Unlocking Justice: A Policy Roadmap for Victims of Spyware

Editor’s Note

This article is part of the series, “Legal Frameworks for Addressing Spyware Harms.”

The proliferation of spyware poses a serious threat to civil rights and civil liberties with few avenues for accountability. Despite representative promises by industry entities that the technology is provided to governments for uses limited to “preventing and investigating serious crime, including terrorism,” the technology has been used to target journalists, human rights defenders, and U.S. diplomats. Such targeting chills the exercise of free expression, undermining fundamental rights.

Victims of spyware can seek redress through litigation, but people trying to obtain justice through the court system today can often face insurmountable barriers. Policymakers should step in and make it clear through legislation that U.S. courts are the correct venue for certain of these cases, thereby introducing a pathway for much needed accountability for these cyberattacks.

Understanding Spyware’s Reach and Ramifications

Spyware introduces insecurity into digital ecosystems and encourages the exploitation of security vulnerabilities. For example, Pegasus, a suite of software from NSO Group, allows governments and other clients to hack individuals’ cell phones imperceptibly. The company’s program supplies clients with full access to infected devices, including the ability to view and download content, take photos, and record audio. Pegasus can be installed through a “zero-click” exploit, meaning a purchaser can deploy the software remotely and without relying on the targeted user to download it by clicking a link. In continually seeking to overcome security patches, spyware companies like NSO Group, which has admitted to employing a team to study Android devices and applications such as WhatsApp to identify vulnerabilities, undermine cyber defenses and trust.

This is a lucrative business: although estimates about the size of the industry vary, as of 2021, NSO Group had a valuation of approximately $2 billion. According to the Carnegie Endowment for International Peace, 74 governments procured spyware between 2011 and 2023 from a variety of companies, including FinFisher, Hacking Team, and Cellebrite, among others. NSO Group alone grants foreign governments the ability to spy on approximately 12,000 to 13,000 people annually. The industry’s reach is being amplified; as the industry’s top players have faced increased scrutiny from governments and civil society, second-tier firms and hacking groups have turned to open-source code and low-cost tools to carry out spyware attacks. The uptick in easily deployed, malicious programs harms the digital ecosystem and increases the likelihood individuals will be victimized.

Why Legal Redress for Individual Spyware Victims Remains Elusive

Although recent federal efforts to limit government access to and use of mercenary spyware via procurement rules and export controls are commendable, access to justice for individual victims of spyware attacks remains elusive. In the past few years, at least three lawsuits have been filed in U.S. federal court against NSO Group on behalf of individual victims alleging violations of various federal and state laws after facing Pegasus spyware attacks. Myriad procedural challenges in court slow or even preclude the cases from reaching the merits, leaving victims in limbo with no redress.

These plaintiffs face significant jurisdictional hurdles, sometimes seeing their cases dismissed on these preliminary grounds after months-long battles in court. Judges have rejected attempts to hold NSO Group liable for violations of both state and federal laws prohibiting hacking and unauthorized data extraction on grounds that the company lacks adequate ties to the United States or particular states. Judges have also dismissed cases on grounds that the United States is not the proper forum for these cases, such that lawsuits should be brought in another, non-U.S. jurisdiction instead. For example, the Fourth Circuit recently affirmed a ruling by a federal district court in Virginia that dismissed a lawsuit against NSO Group filed by the widow of murdered journalist Jamal Khashoggi for a lack of personal jurisdiction.

These procedural challenges prevent judges from reaching the merits of the cases against NSO Group, leaving victims of spyware invasions in limbo and without redress in U.S. courts, despite the violations of privacy, safety, and freedom of expression they suffer due to the company’s technology.

To date, corporate plaintiffs allegedly victimized by NSO Group have had more success overcoming procedural hurdles than individual plaintiffs. Two cases—one brought by Apple and the other by Meta’s WhatsApp—survived NSO Group’s jurisdictional challenges. NSO Group finally faced liability in the case brought by WhatsApp, due in no small part to its refusal to provide information to opposing counsel during discovery. On May 6, a jury awarded WhatsApp $167 million in damages. NSO Group has asked the trial court to drastically reduce this award or order a new trial.

In September 2024, Apple moved to drop its case, in part because it would have been forced to disclose information about its security practices that predatory spyware companies have sought for years. According to the tech giant,

[b]ecause Apple currently uses its threat-intelligence information to protect every one of its users in the world, any disclosure, even under the most stringent controls, puts this information at risk.

These developments demonstrate it is past time to allow the victims of spyware attacks—the people whose devices are infected—a pathway to redress against NSO Group and its competitors in the United States for the harms they perpetrate.

The Knight First Amendment Institute at Columbia University, where I work, represents one such group of spyware victims, who are journalists and others from the Central American news outlet El Faro. The case, Dada v. NSO Group, seeks to hold NSO Group accountable for its role in spyware attacks against these plaintiff journalists, who were targeted with repeated Pegasus attacks between June 2020 and November 2021. The attacks, some of which coincided with dates on which journalists visited the U.S. Embassy in San Salvador to meet with officials, intensified around the publication of major stories exposing criminal activity and human rights abuses by the Salvadoran government. Plaintiffs include a U.S. citizen and two U.S. residents. The Pegasus attacks of their iPhones were conducted via interaction with the servers, software, and services of Apple, a Northern California-based company. The case was filed in the U.S. federal district court for the Northern District of California.

