jsr
jsr@primal.net
npub1vz03...ttwj
Chasing digital badness at the citizen lab. All words here are my own.
jsr 8 months ago
BREAKING: jury awards massive $167 million in punitive damages against spyware company NSO Group. It turns out that the regular people on a jury think it is evil when you help dictators hack dissidents. After years of every trick & delay tactic it only took a California jury ONE DAY of deliberation to get this Monsanto-scale verdict. Precedent-setting win against notorious #Pegasus spyware maker.

BACKSTORY: Rewind to 2019. About this time (April-May) #WhatsApp catches NSO Group hacking its users with #Pegasus. They investigated. We at Citizen Lab helped to investigate the targets & get in touch with the activists, journalists & civil society members that were targeted. We identified at least 100. And got in touch. It was a tremendous push of sleepless days. But it made it so clear just how much harm was being done.

Then, in October 2019 WhatsApp sued. Prior to the lawsuit, NSO had acted the playground bully. Targeting victims that dared speak up & researchers like us. Suddenly, the bully wasn't so surefooted. Like the scene in a high school movie where the cousin shows up in the beat-up car & collars the bully.

You might not remember, but in 2019 no country had sanctioned NSO Group... No parliamentary hearings, no hearings in Congress, no serious investigations. For years, WhatsApp's lawsuit helped carry momentum & showed governments that their tech sectors were in the crosshairs from mercenary spyware too... Credit due to Meta & WhatsApp leadership on this one, they stuck the fight out & carried it across the finish line.

NOTIFICATIONS MATTER: WhatsApp's choice to notify targets was also hugely consequential. A lot of cases were first surfaced from these notifications. With dissidents around the world suddenly learning that dictators were snooping in their phones...with NSO Group's help.

A SIDEBAR: HARASSING RESEARCHERS. One of NSO's many tactics was to leverage the case to badger me & us Citizen Lab researchers to try and extract information. It never worked, but it laid bare the tactics that these firms prefer...instead of coming clean.

ROLE OF CIVIL SOCIETY: Ultimately, we wouldn't be here without civil society investigations of mercenary spyware... and alarm raising. And victims choosing to come forwards. Thankfully today there's a whole accountability ecosystem growing around this work. Dozens of orgs engaging. Numbers are growing.

IS THERE GONNA BE IMPACT? YES. NSO Group emerges from the trial severely damaged. The damages ($167,254,000 punitive, $440K+ compensatory) are big enough to make your eyes water.

NSO'S BUSINESS IS NOW ALL OVER THE NET: The case is also a blow to NSO's secrecy, with their business splashed all over a courtroom. WhatsApp just published NSO's depositions, exposing an unprecedented amount of info on a spyware company's operations:
✅ https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Eshkar-Transcrips_Case-4-19-cv-07123-PJH.pdf
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Gil-Transcrips_Case-4-19-cv-07123-PJH.pdf
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Shohat-Transcrips_Case-4-19-cv-07123-PJH.pdf
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Gazneli-Transcrips_Case-4-19-cv-07123-PJH.pdf
This will scare customers. And investors. And other companies that do the same thing. Good.

MY VIEW: Watching a jury of regular citizens see right through NSO's mendacity & hypocrisy...and to the need to protect privacy is amazing. Gives me hope. Despite all the fancy lawyering & lobbying, people know that this kind of privacy invasion is wrong.

Read more:
They Exposed an Israeli Spyware Firm. Now the Company Is Badgering Them in Court.
Spyware maker NSO ordered to pay $167 million for hacking WhatsApp https://www.washingtonpost.com/technology/2025/05/06/nso-pegasus-whatsapp-damages/
NSO Group must pay more than $167 million in damages to WhatsApp for spyware campaign
jsr 8 months ago
#Skype shuts down TODAY. Here's the link to download your contacts, chats etc: secure.skype.com/en/data-export
jsr 8 months ago
Age verification is often a trojan horse for broader surveillance demands.
jsr 8 months ago
AI friends consoling me because my cat bonded to the robot vacuum & ignores me.
jsr 8 months ago
Friends don't let friends get their eyeballs scanned to buy a coffee. This portable dystopia machine is Tools for Humanity's latest effort to live up to their Orwellian name. Connoisseurs of the AI-will-end-humanity marketing hype train of a few years ago should find plenty to appreciate in an eyeball scanner framed as a 'helpful' tool to distinguish between AI agents & humans. Or is it for that? Or maybe point of sale? Or nebulous 'verification'? The only clear thing? This device starts from a point of biometric #privacy invasion. It sure looks to me like another effort by the company Sam Altman founded to make a global data-grab. Just say no.
jsr 8 months ago
BREAKING: another journalist targeted with spyware in #Italy. He's a close colleague of an already-known Paragon target & just got a threat notification from Apple. (btw if you get one of these, take it very seriously & get in touch with an expert)

