Not sure if this is too little, too late. The israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, employed almost 500 people as of 2017 [1] . However, the US govt included NSO Group in its Entity List for acting against U.S. national security and foreign policy interests, effectively banning U.S. companies from supplying NSO [1]
This makes me think that NSO is effectively frozen out of the US banking network, and therefore the whatsapp judgement is ineffective to go after US assets in US jurisdictions. So, no disgorgement outside of what banks may have frozen before this lawsuit (if anything) as a result of the Entity list addition.
Given that the NSO Group is supported by the Israeli government and their weapons have been used against US civilians, and US-aligned individuals, you would think there would be much heftier consequences.
They knowingly attacked and destroyed USS Liberty in 1967 and didn't face any consequences.
Sometimes I wonder what's so special about Israel that they keep getting away with everything.
Or exfiltrating enriched nuclear material from NUMEC in the US to get their weapons program underway (Apollo affair) in 1976, or violating the nuclear test treaty off the coast of South Africa (Vela incident) in 1979, or blackmailing Clinton in 1998 (Jonathan Pollard incident). Or any number of other things. And these are just the things we know about.
But we know why they are special and get away with things that any other country would be in serious shit for. AIPAC does not fuck around. They play to win. And the evangelicals support it because of their belief about the second coming of christ.
Fine, not wrong, but you missed the rather heavy factor of the western powers feeling they owe a huge debt to the Jewish people for turning their boats back during the Holocaust. It's a "no one helps you til you help yourself" scenario, now that a state exists with a mission to give Jews safe refuge and self governance, they have (some of) the world's sympathy.
its not merely because of a few lobbyists and evangelicals' wacky eschatology
>They knowingly attacked and destroyed USS Liberty in 1967
Both sides agree it was an accident.
>Israel apologized for the attack, saying that USS Liberty had been attacked in error after being mistaken for an Egyptian ship.[5] Both the Israeli and United States governments conducted inquiries and issued reports that concluded the attack was a mistake due to Israeli confusion about the ship's identity.[6]
The survivors themselves say it was deliberate.
And if you scratch the surface, you will quickly realise that their apology is bullshit.
Israel wanted the US involved and conducted a false flag operation:
“Some intelligence and military officials dispute Israel's explanation.[79] Dean Rusk, U.S. Secretary of State at the time of the incident, wrote: I was never satisfied with the Israeli explanation. Their sustained attack to disable and sink Liberty precluded an assault by accident or some trigger-happy local commander. Through diplomatic channels we refused to accept their explanations. I didn't believe them then, and I don't believe them to this day. The attack was outrageous.[80]”
>I was never satisfied with the Israeli explanation. Their sustained attack to disable and sink Liberty precluded an assault by accident or some trigger-happy local commander.
If the attack was due to mistaken identity, wouldn't you expect the Israelis to go all out? I also skimmed the section and there's not much in the way of arguments besides that and "Israel pressured US to admit it was an accident".
There was no mistaken identity. They knew it was an American ship and attacked it on purpose. It was witnessed and documented that they made the decision to deliberately attack an American warship, then tried to excuse themselves from responsibility.
They were targeting lifeboats and engaging in other dishonorable behavior we've since seen repeated in Gaza as well. "Going all out" is not warfare, it is sadism in violation of the Geneva Convention.
https://web.archive.org/web/20211111095447/https://www.haare...
There's also many voices saying it was a coverup.
The same could be said of the JFK assassination, or the moon landing.
The moon landing was a cover up for what?
Not having happened. Not a cover up for something else. Just that it didn't happen, but the US was so hard up to beat the Russians at something that they staged it.
It's ridiculous. But the world we live in is also ridiculous, and the internet has enabled idiots to meet in numbers that have never been possible before.
To cover up that the moon doesn't exist, of course.
I'm sure we can come up with a ridiculous conspiracy hypothesis around what we're actually seeing when we think we're seeing the moon. Might need to involve time travel to explain historical records.
The neo crusader kingdom?
There is no similarity at all between Israel and the crusader kingdoms: different historical circumstances, different aims.
Some guys àrrived in the middle of that land and beat the hell of others and built a kingdom. Sort of the same.
That is a mischaracterise of the crusades, at least with regard to the crusaders.
The crusades were a reaction to the Arab and Turkish Empires, which by then (between them) invaded at some point (and mostly conquered) Spain, France, southern Italy, most of the Mediterranean, North Africa, Italy, Anatolia, and the Levant, and more.
