Apple sues Pegasus-maker for targeting its users

Apple files lawsuit against NSO Group, says US citizens were targets

Apple is also asking for unspecified damages for the time and cost to deal with what the company argues is NSO’s abuse of its products

Apple sued the NSO Group, the Israeli surveillance company, in federal court on Tuesday, another setback for the beleaguered firm and the unregulated spyware industry.

The lawsuit is the second of its kind — Facebook sued the NSO Group in 2019 for targeting its WhatsApp users — and represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools.

Apple, for the first time, seeks to hold NSO accountable for what it says was the surveillance and targeting of Apple users. Apple also wants to permanently prevent NSO from using any Apple software, services or devices, a move that could render the company’s Pegasus spyware product worthless, given that its core business is to give NSO’s government clients full access to a target’s iPhone or Android smartphone.

Apple is also asking for unspecified damages for the time and cost to deal with what the company argues is NSO’s abuse of its products. Apple said it would donate the proceeds from those damages to organizations that expose spyware.

Since NSO’s founding in 2010, its executives have said that they sell spyware to governments only for lawful interception, but a series of revelations by journalists and private researchers have shown the extent to which governments have deployed NSO’s Pegasus spyware against journalists, activists and dissidents.

Apple executives described the lawsuit as a warning shot to NSO and other spyware makers. “This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter,” Ivan Krstic, head of Apple security engineering and architecture, said Monday.

The NSO Group has dealt with a series of critical setbacks. Earlier this month, the Biden administration, in a notable breach with Israel, blacklisted NSO and Candiru, another Israeli surveillance company, saying that they supplied spyware to foreign governments that used it to target the phones of journalists, dissidents, human rights activists and others.

The ban, which means that no American organization can work with NSO, is the strongest step any United States administration has taken to bring the global marketplace for spyware to heel.

The Israeli government, which approves any sale of NSO’s software to foreign governments and considers the software a critical foreign policy tool, is lobbying the US to remove the ban on NSO’s behalf. NSO has said it would fight the ban, but the executive set to take over NSO Group quit after the business was blacklisted, the company said.

One week after the federal ban, the 9th US Circuit Court of Appeals rejected NSO Group’s motion to dismiss Facebook’s lawsuit. The Israeli firm had argued that it “could claim foreign sovereign immunity.” A 3-0 decision by the court rejected NSO’s argument and allowed Facebook’s lawsuit to proceed.

Those developments helped pave the way for Apple’s lawsuit against NSO on Tuesday. Apple first found itself in NSO’s crosshairs in 2016, when researchers at Citizen Lab, a research institute of the Munk School of Global Affairs at the University of Toronto, and Lookout, the San Francisco mobile security company now owned by BlackBerry, discovered that NSO’s Pegasus spyware was taking advantage of three security vulnerabilities in Apple products to spy on dissidents, activists and journalists.

NSO’s spyware gave its government clients access to the full contents of a target’s phone, allowing agents to read a target’s text messages and emails, record phone calls, capture sounds and footage off their cameras and trace their whereabouts.

Internal NSO documents, leaked to The New York Times in 2016, showed that the company charged government agencies $650,000 to spy on 10 iPhone users — along with a half-million dollar setup fee. Government agencies in the United Arab Emirates and Mexico were among NSO’s early customers, the documents showed.

Those revelations led to the discovery of NSO’s spyware on the phones of human rights activists in the UAE and journalists, activists and human rights lawyers in Mexico — even their teenage children living in the United States.

NSO said that it would investigate any accusations of abuse, but further revelations showed that it did not stop those governments from continuing to misuse NSO’s spyware.

An opening for Apple’s lawsuit emerged in March after NSO’s Pegasus spyware was discovered on the iPhone of a Saudi activist. Citizen Lab discovered that NSO’s Pegasus spyware had infected the iPhone without so much as a click. The spyware could invisibly infect iPhones, Mac computers and Apple Watches, then siphon their data back to government servers, without the target knowing about it.

Citizen Lab called the zero-click infection scheme “Forced Entry” and passed a sample of it to Apple in September. The discovery compelled Apple to issue emergency software updates for its iPhones, iPads, Apple Watches and Mac computers.

The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”

The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

“This was in flagrant violation of our terms of service and our customers’ privacy,” said Heather Grenier, Apple’s senior director of commercial litigation. “This is our stake in the ground, to send a clear signal that we are not going to allow this type of abuse of our users.”

After filing its lawsuit Tuesday, Apple said it would offer free technical, threat intelligence and engineering assistance to Citizen Lab and other organizations engaged in rooting out digital surveillance. Apple also said it would donate $10 million, and any damages, to those organizations.
