Non-Lawyer's Summary

Selling a software vulnerability to a broker is not explicitly illegal under U.S. law: no statute says "you may not sell zero-days." But the surrounding ecosystem is governed by a dense web of export control regulations, wiretapping statutes, CFAA provisions, and international arms-control agreements that create serious criminal exposure depending on who buys the vulnerability, what country they are in, and what the tool does. Commercial spyware vendors face a separate and harsher legal environment: manufacturing or selling a tool primarily useful for surreptitious interception violates the federal Wiretap Act (18 U.S.C. § 2512), the FTC has banned a stalkerware vendor from the surveillance business under Section 5 of the FTC Act, and the NSO Group litigation has confirmed that foreign sovereign immunity does not shield a private company that deployed malware at foreign government direction against a U.S. platform and its users.


1. The Commodity That Has No Name in the Law

Somewhere in a dark corner of the internet, a price list exists.

An Android zero-click full chain with persistence: up to $2.5 million. An iOS zero-click full chain with persistence: up to $2 million. A WhatsApp zero-click remote code execution chain: up to $1.5 million. These are real numbers from Zerodium's published acquisition price list (the 2019 revision, the first to price Android above iOS), from a company that buys vulnerabilities the way art dealers buy paintings: quietly, expensively, and with very specific buyers in mind.

Here is the shock: no federal statute explicitly prohibits the sale of a software vulnerability.

The Computer Fraud and Abuse Act (18 U.S.C. § 1030) contains no provision targeting zero-day sales as such. Section 1030(a)(6) prohibits knowingly, and with intent to defraud, trafficking in "any password or similar information through which a computer may be accessed without authorization." Courts have not extended this to a vulnerability itself, as distinguished from credentials that provide direct unauthorized access: a zero-day exploit is not a password, the provision also requires fraudulent intent, and it has been read narrowly.

This legal gap is not an accident. Congress has never enacted a "vulnerability trafficking" statute, partly because the security research community, defense contractors, and government procurement operations all depend on a functioning market for vulnerability information.

But that was never the real story.

The real story is the ring of law that surrounds the gap — export controls, wiretapping statutes, national security law — that can transform an apparently legal transaction into a federal crime depending on three words: who, where, and what.

Export Administration Regulations — 15 C.F.R. Parts 730–774

In December 2013, the international arms control community did something that sent shockwaves through the cybersecurity industry. The Wassenaar Arrangement, a multilateral export control regime, added "intrusion software" and "IP network communications surveillance systems" to its dual-use control list. The U.S. path to implementation was long: BIS proposed a rule in May 2015, withdrew it after the security industry objected that it would capture ordinary vulnerability research, negotiated narrower language at Wassenaar in 2017, and finally published a final rule in October 2021 (effective March 7, 2022). The controls now live in the Export Administration Regulations (EAR) under these Export Control Classification Numbers (ECCNs):

  • ECCN 4A005: systems, equipment, and components specially designed or modified for the generation, command and control, or delivery of "intrusion software"
  • ECCN 4D004: software specially designed or modified for the generation, command and control, or delivery of "intrusion software"
  • ECCN 4E001.a and 4E001.c: technology for the development or production of 4A005/4D004 items, and technology for the development of "intrusion software" itself

The structural point practitioners miss: "intrusion software" is a defined term, not a controlled item. The implant that lands on the phone is not itself classified under these ECCNs; the exploit framework that generates and delivers it, the command-and-control infrastructure, and the know-how to build the implant are. Two carve-outs matter for researchers: 4E001.c does not apply to "vulnerability disclosure" or "cyber incident response" as those terms are defined in 15 C.F.R. Part 772, so reporting a bug to a vendor or a CERT, or sharing exploit details to contain an incident, falls outside the control.

Under the EAR, "export" includes not only physical shipment but electronic transmission, and releasing controlled technology or source code to a foreign national inside the United States is a "deemed export" to that person's country of citizenship. A researcher who emails 4E001.c technology for developing intrusion software to a foreign national potentially needs a BIS license, even if that foreign national is sitting next to them in the United States (U.S. citizens, permanent residents, and protected individuals are not foreign nationals for this purpose). The rules follow the person, not the border.

