Express Aiming and Personal Jurisdiction Limits for Foreign Technology Defendants: NSO Group v. Khashoggi

Introduction

In Hanan Elatr Khashoggi v. NSO Group Technologies Limited (Fourth Circuit, May 21, 2025), the Court of Appeals addressed a novel jurisdictional challenge involving a foreign technology company (NSO Group) that licenses an advanced spyware tool (Pegasus) used by third-party sovereign actors to conduct electronic surveillance. The plaintiff, Hanan Khashoggi, wife of slain journalist Jamal Khashoggi, brought claims under the Computer Fraud and Abuse Act, the Virginia Computer Crimes Act, and various Virginia common-law torts, alleging that her cell phones were infected and monitored. NSO moved to dismiss for lack of personal jurisdiction in Virginia and for lack of subject-matter jurisdiction under the Foreign Sovereign Immunities Act. The district court granted dismissal for lack of personal jurisdiction; on appeal, the Fourth Circuit affirmed.

Summary of the Judgment

The Fourth Circuit held that the district court properly dismissed for lack of specific personal jurisdiction. Although Virginia’s long-arm statute reaches the full scope of federal due process, the Fourteenth Amendment requires minimum contacts: the defendant must have “purposefully availed” itself of the forum by expressly aiming tortious conduct at it. NSO Group, an Israeli company with no offices or employees in Virginia, had never itself targeted the Commonwealth. The alleged surveillance was directed and executed by Saudi and Emirati agents who licensed Pegasus but the spyware’s mere presence on devices when the plaintiff was later in Virginia was insufficient to show NSO “expressly aimed” its conduct at the forum. The Fourth Circuit therefore affirmed dismissal, declining to reach the separate Foreign Sovereign Immunities Act argument.

Analysis

1. Precedents Cited

• International Shoe Co. v. Washington, 326 U.S. 310 (1945): Established the “minimum contacts” due-process standard for personal jurisdiction.
• Calder v. Jones, 465 U.S. 783 (1984): Held that out-of-state libelous conduct “expressly aimed” at California supported jurisdiction based on the “effects test.”
• Daimler AG v. Bauman, 571 U.S. 117 (2014): Clarified the limits of general jurisdiction, requiring “continuous and systematic” contacts to render a foreign corporation “essentially at home.”
• ALS Scan v. Digital Service Consultants, 293 F.3d 707 (4th Cir. 2002): Applied a two-step test for internet-based contacts, emphasizing that passive publication of web content does not constitute “express aiming.”
• Hawkins v. i-TV Digitalis, 935 F.3d 211 (4th Cir. 2019): Reinforced that “effects” must connect the defendant’s own conduct to the forum, not merely the location of the harmed party.

2. Legal Reasoning

The Fourth Circuit’s specific jurisdiction analysis followed three prongs:

1. Purposeful Availment/Express Aiming: NSO had no offices, employees, direct sales or marketing in Virginia. Licensing Pegasus to foreign sovereigns did not itself constitute purposeful availment of Virginia’s market or legal protections. Unlike the WhatsApp litigation in California—where NSO allegedly reverse-engineered WhatsApp’s California servers and “expressly aimed” transmission of malware at them—here NSO never targeted or accessed any Virginia computer systems.
2. Arising‐Out‐Of Requirement: The plaintiff’s claims (illegal access, trespass to chattels, emotional distress) stemmed from third‐party installation and use of Pegasus by Saudi and Emirati actors. Those acts took place abroad (Dubai airport detention) or at unspecified times when the plaintiff visited Virginia. The mere fact that surreptitious data capture could have recurred while the plaintiff was physically present in Virginia did not connect NSO’s own conduct to the forum.
3. Fair Play & Substantial Justice: Exercising jurisdiction over a small foreign technology licensor with no Virginia ties would be unreasonable and offend traditional notions of jurisdictional fairness.

3. Impact

This decision clarifies that licensing advanced surveillance software to third parties—even when that software enables reports and data extraction worldwide—does not by itself subject a foreign provider to suit wherever a surveilled target happens to reside or travel. Future plaintiffs must allege either (a) the software vendor’s own directed acts in the forum (e.g., penetration of servers, targeted marketing, technical support provided from the forum), or (b) express communications or transactions with the forum state. The Fourth Circuit’s ruling thus preserves clear jurisdictional limits on cross-border tort claims against technology companies whose indirect client relationships and remote SaaS-style offerings alone will not suffice to establish “minimum contacts.”

Complex Concepts Simplified

• Specific vs. General Jurisdiction: General jurisdiction allows suit on any claim if the defendant is “at home” in the forum (e.g., state of incorporation). Specific jurisdiction permits suit on claims arising from the defendant’s forum‐related acts.
• Express Aiming (“Effects Test”): A court may assert jurisdiction when the defendant’s intentional out-of-state act was aimed at the forum and caused foreseeable harm there.
• Pegasus Spyware: A sophisticated malware tool licensed to governments and agencies for stealth intrusion, data exfiltration, and real-time monitoring of mobile devices.
• Foreign Sovereign Immunities Act (FSIA): A statute that generally bars U.S. courts from hearing claims against foreign states or their instrumentalities, subject to enumerated exceptions.

Conclusion

NSO Group v. Khashoggi reaffirms the necessity of a defendant’s own purposeful, forum-directed conduct to establish specific personal jurisdiction under the Due Process Clause. Indirect or passive effects in the forum—such as data harvested by third parties licensing foreign spyware—alone will not suffice. In doing so, the Fourth Circuit both safeguards sovereign and international comity concerns and delineates clear boundaries for transnational tort litigation against technology companies.