Upholding the WhatsApp–NSO Injunction Protects Encryption Without a Single New Mandate

An amicus brief asks the Ninth Circuit to keep NSO permanently barred from WhatsApp — a targeted, evidence-based remedy that leaves encryption intact.

[Infographic: The WhatsApp–NSO Case in Numbers (People of Internet Research · Israel). 1,400+ devices targeted via WhatsApp; 20 countries where victims were found; $167M→$4M punitive damages, cut by judge; 102→37 Israel's approved cyber buyers.]

Key Takeaways

On May 21, 2026, Access Now and ten other civil society organizations asked the U.S. Court of Appeals for the Ninth Circuit to leave in place a permanent injunction barring the Israeli surveillance vendor NSO Group from ever again targeting WhatsApp or its users with Pegasus spyware. NSO, which filed its appeal on November 20, 2025, warns the order could "put NSO's entire enterprise at risk" and "force NSO out of business." The amici frame the stakes plainly: this is not a quarrel over one messaging app, but a test of whether the encryption billions of people depend on can be defended through ordinary law.

We think the brief has the better of the argument. The case is close to a textbook example of proportionate, evidence-based enforcement — the kind this publication consistently prefers to sweeping mandates.

What the district court actually decided

In May 2025, a federal jury in the Northern District of California found that NSO had violated the Computer Fraud and Abuse Act and its contract with WhatsApp by exploiting the platform's servers to push Pegasus onto roughly 1,400 devices across 20 countries — among them journalists, human-rights defenders, and diplomats. The jury awarded about $444,000 in compensatory damages and $167 million in punitive damages.

On October 17, 2025, Judge Phyllis Hamilton tempered the financial penalty while hardening the structural one. Citing established limits on the ratio between punitive and compensatory damages, she cut the punitive award to $4 million — a roughly 97% reduction NSO publicly welcomed. But she also issued a permanent injunction forbidding NSO from accessing or targeting WhatsApp's systems and users. The money was never the point; the prohibition is.

The strongest case for NSO

The opposing view deserves a fair hearing. NSO and its defenders argue that lawful-intercept tools are a legitimate, even necessary, answer to "going dark" — the reality that end-to-end encryption can shield terrorists, child predators, and cartel leaders from court-authorized surveillance. Israel's defense establishment has long treated firms like NSO as both a counterterrorism asset and a diplomatic one, and NSO maintains it sells only to vetted government agencies for serious-crime and national-security purposes. On that account, a blanket, perpetual bar on one vendor's access to the world's largest messaging platform is a heavy sanction that could chill a lawful industry.

Why a narrow injunction beats a broad mandate

The trouble is that the evidence cut against the theory of containment. A tool marketed against terrorists turned up on the phones of reporters and activists across 20 countries — not as isolated abuse, but as a pattern. And the method matters: Pegasus did not defeat encryption with a warrant; it defeated it by compromising the endpoint, quietly converting WhatsApp's own infrastructure into a delivery system.

That is why the encryption argument in the amicus brief is the right frame. Strong encryption is not a loophole; it is critical infrastructure — the same plumbing that protects hospitals, banks, dissidents, and government employees alike. The disproportionate response to "going dark" would be a legislative mandate to weaken encryption or install backdoors, degrading security for billions to reach a few. The proportionate response is precisely what the district court did: apply existing law to a specific actor, on a developed factual record, and enjoin the conduct proven harmful. The injunction weakens no one's encryption and imposes no new rule on the wider market. It disciplines one firm for documented abuse.

Israel's own course-correction

Notably, Israel's own regulators reached a parallel conclusion years earlier. After the 2021 Pegasus revelations, the Defense Exports Control Agency (DECA) sharply narrowed the field of countries to which Israeli firms may sell offensive cyber tools — reportedly from 102 to 37, dropping buyers with poor rights records. DECA also rewrote its end-user declaration so that purchasers must pledge to use the technology only against terror and serious crime, explicitly excluding political speech and criticism of governments. That is export control doing real work, and it reflects a recognition in Israel itself that an unaccountable spyware trade is a liability — to victims and to the country's standing as a responsible technology exporter.

A layered model worth keeping

The WhatsApp ruling is the newest layer in an enforcement stack that has grown deliberately, not bluntly. In November 2021, the U.S. Commerce Department added NSO to the Entity List for supplying tools used to target officials, journalists, and activists. In March 2023, Executive Order 14093 barred U.S. agencies from operationally using commercial spyware that poses counterintelligence or human-rights risks — after the government found personnel devices abroad had been targeted. Each measure aims at demonstrated harm by identifiable actors, and each leaves the underlying technology industry, and encryption itself, intact.

That is what proportionate regulation looks like: targeted, evidence-driven, and reversible if the facts change. The Ninth Circuit can endorse that model simply by declining to disturb it. Upholding the injunction would protect the open, encrypted internet without enacting a single new mandate — and would tell the spyware market that breaking other people's security to sell your own product carries consequences under the laws already on the books.