License requirements: exporting 4A005, 4D004, or 4E001 items to a foreign government or foreign intelligence service in most destinations, or to anyone in an embargoed or comprehensively sanctioned country (Cuba, Iran, North Korea, and Syria in Country Group E; Russia and Belarus under the sweeping 2022 controls), requires a BIS license. The 2021 rule created License Exception ACE (15 C.F.R. § 740.22) for "cybersecurity items," but ACE is unavailable for Country Group E:1 and E:2 destinations and for "government end users" in Country Group D (which includes China and Russia), so it rarely helps an offensive-tool sale to a foreign state. Selling the same capability to the U.S. government, including NSA, CYBERCOM, or DIA, is not an export at all and requires no license.

The practical effect: Zerodium (a U.S. company) or Crowdfense (United Arab Emirates) purchasing a zero-day from a U.S. researcher and reselling it to a foreign government intelligence service is, when the deliverable includes the exploit chain and the technology to build and deliver the implant, potentially an EAR export requiring a BIS license, and may additionally trigger State Department ITAR controls if the capability qualifies as a defense article on the U.S. Munitions List (22 C.F.R. Part 121).


2. Export Controls on Offensive Security Tools: BIS Enforcement

The Day the Department of Commerce Went to War With a Spyware Company

November 3, 2021. The Department of Commerce Bureau of Industry and Security issued a quiet administrative notice that detonated in boardrooms across the cybersecurity industry.

BIS added NSO Group Technologies (Israel) and Candiru (Israel) to the Entity List (15 C.F.R. Part 744, Supplement No. 4), requiring a license for any export, reexport, or in-country transfer to them of any item subject to the EAR, with applications reviewed under a presumption of denial.

The stated basis: BIS found that NSO Group and Candiru "developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." BIS added Positive Technologies (Russia) and Computer Security Initiative Consultancy PTE. LTD. (Singapore) on the same date on a different finding: that they traffic in cyber tools used to gain unauthorized access to information systems.

This is how you fight a spyware company without criminal charges. No arrest. No trial. No burden of proof beyond a reasonable doubt. Just a list. And the moment you appear on that list, every company that exports servers, software, or technology subject to the EAR to you faces exposure under the Export Control Reform Act of 2018 (50 U.S.C. §§ 4801–4852): willful violations carry up to 20 years imprisonment and a $1 million fine per violation, and even non-willful violations carry strict-liability civil penalties of up to the greater of roughly $300,000 (inflation-adjusted) or twice the value of the transaction.

The Entity List is a slow strangulation. No handcuffs needed.

What "Intrusion Software" Means Under the EAR

The EAR (15 C.F.R. Part 772) defines "intrusion software" as software specially designed or modified to avoid detection by "monitoring tools" or to defeat "protective countermeasures" of a computer or network-capable device, and that does at least one of: extract data or information from the device, modify system or user data, or modify the standard execution path of a program or process so that externally provided instructions run. The definition then carves out hypervisors, debuggers and software reverse engineering tools, digital rights management software, and software designed to be installed by manufacturers, administrators, or users for asset tracking or recovery.

Where the line falls in practice: a penetration testing tool run with the owner's consent that makes no attempt to hide from endpoint monitoring does not meet the definition, and a debugger never does, however it is used. A remote-access implant that hides its process from monitoring tools and silently exfiltrates contacts and location data meets every element. Many commercial products sit between those poles, and no federal court has construed the definition, so classification is a self-assessment (or a formal BIS classification request) rather than settled law.

The gray area is where the industry lives. And where the liability hides.


3. NSO Group / Pegasus: The Civil Litigation Framework

WhatsApp v. NSO Group — The Lawsuit That Proved Spyware Companies Are Not Untouchable

Between April 29 and May 10, 2019, roughly 1,400 phones were targeted in less than two weeks.

No user clicked a link. No user downloaded a file. The attack required nothing but receiving a WhatsApp call, a call the user did not even need to answer: a buffer overflow in WhatsApp's VOIP stack (CVE-2019-3568). The payload was NSO Group's Pegasus spyware, deployed on behalf of NSO's unnamed government customers.