I had not noticed the Palestinians aggressive expansionist empire.
If I had a nickel for every time that happened in Israel...
Yeah that's the story of the West
What's so special? A good chunk of the US population believes the Israelis were literally chosen by God over 2000 years ago to occupy that piece of land, and they're obligated to do whatever they can to help them.
> A good chunk of the US population believes the Israelis were literally chosen by God
There is more to it, not only that but they believe that the Jewish state of Israel is needed for Jesus to return to earth.
This belief comes from Thessalonians 2:1-4
"1 Now concerning the coming of our Lord Jesus Christ and our being gathered together to Him, we ask you, brothers, 2 not to be easily disconcerted or alarmed by any spirit or message or letter seeming to be from us, alleging that the Day of the Lord has already come. 3 Let no one deceive you in any way, for it will not come until the rebellion occurs and the man of lawlessness—the son of destruction—is revealed. 4 He will oppose and exalt himself above every so-called god or object of worship. So he will seat himself in the temple of God, proclaiming himself to be God."
So the "temple" is required for the anti-Christ to arise, and for Jesus to return.
Now as to if that actually means the physical Third Temple of Solomon... this is up for theological debate. Some Church Fathers held that the anti-Christ would indeed arise from a physical Third Temple. While other Church Fathers held that the 3rd Temple in Christianity was technically the Church, and so the anti-Christ would arise from her.
Either way, if you side with the first view there is no qualification for a state to be present in order to rebuild the physical Third Temple.
Protestant Evangelicals in America by and large take the first stance I mentioned, and are pretty stalwart in their belief the State of Israel is the vehicle through which this will be achieved.
references to a Temple involve a holy Temple that is not possible on this Earth, also coinciding with physical structures that make it possible to emerge?
Evangelical beliefs and others start to be more of a political topic, subject to survey? A basis of the practice is that it is done in the open and lawfully, so Church leaders might be fairly plain about what they actually believe, when asked?
They invented this view in the 1800s. Christians prior to this universally considered it a heresy.
For those who want additional information, it is called dispensationalism.
The same chunk of population "should" (??) think that the Israeli ancestors killed Jesus, and that the Jews will go to hell if they don't accept Jesus as their savior - so - people are weird.
They do; they have other theological reasons for supporting the State of Israel, despite often not being very well inclined toward the Jewish people or Judaism as a religion.
Surprisingly, it's internally consistent. Evangelical Christians don't support Israel because they like the people who live there. Instead, they support Israel because, based on their interpretation of Revelation 20, they believe that Israel must be rebuilt or restored as part of God's plan for the end times.
This story does not end well for Israel or the people who live there.
I am not no expert on the American evangelical version of Christianity so happy to hear better explanations, but not all evangelicals believe the same things so I do not think there is a reason to say they "should" believe those things. The argument that God's covenant with the Jews is still in effect implies the opposite, if anything.
It looks to me that it is correlated with whatever this survey defines as "traditionalist": https://www.pewresearch.org/religion/2005/04/15/american-eva...
Traditionalist applies across denominations with different traditions and theology so no idea whether it has a consistent meaning.
Well in that case they "should" also believe that Jesus was Jewish just like the Israelis of today, no? If Israelis are blamed for killing him they should also be praised for creating him.
[flagged]
I also wonder about this, my personal conclusion is israelis work very hard to create a dirt on politicians over the years, and politicians just afraid of losing everything in one day vs joining the club of other blackmailed, powerful politicians. cases: Epstein, Monica Lewinsky, AIPAC, and probably many more
[flagged]
> Do you also blame me for creating dirt?
1. I am not blaming you specifically, also I didn't mention race (Jews/Jewish), don't add the race card here please, I am saying Israelis because I don't have or know names of people who do it. Should I say Israeli Mossad? What if it wasn't Mossad, would you tell me that I am lying? If I say government, maybe it's not government, for example settlers, they are not affiliated with government, but government supports them.
2. As far as I remember Israeli government blamed Palestinians for electing Hamas and now carrying out mass extinction there, keep in mind Gaza was not a democracy.
In contrast, as a democracy in the middle east, don't you own what your elected officials carry out? If answer is no, then why they're blaming Palestinians for everything?
So you don't know who does it, which I assumes means you don't know of any evidence, or even if it's done. But you concluded this because...
You can definitely know that something is done without knowing who, exactly, did it. “A person formally or informally affiliated or aligned with the Israeli state”, if we have to use the State Dept lingo for terrorists.
