What would you do if you found out that your phone was probably hacked by a foreign government in an effort to prevent you from reporting on its human rights abuses? That’s precisely the situation in which New York Times Beirut bureau chief Ben Hubbard recently found himself after it became apparent that his iPhone had been compromised. Hubbard is not alone. Numerous other reporters, human rights defenders, and high-ranking officials across the world are increasingly becoming the targets of the notorious Pegasus spyware program, which can infiltrate even some of the most secure servers and commercial software programs without the need for even a click. Once the spyware is on a person’s phone, the hackers can access the user’s photos, text messages, videos, contacts, and other files. The hackers can also utilize the phone’s camera and microphone to record conversations.
To combat the use and dissemination of Pegasus, Apple Inc. filed suit last week against the spyware’s creators, NSO Group Technologies and Q Cyber Technologies, on grounds related to the damage allegedly caused by the malicious program on Apple devices. Pegasus was developed by the Israel-based NSO Group, which was formed in 2010, is a subsidiary of Q Cyber, and was previously valued at $1 billion. For years, much of NSO’s operations were shrouded in secrecy. However, recent reports and lawsuits have begun to shed light upon its operations. Now, Apple’s lawsuit may be the best opportunity to put Pegasus to pasture for good.
And it’s long past time. Pegasus was used to target Al Arab editor Abdulaziz Alkami eight years ago. The same spyware was also employed to surveil Emirati human rights advocate Ahmed Mansoor and Saudi-American dissident Jamal Khashoggi. On Friday reports even emerged that at least nine State Department officials working on East Africa-related issues were hacked using Pegasus over the past few months, representing the widest known hacks of American officials using NSO technology to date.
A collection of scholars and journalists across the world have spent countless hours documenting the damage that Pegasus wrought upon human rights defenders and others. One group of researchers formed the Pegasus Project, a collaboration of more than 80 international journalists that examined records of NSO clients in more than 50 countries going back to 2016. Similarly, Amnesty International’s Security Lab released a detailed report in July 2021 laying out the precise method by which Pegasus attacks its targets. Finally, the Citizen Lab at the University of Toronto’s Munk School chronicles reportage on this massive spyware program.
Some of Pegasus’ alleged victims have sought redress through the judicial system.
For example, Mexican, Qatari, and other Pegasus targets filed suit against NSO Group in or around 2018 in Israel, Cyprus, and Panama.* On Oct. 29, 2019, WhatsApp filed the first notable American claim against NSO and Q Cyber, alleging: 1) violation of the Computer Fraud and Abuse Act; 2) violation of the California Comprehensive Computer Data Access and Fraud Act; 3) breach of contract; and 4) trespass to chattels, which in this context, refers to illegally accessing Apple’s computer system. This case remains pending a decision on the merits from the U.S. District Court for the Northern District of California. In the interim, the Department of Commerce has added NSO Group to its Entity List, restricting the Israeli firm’s ability to engage in certain transactions without federal approval.
Apple’s Nov. 23 suit marks the latest, and perhaps the most aggressive, attempt to corral Pegasus. The complaint exhibits legal writing at its finest: “Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.” The WilmerHale team skillfully and repeatedly presents Apple’s competitive advantage in protecting the security of its users, noting that “Apple is synonymous with security” and “[s]ecurity researchers agree that iPhone is the safest, most secure consumer mobile device on the market.” The complaint proceeds to support these statements with verifiable facts, figures, and legal sources. It also takes passing swipes at competitors. In one instance, the authors even brilliantly contrast Apple with PCs, harkening back to the company’s famed marketing campaign and referencing its motto. (“Apple knew that iPhone had to be highly reliable and protected from malware; it could not fall victim to the fate of PCs—it needed to be different.”) This narrative-heavy approach stands in stark contrast to the utilitarian WhatsApp complaint, which may be technically sufficient, but lacks panache.
After emphasizing the importance of security to Apple as early as possible, the WilmerHale legal team describes NSO in the exact opposite language: “NSO is the antithesis of what Apple represents in terms of security and privacy. While Apple creates products to serve and protect its users, NSO targets and attempts to exploit those products to harm Apple and its users.”
Apple’s claims for relief are similar, though not identical, to those brought in the still-pending WhatsApp suit from 2019. Both suits allege violations of the Computer Fraud and Abuse Act. The second count in each complaint is also a California law claim, although WhatsApp alleges a violation of state data law, while Apple alleges a violation of the state business and professions code. The third count in each complaint is a breach of contract claim based upon violation of company terms. Notably, Apple’s complaint lists five specific provisions of the iCloud Terms that it alleges were violated by defendants’ creation of more than 100 Apple IDs and spyware attacks.
The complaints depart from each other the most in their fourth counts. While WhatsApp alleges trespass to chattels, Apple alleges unjust enrichment based upon defendants’ granting third-parties access to Apple’s server without compensating Apple for its costs to investigate and remediate the breaches. Apple offered this count as an alternative to its breach of contract claim. In general, though, the claims for relief are remarkably similar and are distinguished most by their writing quality, rather than their facts or legal arguments.
When it comes to remedies, Apple wants to bite off as much as the courts will allow it to chew. The company seeks eight forms of relief. The first three are permanent injunctions barring defendants from using Apple products and services, mandating that defendants identify and delete all information obtained through their hacking activities, and cease developing malicious software of any sort. The next two prayers for relief are for compensatory damages in an amount to be proven at trial and punitive damages. Apple further seeks an accounting of defendants’ profits, disgorgement of said profits, and any other relief that the court deems just and proper.
Defendants will now have the opportunity to respond to Apple’s complaint. However, if history is any guide, this case could continue for years with lawyers using motions to delay its outcome and punish one another for any misstep. While WhatsApp’s case is first in time and also appears promising, the strength of Apple’s complaint leads me to believe that it is more likely to prevail on the merits independent of the outcome of the WhatsApp case. Apple also stands to benefit from a second-mover advantage, by being able to see how courts view WhatsApp’s claims and adjust its arguments accordingly.
It would also be no surprise if the Apple case ended up before the U.S. Supreme Court in some fashion, given that it involves state-sponsored espionage, novel technological issues, the First Amendment, and one of the leading technology companies of our era. Moreover, parts of the related WhatsApp case have already been heard before the 9th Circuit Court of Appeals. In that appeal, the Ninth Circuit upheld the district court’s ruling that defendants were not in a position to assert sovereign immunity as a means of having the case dismissed. It is therefore not unreasonable to assume that defendants will continue to fight unfavorable rulings to the highest court willing to hear their grievances.
If Apple were to win this case, it would deal a strong blow against malicious spyware operators, state-sponsored hacking, and the global oppression of democracy activists. However, if defendants were to somehow prevail, it could send a signal that we have entered a new age in which technological pirates are free to run amok without fear of judicial intervention. For the sake of our freedom and security, I hope that Pegasus is corralled.
Correction, Dec. 6, 2021: This piece originally misspelled Cyprus.