In October 2019, WhatsApp Inc. and Facebook, Inc. (now Meta Platforms) filed suit in the Northern District of California, pleading four counts: (1) violation of the CFAA, 18 U.S.C. § 1030, for accessing WhatsApp's servers and the targets' devices without authorization; (2) violation of the California Comprehensive Computer Data Access and Fraud Act (CDAFA, Penal Code § 502); (3) breach of contract (the WhatsApp Terms of Service NSO accepted to create its accounts); and (4) trespass to chattels.

NSO Group came to court with what they believed was an unassailable defense: foreign sovereign immunity.

Their argument: NSO acted as an agent of foreign governments. The Foreign Sovereign Immunities Act (FSIA, 28 U.S.C. §§ 1602–1611) shields foreign sovereigns from U.S. courts. NSO was, in their telling, merely a contractor — a tool of state power — and therefore untouchable.

The district court rejected it. The Ninth Circuit affirmed in November 2021 (WhatsApp Inc. v. NSO Group Technologies Ltd., 17 F.4th 930): the FSIA's immunity for foreign states and their "agencies or instrumentalities" is defined by the statute's own criteria, a private Israeli company fails them, and because the FSIA occupies the field for entities, NSO could not fall back on common-law foreign official immunity either. In January 2023, the U.S. Supreme Court denied NSO Group's petition for certiorari, leaving the Ninth Circuit ruling in place.

The case proceeded to discovery.

In December 2024, the district court granted summary judgment to WhatsApp on the CFAA, CDAFA, and breach of contract claims, holding that NSO's conduct was unauthorized access as a matter of law and rejecting NSO's argument that its government customers, not NSO, operated Pegasus. This was the first time a commercial spyware vendor was held liable under the CFAA in civil litigation. In May 2025 a jury awarded WhatsApp roughly $444,000 in compensatory damages and $167 million in punitive damages; in post-trial rulings the court cut the punitive award substantially and entered a permanent injunction barring NSO from targeting WhatsApp.

The armor had a crack. And it was widening.

Apple v. NSO Group — The FORCEDENTRY Case

Apple filed a parallel action in November 2021, targeting NSO Group's use of the FORCEDENTRY exploit (CVE-2021-30860), a zero-click iMessage exploit used to install Pegasus, and sought a permanent injunction barring NSO Group from using any Apple product, service, or device. The case never reached the merits: in September 2024 Apple moved to dismiss its own suit, telling the court that discovery risked exposing its threat-intelligence methods and that NSO was no longer the only vendor that mattered. The injunction theory therefore remains untested.

Paragon Solutions — The Next Act

A newer entrant waited in the wings. In January 2025 WhatsApp disclosed that roughly 90 of its users, including Italian journalists and civil-society members, had been targeted with "Graphite," the spyware of Paragon Solutions (Israel), and said it had sent Paragon a cease-and-desist letter; Apple later sent threat notifications to further Graphite targets. Any suit against Paragon would follow the same CFAA + CDAFA framework the NSO litigation established.

The pattern is repeating. The names change. The law does not.

The Rules That Now Apply to Everyone

The NSO Group litigation establishes four principles that every commercial spyware vendor must now live with:

  1. Foreign sovereign immunity does not protect private spyware companies.
  2. CFAA liability attaches to the vendor whose tooling performs the unauthorized access, even where the vendor's government clients select the targets; § 1030(b) conspiracy liability is a further route when the vendor knowingly facilitates a client's access.
  3. Civil CFAA damages under § 1030(g) can be predicated on loss calculations including investigation and remediation costs.
  4. A federal court in California will assert personal jurisdiction over a foreign spyware company whose conduct targeted California-based servers and U.S. users.

4. Commercial Spyware and Stalkerware

The App That Hides From Its Victim

18 U.S.C. § 2512(1)(b) is a statute that most people have never read. It should terrify anyone who has ever considered building surveillance software.

The Electronic Communications Privacy Act of 1986 (Pub. L. 99-508) extended the Wiretap Act to electronic communications. Section 2511 prohibits the intentional interception of wire, oral, or electronic communications; section 2512(1)(b) separately prohibits manufacturing, assembling, possessing, or selling "any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications." Maximum sentence: five years per count. The provision has been used against stalkerware: in 2014 the maker of StealthGenie pleaded guilty in the Eastern District of Virginia to a § 2512 charge for advertising and selling the app.

