The first half of 2025 has seen significant developments to curb the use of spyware, software that can extract users’ data, such as videos, photos and emails, and can turn phones and computers into surveillance devices. In April, the Pall Mall Process, steered by the United Kingdom and France, issued a non-binding, voluntary Code of Practice to tackle threats posed by spyware. As of July, 25 States have signed on. In May, a California jury awarded WhatsApp $167 million in punitive damages against the Israeli company NSO Group for violating the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, and WhatsApp’s terms of service for using WhatsApp servers to install its Pegasus spyware on more than 1,400 users’ devices. And, on July 8, the U.S. Court of Appeals for the Ninth Circuit reversed a district court decision dismissing the Dada case brought by journalists from El Salvador against NSO Group for targeting them with Pegasus. The case has been remanded to the district court to reassess the appropriateness of California as a venue in light of the Appeals Court’s decision. These civil lawsuits play an important gap-filling function as governments have yet to enact binding regulations for this technology.
Even the United Nations is addressing spyware concerns as part of larger cybersecurity multilateral efforts. On July 11, the U.N. Open-ended Working Group on security of and in the use of information and communications technologies (U.N. OEWG) issued its final report after five years of intense debate between U.N. Member States on responsible State behavior in cyberspace. Among the many issues States addressed were concerns about increasing availability of spyware to both State and non-State actors (which the report discusses as “commercially-available ICT intrusion capabilities”). Specifically, States worried that the growing market for this technology is “increasing the opportunity for their illegitimate and malicious use and making it potentially more difficult to mitigate and defend against,” while simultaneously stressing that “such capabilities could be used in a manner consistent with international law” and that any measures to combat threats posed by spyware “should not be detrimental to the ability of States, in particular developing countries, to access and utilize ICT tools for purposes consistent with international law.”
This flexible positioning by States (acknowledging threats in cyberspace and the need to take measures in response, while simultaneously preserving the right to use such technology in accordance with international law, without specifying where the boundaries lie) is commonplace in cybersecurity. For years, States have acknowledged that international law, including international human rights law (IHRL) and international humanitarian law (IHL), applies to cyberspace. But there is as yet no consensus on determining which rules apply in specific cases (for example, what kind of cyber action could constitute an armed attack such that a State could justify a forceful response under self-defense).
After years of debate at the United Nations, there are a paltry two references to IHL in the U.N. OEWG’s final report, noting recommendations from the 2021 report issued by one of the OEWG’s predecessors, the Sixth Group of Governmental Experts, in which States “recognized the need for further study on how and when these [IHL] principles apply to the use of ICTs by States.” Four years later, States still seem to agree only on the need to continue discussions on this topic. There are few indications that States will agree on — much less implement or enforce — concrete measures setting boundaries on the kind of spyware development and use permitted under international law.
In contrast, civil society is urging at national and regional levels that States take steps now to combat growing threats posed by unregulated spyware. However, even national or regional processes take years. As those negotiations continue, spyware companies continue to do business with governments across the world. For example, the Israeli spyware company Paragon recently ended its relationship with the Italian government only after it was revealed that the country’s intelligence agencies had allegedly been targeting journalists with its product. That same company signed a $2 million contract last year with U.S. Immigration and Customs Enforcement, which has yet to take effect, likely in part due to recent public backlash over immigration enforcement policies under the Trump Administration in the United States.
Filling the Vacuum
Without regulations specifying the boundaries of permissible behavior, much is left to the discretion of spyware companies. This gray area, however, does not mean such companies are free to commit abuses without facing accountability, as the developments in civil cases demonstrate. Civil cases allow individuals or entities to bring cases and seek reparation for harms they have suffered when governments fail to act.
With respect to AI — a technology that has increasingly been the focus of extensive and lengthy debates on proper regulation — much attention has been paid to how civil liability might apply to its harms. For example, the European Commission released a white paper on AI in 2020 that focused heavily on how existing liability rules in the European Union may apply to AI harms and possible adjustments that might be needed. Although the European Commission eventually proposed an AI Liability Directive in 2022, it was withdrawn in February 2025 because lawmakers could not come to a final agreement. Across the pond, U.S. lawmakers even proposed — but ultimately rejected — 10-year and 5-year bans on state-level AI regulation. Yet much of the debate around AI still focuses on theoretical, future harms, which will inevitably become more likely as the technology advances. Conversely, despite significant global attention to documented harms from spyware abuses, few efforts to explore how civil liability may apply have been undertaken.
But why consider civil liability if it is true that private law approaches are not the ideal solution for a global problem? Former U.N. Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Fionnuala Ní Aoláin, rightly highlighted in a 2023 report that differing domestic tort frameworks result in an “inconsistent patchwork” that leaves room to debate about who is responsible in complicated “transnational production chains” and about the nature of human rights harms. Further, as the WhatsApp and Dada cases demonstrate, these processes also take many years. That means extensive legal costs and resource-intensive investigations, particularly when defendants refuse to cooperate.
What civil liability does offer is an available avenue today. Even if States agree on binding norms and enact regulations, any future investigations of abuses or violations of those regulations would take additional time. Further, any spyware-specific regulations would only cover future conduct after the enactment of those laws. Exploring how cases can be pursued across multiple jurisdictions under specific theories of liability clarifies at least some of the inconsistent tort patchwork and can assist individuals and organizations in assessing whether they want to pursue a case, the likelihood of success, and potential costs. Such discussions on potential liability can also inform future regulations by shedding light on the kinds of behaviors that might be grounds for future cases, the types of harms that may be covered, what the scale of reparations could be, and what actions — if any — by potential defendants could shield them from liability.
The Atlantic Council’s Strategic Litigation Project (SLP) (where the author of this post works) and the Cyber Statecraft Initiative (CSI) have convened this series on accountability for spyware harms in partnership with Just Security to explore different aspects, obstacles, and possibilities from law and policy as part of a larger research project exploring the relationship between spyware and tort liability in the United States and the United Kingdom. The series will include the following articles:
- Natalia Krapiva will explore the U.S. discovery process in civil claims.
- Nadine Farid Johnson will present policy options enabled by recent litigation.
- Lindsay Freeman will articulate how international criminal law should develop to grapple with emerging cyber threats.
Addressing the problem of spyware abuses will require broad international action by States, a commitment to enforcing any rules that are developed, and monitoring by civil society organizations to ensure transparency and accountability. But such processes take years of negotiations, and victims and survivors who have already been targeted and suffered great harms need access to justice now. Exploring different forms of existing liability mechanisms can open up new avenues for redress for individuals while work to regulate the industry continues on a larger scale.