A six-year lawsuit got covered as a morality play. The legal record underneath it tells a different story — and leaves the actual victims exactly where it found them.
Jonathan Brown
On June 8, 2026, WhatsApp announced it had caught NSO Group violating a permanent federal injunction barely eight months old — spear-phishing attempts designed to push targets onto external malicious sites, plus NSO-linked test accounts and groups built inside WhatsApp itself. The company filed a motion to hold NSO in contempt of court. Meta's statement leaned hard into the language its communications team has used for six years running: a landmark verdict, a fight for privacy and security, NSO violating "federal and state laws against hacking."
This is the part of the story that gets covered, and it will get covered again the next time it happens, because it almost certainly will happen again. What doesn't get covered, or gets covered as a footnote, is what's actually sitting underneath the contempt filing: a legal case that was never about human rights, brought by a company with its own serious surveillance record, against a vendor whose government clients have never been forced into daylight, that ended in a damages award cut by 97.6 percent — and that, six years and several hundred pages of court filings later, has not put one dollar in the hands of a single person Pegasus was actually used against.
Nobody made anybody safer here. That's the piece.
Same Story, Right on Schedule
The reflexive version of this story writes itself: WhatsApp, the privacy-protecting messaging app, catches NSO, the dictator-tech spyware merchant, defying a court order — round two of good versus evil, and good is winning. Both companies are happy to have it told that way. Meta gets to be the platform defending its users against a blacklisted surveillance vendor, eight months after a federal court agreed with that framing in writing. NSO gets to be the besieged underdog fighting for its survival against a trillion-dollar adversary, which is the version its own court filings have pushed for years — NSO has argued, with a straight face, that enforcing the injunction WhatsApp won would "force it out of business."
Neither framing survives contact with the actual record. This is not a human-rights case; it's a commercial dispute over unauthorized server access that happens to involve a company whose product was used to hack journalists and dissidents. The plaintiff is not a neutral defender of privacy; it is a company that paid the largest privacy fine in FTC history five years before it sued NSO, and is still fighting, in a different courtroom, over whether it illegally collected patient health data from hundreds of hospital websites. And the defendant's customers — the governments that actually pointed Pegasus at specific human beings and pulled the trigger — have never been required to explain themselves to anyone, including the judge who found NSO liable.
What follows is an attempt to take the case on its own terms: not who's the hero, but what actually happened, what it actually proves, and who, after six years of litigation and a jury verdict that made international headlines, is still standing completely exposed.
The Number That Gives Away the Whole Game
In May 2025, a jury decided what NSO's conduct was worth: $444,719 in compensatory damages, and $167,254,000 in punitive damages — a 376-to-1 ratio reflecting, in plain terms, what twelve people thought a Pegasus deployment campaign against journalists and human rights defenders deserved by way of punishment.
NSO's response, one month later, was to ask the same court to throw that number out. The company's June 2025 motion for a new trial or "remittitur" — the formal legal procedure by which a judge can reduce an excessive jury verdict — called the punitive award "outrageous," "blatantly unlawful," and "unconstitutionally excessive," arguing it exceeded "the maximum lawful punitive damages award in this case by many orders of magnitude."
On October 17, 2025, Judge Phyllis Hamilton agreed, mostly. Her 25-page order granted WhatsApp the permanent injunction it had sought, and in the same ruling cut the punitive damages from $167,254,000 to just over $4 million — a 97.6 percent reduction. The mechanism is worth naming precisely, because it is not "the judge took pity on NSO." Federal due-process law caps punitive damages at a ratio to compensatory damages, scaled to how egregious the underlying conduct is found to be; courts have generally treated single-digit multiples as the outer edge of what's constitutionally defensible absent something exceptional. Hamilton wrote that the court did not have "a sufficient basis for determining that defendants' behavior is 'particularly egregious'" and set the ratio at 9-to-1 — nine times the $444,719 compensatory figure, which is where the roughly $4 million comes from. She left the door open for a different outcome in a future case, writing that the court lacked enough precedent involving "unlawful electronic surveillance in the smartphone era" to conclude NSO's conduct was "particularly egregious" — a forward-looking hedge about the state of the law, not a verdict on Pegasus specifically.