I have a right to make personal conclusions based on things I see, read, learn and hear, what's your point?
Whether its biased, wrong, correct - my personal opinion and conclusions are still mine, hence I prefixed it with "my personal conclusion"
Thanks for pushing back <3 It must be difficult to do that there.
Many people don't deplore your government, they deplore the whole concept of political zionism as it is practiced - violent creation of Jewish state on the land inhabited by a lot of other people, driving many of them out, and avoiding solving resulting political issues repeatedly through the use of overwhelming force, insane militarization of society, long term occupations, blockades, assassinations, political imprisonment of opponents, and international political maneuvering and propaganda, for decade after decade after decade, in order to preserve Jewish majority rule over the territory.
More honest Israelis, like Meir Kahane, at least acknowledged that Jewish majority state is not compatible with democracy, when "greater Israel" is mostly occupied by non-Jews.
It doesn't matter whether you or other Israelis deplore your "current government". They can deplore it for all kinds of reasons, and replacement they'd prefer may not be much better wrt the issue above.
> I deplore my current government, and believe NSO are evil. There are plenty of Israelis that agree with me and protest weekly.
There were many like that in Nazi Germany but unfortunately they were a small minority that mostly needed to run away. That might be your predicament too so the people that want a peaceful resolution to the Gaza situation can't put their hopes on the likes of you, unfortunately. As a long time traveler, I met several great israeli people, but I also saw first-hand many of them that don't give a flying F to nobody, not only muslims but working locals and even other tourists.
How many are currently protesting the genocide? Because it seems like it's barely in the hundreds
You'd be surprised. But you already have a strong uninformed opinion.
Yes, we would really be surprised, because it seems like tens of people protesting against, hundreds of thousands supporting.
Inform me
Don't think it's other people's responsibility to spend their precious free time informing you of stuff you can freely look up online yourself.
If you're going to contradict someone making a claim ("Because it seems like it's barely in the hundreds"), then it is their responsibility to back it up.
I work on this area and spend a reasonable amount of time staying up to date. I made my claim - I have seen extremely limited news reports about Israeli protests that center the genocide. Indeed, these reports are extremely new and feature silent protests with several hundred protestors holding up pictures of Israeli kids. Now I could have led with that, but it's not my responsibility to spend my precious time informing people about stuff they could look up themselves online.
[dead]
US's legitimization of it's leading role in the world is based on the story how they saved the world from the nazis. This story escalated ideologically, so now any critique of Israel is indirectly questioning USA as the world leader.
I do not think so. Not outside the US anyway.
The legitimisation lies in the alternatives having been (historically) the Soviet Union, and (now) China.
In any practical sense the Soviet Union did in fact do the lion's share of beating the Nazis. They opened an extra front and sent in a staggering amount of troops. I don't see why it is still so demonized, except when you view it directly through the lens of US propaganda.
Their death toll, such as it is, is not even a tenth of the incredible casualty rate of the British. It does not need to be said that they're nowhere near as demonised, except in India. The scope and depth of a civilisation's deaths is not actually all that relevant to how much people hate it.
Molotov-Ribbentrop is not US propaganda.
Shouldn't we be seeing criminal sanctions? If I sold app exploits I would be in jail
Selling exploits is generally legal. What law would be used to put you in jail? Using exploits can fall under the Computer Fraud and Abuse Act's criminally prohibited conduct but afaik there is no similar law that covers distributing/selling exploits. In fact selling exploits to companies via their bug bounty programs is quite common.
All that said NSO didn't just distribute/sell the exploits (that would be giving away their secret sauce). Instead they offered what was essentially a managed service for executing the exploits against user selected targets.
Wouldn't hosting a service to facilitate others' use of the exploits fall under CFAA? Since there have been numerous arrests for those hosting Ransomware-as-a-service, DDOS-as-a-service, etc. Just curious whether there is a legal nuance that prevents them from being criminally charged instead of just politics/diplomacy.
The Computer Fraud and Abuse Act has a conspiracy provision. If NSO sells an exploit to someone, they can be charged for any downstream hacking that happens.
Depends on who you sell them to
You're not a three-letter agency, though.
NSO is not a three-letter agency, it is a private company
NSO is very cozy with Israel intelligence. It being private gives it the legal ability to do things that a government agency could not.
One of the founders is ex-Mossad.
Which is obviously 6 letters
Not sure how I feel about this - on one hand the NSO Group happily sold this exploit to absolutely horrible clients[0], but on the other, app security shouldn't depend on legal enforcement.
[0] https://www.theguardian.com/news/2021/jul/18/revealed-murder...
> app security shouldn't depend on legal enforcement
Why not? There are significant negative externalities to not enforcing cybercrime laws.
I think they meant solely depend on legal enforcement.
For the same reason banks should have a decent vault for cash they aren’t using at this exact moment, since they shouldn’t just depend solely on any robbers getting caught.
It's not like hacking WhatsApp was that easy. If it were, NSO wouldn't be able to sell it's exploits for so much
> app security shouldn't depend on legal enforcement
EU Cyber Resilience Act (CRA) will soon impose legal security requirements on a wide class of software binaries sold in the EU.
Just because locks can be defeated by five seconds and a lockpick gun doesn't mean that the housebreaker, his fence, or his getaway driver is absolved of their responsibility.
Of course law plays a huge part in computer security.
As is constantly being made abundantly clear from blockchain stuff, code cannot make legal systems obsolete.
No crime in the world can be made physically impossible. Why would hacking be any different?
Meta published deposition transcripts, http://nitter.poast.org/jsrailton/status/1919880291667292460
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
Below are the Internet Archive copies, since Facebook doesn't have the greatest track record on stable URLs.
(I reregistered recently and was banned for being "inauthentic" -- the URL they linked to which was supposed to detail what part of the policy I broke was broken.)
https://web.archive.org/web/20250506235016/https://about.fb....
https://web.archive.org/web/20250506235104/https://about.fb....
https://web.archive.org/web/20250506235302/https://about.fb....
https://web.archive.org/web/20250506235441/https://about.fb....
This is a great day for people who can make more than $167M by hacking whatsapp users! On the off chance that they happen to be caught in the first place they now know what their profit margins will look like after Facebook goes to court to take their cut.
I wonder about the other end of liability - if the app was so broken that merely calling a phone with it could lead to a back, it seems like users might reasonably also blame its authors.
I've been thinking about requiring iMessage and other codebases in memory unsafe languages to be built by WASM compiler with the objective of being memory safe and minimal performance loss.
Unfortunately, the smartest programmers in the world (people like Linus Torvalds) sometimes screw up and create security issues. If Linus can't get it 100% right, what hope is there for the rest of us?
Israel defense green lights the sale and use of Pegasus software. https://www.nytimes.com/2022/01/28/magazine/nso-group-israel...
This feels like one of the rare moments where there's actual financial accountability for spyware abuse — but is $167M even close to meaningful for a company like NSO, backed by deep-pocketed clients?
Ok ....where is the form so as an ex-whatsapp user, I can get a piece of that 167M pie? Oh... there isnt one... :)
They're based in Israel, so it's unlikely they'll pay. It's interesting that Zerodium has slowly stopped their gears (at least publicly) even though the USG was buying their exploits to target HVTs. It's like when the DOJ posts an arrest warrant for a Russian or a Chinese military official, it's mainly for show.
It’s amazing how much justice you can get when you are a billion dollar company
> The jury also awarded WhatsApp $444 million in compensatory damages.
spying software should be illegal to sell under any circumstance the people who need these programs should be writing them themselves not buying them off the shelf
The same argument could be made about conventional arms.
Unfortunately, 99% of nations prioritize having quick & easy access to weapons.
And for many nations, selling weapons is also a lucrative way to exert influence.
> Unfortunately, 99% of nations prioritize having quick & easy access to weapons.
What?
Re-read user jeisc's comment.
There are 200 or so nations on our planet.
How many of those nations have governments which believe that their own army, air force, & navy should be unable to buy (say) guns, bombs, and torpedoes? Vs. having to hire engineers to design them, then build weapon factories, then build all of their own weapons.
My assertion is that zero-ish of those governments want such legal restrictions.
(And obviously, actual legal restrictions on the sale of spyware might be similarly unpopular, with the people who actually write the our world's laws.)
Oh right, I see what you mean.
Still, I believe there is a difference. First, it feels like anyone willing to pay enough will convince NSO to "help" them. It's not the same with firearms (in 99% countries in the world): you can't just pay a private company to go rob a bank with firearms.
Then for the police and the military, it's usually restricted to professionals. In my country, if a police officer gets their gun out (I'm not talking about firing), an investigation follows. If they fire their gun, a bigger investigation follows, they make the news, and the officer may lose their job (or be affected to a desk job for the rest of their career).
