Access Now is asking the Ninth Circuit to preserve a permanent injunction that bars NSO Group from targeting WhatsApp or its customers’ devices again. The filing matters because the dispute is not only about one spyware vendor or one messaging app. It is about whether legal pressure can help defend encryption when the practical attack often lands on the user’s device.
What changed#
Access Now says it joined ten other civil society organizations in filing an amicus brief with the U.S. Ninth Circuit Court of Appeals. The brief asks the court to protect encryption from NSO Group’s Pegasus spyware and to keep in place a lower court’s permanent injunction.
The injunction, as described by Access Now, forbids NSO from ever targeting WhatsApp or WhatsApp customers’ devices again. That is the operational core of the update. The case is now at the appellate level, and civil society groups are arguing that the lower court’s restriction should survive.
The public source does not provide the full legal argument in the short item. It also does not say that the Ninth Circuit has ruled. The known change is the filing itself: Access Now and partner organizations are trying to influence the appeal before the court decides what happens next.
That distinction matters. A brief is not a verdict. It is a signal of what civil society groups believe is at stake, and where they want the court to draw the line around spyware, encrypted platforms, and user devices.
Why access now matters for security operations#
The phrase “protect encryption” can sound abstract. In this context, it is concrete. Pegasus-style spyware is not mainly a debate about whether a message app uses encryption correctly. The deeper risk is endpoint compromise: if a phone is infected, encryption may still exist, but the attacker can try to observe the user before or after the protected channel does its work.
That is why the Access Now filing is relevant beyond lawyers and policy teams. For security operations, the case touches a familiar failure mode: users trust the secure channel, while the device running that channel becomes the weak point.
A court order cannot patch a phone. It cannot prove that a device was never targeted. It also cannot remove the need for operational checks. But an injunction against a spyware vendor can still matter. It can raise the cost of abuse, preserve discovery paths, and create legal exposure for conduct that technical teams alone cannot stop.
The practical lesson is narrow but useful. Encryption is necessary. It is not a complete threat model. If the attacker can compromise the endpoint, the protected pipe is no longer the whole story.
This is also why open source security work and artifact-level verification keep showing up in adjacent debates. Trust needs more than a claim. It needs inspectable systems, repeatable checks, and a way to detect when the supply chain or endpoint has become hostile. For related context, see our note on OpenSSF’s April signal and why security artifacts need to become operational: https://gigatap.top/en/articles/openssfs-april-signal-make-security-artifacts-operational
What to check before acting on this#
For ordinary users, the filing does not mean WhatsApp is unsafe by default. It also does not mean a specific person is being targeted now. The source says civil society groups filed a brief to preserve an injunction against NSO targeting WhatsApp or its customers’ devices.
The right response is not panic. It is better hygiene around high-risk communications.
If you are a journalist, lawyer, activist, political worker, executive, or someone who may be targeted by a state-linked or high-budget actor, check the basics first:
- Keep the operating system and messaging apps current.
- Treat unexpected links, attachments, calls, and profile interactions as possible delivery paths, even when they arrive through trusted apps.
- Separate high-risk work from casual device use where possible.
- Use device security features that reduce attack surface, especially when traveling or handling sensitive sources.
- Preserve evidence if compromise is suspected; wiping a device too early can destroy useful traces.
- Seek help from a credible digital security organization if you face targeted risk.
For organizations, the operational checks are different. This is where security operations teams should avoid treating “encrypted messaging” as the endpoint of the control plan.
Useful checks include:
- Which roles rely on personal phones for sensitive work?
- Is there a documented response path for suspected mobile spyware?
- Are high-risk staff trained to report weird device behavior without fear or delay?
- Are backups, logs, and account recovery paths protected from the same device compromise?
- Are legal, security, and executive teams aligned on evidence preservation?
None of this requires assuming Pegasus is present. It requires accepting that high-risk communications can fail at the device layer, even when the app layer is strong.
What not to overclaim#
The Access Now item supports several careful claims. It says an amicus brief was filed. It says the filing asks the Ninth Circuit to protect encryption from NSO’s Pegasus spyware. It says the groups want the lower court’s permanent injunction kept in place. It says the injunction forbids NSO from targeting WhatsApp or its customers’ devices again.
It does not, from the provided source text, establish a new technical exploit, a new Pegasus campaign, or a new court ruling. It does not give fresh victim counts. It does not say the injunction has already been upheld by the Ninth Circuit.
That restraint is important because spyware coverage often collapses into two bad habits. One is to treat every legal development as if it proves a new technical compromise. The other is to treat legal remedies as symbolic because they do not directly remove malware from devices. Both miss the point.
Legal pressure and technical defense work on different layers. A strong injunction can help define unacceptable conduct and limit repeat targeting by a named actor. Device hardening, patching, detection, and incident response handle the operational layer. Users need both, but they should not confuse one for the other.
Practical takeaway#
The Access Now filing is worth watching because it sits at the seam between encryption policy and real-world device compromise. If the lower court’s injunction remains in force, it would preserve a legal barrier against NSO targeting WhatsApp and its users’ devices. If it is weakened, the signal to spyware vendors and secure communication platforms could shift.
For readers, the action item is simple: do not downgrade encryption, but do not let encryption become a false comfort. Review the device and account paths around the secure app. That is where the privacy risk often becomes operational.