A federal judge, ruling on a fully litigated record that already established NSO hacked 1,400 phones — including those of journalists, dissidents, and at least one U.S.-located target — concluded that conduct doesn't yet clear the bar for "particularly egregious," for lack of comparable precedent. That framing deserves a closer look, because it isn't that this area of law is blank. It's the opposite: there has been plenty of litigation against NSO and its peers. Apple sued NSO in 2021 over the same spyware — and dropped the case in September 2024, saying continuing it risked exposing sensitive details of Apple's own security program. A Thai activist's case against NSO was dismissed by a Thai civil court in November 2025. NSO's sovereign-immunity defense in the WhatsApp case itself went all the way to the U.S. Supreme Court, which denied certiorari only after the Solicitor General weighed in against NSO. None of these resolved with a verdict on the merits that could function as precedent. They settled, got dropped, got dismissed, or got resolved on a jurisdictional technicality before reaching the question of how bad the underlying conduct actually was. So when Hamilton says there "have simply not yet been enough cases" to establish a baseline for egregiousness, the honest version of that sentence isn't "the law hasn't caught up." It's "every case capable of setting that baseline has been closed, settled, or abandoned before it could." The absence of precedent isn't an accident of timing. It's the accumulated result of a half-decade of litigation that kept almost reaching a verdict and then didn't.
And the number that did survive isn't functioning as punishment, either. NSO's own reaction confirms how little teeth made it through: spokesperson Gil Lainer called the 97 percent cut "welcome," while still describing the remaining $4 million as "disproportionately high." When the losing party's complaint after a 97.6 percent reduction is that the remainder is still too much, the figure isn't a deterrent. It's a rounding error with a press release attached.
Unauthorized Access, Not Human Rights Abuse
Read Meta's public statements about this litigation and you'd think WhatsApp sued NSO on behalf of the journalists, dissidents, and human rights defenders whose phones got infected with Pegasus. It didn't. The complaint WhatsApp filed in October 2019 alleged violations of the Computer Fraud and Abuse Act, California's Comprehensive Computer Data Access and Fraud Act, and a breach of WhatsApp's own terms of service. Strip the acronyms and what's left is a trespass claim: NSO accessed WhatsApp's servers without authorization to deliver its malware, and that unauthorized access is the entire legal injury the case is built on. The 1,400-plus people whose devices were actually infected are not plaintiffs. They were never asked to be. The party suing, and the party that collected the verdict, is the company whose servers got used as a delivery pipe — not the people on the other end of the pipe.
This isn't a technicality; it shapes everything the case could and couldn't accomplish. When Judge Hamilton justified the permanent injunction in October 2025, she explained the harm in commercial terms, not human-rights ones: "Part of what companies such as WhatsApp are 'selling' is informational privacy, and any unauthorized access is an interference with that sale. Defendants' conduct serves to defeat one of the purposes of the service being offered by plaintiffs, which constitutes direct harm." That's a clean, defensible legal rationale — and it is a rationale about WhatsApp's business model, not about the journalists who had to assume their sources were compromised, or the dissidents whose location data ended up in a government's hands. The court even narrowed the case at the outset: WhatsApp's original trespass-to-chattels claim, the cause of action closest to a straightforward "you invaded something that belongs to someone" theory, was dismissed in 2020. What survived to trial was the version of the story about unauthorized computer access and a broken contract.
None of that stopped the human rights framing from doing the heavy lifting in coverage and in Meta's own messaging. "Today's verdict in WhatsApp's case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone," Meta said when the jury verdict landed. Amnesty International, which along with Citizen Lab filed amicus briefs on behalf of the actual victims — a role the formal plaintiffs never occupied — called it "a momentous win in the fight against spyware abuse." Both statements are true to the spirit of what NSO did. Neither one accurately describes the cause of action that produced this specific verdict. The amicus briefs are the closest thing in this six-year record to anyone formally representing the people Pegasus was used against — and amicus briefs don't collect damages, and don't bind anyone to do anything.