Stalkerware, meaning applications marketed as parental monitoring or employee tracking tools but designed to hide from the device owner, fits squarely within § 2512(1)(b) when designed to operate covertly. The "primarily useful" standard means a court looks at whether the legitimate monitoring use case is bona fide or a pretext for marketing an interception device. If the app's differentiating features (icon hiding, stealth mode, no notification to the monitored user) are the primary value proposition, the § 2512(1)(b) exposure is substantial.

FTC Enforcement: SpyFone — The First Shot Heard Around the Industry

September 1, 2021. The Federal Trade Commission announced the first outright ban of a stalkerware vendor: In the Matter of Support King, LLC d/b/a SpyFone.com. (Its first stalkerware case, against Retina-X Studios, had settled in 2019.)

The order bars SpyFone and its CEO from the surveillance business, requires deletion of all data collected through the platform, and requires the company to notify the owners of devices on which the app had been secretly installed. The FTC alleged that SpyFone had collected location, text message, photo, audio, and web history data from victims' devices without their knowledge, and had stored this data insecurely, exposing it to third parties. There was no civil penalty: the FTC has no civil-penalty authority for a first-time Section 5 violation.

The legal theories: Section 5 of the FTC Act (15 U.S.C. § 45) — unfair or deceptive acts or practices — and the company's own privacy policies, which misrepresented data security.

Critically, the FTC did not need to prove a § 2511 criminal violation. The FTC can act on the basis that secret surveillance is an unfair practice regardless of whether it meets the criminal standard.

Two legal theories. One company. One industry-wide warning shot.

CFAA § 1030(a)(5) — When the Maker Becomes the Conspirator

Installing spyware on a device without authorization violates CFAA § 1030(a)(5)(A) (knowingly causing transmission of a program that intentionally causes damage to a protected computer) and, where data is pulled off the device, § 1030(a)(2). A person who manufactures stalkerware that is installed by third parties may face liability as a co-conspirator under § 1030(b) or as an aider and abettor under 18 U.S.C. § 2 if they knew the tool would be used for unauthorized installation.

You don't have to install it. You just have to build it knowing what it's for.

California Penal Code § 632 — The State Line That Follows You

California Penal Code § 632 prohibits eavesdropping on or recording a confidential communication without the consent of all parties; § 631 separately covers wiretapping. California is an all-party consent jurisdiction. Stalkerware installed on a California resident's device that records their calls or captures their communications violates these sections, and California courts have applied them to out-of-state actors whose recording reaches a California party.

Civil remedies under § 637.2 provide $5,000 per violation or three times actual damages.


5. The Vulnerability Equities Process and Government Zero-Day Retention

The Secret Policy That Decides What Gets Patched

Somewhere in a government review board meeting, a decision is being made about a vulnerability in software you use right now.

The Vulnerabilities Equities Process (VEP) governs how the U.S. federal government decides whether to disclose a newly discovered vulnerability to the affected vendor or retain it for intelligence, law enforcement, and offensive operations. It began as a 2010 interagency policy document, became public knowledge in 2014 when the White House described it after the Heartbleed controversy (the document itself was released in 2016 under an EFF Freedom of Information Act suit), and was replaced by a public charter issued by the National Security Council on November 15, 2017. That charter, not an executive order, is the operative text today.

The charter creates an Equities Review Board chaired by the NSC's cybersecurity lead, with NSA as Executive Secretariat and members drawn from OMB, ODNI, Treasury, State, Justice (including the FBI), DHS (including CISA), Energy, Defense (including NSA and CYBERCOM), Commerce, and CIA. When a participating agency discovers or acquires a vulnerability that is not publicly known, it must submit it for review. The board weighs the intelligence and operational value of retaining the zero-day against the harm to U.S. networks and core Internet infrastructure if it stays unpatched, against the government's stated position that disclosure is in the national interest in the vast majority of cases.

Nobody elected these people. Nobody knows which vulnerabilities they've retained.

