Israeli-based spyware firm seeks to dismiss Apple suit

Apple Inc. is battling Israeli-based technology firm NSO Group Technologies Ltd. and its parent company Q Cyber Technologies Ltd., the companies behind the FORCEDENTRY exploit in September 2021 that allowed NSO's Pegasus spyware to access Apple users' devices without requiring user interaction.

Joseph N. Akrotirianakis of King & Spalding LLP represents NSO Group and filed the company's motion to dismiss Thursday. He did not respond to requests for comment. NSO says the matter belongs in Israeli, not U.S. courts, and that the company, as an agent of foreign governments that combats terrorism, has immunity from the lawsuit.

In its complaint, Apple called NSO Group "amoral 21st century mercenaries" who "design, develop, sell, deliver, deploy, operate and maintain offensive and destructive malware and spyware products" that have been used to target Apple, its products and its users.

Specifically, the Nov. 23 complaint said, government officials, journalists, business people, activists, academics and many U.S. citizens have been targets of the spyware tactic known as a "zero-click" exploit.

Apple is seeking compensation for alleged violations of federal and state law and security attacks against Apple and its users arising from the FORCEDENTRY exploit and Pegasus spyware. Apple also seeks a permanent injunction restraining NSO from creating or distributing any more spyware or malware on Apple devices or software, preventing NSO from accessing or using any Apple products or services and requiring NSO to delete all information NSO gained from Apple users. In addition it asks that NSO be made to identify which entities received that information as well as a record of NSO's allegedly ill-gotten profits and disgorgement in the form of compensatory and punitive damages.

The matter is before U.S. District Judge James Donato in San Francisco. Apple Inc. v. NSO Group Technologies Ltd. et al., 3:21-cv-09078, (N.D. Cal., filed Nov. 23, 2021).

Benjamin A. Powell, David W. Bowker, Molly M. Jennings and Sonal N. Mehta of Wilmer Cutler Pickering Hale and Dorr LLP represent Apple and did not respond to requests for comment Friday.

"NSO's products are not ordinary consumer malware," Apple's counsel wrote in the complaint. "They permit attacks, including from sovereign governments that pay hundreds of millions of dollars to target and attack a tiny fraction of users with information of particular interest to NSO's customers. Average consumers are not of interest to or attacked by NSO or its customers."

The tech firm points to the U.S. Commerce Department's Nov. 3 announcement adding NSO to the Entity List for Malicious Cyber Activities, in which the government body said NSO "enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent." The decision is "based on evidence that [NSO] developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers," the announcement asserted.

Apple also referenced a Guardian article which reported Dublin-based human rights organization Front Line Defenders discovered six Palestinian human rights defenders, one of whom is a U.S. citizen, were victims of NSO spyware. According to Apple, the U.S. government has also imposed sanctions on NSO, prohibiting NSO from receiving any U.S. exports of hardware or software.

NSO contends in court filings that it "designs and markets a highly regulated technology to government agencies for uses such as counterterrorism and investigating serious crimes." It alleges Apple devices are used as "cloaks for nefarious criminals who only care about privacy to the extent their illegal, dangerous actions are concealable." It referenced the December 2015 San Bernardino terror attack, after which the Federal Bureau of Investigation requested Apple unlock the shooters' phones to determine if there were additional threats to national security they could discover but the tech firm refused to cooperate. NSO accuses Apple of attempting to "prevent law enforcement and national security agencies of governments from enlisting contractors to develop technical solutions to do so, as the FBI did."

The company also said it is heavily regulated by Israeli law, is licensed by the Israeli Ministry of Defense and goes above and beyond to follow regulations by conforming to U.S. and European Union export control restrictions, including having end-users sign certificates saying NSO products will be used only to investigate terrorism and serious crimes and having region-locking safeguards, preventing their use against devices located within U.S. borders.

Apple asserted that NSO technology had been used against U.S. citizens and NSO spyware can and has crossed international borders.

Akrotirianakis asserted that Apple's suit has no standing because NSO did not cause any harm to Apple and Apple cannot sue NSO using the Computer Fraud and Abuse Act because Apple did not allege NSO accessed any computers owned by Apple. Even if Apple can prove NSO accessed Apple's operating system on users' devices, an operating system does not constitute a computer, Apple does not own its users devices and Apple cannot prove it suffered any damages or loss, therefore Apple's claim is invalid, he said.

Furthermore, Akrotirianakis wrote NSO is immune from suit because it is "an agent of foreign governments" and the conduct plaintiff is alleging has "no significant relationship to California, and Israeli courts would be an adequate forum for this action."

Apple argued that in carrying out attacks, NSO created over 100 Apple ID accounts, which requires agreeing to Apple's iCloud terms and conditions. Those conditions include an agreement that "the relationship between you and Apple shall be governed by the laws of the State of California, excluding its conflicts of law provisions" and that "[y]ou ... agree to submit to the personal and exclusive jurisdiction of the courts located within the county of Santa Clara, California, to resolve any dispute or claim arising from this Agreement." Moreover, Apple claims that California courts have jurisdiction because defendants did business in California and their conduct involved Apple servers and services, which are primarily located in California.

Akrotirianakis contends that Apple cannot identify any unlawful conduct NSO committed in California and "the alleged happenstance that messages allegedly sent from foreign countries to foreign countries happened to pass through Apple servers in California does not establish that NSO committed any of its alleged conduct with California borders," he said.

If any claims exist, he said, they would be between Apple users and the governments that used NSO products, not NSO, Akrotirianakis said. He claimed NSO only provides "advice and technical support to assist its customers with setting up, as opposed to operating, NSO's technologies." The company has no part in how governments choose to use NSO products, in fact, export control licenses prohibit NSO from remote access for reasons aside from maintenance, he said.

Apple disagreed and pointed to a recent Ninth Circuit case, WhatsApp Inc. v NSO Group Technologies Ltd., 20-16408, (9th Cir., filed Nov. 8, 2021), in which the court held NSO and Q Cyber are not sovereigns and are not entitled to sovereign immunity.