The Privacy Champion's Own Privacy Record
The framing problem compounds once you look at who's wearing the white hat. Meta is not a neutral platform that NSO happened to victimize. It's a company with one of the most consequential surveillance records of the last decade, and that record didn't end before this lawsuit started — large parts of it were unfolding at the same time.
In 2019, the FTC fined Facebook $5 billion over the Cambridge Analytica scandal — the largest privacy or data-security penalty any government agency had ever imposed on any company at the time, for harvesting data on roughly 87 million users without meaningful consent and funneling it to a political consultancy. That same year, TechCrunch revealed "Project Atlas": since 2016, Facebook had been paying users ages 13 to 35 up to $20 a month, plus referral bonuses, to install a VPN app called Facebook Research, built on the Onavo platform Facebook had acquired in 2013. The app required installing a custom root certificate that gave Facebook visibility into nearly everything happening on the device — private messages, browsing history, app usage — the same category of access Pegasus achieves through an exploit chain, here achieved through a $20-a-month consent form aimed at teenagers. Apple pulled the app and briefly revoked Facebook's enterprise developer certificate entirely for violating the terms governing internal-use-only apps.
And it isn't past tense. In re Meta Pixel Healthcare Litigation is still working its way through the same Northern California federal court that handled WhatsApp v. NSO, over allegations that Meta's ad-tracking code collected patient health data from at least 664 hospital and medical-provider websites without valid consent. Individual health systems have settled and admitted nothing — Duke University Health System paid $3.7 million in 2025 while denying all wrongdoing — while Meta itself remains a defendant, resisting a court order to put Mark Zuckerberg in a deposition chair badly enough to take the fight to the Ninth Circuit. As of a January 2026 discovery order, the case is still open.
None of this excuses NSO, or narrows the gap between what Pegasus did to its targets and what Meta's ad-tech business has done to its users — those are different things, at different scales, with different victims. But "platform defends users from surveillance" requires treating the platform as a disinterested party, and Meta simply isn't one. It is a company whose business model runs on exactly the kind of data collection it spent six years in court accusing NSO of conducting without permission. That doesn't make Meta and NSO equivalent. It makes "privacy champion" a strange hat for this specific plaintiff to wear without anyone in the coverage asking why nobody's pointing it out.
Losing Everything Except the One Secret That Mattered
Here is the part of the record that should get more attention than it has: NSO lost every major legal argument it raised over six years, and still never disclosed the one thing that would let anyone outside the company hold its actual customers accountable.
NSO's first line of defense was sovereign immunity — the argument that it couldn't be sued because it was merely an agent acting on behalf of foreign governments. The district court rejected that in 2020. The Ninth Circuit affirmed the rejection. NSO petitioned the Supreme Court, which took the unusual step of asking the Biden administration's Solicitor General to weigh in before deciding whether to hear the case at all; the Solicitor General's brief stated flatly that "NSO plainly is not entitled to immunity here." The Supreme Court denied certiorari. That's a defense that failed at every level available to it, including the highest court in the country declining to even reconsider the lower rulings.
NSO's second line was discovery obstruction. The company spent 2023 and 2024 fighting protective-order motions that would have let it skip producing material under claimed restrictions of Israeli law; the court, applying Ninth Circuit precedent, ruled in November 2023 that foreign-law claims didn't excuse NSO from producing material that was "sufficiently specific and important" — including, eventually, the Pegasus source code itself. NSO's compliance was incomplete enough that Judge Hamilton's December 2024 summary judgment order included discovery sanctions against the company for failing to produce what it had been ordered to produce. By April 2025, ahead of the damages trial, Hamilton was telling the courtroom she'd considered "blowing up" the case and reopening discovery entirely, because NSO still hadn't explained what its customers actually did or why — calling the company's position, in her words, "flummoxed" and adding: "I expected that that information would be provided."