CONTEXT: It's time for transparency from the Italian government. This scandal has been going on since the end of January. Unlike the first revelations earlier this year & their initial denials...Italy is now an admitted Paragon user. And everything we know about Paragon indicates that government deployments keep immutable logs that should give a quick answer: was it the Italian government?

Story [IT] https://www.fanpage.it/politica/il-governo-puo-chiarire-subito-se-ciro-pellegrino-e-stato-spiato-con-paragon-il-commento-di-citizen-lab/
jsr 8 months ago
Use sunscreen. Get enough fiber. Do regular backups.
jsr 8 months ago
NEW INVESTIGATION: Uyghurs far from China's borders are being targeted. Attackers impersonated legit software developers & contacted the targets asking for testing help on a language app. Then they sent a trojan. Let's talk about why this was clever.

TECHNICAL SOPHISTICATION? NAH. Technical sophistication of this attack was...meh. But that's not where the attackers focused.

INTELLIGENCE-DRIVEN? YAH. They spent their effort carefully crafting credible bait that matched what they knew about their targets: Trojanizing a legit Uyghur language app was a clever, cynical move.👇 Many marginalized communities struggle with getting fonts & dictionaries to capture their language. And developer talent is very welcome. With a lure that credible you don't need to burn your most sophisticated exploits.

Good news in this case: Gmail spotted & blunted the attacks, which were only found when my colleagues worked with vigilant targets to screen for them. But the theme of China-nexus hacking groups being economical about exposing technical methods (just using minimum necessary stuff) while drawing from (presumably) vast amounts of intelligence and understanding of their targets to craft effective social engineering is something we at the Citizen Lab have tracked for decades.

READ THE FULL REPORT: By my talented colleagues:
jsr 8 months ago
Fear is dictatorship glue. You can't imprison everyone with a dissenting thought. Or inconvenient factual observation. But fear teaches self censorship. And is a scalable system of control. The challenge, of course, is to keep the fear going. And push it all the way down into private conversations.

In the 20th century, such fear required massive human investment. Informants... model punishments...information control. All on a linear scale. And there was a post-cold war school of thought that said: once everyone is connected, these systems won't work. But tech isn't, by nature, a dictatorship antidote. It can equally be an expedient. Just ask China. In the past 20 years the government has empirically developed technologies & private sector partnerships for scaling fear and self censorship to north of 1.4 billion ppl. Log scale.

Out here in the rest of the world take a look around. The major underpinnings of our online & financial behavior have comprehensive person-tracking surveillance and information-shaping built right in... primarily to sell us even more things. But it is the shortest possible distance from that to a totalizing system of government surveillance. Punishment. And information control. We all carry informants in our pockets. Ready to snitch on us, shape what we feel, and implement punishments. This is a tremendously inviting system for governments with the instincts to grab these levers. Increasingly, they are doing just that.

Pictured: Stasi interrogation rooms. Image source:
jsr 8 months ago
2027: we can't wait to show our advertising partners how we deliver behavior shaping across whole lives. This is a surprisingly great feature, imo.
jsr 8 months ago
Government censorship has come to #Bluesky.

LATEST: On demands from the Turkish government, Bluesky restricted access to 72 accounts per a report from a Turkish NGO.

DETAIL: Accounts are restricted for users in Turkey. Accounts aren't banned from Bluesky's AT Protocol relays etc, but access is moderated at the official client level through geography-specific labels.

WORKAROUNDS? Realistically impacted accounts are no longer visible to the majority of Bluesky users (most aren't on 3rd party clients) in Turkey. However, since 3rd party client apps for the AT Protocol aren't forced to use geography-specific labels, they can still be used to view the content. In theory, official client + VPN would also result in seeing the accounts.

LOOKING AT SOME DATA: Bluesky has been publishing transparency reporting about legal & government requests. The most recent report covers 2024 and shows a relatively modest number of takedown requests, but about 50% response by Bluesky. Unfortunately, the company doesn't differentiate between legal demands in civil litigation and *government* demands. This makes it hard to get a clear picture. I hope Bluesky segments out these very different kinds of pressure in 2025 reporting so we can get a better sense of what's happening.

