A London High Court has ordered more than £3 million in damages to Saudi satirist and human rights activist Ghanem Al-Masarir after finding compelling evidence that his iPhones were hacked with Pegasus, the government-grade spyware made by NSO Group. The ruling ties the intrusion to the Saudi state and also links a physical assault on Al-Masarir in London to the same actors, marking one of the clearest judicial repudiations yet of transnational repression carried out through commercial spyware.
High Court Confirms Pegasus Intrusion on Phones
Justice Pushpinder Saini concluded that Al-Masarir’s devices were compromised and that exfiltrated data likely flowed to Saudi operatives. The court found the hack “directed or authorised” by the Saudi government or its agents, and determined the Kingdom was also probably responsible for a street assault against the comedian, who built a large YouTube following by lampooning the Saudi leadership.
The damages reflect psychiatric injury, loss of earnings after his online show collapsed under pressure, and the personal toll of persistent surveillance. Saudi authorities had maintained that state immunity shielded them from suit, but the court rejected that position and proceeded without the Kingdom’s participation, as previously noted by Reuters.
Sovereign Immunity Arguments Weaken in UK Courts
The judgment adds to a growing body of case law narrowing the space for foreign governments and their suppliers to evade accountability. UK courts have increasingly recognized exceptions in cases of personal injury and harm occurring on British soil. The outcome echoes a broader trend: in the United States, NSO Group failed to secure sovereign immunity, and the Supreme Court let stand lower-court rulings allowing WhatsApp’s lawsuit to proceed.
For dissidents and journalists living in exile, the decision suggests that civil courts can scrutinize the marriage of physical intimidation and covert digital intrusion, even when the defendants are powerful states. It also signals potential exposure for intermediaries—contractors, procurement fronts, or vendors—who facilitate cross-border spyware operations.
What Pegasus Can Do and Why It Matters Today
Pegasus is prized by clients because it can compromise phones via “zero-click” exploits, requiring no user interaction. Security researchers at Citizen Lab and Amnesty International’s Security Lab have repeatedly documented infections that grant near-total device access: messages, photos, microphones, cameras, and location data. Apple has patched high-profile zero-click flaws such as FORCEDENTRY, but the offensive market continuously seeks new vulnerabilities.
The Pegasus Project, a media collaboration supported by Amnesty Tech, examined a leaked dataset of tens of thousands of phone numbers selected by clients for potential targeting, identifying more than 180 journalists among them. Forensic investigations have confirmed widespread abuse, from the targeting of pro-democracy figures in Bahrain and the UAE to the compromise of dozens of reporters at El Faro in El Salvador. NSO says it sells only to vetted government agencies for legitimate crime and counterterrorism operations and revokes access when misuse is found, assertions human rights groups dispute.
Regulatory Pressure and Market Backlash Mount
Governments and platforms have tightened the screws on the commercial spyware ecosystem. The US Commerce Department placed NSO Group on the Entity List, and a White House policy now restricts federal use of tools tied to human rights abuses. In Europe, lawmakers convened the PEGA committee to probe abuses and urged stronger oversight and a moratorium unless stringent safeguards are met. Technology companies, including Apple and WhatsApp, have sued or notified victims, and have rolled out security features such as Lockdown Mode aimed at high-risk users.
Despite those steps, demand persists. Private vendors pitch turnkey surveillance to states that lack in-house capabilities, driving a market where sophisticated exploits can command seven-figure prices. Without consistent export controls and verifiable client audits, watchdogs warn, abuses will recur as new vendors emerge.
Enforcement Questions and What Comes Next
Whether Al-Masarir ultimately collects the award remains uncertain. Enforcing judgments against a foreign state can be complex, with protections for diplomatic and sovereign assets limiting what can be seized. Commercial assets may face different treatment, but collection often hinges on protracted legal maneuvers across jurisdictions.
Even so, the ruling lands as a warning. It draws a bright line between legitimate law enforcement surveillance and the targeting of critics abroad, and it invites similar claims from others who can show forensic evidence and jurisdictional hooks. For exiled activists, the case underscores a practical takeaway: combine robust device security—regular updates, Lockdown Mode, and security training—with documentation and rapid reporting to credible labs if compromise is suspected.
A Landmark for Digital Rights and Accountability
Al-Masarir’s victory is more than a personal vindication. It is a milestone that links the dots between spyware vendors, state customers, and real-world harm, and it places courts at the center of a fast-evolving accountability framework. As export regulators, tech firms, and civil society converge on the issue, this judgment adds judicial muscle to a policy debate that has, until now, often lagged the technology it seeks to contain.