It never fully was. What the public record actually contains is fragmentary and, in places, contradictory. In an April 2025 hearing, NSO's own lawyer told the court "there's at least eight customers whose names are part of the discovery in this case" and named three on the record — Mexico, Saudi Arabia, Uzbekistan — the first time anyone representing NSO had publicly acknowledged specific government clients after years of saying the company was "unable" to discuss its customer base. Separately, a previously sealed filing unsealed around the same time listed 1,223 targeted individuals across 51 countries, including the United States, Bahrain, India, Morocco, Spain, and the U.K. Saudi Arabia — the customer NSO's own lawyer named in open court — doesn't appear on that 51-country list. Reporters who reviewed both documents noted the discrepancy and could not explain it. Neither, as far as the public record shows, could anyone else.
This is the mechanism, in plain terms: a defendant can lose its immunity defense at the Supreme Court, get sanctioned for discovery violations, and still walk away from a six-year case without the one disclosure that would actually matter — a clean, complete account of who its customers were and what those customers did. EFF senior staff attorney Sophia Cope put the underlying logic better than any plaintiff's filing did: "the number one thing that NSO Group and companies like it [are] selling is secrecy." Losing the lawsuit was the cost of doing business. Keeping the secret was the business.
Closer to Home Than the Coverage Admits
The framing that's been doing the most work across six years of NSO coverage is geographic: the villains are foreign dictatorships, the victims are dissidents abroad, and American institutions are the ones holding the line. That framing survives almost nothing about what's actually documented in the public record. The clearest single fact undercutting it: the FBI itself bought Pegasus, in 2019, and spent roughly $5 million doing it.
This isn't a contested allegation. It surfaced through a Freedom of Information Act lawsuit the New York Times filed against the FBI, which produced dozens of internal documents and court records. They show NSO's Israeli government backers went further than just selling the FBI an off-the-shelf product — they issued a special export license for a variant called Phantom, engineered specifically to target U.S. phone numbers, and restricted by that license to sale only to American government agencies. The FBI tested it. Officials developed advanced deployment plans and drafted guidelines for how prosecutors would need to disclose the tool's use in criminal proceedings, should it come to that. On March 29, 2021, the Bureau's Criminal Investigative Division circulated an internal memo recommending Pegasus's use "under certain specific conditions" — the specifics were redacted before the document became public. The FBI and DOJ spent roughly two years deliberating before the Bureau decided, in the summer of 2021, not to deploy the tool operationally. The equipment, according to the Times's reporting, is still sitting in an FBI facility in New Jersey.
How the FBI characterized this afterward is its own small case study in the gap between public testimony and private record. Director Christopher Wray told senators in closed session that the bureau's Pegasus purchase was strictly "research and development," to "figure out how the bad guys could use it." Senator Ron Wyden, after seeing the fuller documentary record the Times's lawsuit had surfaced, called that characterization "wrong and inaccurate" and said it was "totally unacceptable for the F.B.I. director to provide misleading testimony about the bureau's acquisition of powerful hacking tools and then wait months to give the full story to Congress and the American people." Wyden's statement included a question the FBI has never fully answered in public: whether "the future operational use of NSO tools is still on the table." In its own legal filings, the FBI hedged rather than ruled it out — arguing that declining to deploy this specific tool "does not mean it would not test, evaluate and potentially deploy other similar tools for gaining access to encrypted communications used by criminals."
None of this makes NSO's foreign government customers less culpable for what they did with Pegasus. It does mean the moral geography in most coverage of this case is wrong. The demand side of the commercial spyware market isn't confined to the regimes everyone agrees to call villains. It runs straight through the FBI itself — an agency now directed by a lawyer who, a decade earlier, fought to keep that same federal government out of WhatsApp's encrypted systems. That overlap is the next thread worth pulling.
