Litigating Commercial Spyware: The Promise and Limits of Private Enforcement in a New Age of Cybersurveillance
Abstract
Commercial spyware firms—private companies that develop and sell sophisticated hacking tools to governments—are operating in a legal environment marked by weak oversight and notable regulatory gaps. NSO Group, the Israeli company behind the Pegasus spyware, offers a prominent example. Although marketed as a lawful investigative tool, Pegasus has also been used to target journalists and political opposition, prompting global concern and a wave of litigation.
This Article examines litigation against NSO in the United States and Israel as a case study to evaluate whether private lawsuits can function as a regulatory tool in this underregulated industry. Drawing on a comprehensive analysis of court dockets in the United States and Israel, as well as original interviews with attorneys involved in these proceedings, the Article supports the observation that traditional state-centered regulation has struggled to constrain commercial spyware. It further demonstrates that lawsuits brought by individual victims have faced considerable challenges, due to jurisdictional hurdles and structural resource disparities.
At the same time, litigation initiated by major technology companies has achieved limited success and could occupy an effective supplemental regulatory role. Building on the emerging scholarship painting Big Tech as a potential de facto complementary regulator in the field of surveillance in general, and in the context of spyware in particular, this Article shows that technology companies possess the incentives, resources, and jurisdictional leverage necessary to pursue or back sustained litigation aimed at shaping legal rules that alter the economic and legal viability of abusive spyware use.