Apple says its lawsuit against NSO Group this week is an attempt to hold the surveillance firm “accountable for … the surveillance and targeting of Apple users.” And it spared no ire in accusing the Israeli spyware company of its selling surveillance software to authoritarian governments — regardless of whether those governments use it to target dissidents, journalists, and activists.
NSO Group was already facing legal problems after messenger platform provider WhatsApp filed suit in 2019 for similar reasons. Earlier this month, the US Ninth Circuit Court of Appeals rejected the spyware company’s claim that it should be protected under sovereign immunity laws. In the high-profile case, WhatsApp alleged NSO’s spyware was used to hack 1,400 users of the messaging app.
The two lawsuits open the company to discovery requirements as the cases move forward. Until now, NSO Group has been able to cloak its business practices in secrecy.
In September, Citizen Lab, a cybersecurity watchdog organization, released a report outlining what it found to be zero-day zero-click exploits by NSO Group’s Pegasus spyware against various electronic devices and digital documents.
“I think it’s highly unlikely they had no ability to control and no idea about the misuses of their software — especially over the past year or two because Citizen Lab and other organizations have been documenting the misuse of the software,” said Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. “I mean, after [Jamal] Khashoggi was killed, how do you not wonder.”
Various media outlets have alleged that NSO Group’s hacking malware was used to monitor people close to Saudi Arabian journalist and dissident Jamal Khashoggi both before and after his death at the Saudi consulate in Istanbul in 2018.
The NSO Group emphatically denied that its government clients used the spyware to target the journalist or his family.
The EFF published a paper, Know Your Customer, arguing the burden should be on the technology company to document its customers’ human rights records before selling them software that could be used to spy on citizens.
“It doesn’t take a rocket scientist to realize if you’re selling to the government of Saudi Arabia, it’s quite likely this software will be used against dissidents,” Cohn said.
Apple has made four claims for relief against NSO Group, specifically:
- Violations of Computer Fraud and Abuse Act;
- Violations of California Business and Professions Code § 17200;
- Unjust Enrichment (as an alternative to the third count).
In Apple’s filing, it described the NSO Group as “notorious hackers — amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple.”
Apple protrayed the NSO Group as dealing in spyware for its own commercial gain, allowing customers to abuse its offerings “to target individuals, including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.”
Apple revealed NSO Group’s “FORCEDENTRY” exploit had also been used to break into an Apple customer’s device to install the latest version Pegasus.
Apple claimed that the NSO Group’s software did not breach data contained on Apple servers, but it did abuse the company’s services and servers to perpetrate attacks on users users and the data stored on their devices. (The Israeli firm sells software that can aid governments and security personnel in the hacking of iPhones.)
The EFF raised questions about whether the legal action now under way could set a precedent enabling the Computer Fraud and Abuse Act to be used against legitimate actors such as Citizens Lab or other entities that investigate tech companies for improprieties.
“It’s a vague law that gets misused by prosecutors and private companies a lot,” Cohn said. “…We’re going to be watching this case very closely to make sure the impact of this case stays grounded in these bad actors and doesn’t spill over to the very researchers like Citizen Lab who brought this information public. Sadly, the law is not well defined in a way to make us comfortable that that will automatically happen.”
Jack Gold, president and principal analyst at J. Gold Associates, said if successful, Apple’s lawsuit has the potential to render the NSO’s main product “worthless,” since it depends on granting clients “full access” to targeted smartphones. But,Gold also questioned how effective a win would be in the end because the NSO Group is headquartered in Israel, not the US, and Apple would have to file separate lawsuits in each country in which they operate.
“Apple might win in the US courts and bar NSO here, but that is only in the US,” Gold said. “The EU and other countries would have to somehow sign on to any lawsuit. It’s not clear to me if Apple intends to pursue NSO in every country in the world where it operates, which it would have to do to completely prevent NSO working on any Apple devices.”
It’s also not clear to Gold how Apple as a company has been harmed. “It has caused damage to a few Apple users, but it might be hard for Apple to prove any damage to its reputation,” he said. “So, in essence, it is suing on behalf of its users, and I don’t know if that will fly.”
The jurisdictional reach of the Computer Fraud and Abuse Act (CFAA) is broad, according to Cohn. The US government uses it regularly to bring international cases against entities not based within its borders.
“So I’m not too worried about jurisdiction. There are some risks in an overbroad interpretation of the CFAA and some of the other claims Apple is doing, but I think if it’s done correctly, it could be extremely affective,” Cohn said.
In some ways, Apple’s case may rely on the financial impact spyware can have on its bottom line, according to Cohn.
“These companies have to spend a lot of resources to try to block out these bad actors,” she said. “I appreciate these companies are ultimately standing up for the human rights of these users. But what comes clear out of the complaint is [Apple has] got a financial interest, as well, in stopping this arms race situation and protecting their own bottom line and the amount of money they have to spend to try to deal with these malicious programs,” Cohn said.
The EFF is an unlikely cheerleader of Apple; it has been highly critical of the company for its own device surveillance efforts.
Over the past few months, the digital rights group has been protesting Apple’s new scanning system for Child Sexual Abuse Material on users’ devices. In September, EFF flew a protest banner over Apple’s Cupertino, Calif. headquarters calling on the company to stop scanning user’s iPhones.
They’re still doing stuff we don’t like, but now they’re finally doing something we do like,” Cohn said. “So, it’s a much better way to start the holiday to praise them rather than complain about them.”