Express Aiming Requirement for Specific Personal Jurisdiction in Cross-Border Cyber Surveillance

Express Aiming Requirement for Specific Personal Jurisdiction in Cross-Border Cyber Surveillance

Introduction

This commentary analyzes the Fourth Circuit’s decision in Hanan Elatr Khashoggi v. NSO Group Technologies Ltd., 23-2234/23-2241 (4th Cir. May 21, 2025). Plaintiff Hanan Khashoggi, a refugee in Virginia and widow of journalist Jamal Khashoggi, alleged that NSO’s Pegasus spyware was used (at Saudi and UAE direction) to surveil her electronic devices in Virginia, culminating in her husband’s assassination. NSO moved to dismiss for lack of personal jurisdiction; the district court granted the motion and the Fourth Circuit affirmed. The key issues are (1) whether NSO purposefully availed itself of Virginia’s jurisdiction through its licensing of Pegasus, and (2) whether “express aiming” at the forum is required to satisfy due‐process minimum contacts.

Summary of the Judgment

The Fourth Circuit affirmed the district court’s dismissal for lack of specific personal jurisdiction. The court held:

  1. General jurisdiction over NSO in Virginia was absent because NSO’s contacts with the Commonwealth were neither “continuous and systematic” nor sufficient to render it “at home.”
  2. Specific jurisdiction also failed. Under the three-prong test (purposeful availment, causation, and reasonableness), NSO did not “expressly aim” its conduct at Virginia. Pegasus deployments were directed by Saudi and Emirati agents, not NSO itself, and the mere licensing of spyware was passive and insufficient to establish a substantial connection.
  3. The court declined to reach NSO’s Foreign Sovereign Immunities Act arguments, resolving the appeal solely on jurisdictional grounds.

Analysis

Precedents Cited

  • International Shoe Co. v. Washington, 326 U.S. 310 (1945): Introduced “minimum contacts” and “fair play and substantial justice.”
  • World-Wide Volkswagen Corp. v. Woodson, 444 U.S. 286 (1980): Recognized foreseeability of being haled into court as part of minimum‐contacts analysis.
  • Calder v. Jones, 465 U.S. 783 (1984): Developed the “effects test” and “express aiming” for out-of-state torts.
  • Daimler AG v. Bauman, 571 U.S. 117 (2014) and Goodyear Dunlop Tires Operations, S.A. v. Brown, 564 U.S. 915 (2011): Clarified limits on general jurisdiction.
  • UMG Recordings, Inc. v. Kurbanov, 963 F.3d 344 (4th Cir. 2020): Merged Virginia’s long-arm statute with due‐process analysis.
  • ALS Scan, Inc. v. Digital Service Consultants, Inc., 293 F.3d 707 (4th Cir. 2002): Held mere passive internet availability does not establish specific jurisdiction.
  • Carefirst of Md., Inc. v. Carefirst Pregnancy Centers, Inc., 334 F.3d 390 (4th Cir. 2003): Reaffirmed that the quality of contacts, not their number, governs jurisdiction.
  • Walden v. Fiore, 571 U.S. 277 (2014): Emphasized that contacts must be with the forum state itself, not just its residents.
  • Hawkins v. i-TV Digitalis Tavkozlesi zrt., 935 F.3d 211 (4th Cir. 2019): Limited the “effects test” to conduct expressly aimed at the forum.
  • WhatsApp Inc. v. NSO Group Techs. Ltd., 472 F. Supp. 3d 649 (N.D. Cal. 2020): Distinguished NSO’s express targeting of California servers from the passive licensing in this case.
  • Luis v. Zang, 833 F.3d 619 (6th Cir. 2016) and Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022): Held an unlawful interception occurs where the data is captured, but did not address personal jurisdiction.

Legal Reasoning

The Fourth Circuit applied the established three-prong test for specific jurisdiction under Rule 4(k)(1) and Virginia’s long-arm statute:

  1. Purposeful availment/express aiming: NSO’s licensing of spyware to foreign sovereigns was deemed passive. Unlike the targeted reverse engineering of WhatsApp’s California servers, NSO did not itself send code or target Virginia.
  2. Causation: Although Khashoggi alleged that her device was surveilled in Virginia, the court found the acts were directed and carried out by Saudi and Emirati agents, not NSO.
  3. Reasonableness: Exercising jurisdiction would violate “traditional notions of fair play and substantial justice” given NSO’s lack of direct forum contacts.

The court relied heavily on ALS Scan to underscore that “[t]he only direct contact” NSO had with Virginia was a general availability of its product, which cannot ground jurisdiction. The decision also reaffirmed that mere foreseeability of harm in the forum is insufficient unless the defendant “expressly aimed” its conduct there.

Impact

This decision sets a clear precedent for cross-border cyber-tort cases:

  • Foreign technology licensors will not be haled into U.S. courts absent direct, forum-targeted actions.
  • Courts will scrutinize whether the defendant itself sent or directed code into the forum, rather than relying on local acts of third-party clients or sovereigns.
  • The ruling narrows the reach of due-process-based personal jurisdiction in cyber-surveillance disputes, aligning with ALS Scan and Walden.
  • It encourages plaintiffs to gather specific evidence of express aiming—such as server logs or deployment instructions—before filing in a U.S. district court.

Complex Concepts Simplified

Personal Jurisdiction: A court’s power to decide a case involving a particular defendant.

General vs. Specific Jurisdiction: General jurisdiction arises from “continuous and systematic” contacts, allowing suit on any claim; specific jurisdiction requires that the claim “arise out of” the defendant’s forum-directed acts.

Purposeful Availment: When a defendant intentionally invokes the benefits of doing business in the forum.

Express Aiming (“Effects Test”): Out-of-state conduct must be targeted at the forum so that the defendant could reasonably anticipate being sued there.

“Minimum Contacts”: Sufficient links between defendant and forum to satisfy “fair play and substantial justice.”

Long-Arm Statute: State law authorizing courts to reach nonresidents to the extent allowed by the U.S. Constitution.

Conclusion

Hanan Elatr Khashoggi v. NSO Group affirms that mere licensing of surveillance software does not create a substantial nexus with a U.S. forum. The Fourth Circuit’s reinforcement of the “express aiming” requirement preserves due-process limits on personal jurisdiction in an era of cross-border digital intrusions. Plaintiffs must identify direct, forum-targeted conduct by the defendant itself to satisfy Virginia’s long-arm reach—a principle likely to govern future cyber-surveillance and international tort suits.

Case Details

Year: 2025
Court: Court of Appeals for the Fourth Circuit

Comments