NOBUS and the Shadow Brokers — When Hubris Becomes a Billion-Dollar Catastrophe

NSA's internal doctrine for vulnerability retention is summarized as NOBUS — "Nobody But Us." A vulnerability is retained when NSA assesses that only NSA, given its unique access and capabilities, could realistically exploit it.

The NOBUS assessment proved catastrophically wrong.

In 2016 and 2017, the Shadow Brokers, an entity suspected of links to Russian intelligence, published a large cache of NSA (Equation Group) exploits. Among them: EternalBlue, targeting an SMBv1 flaw in Windows. NSA had reportedly used it for more than five years without telling Microsoft: "Nobody but us." Only after NSA learned the tools had been stolen did it tip Microsoft, which shipped the fix as MS17-010 on March 14, 2017, a month before the April 2017 dump. Every machine WannaCry hit two months later had a patch available and not applied.

EternalBlue was weaponized in WannaCry (May 2017), which caused estimated damages of $4-8 billion globally, and NotPetya (June 2017), attributed to Russian GRU, which caused approximately $10 billion in damages.

The legal question of U.S. government liability for retaining EternalBlue has not been adjudicated. The Federal Tort Claims Act (28 U.S.C. § 1346(b)) requires a plaintiff to show a "negligent or wrongful act or omission" by a government employee — a difficult standard given that vulnerability retention decisions are discretionary policy judgments protected by the discretionary function exception (28 U.S.C. § 2680(a)). No court has held the government liable for downstream harm from a retained zero-day.

The government made the decision. The hospitals in the UK paid for it.


6. Two Markets. Two Destinies.

A researcher finds a critical vulnerability. Two paths open before them.

Path one: Disclose to the vendor. Submit through a bug bounty. Wait. Receive a reward — typically thousands to tens of thousands of dollars. The vulnerability gets patched. The world becomes slightly safer. The researcher's name might appear in an advisory, if the company is gracious.

Path two: Contact Zerodium. Zerodium publishes per-vulnerability acquisition prices reaching $2 million for iOS and $2.5 million for Android zero-click chains. Receive payment. The vulnerability goes into a vault. It is sold to government clients. It remains unpatched, potentially for years, on millions of devices, including your own.

The law has something to say about both paths. But what it says is surprisingly asymmetric.

HackerOne and Bugcrowd programs create contractual authorization that removes the "without authorization" element from CFAA civil and criminal exposure, but only as against the program owner: a third party whose systems you touch while testing has granted you nothing. Program terms typically require: (a) scope restriction to listed targets; (b) no exfiltration of real user data; (c) no destructive testing; (d) IP assignment or license grant to the company for any vulnerabilities discovered.

Researchers should note: IP assignment clauses in bug bounty agreements may transfer ownership of the discovered vulnerability to the company, preventing the researcher from simultaneously disclosing to a third party or publishing full technical details. Some programs use license grants rather than assignments, preserving researcher ownership while granting the company rights to use and fix the vulnerability.

Read every clause. The agreement that protects you also defines what you gave up.

Zerodium publicly commits to not disclosing acquired vulnerabilities to vendors. It sells to government clients — publicly disclosed to include U.S. government agencies and law enforcement.

The legal implications are layered and treacherous. A researcher who sells to Zerodium:

  • Does not receive the DOJ charging policy protection applicable to good-faith disclosure.
  • Contributes to the vulnerability remaining unpatched on third-party systems.
  • May face EAR scrutiny if Zerodium resells to foreign government clients.

The researcher's own EAR exposure depends on whether they knew or had reason to know of the ultimate foreign government end user. The EAR defines "knowledge" to include awareness of a high probability, inferred from conscious disregard or willful avoidance of the facts, so not asking does not help. It is a fact-intensive inquiry that no attorney can resolve in the abstract.

You sold a weapon. You just don't know against whom it was eventually used.


