MacRumors

macrumors bot
Original poster


Apple has dealt a blow against spyware maker NSO Group and the Israeli firm's efforts to move Apple's lawsuit against it to its home country. Apple in November 2021 sued the group and its parent company with the aim of holding it accountable for targeting Apple users with spyware used for surveillance purposes.

Judge Donato denied NSO's motion to dismiss Apple's case "in all respects," and rejected the group's arguments that Apple should be required to bring its lawsuit to Israel, deciding instead that the case will proceed in the United States.

The court also ruled that Apple had adequately alleged that NSO violated the Computer Fraud and Abuse Act (CFAA) and California’s Unfair Competition Law, breached its contract with Apple, and that NSO unjustly enriched itself at the expense of Apple and its users.

In the lawsuit, Apple offers up information on how NSO Group infiltrated the devices of iPhone owners and how it utilized the Pegasus spyware to do so. Apple is asking for a permanent injunction that would ban NSO Group from using Apple software, services, or devices.

An Apple spokesperson said the victory meant that Apple could proceed in U.S. court to hold NSO accountable and continue to protect Apple's users, products, and infrastructure from hacker groups like NSO.

NSO Group created invasive spyware known as "Pegasus" that was sold to various world governments and was used to access the devices of journalists, lawyers, and human rights activists.

Apple has been working on fixing exploits and has addressed major Pegasus-related hacks in updates to its software since iOS 14.6. In addition to filing a lawsuit against NSO Group, Apple plans to contribute $10 million to organizations pursuing cybersurveillance research and advocacy.

"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability," said Apple's software engineering chief Craig Federighi in 2021. "That needs to change."

NSO will have to answer Apple's complaint in a U.S. court by February 14, 2024.

Article Link: Apple Wins Early Victory Against Spyware Maker NSO Group in Court
 
NSO group wouldn't be in business if these giant corporations actually paid reasonable bounties to white hat hackers for serious vulnerabilities.

For example, for a "Zero-click kernel code execution with persistence and kernel PAC bypass" Apple pays $100K to $1M. If you bring something like that to NSO group (or other even shadier operators) you can easily get ten times that amount.

Sure, $100K to $1M isn't peanuts by any means, but only so many of those chains exist and finding them is hard work and is often based on months of work from several talented researchers.
 
I have two nationalities and in both countries Pegasus has been used against independent journalists and the political opposition. Even artists have been targeted.

One of said countries is descending into a dictatorship, Pegasus has been used and abused for the most perverse means against civil society and democracy. I really hope Apple wins this lawsuit.
 
Whilst the article mentions the spyware has been used against journalists, I have no doubt that journalists have used the exact same software against those who are high up in the public domain, basically royalty, politicians and those in the entertainment business, actors, actresses and musicians.
 
This feels like the craziness of suing gun manufacturers for murder.

Go after the user, not the tool. There are legal applications for the software. Further, if governments are buying it, then they feel, for better or worse, that it would be legal for law enforcement.

Going after the manufacturer seems a legal stretch. I’d be surprised to see how the courts view this because you know it’s going to be appealed either way.
 
This feels like the craziness of suing gun manufacturers for murder.

Go after the user, not the tool. There are legal applications for the software. Further, if governments are buying it, then they feel, for better or worse, that it would be legal for law enforcement.

Going after the manufacturer seems a legal stretch. I’d be surprised to see how the courts view this because you know it’s going to be appealed either way.
They make a tool with a specific purpose of violating privacy and stealing private information, and sell it to known bad actors. Their business model necessarily leads to kidnapping, imprisonment, torture, and murder. They knowingly profit from this. So cry me a river. If a pharma company intentionally makes a profit at the expense of innocent people, they should be held accountable when it ruins lives and whole communities. If a tobacco company intentionally lies and obfuscates the health effects of smoking, they should be held accountable when it starts affecting people who don't even smoke. If a gun maker intentionally markets to insecure and violent gravy seals, they should be held accountable when classrooms get massacred.
 
This feels like the craziness of suing gun manufacturers for murder.

Go after the user, not the tool. There are legal applications for the software. Further, if governments are buying it, then they feel, for better or worse, that it would be legal for law enforcement.

Going after the manufacturer seems a legal stretch. I’d be surprised to see how the courts view this because you know it’s going to be appealed either way.
The problem with companies like NSO is they claim to only work with governments and law enforcement. Even if this is true, both of those can be bad actors - NSO has helped repressive governments spy on journalists and opposition party members, and helped law enforcement go around pesky restrictions like warrants.
 
They make a tool with a specific purpose of violating the privacy and stealing private information, and sell it to known bad actors. Their business model necessarily leads to kidnapping, imprisonment, torture, and murder. They knowingly profit from this. So cry me a river. If a pharma company intentionally makes a profit at the expense of innocent people, they should be held accountable when it ruins lives and whole communities. If a tobacco company intentionally lies and obfuscates the health effects of smoking, they should be held accountable when it starts affecting people who don't even smoke. If a gun maker intentionally markets to insecure and violent gravy seals, they should be held accountable when classrooms get massacred.
And they sell a tool that its sole purpose is to kill... and the same as guns that can be used for protection the NSO tool is not publicly available they sell it to countries so that they will be able to fight criminals... unfortunately like guns... even countries can use it the wrong way and start war...
 