The Same Firm, Both Sides, Five Years Apart
In April 2020, WhatsApp asked a federal judge to disqualify NSO's law firm. The argument: King & Spalding had previously represented WhatsApp itself, in a sealed 2015 matter where the Department of Justice tried to compel WhatsApp to break its own encryption for a wiretap — a fight WhatsApp won. Now the same firm was on the opposite side, defending the company that had broken WhatsApp's encryption anyway, just without a warrant. "Any attorney defending this suit would love to have insight into how WhatsApp's platform and systems work," WhatsApp's filing argued. "And King & Spalding has that insight — because it was once WhatsApp's counsel."
One name on that earlier King & Spalding team makes the story irresistible: Christopher Wray, now the sitting Director of the FBI — the same agency that, per the previous section, spent two years deciding whether to deploy the exact category of tool NSO sells. Wray was one of four King & Spalding attorneys who'd worked the 2015 encryption fight on WhatsApp's behalf. But the precise, less cinematic fact matters more than the cinematic one: Wray left the firm in 2017, two years before WhatsApp ever sued NSO, to become FBI Director. He was not on King & Spalding's NSO defense team. He couldn't have been; he wasn't there.
That distinction is exactly what decided the case. Judge Hamilton denied WhatsApp's disqualification motion in June 2020, finding that WhatsApp had not shown King & Spalding still had access to confidential material from the earlier matter — the firm's general counsel controlled and restricted those files — and, regardless, had not shown that any surviving information was "material… as opposed to general knowledge" to the NSO litigation. Three of the four attorneys from the 2015 team, Wray included, were gone by the time it mattered. King & Spalding, through partners Joseph Akrotirianakis and Aaron Craig, went on to represent NSO for the rest of the six-year case.
There's no individual villain in this version of the story, and that's the point worth sitting with instead of the cleaner conspiracy. Nobody had to do anything improper for the same law firm to end up on both sides of a fight over WhatsApp's encryption within a single decade. The pool of attorneys equipped to handle this specific, technical, high-stakes category of litigation is small enough that crossing sides barely requires effort — just enough time for the relevant partners to rotate out the door. A conflict-of-interest rule built to catch a lawyer switching sides on the same case did exactly what it was designed to do here, and still let the overlap through, because by the letter of the rule, there wasn't one. That's not a loophole anyone exploited. It's just how thin the wall was to begin with.
The Lever That Actually Matters
Most of this piece so far has sat inside a courtroom, because the courtroom is where the cameras pointed. The FBI story didn't, and this one doesn't either — NSO's own behavior suggests the company doesn't think the courtroom is where the real fight is.
In October 2025 — one week before the punitive damages got cut and the injunction got entered — a U.S. investor group led by Hollywood producer Robert Simonds took controlling ownership of NSO. NSO's spokesperson confirmed the deal but declined to name the investors; Israeli outlet Calcalist separately reported unconfirmed indications that Wrigley heir William Wrigley Jr. may have had some involvement in the takeover talks. NSO's longtime co-founder, Omri Lavie, was out. Citizen Lab's John Scott-Railton, who has tracked NSO abuses for a decade, said the quiet part out loud: "NSO is a company with a long history of going against American interests and supporting the hacking of American officials. In what world can such a person be trusted to properly oversee a company like NSO Group?" His specific worry wasn't abstract — he flagged that NSO has "strenuously tried" to sell its product to American police departments.
By January 2026, the leadership change was complete. David Friedman — Trump's former ambassador to Israel — became NSO's executive chairman. The company released a 2025 transparency report that Access Now and Citizen Lab both dismissed as PR without substance: unlike prior years, it didn't disclose how many client relationships NSO had terminated or rejected for abuse, the one metric that would actually let outsiders judge whether its self-policing means anything.