7. Government Purchase of Zero-Days

U.S. government purchase of offensive cyber tools proceeds through classified procurement channels. NSA, CIA, CYBERCOM, DIA, and FBI all have programs for acquiring vulnerability information and offensive tooling. The legal framework governing these purchases is largely classified, but several statutory authorities are relevant:

  • National Security Act of 1947 (50 U.S.C. § 3001 et seq.) — authorizes intelligence activities including offensive cyber operations
  • 10 U.S.C. § 394 — authorizes CYBERCOM to conduct offensive operations "in or through cyberspace"
  • Presidential Policy Directive 20 (2012; leaked in 2013 and later partially declassified) — established the framework for Offensive Cyber Effects Operations; it was rescinded in 2018 and replaced by National Security Presidential Memorandum 13, which remains classified

Federal contractors handling zero-days and classified exploit tooling must comply with the National Industrial Security Program Operating Manual (NISPOM, 32 C.F.R. Part 117), which governs handling of classified information including classified vulnerability data.

Harold Martin — The NSA Contractor Who Took Too Much Home

In August 2016, the FBI arrested Harold T. Martin III, an NSA contractor employed by Booz Allen Hamilton, after searching his home in Glen Burnie, Maryland.

Investigators recovered approximately 50 terabytes of material, accumulated over some two decades, from his house, a shed on the property, and his car. Among it: NSA hacking tools. Exploit code. Some of the most sensitive offensive cyber capabilities the U.S. government possessed.

Martin pleaded guilty in 2019 to one count of willful retention of national defense information (18 U.S.C. § 793(e)) and was sentenced to nine years in federal prison. Whether he was the Shadow Brokers' source was never established.

The Martin case demonstrates that zero-day tools, when classified, fall under the Espionage Act's national defense information provisions — not merely the EAR. Classification doesn't just restrict where you can take something. It defines what happens to you if you take it anyway.


8. DMCA § 1201 and Offensive Security Research

In 1998, Congress passed the Digital Millennium Copyright Act to protect movies and music from piracy. They couldn't have known they were also passing a law that would criminalize security research.

Section 1201 (17 U.S.C. § 1201) contains three prohibitions: § 1201(a)(1) bars circumventing a technological protection measure (TPM) that controls access to a copyrighted work; § 1201(a)(2) bars manufacturing, offering, or trafficking in tools primarily designed to circumvent access controls; and § 1201(b)(1) bars trafficking in tools that circumvent copy controls (circumventing a copy control yourself is not separately prohibited).

The second prohibition — the anti-trafficking provision — is where security researchers collide with copyright law. Security researchers regularly develop tools that bypass authentication mechanisms, defeat DRM, or circumvent access controls as part of legitimate research.

The § 1201(j) "security testing" exemption allows circumvention solely for good-faith testing, investigating, or correcting a security flaw or vulnerability, but only with the authorization of the owner or operator of the computer or network being tested. Its tool provision, § 1201(j)(4), permits developing, producing, distributing, or employing technological means "for the sole purpose of performing" such authorized testing, with the circular proviso that the means not otherwise violate § 1201(a)(2); it offers nothing against § 1201(b)(1). A researcher who builds a circumvention tool for an authorized engagement and then publishes it for general use has left the exemption behind and faces § 1201 trafficking liability even though their own use was exempt.

Use it on a system whose owner authorized you: exempt. Post it for anyone to download: civilly actionable under § 1203 and, if done willfully for commercial advantage, criminal under § 1204.

2024 Triennial Rulemaking

The Copyright Office conducts triennial rulemakings to establish exemptions to § 1201(a)(1)'s anti-circumvention prohibition. The 2024 rulemaking renewed the good-faith security research exemption covering software on lawfully acquired devices, including networked devices, vehicles, medical devices, and consumer electronics. The Office has no authority to exempt trafficking, so these exemptions create no safe harbor for selling or distributing circumvention tools to others.

Green v. U.S. Department of Justice — When Cryptographers Went to Court

Green v. U.S. Department of Justice (filed 2016, D.D.C.) — brought by Matthew Green, a Johns Hopkins cryptographer, and Andrew "Bunnie" Huang, a hardware hacker, with EFF support — challenged § 1201 as a First Amendment violation. Their argument: the statute restricts protected speech (security research publication and tool development), and its criminal penalties chill legitimate work.

