top of page
Search

Pegasus versus Meta: lawsuit

  • Writer: Matthew Parish
    Matthew Parish
  • 2 minutes ago
  • 3 min read

Thursday 29 January 2026


The long-running lawsuit between NSO Group and Meta Platforms over the Pegasus espionage product has become one of the defining legal contests of the contemporary digital age. It is not merely a dispute about liability for a particular security breach in WhatsApp, but a broader confrontation over where responsibility lies when powerful surveillance tools, developed by private firms and sold to states, are turned against civil society.


At the heart of the case is Pegasus, a highly sophisticated spyware platform designed to infiltrate mobile telephones, extract communications and activate microphones and cameras without the user’s knowledge. NSO has consistently argued that Pegasus is sold only to governments and solely for legitimate purposes such as counter-terrorism and serious crime prevention. Meta, by contrast, alleges that NSO exploited vulnerabilities in WhatsApp’s calling function to deliver Pegasus to the devices of journalists, lawyers, diplomats and human rights activists, in clear violation of WhatsApp’s terms of service and, more fundamentally, of domestic and international law.


The factual dispute focuses on an alleged “zero-click” exploit, meaning that the target did not need to answer a call or interact with a message for the spyware to be installed. Meta maintains that this amounted to unauthorised access to its servers and users, framing the conduct as both a breach of contract and a violation of computer misuse laws. NSO has countered that responsibility for securing WhatsApp lay with Meta itself and that its clients, not NSO, determined how Pegasus was deployed. This attempt to shift responsibility up and down the chain has become a recurring theme in litigation involving digital surveillance.


The lawsuit therefore raises an uncomfortable question for the technology sector. To what extent can a platform provider be held responsible for flaws in its own security architecture, even when those flaws are exploited by a third party for malign ends? Meta’s position is that it is entitled to protect the integrity of its systems and its users, and that commercial spyware vendors should not be permitted to treat vulnerabilities in widely used communication tools as fair game. NSO’s response implicitly suggests that absolute security is illusory and that sophisticated state actors will always find ways to penetrate popular platforms.


Beyond the immediate technical arguments, the case has significant geopolitical and humanitarian implications. Pegasus has been linked, in investigative reporting and civil society research, to surveillance campaigns in numerous countries with poor records on press freedom and judicial independence. While NSO disputes many of these allegations, the perception that private Israeli technology has facilitated repression abroad has drawn diplomatic scrutiny and, in some cases, sanctions. The lawsuit thus sits at the intersection of private law, export controls and international human rights norms.


The proceedings also test the limits of sovereign immunity and corporate accountability. NSO has argued that because it acts on behalf of state clients, it should benefit indirectly from their immunity. Courts in the United States have shown scepticism towards this claim, signalling a willingness to treat spyware vendors as ordinary commercial actors rather than extensions of foreign governments. If that approach is upheld, it could have far-reaching consequences for an industry that has until recently operated in the shadows, shielded by secrecy and national security rhetoric.


For Meta the litigation is as much about signalling as it is about damages. By pursuing the case aggressively, the company presents itself as a defender of user privacy despite its own contested record in that field. For NSO, the stakes are existential. An adverse judgment would not only impose financial costs but could also further delegitimise the commercial spyware market, encouraging other platforms and victims to bring similar claims.


Ultimately the NSO v Meta case illustrates a deeper structural problem. Digital communications have become critical infrastructure for modern societies, yet they remain vulnerable to exploitation by actors operating in legal grey zones. Courts are being asked to adjudicate questions that sit uneasily between law and technology, national security and individual rights. Whatever the outcome, the lawsuit marks a turning point. It suggests that the era in which surveillance technology firms could plausibly deny responsibility for how their tools were used is drawing to a close, and that the law is beginning, however haltingly, to catch up with the realities of twenty-first-century espionage.

 
 

Note from Matthew Parish, Editor-in-Chief. The Lviv Herald is a unique and independent source of analytical journalism about the war in Ukraine and its aftermath, and all the geopolitical and diplomatic consequences of the war as well as the tremendous advances in military technology the war has yielded. To achieve this independence, we rely exclusively on donations. Please donate if you can, either with the buttons at the top of this page or become a subscriber via www.patreon.com/lvivherald.

Copyright (c) Lviv Herald 2024-25. All rights reserved.  Accredited by the Armed Forces of Ukraine after approval by the State Security Service of Ukraine. To view our policy on the anonymity of authors, please click the "About" page.

bottom of page