None of this is happening in a vacuum. The single restriction that actually limits NSO's reach into the American market isn't the WhatsApp injunction — it's the U.S. Commerce Department's Entity List, which has barred American companies from doing business with NSO since November 2021. NSO has lobbied to get off that list continuously since, spending at least $1.8 million on a pre-election push concentrated on Republican lawmakers. After Trump's return to office, the company shifted lobbying partners, bringing in the Vogel Group alongside Chartwell Strategy Group. Both firms registered under the Lobbying Disclosure Act rather than the Foreign Agents Registration Act — a distinction that matters mechanically, not just symbolically: FARA requires disclosing specific meetings and contacts; the LDA doesn't. Most of what the public has ever learned about NSO's Washington lobbying came from FARA filings. Routing the newer push through LDA-registered firms makes the next phase of it harder to track by design, whether or not that was the explicit intent.
The broader political climate has moved in NSO's direction regardless of any one lobbying contract. On December 30, 2025, per Reuters, the Trump administration lifted sanctions on three executives linked to Intellexa — Sara Hamou, Andrea Gambazzi, and Merom Harpaz — partially reversing sanctions the Biden administration had imposed on seven Intellexa-linked individuals in 2024. (Intellexa founder Tal Dilian remained sanctioned.) Intellexa is a rival spyware maker, not NSO, but the move was read across the industry as a signal that restrictions on commercial spyware firms generally were loosening — a signal with an ironic coda: Hamou is the same Intellexa executive an Athens court would criminally convict two months later, in February 2026, discussed below. OpenSecrets researcher Dan Auble described the mechanism plainly, speaking generally about the access lobbyists with administration ties can buy: "Lobbyists and advisers who have passed through the revolving door... have a unique ability to bend the ear of the new administration. That access is very valuable." NSO didn't need to win in court. It needed the one thing that actually constrains it to disappear through a different process entirely — and it restructured its ownership, its leadership, and its lobbying registration specifically to make that happen.
The Exception That Proves the Rule, Not Disproves It
If this piece stopped here, it would risk arguing that spyware impunity is some kind of natural law — that no legal system anywhere has ever made it stick. That's not true, and the counter-example is worth taking seriously on its own terms before explaining why it doesn't actually rescue the optimistic version of this story.
In February 2026, an Athens court convicted four people connected to Intellexa — a different company from NSO, maker of a different spyware product called Predator, but operating in the same mercenary-surveillance market. Tal Dilian, Intellexa's founder and a former Israeli intelligence officer; his business partner Sara Hamou — whose U.S. sanctions had been lifted just two months earlier, in the same December 2025 Treasury action noted above; former Intellexa executive Felix Bitzios; and Yiannis Lavranos, who owned the firm that purchased Predator on the client's behalf — all four were found guilty of unlawfully accessing information systems and violating the confidentiality of telephone communications, in a case stemming from Greece's 2022 "Predatorgate" scandal, which exposed Predator's use against at least 87 people, including a sitting opposition party leader and journalist Thanasis Koukakis. The court handed down a combined 126 years and eight months, capped at an eight-year misdemeanor maximum, suspended pending appeal. Citizen Lab's John Scott-Railton, who has spent a decade watching spyware cases go nowhere, called it plainly: "the first time that an executive at a mercenary spy company has been convicted and sentenced to prison." Criminal law, pointed at the right defendant with the right evidence, worked.
It worked on the vendor. It did not reach the client. The presiding judge found that the four defendants acted alongside unnamed "third parties" — possibly Greek or foreign intelligence officials — and referred the case file to prosecutors for further investigation into who else might bear criminal responsibility. That referral matters less than what had already happened before it: Greece's own Supreme Court cleared the country's intelligence service and political officials of wrongdoing in this same scandal back in July 2024, a year and a half before the vendor-side conviction. The government actors with the actual authority to point Predator at a journalist or a rival politician were formally exonerated first. The executives who built and sold the tool went to prison after.
So the honest version of this exception isn't "accountability is possible." It's narrower and more useful than that: criminal law can reach a spyware vendor when prosecutors and a court are willing to use it — which is more than civil litigation has managed against NSO in six years. But in the one case anywhere that produced a conviction at all, the client side of the transaction was cleared before the vendor side was even tried. Even at its best, this market has never once produced accountability for the government official who decided whose phone to infect. It has only ever produced accountability for the company that built the phone-infecting tool.
