Apple’s NSO trial is aimed at illegal espionage by oppressive regimes

Apple says its lawsuit against the NSO Group this week is an attempt to hold the monitoring company “responsible for … the monitoring and targeting of Apple users.” And it did not shy away from accusing the Israeli spyware company of selling surveillance software to authoritarian governments, regardless of whether those governments use it to target dissidents, journalists and activists.

NSO Group was already facing legal issues after messenger platform provider WhatsApp filed a lawsuit in 2019 for similar reasons. Earlier this month, the US Ninth Circuit Court of Appeals rejected the spyware company’s claim that it should be protected under sovereign immunity laws. In the high-profile case, WhatsApp claimed that NSO’s spyware was used to hack 1,400 users of the messaging app.

The two lawsuits open the company to discovery claims as the cases progress. Until now, the NSO Group has been able to shroud its business practices in secrecy.

In September, Citizen Lab, a cybersecurity surveillance organization, released a report outlining what it found to be zero-day, zero-click exploits of NSO Group’s Pegasus spyware against various electronic devices and digital documents.

“I think it’s very unlikely that they had any ability to control and no idea of misuse of their software – especially over the last year or two, because Citizen Lab and other organizations have documented misuse of the software,” said Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. “I mean, after [Jamal] Khashoggi was killed, how do you not wonder.”

Various media outlets have claimed that NSO Group’s hacking malware was used to monitor people close to Saudi journalist and dissident Jamal Khashoggi both before and after his death at the Saudi consulate in Istanbul in 2018.

The NSO Group vehemently denied that its government clients used spyware to target the journalist or his family.

The EFF published a paper, Know Your Customer, arguing that the burden should be on the technology company to document its customers’ human rights records before selling software that can be used to spy on citizens.

“It does not require a rocket scientist to realize that if you sell to the Saudi government, it is quite likely that this software will be used against dissidents,” Cohn said.

Apple has made four claims for relief against NSO Group, specifically:

  • Violations of the Computer Fraud and Abuse Act;
  • Violations of California Business and Professions Code § 17200;
  • Breach of contract (specifically regarding iCloud terms of use);
  • Unjust enrichment (as an alternative to the third point).

In its filing, Apple described the NSO Group as “infamous hackers – 21st century amoral mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and overt abuse. They design, develop, sell, implement, operate and maintain offensive and destructive malware and spyware products and services that have been used to target, attack and harm Apple users, Apple products and Apple.”

Apple said the NSO Group trades in spyware for its own commercial gain, allowing customers to abuse its offerings “to target individuals, including officials, journalists, businessmen, activists, academics, and even U.S. citizens.”

Apple revealed that the NSO Group’s “FORCEDENTRY” exploit had also been used to hack into an Apple customer’s device to install the latest version of Pegasus.

Apple claimed that the NSO Group’s software did not breach data contained on Apple’s servers, but that it misused the company’s services and servers to carry out attacks on Apple’s users and the data stored on their devices. (The Israeli company sells software that can help governments and security personnel hack iPhones.)

The EFF raised the question of whether the legal action now under way could set a precedent that allows the Computer Fraud and Abuse Act to be used against legitimate actors such as Citizen Lab or other entities investigating technology companies for inappropriate.

“It’s a vague law that is being abused a lot by prosecutors and private companies,” Cohn said. “… We are going to follow this case very closely to ensure that the impact of this case remains rooted in these bad actors and does not spread to the very researchers like Citizen Lab who published this information. Unfortunately, the law is not well defined in a way that makes us feel confident that it will happen automatically.”

Jack Gold, president and chief analyst at J. Gold Associates, said that if successful, Apple’s lawsuit has the potential to make NSO’s core product “worthless” as it depends on giving customers “full access” to targeted smartphones. But Gold also questioned how effective a victory would be in the end because the NSO Group is headquartered in Israel, not the United States, and Apple would have to file separate lawsuits in each country in which it operates.

“Apple can win in the U.S. courts and exclude the NSO here, but that’s only in the United States,” Gold said. “The EU and other countries would somehow have to sign on to any lawsuit. It’s not clear to me whether Apple intends to prosecute the NSO in any country in the world where they operate, which it would need to do to completely prevent the NSO from working on Apple devices.”

It is also not clear to Gold how Apple as a company has been harmed. “It has caused harm to a few Apple users, but it can be difficult for Apple to prove any harm to its reputation,” he said. “So essentially it’s suing on behalf of its users and I do not know if it will fly.”

The jurisdictional scope of the Computer Fraud and Abuse Act (CFAA) is broad, according to Cohn. The US government regularly uses it to bring international actions against entities that are not based within its borders.

“So I’m not so worried about jurisdiction. There’s some risks in an overly broad interpretation of the CFAA and some of the other claims Apple makes, but I think if done correctly, it can be extremely effective,” Cohn said.

In some ways, Apple’s case may rely on the economic impact spyware can have on the bottom line, according to Cohn.

“These companies have to spend a lot of resources trying to block these bad actors,” she said. “I appreciate that these companies are ultimately standing up for the human rights of these users. But what comes out clearly from the complaint is [Apple has] also had a financial interest in stopping this arms race situation and protecting their own bottom line and the amount of money they need to try to deal with these malicious programs,” Cohn said.

EFF is an unlikely cheerleader for Apple; it has been very critical of the company for its own monitoring efforts.

Over the past few months, the digital rights group has been protesting against Apple’s new system for scanning users’ devices for child sexual abuse material. In September, the EFF flew a protest banner over Apple’s headquarters in Cupertino, California, urging the company to stop scanning users’ iPhones.

“They still do things we do not like, but now they are finally doing something we like,” said Cohn. “So it’s a much better way to start the holiday by praising them instead of complaining about them.”

Copyright © 2021 IDG Communications, Inc.
