-running campaign to get off the Entity List. If executive-branch pressure can quietly soften export controls, the judicial record becomes the more durable accountability anchor: a Ninth Circuit ruling affirming that hacking an encrypted platform carries legal consequences would survive shifts in the lobbying weather.

The eleven amici — including the Committee to Protect Journalists — are right that the encryption interest here is real and global. We would add that they are also defending something the tech sector itself depends on: the expectation that the security of mainstream platforms is protected by law, not auctioned to the highest bidder. Upholding the injunction does not pick a side between security and privacy. It draws a proportionate line — vulnerability research and lawful investigation can continue, but breaking into an encrypted service used by billions is a tort, and tortfeasors pay. That is the evidence-based, narrowly tailored outcome, and the Ninth Circuit should affirm it.
