The United States District Court for the Northern District of California held that the NSO Group, as a private company, could not claim sovereign immunity, and found that its Pegasus spyware exploited vulnerabilities in WhatsApp to monitor over 1,400 individuals. WhatsApp accused the NSO Group of using the spyware to hack into its platform and monitor targets without their consent. The District Court reasoned that sovereign immunity did not apply to a private entity like the NSO Group, even if its actions were carried out on behalf of a foreign government. It further determined that the NSO Group’s use of the spyware violated U.S. law, in particular the Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and constituted a breach of contract. The Court granted summary judgment on the CFAA and CDAFA claims, finding unauthorized access to WhatsApp’s California-based servers, and on the breach of contract claim, since the NSO Group’s reverse-engineering of WhatsApp’s software violated its terms of service. The Court rejected the NSO Group’s defenses based on lack of personal jurisdiction and insufficiency of the evidence, and imposed evidentiary sanctions for noncompliance during discovery.
On October 29, 2019, WhatsApp, an instant messaging and voice-over-IP service, filed a lawsuit against NSO Group Technologies. WhatsApp claimed that the NSO Group had used its software to send malware to approximately 1,400 mobile phones and devices. The malware’s primary purpose was to infect these devices and monitor their users.
WhatsApp’s software uses a signaling server to establish initial connections between users and a relay server to transmit communication data. The NSO Group, as part of its Pegasus product, created a modified version of the WhatsApp client, a tool known as the WhatsApp Installation Server (WIS). The WIS allowed the NSO Group’s clients to send encrypted files carrying installation vectors that enabled surveillance of the targeted users.
WhatsApp alleged four causes of action: violation of the Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), breach of contract, and trespass to chattels (personal property). The District Court for the Northern District of California dismissed the trespass to chattels claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure. It did not allow an amended complaint, leaving the remaining claims of CFAA violation, CDAFA violation, and breach of contract as the operative claims.
WhatsApp sought a partial summary judgment, requesting a ruling on liability for all claims, leaving only the issue of damages for trial. Meanwhile, the NSO Group moved for dismissal or summary judgment based on a lack of personal jurisdiction and also sought partial summary judgment on the merits of the case. Additionally, WhatsApp sought sanctions due to the NSO Group’s conduct during discovery.
Judge Phyllis J. Hamilton of the United States District Court for the Northern District of California delivered the judgment. The primary issue before the Court was whether the NSO Group, a private entity, could claim sovereign immunity while being accused of violating the CFAA, the CDAFA, and other state and federal laws by deploying spyware on WhatsApp users’ devices.
Before adjudicating the issue, the Court referred to Anderson v. Liberty Lobby, Inc. (1986) and reiterated the principle that summary judgment is proper where the pleadings, discovery, and affidavits show that there is “no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” [p. 2] Material facts are those that could affect the outcome of the case, and a dispute is genuine if a reasonable jury could find for the non-moving party. The Court cited Ninth Circuit cases such as Nissan Fire & Marine Ins. Co. v. Fritz Cos. (2000) and United Steelworkers of Am. v. Phelps Dodge Corp. (1989) to clarify that defendants can demonstrate the absence of a genuine dispute either by negating an element of the challenged claim or by showing that the plaintiff lacks evidence to substantiate it. The Court noted that, as established in Hansen v. United States (1993), the non-moving party must respond with specific facts, beyond mere pleadings or conclusory allegations, to show that a genuine issue exists. It added that courts must view the evidence in the light most favorable to the non-moving party, as set out in Tolan v. Cotton (2014) and Leslie v. Grupo ICA (1999).
The District Court first addressed a critical jurisdictional issue that the NSO Group had raised in several cases. It distinguished the present case from three previously dismissed cases: Corallo v. NSO (N.D. Cal.), Dada v. NSO (N.D. Cal.), and Elatr Khashoggi v. NSO (E.D. Va.). The Court noted that those cases were dismissed because of the foreign citizenship or residency of the plaintiffs, unlike the present case, in which the plaintiffs were U.S. citizens and residents of the district.
To assess whether it had jurisdiction to decide the matter, the Court applied the purposeful direction test from Calder v. Jones (465 U.S. 783), which required three elements: an intentional act by the defendants, express aiming at the forum state, and harm that the defendants knew would likely occur in the forum state.
On this point, the NSO Group contended that the allegations were unsupported by evidence, specifically challenging the second element of the purposeful direction test: express aiming. It contended that none of WhatsApp’s signaling servers were located in California and that the messaging company made the choice of which server to use, implying the NSO Group could not have purposefully aimed their conduct at California. However, WhatsApp argued that the NSO Group failed to produce key evidence, including the Pegasus code, which would clarify how servers were selected. It further asserted that even if the WIS operated similarly to the official WhatsApp clients, it was still an intentional choice made by the NSO Group.
Upon examining the evidence, the District Court found that during May 2019 the NSO Group’s Pegasus code was sent through WhatsApp’s California-based servers multiple times. This, the Court held, supported its earlier finding that the defendants “caused a digital transmission to enter California, which then effectuated a breaking and entering of a server in California.” [p. 6] Based on this evidence, the Court concluded that it had personal jurisdiction over the defendants in the district.
Subsequently, the Court addressed a significant motion for sanctions against NSO regarding its discovery obligations, particularly the production of the Pegasus source code and internal communications. The Court traced its previous orders, starting with the November 2023 ruling that applied the Richmark balancing test (see Richmark Corp. v. Timber Falling Consultants (1992)), which required NSO to produce information “sufficiently specific and important” to the claims.