The problem with companies like NSO is they claim to only work with governments and law enforcement. Even if this is true, both of those can be bad actors - NSO has helped repressive governments spy on journalists and opposition party members, and helped law enforcement go around pesky restrictions like warrants.
If the gun manufacturer was also the gun operator I would say you're right... even if it's gun for hire... so in NSO case, if NSO both developed and operated the system for a country I would say you're right... but all NSO is doing to the best of my knowledge is providing a tool that police can use to tap into someone's phone... this is not new practice just new modern capabilities
 
And they sell a tool that its sole purpose is to kill... and the same as guns that can be used for protection the NSO tool is not publicly available they sell it to countries so that they will be able to fight criminals... unfortunately like guns... even countries can use it the wrong way and start war...
Oh well, nothing to be done I guess. After a mass shooting, at least we'll be able to get into the shooter's phone.
 
This feels like the craziness of suing gun manufacturers for murder.

Go after the user, not the tool. There are legal applications for the software. Further, if governments are buying it, then they feel, for better or worse, that it would be legal for law enforcement.

Going after the manufacturer seems a legal stretch. I’d be surprised to see how the courts view this because you know it’s going to be appealed either way.

I see it as going after the source of the drugs instead of the dealer.
 
Apple should lose the case but as it's being tried in the US, Apple wins a lot more of its cases than it loses in my opinion. NSO Group provides a tool for others to use. If the tool is misused then that is not NSO problem. Apple should be going after the abusers of the tool, not the makers of the tool. There are companies that make listening devices, surveillance devices, monitoring devices that are designed to be hidden, all such devices that can be misused but do the manufacturers of such devices ever get sued? No, because what they are doing is perfectly legal. If the devices are used for the wrong reasons or misused then the issue is with those misusing the device. Therefore Apple by rights should lose this case but as it is being tried in Apple's backyard I doubt they will lose this one.
 


This is an important case well beyond Apple's complaint. Israel is an ally of the United States and yet they have encouraged these rogue Mossad agents in their private enterprise. The Pegasus software has been sold to many authoritarian regimes who are clearly not allies of the US or Israel. The targeting of journalists, dissidents and other civilians is akin to the rise of the new Soviet Union under Putin. NSO needs to be made an example of and forced into the court of law and made to pay a price and the court of public opinion and admonished as an adversary.
 
They make a tool with a specific purpose of violating privacy and stealing private information, and sell it to known bad actors. Their business model necessarily leads to kidnapping, imprisonment, torture, and murder. They knowingly profit from this. So cry me a river. If a pharma company intentionally makes a profit at the expense of innocent people, they should be held accountable when it ruins lives and whole communities. If a tobacco company intentionally lies and obfuscates the health effects of smoking, they should be held accountable when it starts affecting people who don't even smoke. If a gun maker intentionally markets to insecure and violent gravy seals, they should be held accountable when classrooms get massacred.

This just further pushes the misguided notion of removing personal accountability. People need to stop blaming everything and everyone else and start looking in the mirror to address their problems.

The problem with companies like NSO is they claim to only work with governments and law enforcement. Even if this is true, both of those can be bad actors - NSO has helped repressive governments spy on journalists and opposition party members, and helped law enforcement go around pesky restrictions like warrants.

True. But then again, should we shut down all hacking tools and conferences because not everyone works for the good guys? A knife can be used for surgery or as a murder weapon.

I see it as going after the source of the drugs instead of the dealer.

Except that what they sell is not illegal. It’s all dependent on how it’s used.


I know in the modern world, many people disagree, but I believe very strongly in the need of furthering, personal accountability. As a society, we must stop blaming everything on everyone else.

I see this software as remarkably similar to the Lock Picking Lawyer. What LPL teaches can very well be used for nefarious activities, yet no one is suggesting we sue him and shut down his YouTube channel.
 
A court can stop the company from selling their product, that’s all. The vulnerabilities still exist and sophisticated actors can exploit the vulnerabilities secretly.

So, not knowing about spying makes everyone happier? Sheesh.
 
I know in the modern world, many people disagree, but I feel very strongly in the need of furthering, personal accountability. As a society, we stop blaming everything on everyone else.

This personal accountability stance is weird when:
Further, if governments are buying it, then they feel, for better or worse, that it would be legal for law enforcement.
So, governments have no accountability for how it is used, because they deem it legal?
 
This just further pushes the misguided notion of removing personal accountability. People need to stop blaming everything and everyone else and start looking in the mirror to address their problems.
Who said individuals aren't accountable for their own actions? And why's it always got to be about personal accountability, but never corporate accountability?
 
NSO group wouldn't be in business if these giant corporations actually paid reasonable bounties to white hat hackers for serious vulnerabilities.

For example, for a "Zero-click kernel code execution with persistence and kernel PAC bypass" Apple pays $100K to $1M. If you bring something like that to NSO group (or other even shadier operators) you can easily get ten times that amount.

Sure, $100K to $1M isn't peanuts by any means, but only so many of those chains exist and finding them is hard work and is often based on months of work from several talented researchers.
I still remember some interviews during pwn2own where the contestants said that it was surprising that Apple didn't see some of the vulnerabilities because they were so simple.

Apple has the money, but Apple doesn't like to part with money.
 
A court can stop the company from selling their product, that’s all. The vulnerabilities still exist and sophisticated actors can exploit the vulnerabilities secretly.

So, not knowing about spying makes everyone happier? Sheesh.
The court can also award damages, which could be extensive.
Yeah, the spying, and against whom it's directed to date, is evil.
 