On March 8, 2024, the district court dismissed the case on forum non conveniens grounds, meaning it believed the case was more appropriately heard in another court. The plaintiffs appealed the dismissal to the Ninth Circuit, which vacated the district court’s decision and remanded the case for further consideration on July 8, 2025.

Dismissal on forum non conveniens grounds is uncommon, in part because the burden on the defendant is intentionally high. The use of forum non conveniens is of particular concern in cases concerning fundamental human rights, where U.S. courts may be the only plausible venue for such cases to proceed. Whereas a U.S. district court might be inclined to point parties in spyware cases to litigate in a defendant’s state of incorporation or the country in which the attacks are alleged to have taken place, the reality is that bringing such a case to fruition in those jurisdictions is unlikely. For example, NSO Group is incorporated in Israel; that government took “extraordinary measures” to undermine the WhatsApp litigation, the Guardian reported. And the courts of countries such as Saudi Arabia, the United Arab Emirates, or El Salvador—where targeting of human rights dissidents and journalists is common—are unlikely venues for justice. As the nascent body of spyware litigation shows, would-be plaintiffs face procedural challenges in bringing cases in U.S. court as well as in other courts around the world, threatening a situation in which no courts will be open to hearing these victims’ cases on their merits.

Pathways to redress via litigation are critical for individual victims of spyware targeting. The options for these would-be plaintiffs are inconsistent and unclear, yet the harms and security threats associated with spyware continue—and grow—unabated. Policymakers should address this fundamental imbalance and create a level playing field for spyware victims, allowing a pathway to redress.

An Opportunity for Congressional Action

The dangers of commercial spyware have received increased bipartisan attention in the past several years. Both the executive and legislative branches of the U.S. government have rightfully sought to place careful limits on the U.S. government’s operational use and procurement of commercial spyware that could harm U.S. national security interests or undermine human rights.

Congress has acknowledged the concerns raised by the misuse of commercial spyware, but has yet to offer guidance to federal courts grappling with the procedural questions that the attacks on U.S. persons and others raise. The Computer Fraud and Abuse Act (CFAA) offers one vehicle for Congress to act in support of individual spyware victims and clarify a pathway for redress in U.S. courts, via the codification of a venue right for victims who were targeted via the exploitation of a software vulnerability in their devices.

As indicated by court filings, in the spyware cases filed in U.S. federal district court on behalf of individual victims, the defendant purveyors of commercial spyware are alleged to have intentionally accessed, or caused to be accessed, without authorization, the victims’ devices; and to have enabled or caused the surreptitious installation of spyware on those devices, thereby permitting the gathering of information from those devices for the purveyors’ clients via unfettered surveillance of the victims and the exfiltration of data from their devices.

Characterized as an “anti-hacking statute,” the CFAA prohibits, inter alia, obtaining information through unauthorized computer access; engaging in computer-based frauds through unauthorized computer access; and knowingly causing damage to certain computers by transmission of a program, information, code, or command. While the law was enacted well prior to the development of readily deployable malware and spyware, particularly the “zero-click” technology that powers Pegasus and some other commercial spyware, courts have held that the Act protects against unauthorized access facilitated by these invasive technologies.

Plaintiffs bringing cases against spyware manufacturers in the United States have faced forum challenges, as noted, and courts have grappled with the question of when a case is too foreign to be heard in the United States. On the surface, this hesitation may seem reasonable: To date, there is no public record of a device with a U.S. country code phone number being infiltrated with Pegasus; there have been no lawsuits brought alleging misuse of spyware on the part of a U.S. government entity; and neither NSO Group nor other major spyware purveyors are based in the United States. Yet the spyware purveyors, via their invasive technology, exploit vulnerabilities in U.S. companies’ software and access U.S. companies’ servers, operating systems, and services. Spyware purveyors provide their clients with access to victims’ devices, in order to facilitate access to victims’ information without their authorization. The purveyors make this possible by accessing U.S. companies’ services with the intent to gain access to and exploit vulnerabilities within those companies’ technologies. Without extensive interaction with U.S. entities’ software, services, and servers, the spyware purveyors could not facilitate access to victims’ information for their clients.

The exploitation of U.S. companies’ technologies to enable the unauthorized surveillance of and gathering of data from individuals’ devices harms U.S. economic and security interests. At a minimum, it should create a threshold from which victims of spyware abuse can seek redress in U.S. federal court.

This presents an opportunity for Congress to act. Congress has, in other contexts, limited courts’ ability to dismiss on forum non conveniens grounds. In the spyware context, Congress could amend the CFAA to clarify that the use of the software, services, or servers of U.S. companies to develop and/or deliver spyware to protected devices is sufficient to establish venue for purposes of seeking relief in U.S. courts. Within such a provision, Congress could also specify that venue would be proper in the district where the U.S. company has its place of incorporation or principal place of business.

Establishing a venue provision would not relieve plaintiffs of the burden to demonstrate personal jurisdiction in their chosen forum. But for litigants who can demonstrate a sufficient connection between the spyware attacks, the spyware purveyor, and the U.S. forum, this provision would serve as a guide for courts insofar as venue is concerned.

Being targeted by spyware affects victims, their families, their employers, and their communities. Unchecked, the use of this technology eliminates vital bulwarks against government power and abuse, degrading civic institutions and thwarting accountability. The courageous individuals who seek redress should have a pathway to justice. As litigation efforts continue, Congress can act to clear that pathway, creating a legislative mechanism for plaintiffs who seek accountability from spyware purveyors to have their cases heard on the merits.