Nobody's Umbrella
Everything in this piece up to now has been about institutions: a platform, a vendor, a court, a law firm, an investor group, a foreign judiciary. One category of person hasn't appeared yet, because the case itself barely makes room for them. They're the actual point of all of it, and they are the only party in this entire six-year record who ends it exactly as exposed as they started.
WhatsApp says roughly 1,400 of its users were targeted in 2019. A court filing puts the number at 1,223 across 51 countries. Neither figure is a roster of abstractions. When Access Now and Citizen Lab filed their amicus brief, they put names and testimony in front of the court — among them former Moroccan journalist Aboubakr Jamaï, who described what it actually feels like to live as a Pegasus target: "Being spied on by an authoritarian state does not only spoil your professional relationships, it reduces your social circle too. You put at risk your relatives and friends by the mere fact of freely talking to them on the phone." Multiply that by 1,223, or 1,400, across Mexico, Bahrain, India, Morocco, Uzbekistan, Rwanda, Togo, and dozens of other countries, and you have the actual subject matter of this case — not the litigants, the subject matter.
None of them are plaintiffs. None of them ever could have been, given the legal theory WhatsApp chose. None of them will receive one dollar of the $4 million NSO now owes — that money belongs to Meta, in compensation for interference with WhatsApp's own business, full stop. Meta has separately, voluntarily, and at its own discretion donated to something called the Spyware Accountability Initiative, which funds the work of digital-rights organizations generally. That's a real gesture, and it costs Meta nothing it didn't choose to spend. It is also not victim compensation, was not ordered by any court, and is not contingent on the actual people targeted in 2019 receiving anything at all. The only organizations in this entire record that did the work of finding, identifying, notifying, and supporting individual victims — Citizen Lab, Amnesty International — were doing that work for years before this lawsuit existed, will keep doing it after the lawsuit is forgotten, and have never once been a party with standing to ask a court for anything on a victim's behalf. The amicus brief is the closest the legal system came to letting them speak. It is also, structurally, just a brief. Nobody reads it into a verdict.
This is the actual shape of the thing, after six years, a jury verdict, an injunction, a 97.6 percent damages cut, a denied disqualification motion, an ownership change, and a lobbying campaign: a foreign spyware vendor restructuring itself to survive: a domestic platform collecting a check for its own commercial injury; a law firm that represented both sides of an encryption fight five years apart; an FBI that wanted the same capability it now polices; a government using political access to make its own restrictions disappear; and, somewhere underneath all of it, several thousand actual human beings whose phones were actually infected, who were never asked, never paid, and never protected by any of the institutions currently taking credit for protecting them. Everyone in this story has an umbrella except the people it was raining on.
The Pattern, Stated Plainly
Neither WhatsApp nor NSO is the protagonist the coverage wants. That was never on offer. What six years of litigation actually produced is a map of where the structure gives way: a confidentiality regime that lets a losing defendant keep its customer list dark regardless of the verdict; a civil-versus-criminal asymmetry that has, so far, reached vendors only when prosecutors abroad were willing to use a different legal theory than the one available here; an export-control list that functions as the one real constraint on a company like NSO, and that a hostile administration can impose and a friendlier one can be lobbied into lifting; and a legal and political class small enough that the same firms, the same access, and the same revolving doors show up on every side of every fight, without anyone needing to fix the outcome in advance.
That's not a conspiracy. A conspiracy would require someone in charge of the result. Nobody is. The result happens anyway, because the structure was built to produce it, one ordinary, defensible, individually justifiable decision at a time — a judge applying a damages cap, a firm clearing a conflict check, a company changing owners, a court honoring a protective order. Every one of those decisions can be correct on its own terms and the outcome is still the same: the institutions fight each other to a standstill, the vendor survives reorganized, the platform collects its check, and the people who were actually spied on were never in the room where any of it was decided.
Jonathan Brown for Border Cyber Group
Member discussion: