Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments happening worldwide in cybersecurity, privacy, digital surveillance, and technology policy.
At 1,800 words, this briefing is about an 8-minute read.
At a glance.
- US court orders NSO Group to stop targeting WhatsApp.
- Parents’ rights group files complaint against Google.
US court targets NSO Group.
The news.
Over the weekend, United States (US) District Court Judge Phyllis Hamilton released a twenty-five-page ruling imposing a permanent injunction on spyware developer, the NSO Group. With this injunction, Judge Hamilton has permanently halted any further attempts by the company to break into WhatsApp.
Alongside issuing this injunction, Judge Hamilton reduced the punitive damages awarded to WhatsApp by a jury from $167.3 million to $4 million. In making this reduction, Judge Hamilton cited precedent governing the ratio of damages that can be awarded.
In Judge Hamilton’s ruling, she wrote:
“Plaintiffs appear to have made [end-to-end] encryption, and the privacy and security that it entails, a significant part of its pitch to users, making it reasonable to conclude that users would be dissuaded from using WhatsApp if its encryption were ineffective.”
Will Cathcart, the head of WhatsApp, released a statement regarding the injunction. Cathcart stated:
“Today’s ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again. We applaud this decision that comes after six years of litigation to hold NSO accountable.”
The NSO Group stated that this injunction “would put the NSO Group’s enterprise at risk” and potentially put the company out of business.
Notably, this injunction does not apply to NSO Group customers.
The knowledge.
This injunction is connected to a previous court ruling from May 2025. In this previous ruling, a federal jury ruled against the NSO Group, awarding WhatsApp nearly $168 million in punitive damages alongside nearly $450,000 in compensatory damages. These damages were awarded after Judge Hamilton had ruled in favor of WhatsApp in December 2024 in a civil case. Alongside ruling in WhatsApp’s favor, Judge Hamilton also found fault with the NSO Group after the company failed to produce evidence in response to court orders.
At the time, the court ruling was seen as one of the largest rulings against a spyware maker, if not the largest. Natalia Krapiva, the senior tech-legal counsel at the Access Now digital rights group, commented on the development, stating:
“This is a historic judgment and a first major court victory against NSO Group in the world, finding them liable for compromising the digital security infrastructure that millions of people rely on.”
Outside of this case and its subsequent developments, the NSO Group has long been considered one of the world’s most prolific spyware developers. Over the past several years, the company’s flagship spyware, Pegasus, has been used to target journalists, government officials, and dissidents globally. Most notably, in 2021, Pegasus was found in thirty-seven smartphones belonging to business executives, human rights activists, and journalists. Reportedly, these thirty-seven phones appeared on a list of over 50,000 numbers from countries known to deploy spyware and to have been previous clients of the NSO Group. Other members of the list included at least 65 business executives, 85 human rights activists, 189 journalists, and over 600 politicians and government officials, including several heads of state and prime ministers.
While the NSO Group pushed back on these allegations, the company was embroiled in controversy. A few years later, in 2023, the former Biden administration signed an executive order banning the US government’s use of commercial spyware, emphasizing that it posed a risk to both human rights and national security.
The impact.
Spyware, like many other forms of malware, has become an increasingly sophisticated tool employed by nation-states and threat actors alike. This injunction and the associated damages reflect a growing movement to curb spyware within the US. While other nations and threat actors will continue using the sophisticated technology, the ruling could represent a notable turning point, bringing greater oversight and accountability to how spyware is deployed.
Businesses and people alike should take time to understand what spyware is and how it is often deployed by groups. By understanding the technology, people can take proactive steps to mitigate their exposure and better protect themselves.
Google is challenged by parents’ rights coalition.
The news.
On Monday, the Digital Childhood Institute filed a complaint with the Federal Trade Commission (FTC). In their complaint, the advocacy group claimed that Google’s business practices violate US privacy laws and constitute unfair and deceptive practices. More specifically, the group laid out five core claims:
- Google “knowingly” markets adult-themed or age-restricted apps as safe for children.
- Google facilitates “exploitative” contracts between children and app developers in its Play Store.
- Google has “widespread” violations of the Children’s Online Privacy Protection Act (COPPA).
- Google bills for in-app purchases made by children with parental consent.
- Google has decoupled parental control of child accounts after the age of 13.
In their letter, the group wrote that “Google uses no human moderation in its initial ratings of apps, relying instead on an automated survey by the International Age Rating Coalition (IARC) that takes only minutes to complete.”
The knowledge.
This complaint nearly mirrors a similar complaint the group filed against Apple in September 2025. In that complaint, the advocacy group alleged that Apple’s app rating process is both inadequate and deceptive. Additionally, the complaint alleged that Apple:
- Utilized deceptive vetting and safety claims regarding its Apple Store and parental controls.
- Enabled exploitative contracts with minors.
- Violated both COPPA and the 2014 FTC consent decree.
These two complaints are representative of the growing movement to increase oversight and accountability for social media and technology companies. Out of all the various measures proposed so far, the Kids Online Safety Act (KOSA) has gained the most traction. If passed, KOSA would implement the following for online platforms:
- Creating a “duty of care” provision that would require companies to take reasonable steps to prevent harm.
- Providing minors with options to protect their information, disable product features, and opt out of personalized algorithmic recommendations.
- Limiting communication features for minors and features designed to extend the use of the platform.
- Having minor accounts automatically set to the safest settings possible.
- Empowering the FTC to oversee what content is “harmful” to minors.
However, despite the bill’s sweeping measures, many have expressed concerns about its constitutionality and potential for misuse. The Electronic Frontier Foundation (EFF) wrote about the powers the bill grants the FTC. Specifically, the EFF noted how the bill’s “duty of care” provision is so vague that regulators could broadly interpret its meaning, opening the door for potential abuse. NetChoice echoed these concerns, also noting that the bill was likely unconstitutional given that it would conflict with the First Amendment “by chilling and overly burdening free speech.”
The impact.
The push to better manage minors’ online presence has only continued to gain momentum in recent years. While the federal government has not been able to pass a comprehensive bill, such as KOSA, this momentum will likely only continue to grow given the bipartisan support.
For now, parents should understand that these efforts are important, as they will change both their rights and their children’s rights when engaging with online platforms. Additionally, online platforms should monitor these laws and proposals to understand what measures are being considered and how they could potentially impact business requirements.
Highlighting key conversations.
In this week’s Caveat Podcast, our team held its monthly Policy Deep Dive conversation. During this conversation, our team focused on North Korean hacking. Throughout the show, we look at how Pyongyang has developed into one of the most sophisticated nation-state threat actors and how it has continued to evolve its tactics.
Like what you read, and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
Chinese users file antitrust complaint against Apple.
What: A group of Chinese users has filed a complaint with China’s market regulator against Apple.
Why: On Monday, fifty-five Chinese iPhone and iPad users filed a complaint against Apple, alleging that the company has abused its market dominance. In their complaint, the users allege that Apple has restricted app distribution and payments while charging high commission fees.
More specifically, the complaints state that Apple has maintained a monopoly over application distribution in China through its iOS system while using different payment methods in other markets after being pressured by European and American regulators.
Meta adding AI chatbot safety features.
What: Meta announces new safety features for teens for its AI chatbots.
Why: Last Friday, Meta announced it would be rolling out new parental controls for its AI chatbots. These controls will allow parents to remove a teen’s access to one-on-one chats with AI models and will also inform parents about the topics teens discuss with the AI bot.
With this announcement, Adam Mosseri, Meta’s chief AI officer, wrote:
“We recognize parents already have a lot on their plates when it comes to navigating the internet safely with their teens, and we’re committed to providing them with helpful tools and resources that make things simpler for them.”
These new features are set to launch in early 2026.
Singapore passes new content restriction law.
What: Singapore created a new commission aimed at improving online safety.
Why: Last week, Singapore created a new online safety commission, which will be empowered to block harmful content on social media platforms. This new law emerged after researchers from the Infocomm Media Development Authority found that a majority of user complaints about harmful content were left unaddressed.
With this new law, Josephine Teo, Minister for Digital Development and Information, stated:
“More often than not, platforms fail to take action to remove genuinely harmful content reported to them by victims.”
China’s spy agency accuses the NSA of attacks on the timekeeping service.
What: China accuses NSA of years-long attack.
Why: On Tuesday, China’s Ministry of State Security (MSS) accused the National Security Agency (NSA) of conducting a years-long attack on the nation’s timekeeping infrastructure. Additionally, China’s Ministry alleged that the NSA gained initial access in 2023 by using stolen credentials. According to the MSS, China “obtained irrefutable evidence” of the NSA’s attack and accused the nation of using over forty tools to conduct its “high-intensity cyberattack against multiple internal National Time Service Center network systems.”
The NSA responded to these allegations, stating that the “NSA does not confirm nor deny allegations in the media regarding its operations.”