WhatsApp contended that the NSO Group had not complied with prior Court orders regarding the disclosure of the full Pegasus code, as required by earlier rulings. On February 23, 2024, the District Court rejected NSO’s attempt to limit production to only the “installation layer” of the source code, mandating instead the production of “full functionality” information. The Court had directed the NSO Group to produce not just the “installation layer” of the code but the AWS (Amazon Web Services) server containing Pegasus source code—clarifying that “full functionality” meant the complete Pegasus computer code. However, NSO’s subsequent production was severely limited since the code was only viewable by Israeli citizens within Israel and only included code from the specific AWS server rather than the complete Pegasus functionality.
At this point, the District Court referred to several cases, including Rambus v. Hynix (2007), Satya v. Martin (2019), and InTouch Techs. v. VGO (2012), which established that producing source code in a foreign or relatively inaccessible location does not satisfy the federal discovery rules. The District Court considered that the arrangement NSO offered was impracticable for litigation in the district, and concluded that NSO’s failure to comply with its discovery obligations warranted sanctions.
Beyond the source code issues, WhatsApp raised concerns about NSO’s refusal to produce internal communications regarding WhatsApp vulnerabilities and their interactions with US company Westbridge. WhatsApp sought both terminating sanctions and evidentiary sanctions on specific topics: targeting of California-based servers, location of third-party servers, relationship with Westbridge, and use of Pegasus by NSO’s customers. NSO, for its part, argued that their AWS server production in Israel complied with discovery obligations, suggesting plaintiffs could either use Israeli counsel or obtain an export license to view the code in the US. The District Court found NSO’s position regarding limiting production to only the AWS server code unreasonable given the case’s history and context. It determined that restricting code access to only Israeli citizens present in Israel was impracticable for a lawsuit being litigated in the Northern District of California. While noting that terminating sanctions could be justified due to NSO’s non-compliance with discovery obligations concerning key facts, the Court opted for evidentiary sanctions as a less severe measure—thus, reserving terminating sanctions as a potential future remedy if the plaintiffs couldn’t establish their claims otherwise.
Most significantly, with respect to personal jurisdiction, the District Court imposed an evidentiary sanction establishing that NSO’s use of California-based servers was purposeful. This sanction was levied because NSO’s failure to produce accessible Pegasus code prevented the plaintiffs from obtaining detailed evidence about how the WIS selected servers. In addition, the Court held that the evidence showed Pegasus code was transmitted through California-based servers 43 times in May 2019. This supported the earlier finding that the NSO Group had “caused a digital transmission to enter California, which then effectuated a breaking and entering of a server in California.” [p. 6] The evidentiary sanction reinforced the Court’s determination that it had personal jurisdiction over NSO in the district.
Next, the District Court analyzed WhatsApp’s claims of violations of the CFAA and the CDAFA and of breach of contract. In examining the CFAA claim, the Court focused on sections (a)(2) and (a)(4) of the act, along with conspiracy allegations under section (b). While the Court had previously limited the plaintiffs to an “exceeds authorization” theory, a key dispute emerged over whether sending Pegasus through WhatsApp’s servers constituted exceeding authorized access. The Court found that NSO’s WIS obtained, via WhatsApp’s servers, protected information about target users’ devices that a regular WhatsApp user could not obtain. Despite the NSO Group’s claim that it only obtained information from the users’ devices themselves, the Court ruled in favor of WhatsApp and granted summary judgment. In the Court’s view, the NSO Group’s actions, such as redesigning Pegasus to evade detection, demonstrated intent to defraud, satisfying the statutory requirements of both sections. The Court further found that the NSO Group’s conduct resulted in unauthorized access and the extraction of information.
Regarding the CDAFA claim, which mirrors the CFAA claim but requires unlawful access to computers located in California (as established in Meta Platforms, Inc. v. BrandTotal Ltd.), the Court found the evidence of California relay servers sufficient. Because of NSO’s failure to produce the Pegasus source code showing how servers were selected, the Court imposed an evidentiary sanction establishing that the WIS deliberately targeted California servers. This finding led the Court to grant summary judgment on the CDAFA claim.
On the breach of contract claim, based on the violation of WhatsApp’s terms of service, the Court referred to the case law set forth in Laatz v. Zazzle (2024), and Sellers v. JustAnswer LLC (2021) to establish contract formation between WhatsApp and NSO. The Court rejected NSO’s arguments that they might have reverse-engineered WhatsApp before agreeing to terms of service. It noted that NSO had withheld evidence about their account creation and would have needed to access the software (thus agreeing to the terms first) before reverse-engineering it. The Court found that NSO breached the contract by reverse-engineering WhatsApp, sending harmful code, and collecting user information.
In conclusion, the District Court granted WhatsApp’s motion for partial summary judgment and motion for sanctions while denying the NSO Group’s motion for summary judgment. The Court found the NSO Group liable on all three claims—violations of the CFAA and CDAFA, and breach of contract—leaving only the question of damages for trial.
This ruling expands the scope of freedom of speech by reinforcing the security of digital communication platforms against unauthorized surveillance and cyber intrusions. By holding the NSO Group accountable for deploying the Pegasus spyware through WhatsApp’s servers, the District Court’s decision creates a powerful deterrent against technological tools that could otherwise chill free expression through fear of surveillance. The Court’s finding that the NSO Group’s actions violated the CFAA and CDAFA—along with its breach of contract determination—effectively establishes that companies cannot hide behind claims of legitimate business purposes when deploying invasive surveillance tools that compromise secure communication channels. This strengthens the foundation for free speech in the digital age by ensuring that messaging platforms remain secure spaces where users can express themselves without fear of unauthorized monitoring—thereby protecting the essential conditions necessary for robust public discourse and private communications in our increasingly digital world.