> Their CFAA claim can only cover unauthorized access to WhatsApp’s servers – but NSO didn’t hack those servers;
Walking into an unlocked building is still breaking and entering. This is why people are tried for recording information from technically accessible but unauthorized-for-access pages.
> Walking into an unlocked building is still breaking and entering.
Yes, if you weren't authorized to be in the building. But this is more like... walking into an open store and then punching another customer. You didn't exceed your access to the store; you just used your authorized access to do something the store owner wouldn't want you to do (and which constitutes a crime and a tort against someone else). That's not trespassing. However, if the store owner noticed, they could then tell you to leave, at which point remaining in the store would be trespassing.
Does the same apply to the CFAA? Well, it's not entirely clear. There's been a spate of precedents in the last decade, the most recent from just last month, and, well... they're a bit of a mess, including a circuit split which will have to be resolved by the Supreme Court eventually [2], and even within the Ninth Circuit, a "zigzagg[ing]" series of decisions [1] with ambiguous dividing lines.
In particular, unlike in the store analogy, NSO had to agree to a ToS before using WhatsApp, which NSO then violated. That definitely gives WhatsApp a claim for breach of contract. But do actions that violate a ToS also automatically "exceed authorized access" and give WhatsApp a CFAA claim? Not according to Ninth Circuit precedent, but potentially yes according to other circuits' precedents.
That said, many of those precedents turned on the question of whether it makes sense to apply a "hacking" statute to something that's clearly not hacking. In this case, there undoubtedly is hacking involved, and the court may not draw as fine distinctions as I have regarding what exactly was being hacked.
By the way, like in the store analogy, WhatsApp could notify NSO that they're banned from accessing their service altogether, and ignoring that would result in a CFAA violation according to Ninth Circuit precedent. And indeed it seems that WhatsApp has banned NSO now. But they apparently didn't do so prior to the conduct the lawsuit complains about, so that isn't a factor in this case.