It seems a lot easier to get access to NSO than to actually fire a gun, and to me that's a good thing. I don't want a police like in the US. To the point where I do believe that it should be as hard to access NSO as it is to use firearms.
Your police and military where you live doesn't have easy access to weapons?
I wouldn't call it easy, no.
How would you call it?
I wonder what percentage of that $167M will go to the ~1400 victims of this hack (that we know about)
None. WhatsApp has stated it will give to a privacy advocacy organization
Whose urgent warnings on privacy concerns will be ignored by everyone, as usual.
0? I understood that the plaintiff is what'sapp. Not sure if it's for damages or punitive.
The victims are probably not citizens of the US so they would be outside of this jurisdiction. That's between those two countries. The reason it's going to the US court is because it occured in US cyberturf (Meta's servers)
This looks like a pretty spicy political bomb. I wonder if the group will pay, I'm assuming they won't, if they do it's because the Israeli government intervened and bailed them out. They are fighting a war after all.
Who gets the damages here, Meta or the hacking victims?
Meta who says they will donate it to digital rights organizations.
[flagged]
It is worse than that. Mobile, and iOS in particular, is a second class operating system platform. Your device and data can be taken over by a text message that someone sends you, and you don't even need to open it. That's bad. Look at some of the Black Hat presentations about the number of zero day vulns for imessage in the previous two years.
You Shall Not PASS - Analysing a NSO iOS Spyware Sample https://www.youtube.com/watch?v=wAmGU2YUa9Y
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...
https://www.darkreading.com/vulnerabilities-threats/apple-ze...
https://www.infosecurity-magazine.com/news/apple-update-extr...
I don't see how this is meaningfully different than a desktop operating system.
No amount of sysadminning was going to save you from state-sponsored zero-day attacks.
Competent people regularly discover state-sponsored zero-day attacks. Maybe it's a higher level than 'sysadmining', but I suspect there are people who are called sysadmins who do discover these kinds of things.
"State-sponsored" covers a broad range from sending phishing links to zero-click exploit chains. It takes specialized talent to find the latter. Most of those people would not call themselves sysadmins.
Isn't it the sysadmin's job to set up honeypots etc., with the intent of actually getting the zero-day exploit chains?
So they do need that competence if they are to be sysadmins.
Honeypots to catch this kind of thing are very hard to set up. People throwing exploits are generally really careful about targeting.
Yes, of course, but it is possible.
For a phone though, there is an external homogeneity that could make setting it up as a honeypot easier. I'm not incredibly familiar with phone OSs, but I see it as an interesting opportunity.
I have worked on this professionally; it's quite hard. Even getting exploits off of non-honeypot devices is hard. Setting up a honeypot adds even more complexity, especially because of how much fingerprinting attackers do. Before sending the initial payload it's likely that your phone OS, hardware model is already known–they're critical to deploying the exploit. Rough geographical location, who you've been around, which one of your devices is being targeted–all of these are not that hard to get. Once you're on the device and have elevated privileges you can run even more checks!
Yes, but surely getting exploits off non-honeypot devices shouldn't possible in general?
Surely it should only be generally possible if you have special monitoring.
Exploit authors are not perfect and sometimes they leave traces behind in accessible places that can be found if you know where to look.
I know we'll all get infected, but at least we could try to detect it afterwards is my point
Did Citizen Lab's sysadminning contribute to the outcome of this legal case to impose financial penalty on a vendor of state-purchased spyware? Or is the penalty considered insignificant to future deterrence?
That's not what Citizen Lab did.
Didn't Citizen Lab perform forensic analysis of victim devices?
Geez, you're really tilting at windmills here. What makes you think if you had your choice of 100 different security products (as is the ecosystem on Windows and Mac) that you'd be any more secure than "just" relying on Apple's security team (which is surely world-class)? Remember that Windows exploits abound, despite the antiviral/antirootkit ecosystem that grew up around it. If you want to "check your filesystem", I have an OS for you: Linux, BSD, maybe Solaris or something exotic. But I think you'll find that Torvalds gives less than two shits about Linux desktop/mobile security, so the first time you install a Pip or NPM package you risk getting rooted, and there are no serious (desktop or mobile) antivirus products for Linux.
> Geez, you're really tilting at windmills here. What makes you think if you had your choice of 100 different security products (as is the ecosystem on Windows and Mac) that you'd be any more secure than "just" relying on Apple's security team (which is surely world-class)?
Why shouldn't I have a choice? I could then depend on more than just Apple's security team.