BIG PICTURE: Looking ahead, governments are probing for new ways to enforce content restrictions. These are early days for Bluesky and it is likely that a lot more requests like this will be inbound as users head there to try and avoid the well-greased censorship machinery on legacy platforms like X.

Recommended reading & Sources:
Super-helpful-to-me TechCrunch article:
Mastodon post confirming blocking with testing:
Bluesky post with the notification email screenshot:
Bluesky 2024 Moderation Report:
Bluesky post describing geography-specific labels as a content-removal technique:
jsr 8 months ago
Maybe we can all 'live without' private messaging? Pay attention. Denmark is set to take over the rotating EU Council presidency. And is sending signals that they want to go after encryption. Backdoors end badly. Demanding backdoors isn't just the surest way to chase away innovation...it's collective punishment for security services' own failures to adapt. And the history of democracies is littered with states abusing secret surveillance powers to undermine core values. Article:
jsr 8 months ago
Constant algorithmic improvements have empirically reverse engineered the human psyche. I suspect that explicit research neuroscience hasn't caught up to the insights about how to induce behavioral dependence that are embodied in these systems. The user experience of most platforms now mirrors maladaptive behavior-maintaining effects you could *only* achieve with most addictive drugs up to about a decade ago. We need to avoid the moral panic, but it's impossible to overstate how novel this is for our brains. One thing we know from behavioral addiction research (my old field) is that the brain is plastic. When you induce one category of addiction, it changes the motivational substrate of the brain in sticky ways. And cross-sensitizes / potentiates other forms of addiction and behavioral dependence. This will only accelerate & become less scrutable with improvements in AI. We are in the earliest, earliest days of trying to understand what this means for the next decades of human life. Painting: The Opium Den, Edward Burra, 1933
jsr 8 months ago
NEW: 🇪🇺EU issuing burner phones to staff traveling to 🇺🇸US. Anecdotal: matches what I'm seeing, which is orgs retooling what was once the high security "China travel policy" into a US travel policy. Burner phones, dedicated travel devices & border wipes are the new normal. Story:
jsr 9 months ago
Anyone come across good analyses of new US #tariffs? Longer term projections a bonus. #AskNostr
jsr 9 months ago
I've spent my adult life thinking about defending digital privacy. Yet until a few years ago, financial freedom & privacy was barely on my radar. This would have probably continued but for a handful of good humans that took the time to talk me through things. Thanks to thinking they kicked off for me, I now think that individual access to aspects of financial freedom & privacy are necessary to a healthy society.

Why did it take so long? Well, there was a failure of adversarial imagination on my part. And partly because if you aren't actively asking hard questions, this state of affairs will be hidden from you. The financial system & how it is taught is set up to hide structural privacy violations & disempowerment. I'm pretty sure my ignorance was closer to the norm than the exception. But when you completely restrict financial privacy & freedom, you disempower people...constantly. And it will keep eroding & blocking the exercise of other core rights. Until this changes & awareness grows, we're stuck paying the price for it in a thousand ways.

Shoutout to @gladstein for getting & keeping the intellectual ball rolling for me. And to all the good humans that have helped me along the way since. Thank you. You know who you are.

Painting: Egon Schiele, Four Trees, 1917.
jsr 9 months ago
Most folks don't love security theater & everyone has had a bad time at a screening checkpoint. So, let's think for a second about hypothetical private-#TSA companies.

I'd expect them to gravitate towards AI-assigned individual risk ratings to minimize the cost of hiring & training people to interact with travelers. To create ratings, I'd expect them to demand & consolidate invasive pools of our biometrics, web browsing, commenting, purchasing, movements & private lives. Just don't call it a "social credit score". You can bet they'll pivot to trying to monetize their data.

2026: We're a terminal security company
2029: We're a person rating company

Would these ratings make their way into other parts of our lives & things we want to visit? And who exactly would stand up for us when the ratings are wrong? Or our data is shipped to foreign buyers. Who holds #PrivateTSA companies accountable? The US doesn't have strong #privacy protections... I'm also not optimistic about private sector security companies' ability to stop breaches. History backs me up here. But I do expect that private-TSA companies could use lobbying to limit oversight & accountability. That's been the history of other privacy-invasive tech companies.

So, as an airline security privatization conversation kicks off, remember that it can't just be "current thing is bad" but needs to consider what kind of future we're inviting in.