The constitutional challenge has not produced a ruling striking the statute. The district court dismissed the facial claims in 2019 while allowing as-applied claims to proceed, and in December 2022 the D.C. Circuit (Green v. DOJ, 54 F.4th 738) affirmed the denial of a preliminary injunction. Section 1201 remains fully enforceable while the case continues.

The researchers went to court to protect the right to talk about the work they do. The case is still pending.


9. International Zero-Day Law

Where Your Laptop Is Also a Weapon — By Law

United Kingdom: Computer Misuse Act § 3A — The Tool That Is Already Illegal

Section 3A of the UK Computer Misuse Act 1990 (inserted by the Police and Justice Act 2006) creates a criminal offense for making, supplying, or obtaining "articles" for use in CMA offenses — with "articles" broadly interpreted to include exploit code. A security researcher in the UK who develops a functional exploit tool, even without using it, potentially commits a § 3A offense if the tool is "likely to be used" in a CMA offense.

The CMA does not contain a security research exemption comparable to the U.S. DOJ 2022 charging policy. UK-based zero-day development carries legal risks that U.S.-based development does not.

Germany: § 202c StGB — The Hacker Paragraph

Section 202c of the German Strafgesetzbuch, the so-called "hacker paragraph," criminalizes producing, selling, transferring, or possessing "computer programs whose purpose is the commission of" a § 202a or § 202b offense (unauthorized access or data interception). The Federal Constitutional Court (Bundesverfassungsgericht) dismissed constitutional complaints against § 202c in 2009, reading it to reach only programs whose objective purpose is to commit such an offense, so that dual-use tools are covered only when the actor intends criminal use.

The provision nonetheless chills legitimate dual-use tool development in Germany and drove several German security conferences to question whether presenting working exploit code constitutes a criminal offense.

France: ANSSI's Coordinated Disclosure Safe Harbor

France's Agence nationale de la sécurité des systèmes d'information (ANSSI) runs a coordinated vulnerability disclosure (CVD) channel backed by statute: Article L. 2321-4 of the Code de la défense (added in 2016) lets anyone report a vulnerability to ANSSI in good faith, obliges ANSSI to keep the reporter's identity confidential, and relieves ANSSI of the general duty to refer the reporter to prosecutors. French law, Articles 323-1 through 323-7 of the Code pénal, otherwise criminalizes unauthorized system access and (Article 323-3-1) possessing or supplying tools for it without legitimate reason. The protection is procedural: report to ANSSI, which coordinates with the affected vendor, and the researcher has institutional backing. Selling to a zero-day broker rather than following CVD forfeits it.

Israel: NSO Group and the Export License That Became a Diplomatic Weapon

Israeli law governs NSO Group's export of Pegasus. Israel's Defense Export Control Law, 5767-2007, and the regulations under it require Ministry of Defense approval, through the Defense Export Control Agency (DECA), for export of defense products, including offensive cyber tools. NSO Group's export licenses, which the Israeli government reportedly narrowed and suspended in response to U.S. diplomatic pressure, are the primary regulatory lever foreign governments have used to constrain Pegasus deployment.

Israel suspended Pegasus exports to multiple countries following the 2021 Entity Listing. The export license mechanism is the international legal architecture most directly analogous to BIS Entity Listing in the U.S. context. A company's access to its own product can be revoked by a government's signature.