> Remember that Windows exploits abound, despite the antiviral/antirootkit ecosystem that grew up around it.
Many exploits for iOS and Android, too. Seems that locking down the phone doesnt't help with that... (different security model for apps/userland does, but that's unrelated to my point)
> I have an OS for you: Linux, BSD, maybe Solaris or something exotic.
No, I want what works on phones now, with more user control.
> Apple's security team (which is surely world-class)
Hahaha, do you read HN much? There are stories on here all the time of security holes in Apples products which they refuse to fix.
Heres a recent example of their M series CPUs having similar exploits in them to SPECTRE and MELTDOWN in Intel CPUs. The difference is Intel fixed it and took the 20% performance hit. Apple refuses to fix it because it would make their processors slower.
https://arstechnica.com/security/2024/03/hackers-can-extract...
What about deciding not to "fix" an issue that is extremely hard to exploit in practice (especially on consumer-grade machines) negates my assertion that their engineers are "world-class"?
There is only two mobile OSes and it wasn't the market that decided that state of affairs.
Markets tend toward monopolies, with a stop at duopolies along the way.
I do agree that Apple and Google both played the game with moves below the table, but that’s what “the market” gets you (amoral profit seeking that has no qualms with cheating and taking measures to ensure that one isn’t somehow suddenly operating under a political regime that cares about the morality of its market participants).
My brother this has nothing to do with you and ads spying on you or whatever. This is about a war occuring in Israel.
Also in this case "daddy's regular updates" are indeed protecting millions of non technical users that can't "take charge" of their own security, because they are not programmers.
[flagged]
[flagged]
I'm on NSO's side here. It's quite hypocritical of everyone involved to be against NSO but not gun makers. I don't even want to touch civilians abuse of guns, just governments buying guns from weapons manufacturers and using them in properly sanctioned wars. People are acting like exploits are more dangerous than bullets or restricted like nuclear, biological and chemical weapons, they are not!
The demand is there and the suppliers exist. without companies like NSO, the price of exploits goes up and it becomes more lucrative for malicious actors to sell them to even more nefarious actors. The exploit brokers become more anonymous. And when they sell to the really bad actors, it will require deanonymizing market places on Tor instead of having law suits like this.
It is much better for everyone involved to tolerate companies like NSO and regulate them.
> It is much better for everyone involved to tolerate companies like NSO and regulate them.
That's what this is. That's what a lawsuit is. This is them being regulated. They aren't being ordered to shut down, they're being ordered to pay damages.
no, there is no regulation or law for what they do. This is a civil suit between two companies, it is not a regulation. had they actually violated the law, it would have been a criminal prosecution. civil damages are not government regulation. if you can simply be anonymous, you won't even break the law as you sell to any party.
> no, there is no regulation or law for what they do
Yes, there is: the CFAA. Corporations and the government have even weaponized criminal complaints against individuals under the law.
> This is a civil suit between two companies, it is not a regulation
The venue in which regulation is enforced does not change its status as a regulation. The distinction between criminal and civil is irrelevant here. (Notwithstanding the possibility of a corrupt judge) Meta would not have been able to continue their suit had there not been a regulation.
> had they actually violated the law, it would have been a criminal prosecution
No, had a prosecutor wanted to pursue an indictment, it would have been a criminal prosecution. A prosecutor's willingness to enforce a law and bring trial is at their discretion. In the same way that charges don't necessarily indicate criminality, a lack thereof doesn't necessarily indicate the absence of wrongdoing.
> civil damages are not government regulation.
Civil laws are regulation. The judge is the regulating authority who enforces the penalty for being out of compliance with those laws, which comes in the form of ordering money damages in this situation.
> if you can simply be anonymous, you won't even break the law as you sell to any party
Yes and maybe the fact that they're anonymous brings it it to the level of criminality in a prosecutor's eyes. That desire to conceal their identity could the turn preponderance of the evidence (civil) into beyond a reasonable doubt (criminal).
Or it could always stay in the civil system. The criminal system is political just like anything else. See above.
I think your last sentence is key. The NSO as far as I'm aware to targets people on an individual level.
It's not hard to phish and hack a single individual as a large organization. It's just a matter of resources and slipping up eventually. With that being said, the exploits they find are interesting and I wish they would publish them in a white hat manner instead.
It isn't an either or scenario, NSO can be in the wrong and rightfully fined and weapons can also be sold by governments to the wrong parties. The latter should be regulated as well, not the former being let off as well. Demand shouldn't always equal supply.