ActivityLegal StatusPrimary RiskNotes
Finding a zero-day in your own authorized testing environmentSAFENoneNo CFAA issue; no authorization required for own systems
Finding a zero-day while conducting authorized pen testSAFEScope creep = riskAuthorization document is your shield; stay within scope
Reporting a zero-day to the vendor under a VDPSAFECivil suit if out-of-scopeDOJ 2022 policy + Van Buren provide additional protection
Selling a zero-day to a U.S.-based domestic broker (Zerodium U.S. entity)GREYEAR if broker re-exports; no § 1030 protectionNo explicit prohibition, but EAR exposure if foreign re-export; no DOJ policy protection
Selling a zero-day directly to a foreign government brokerREDEAR criminal violation (15 C.F.R. § 774); potential IEEPA violationRequires BIS license for most foreign governments; countries on embargo list = strict liability
Selling a zero-day to a foreign government on the BIS Entity ListRED — CriminalEAR criminal + IEEPA civilNSO Group / Candiru Entity Listed; any supply to them is criminal
Using a zero-day in an authorized red team / pen testSAFE (with authorization)Without written authorization = CFAA § 1030(a)(5)Written engagement letter is mandatory; scope the authorization precisely
Publishing full working PoC to the publicGREY§ 1201(a)(2) anti-trafficking if circumvents DRM; civil CFAA suit by target company; 18 U.S.C. § 2511 if PoC enables wiretappingNo criminal prohibition on publishing; civil exposure from target; international law varies (§ 202c Germany, § 3A UK)
Developing stalkerware for a clientRED — Criminal18 U.S.C. § 2511(1)(b) (manufacturing interception device); CFAA § 1030(b) conspiracy; FTC Act § 5"Primarily useful for surreptitious interception" = federal crime; no legitimate use exception saves tool designed around stealth from target
Selling a CFAA-covered access device (credentials, session tokens)RED — Criminal18 U.S.C. § 1030(a)(6) trafficking in access credentialsSelling a zero-day ≠ selling credentials; but selling hijacked session tokens or credential pairs = clear § 1030(a)(6) exposure
Participating in VEP-covered government zero-day retentionCLASSIFIED — LEGAL under NSA authorityMishandling = 18 U.S.C. § 793(e) (Espionage Act)Harold Martin example; classification does not shield individual mishandling
Exporting intrusion software classified ECCN 4D001 without licenseRED — CriminalECRA 50 U.S.C. § 4819; up to 20 years / $1M per violationEAR license required for most foreign governments; no license exception covers offensive tools to state actors

Key Statutes and Regulations

  • Computer Fraud and Abuse Act (18 U.S.C. § 1030): unauthorized computer access; password trafficking
  • Wiretap Act, Title III (18 U.S.C. §§ 2510–2523): interception (§ 2511) and interception-device manufacture and sale (§ 2512)
  • Espionage Act (18 U.S.C. §§ 793–798): classified national defense information
  • Export Control Reform Act (50 U.S.C. §§ 4801–4852): criminal and civil penalties for EAR violations
  • Export Administration Regulations (15 C.F.R. Parts 730–774): dual-use export controls; intrusion software ECCNs 4A005, 4D004, 4E001; License Exception ACE; Entity List
  • DMCA § 1201 (17 U.S.C. § 1201): anti-circumvention; anti-trafficking; § 1201(j) security testing exemption
  • FTC Act (15 U.S.C. § 45): unfair or deceptive practices (stalkerware)
  • FSIA (28 U.S.C. §§ 1602–1611): foreign sovereign immunity; does not cover private spyware vendors
  • FTCA discretionary function exception (28 U.S.C. § 2680(a)): shields VEP decisions from tort liability

Key Cases

  • Van Buren v. United States, 593 U.S. 374 (2021) — narrowed CFAA "exceeds authorized access"
  • WhatsApp Inc. v. NSO Group Technologies Ltd., N.D. Cal. No. 4:19-cv-07123; 17 F.4th 930 (9th Cir. 2021), cert. denied (2023) — CFAA + CDAFA against a commercial spyware vendor; FSIA rejected; summary judgment for WhatsApp (2024) and jury verdict (2025)
  • Apple Inc. v. NSO Group Technologies Ltd., N.D. Cal. No. 3:21-cv-09078 — injunctive relief theory against a spyware vendor; voluntarily dismissed by Apple in 2024
  • In the Matter of Support King, LLC d/b/a SpyFone.com, FTC File No. 1923003 (2021) — first FTC stalkerware enforcement
  • United States v. Harold T. Martin III, D. Md. No. 1:17-cr-00069 — 9 years for hoarding NSA exploit tools
  • Green v. U.S. Dep't of Justice, D.D.C. No. 1:16-cv-01492 — § 1201 First Amendment challenge (ongoing)

This module is part of the LawZeee Phase 2 curriculum — Offensive Security Law. Cross-reference: Module 1A (CFAA Federal Statutes), Module 1J (Bug Bounty Legal Protections), Module 1N (Criminal Prosecution History), Module 1O (Nation-State Indictments).
