SAN FRANCISCO — Apple sued the NSO Group, the Israeli surveillance company, in federal court on Tuesday, another setback for the beleaguered firm and the unregulated spyware industry.
The lawsuit is the second of its kind — Facebook sued the NSO Group in 2019 for targeting its WhatsApp users — and represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools.
Apple, for the first time, seeks to hold NSO accountable for what it says was the surveillance and targeting of Apple users. Apple also wants to permanently prevent NSO from using any Apple software, services or devices, a move that could render the company’s Pegasus spyware product worthless, given that its core business is to give NSO’s government clients full access to a target’s iPhone or Android smartphone.
Apple is also asking for unspecified damages for the time and cost to deal with what the company argues is NSO’s abuse of its products. Apple said it would donate the proceeds from those damages to organizations that expose spyware.
Since NSO’s founding in 2010, its executives have said that they sell spyware to governments only for lawful interception, but a series of revelations by journalists and private researchers have shown the extent to which governments have deployed NSO’s Pegasus spyware against journalists, activists and dissidents.
Apple executives described the lawsuit as a warning shot to NSO and other spyware makers. “This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter,” Ivan Krstic, head of Apple security engineering and architecture, said in an interview on Monday.
The NSO Group has dealt with a series of critical setbacks. Earlier this month, the Biden administration, in a notable breach with Israel, blacklisted NSO and Candiru, another Israeli surveillance company, saying that they supplied spyware to foreign governments that used it to target the phones of journalists, dissidents, human rights activists and others.
The ban, which means that no American organization can work with NSO, is the strongest step any American administration has taken to bring the global marketplace for spyware to heel.
The Israeli government, which approves any sale of NSO’s software to foreign governments and considers the software a critical foreign policy tool, is lobbying the United States to remove the ban on NSO’s behalf. NSO has said it would fight the ban, but the executive set to take over NSO Group quit after the business was blacklisted, the company said.
One week after the federal ban, the United States Court of Appeals for the Ninth Circuit rejected NSO Group’s motion to dismiss Facebook’s lawsuit. The Israeli firm had argued that it “could claim foreign sovereign immunity.” A 3-0 decision by the court rejected NSO’s argument and allowed Facebook’s lawsuit to proceed.
Those developments helped pave the way for Apple’s lawsuit against NSO on Tuesday. Apple first found itself in NSO’s cross hairs in 2016, when researchers at Citizen Lab, a research institute of the Munk School of Global Affairs at the University of Toronto, and Lookout, the San Francisco mobile security company now owned by BlackBerry, discovered that NSO’s Pegasus spyware was taking advantage of three security vulnerabilities in Apple products to spy on dissidents, activists and journalists.
NSO’s spyware gave its government clients access to the full contents of a target’s phone, allowing agents to read a target’s text messages and emails, record phone calls, capture sounds and footage off their cameras and trace their whereabouts.
Internal NSO documents, leaked to The New York Times in 2016, showed that the company charged government agencies $650,000 to spy on 10 iPhone users — along with a half-million dollar setup fee. Government agencies in the United Arab Emirates and Mexico were among NSO’s early customers, the documents showed.
Those revelations led to the discovery of NSO’s spyware on the phones of human rights activists in the U.A.E. and journalists, activists and human rights lawyers in Mexico — even their teenage children living in the United States.
NSO said it would investigate any accusations of abuse, but further revelations showed that it did not stop those governments from continuing to misuse NSO’s spyware.
Understand the Facebook Papers
An opening for Apple’s lawsuit emerged in March, after NSO’s Pegasus spyware was discovered on the iPhone of a Saudi activist. Citizen Lab discovered that NSO’s Pegasus spyware had infected the iPhone without so much as a click. The spyware could invisibly infect iPhones, Mac computers and Apple Watches, then siphon their data back to government servers, without the target knowing about it.
Citizen Lab called the zero-click infection scheme “Forced Entry” and passed a sample of it to Apple in September. The discovery compelled Apple to issue emergency software updates for its iPhones, iPads, Apple Watches and Mac computers.
The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”
The clause helped Apple bring its lawsuit against NSO in the Northern District of California.
“This was in flagrant violation of our terms of service and our customers’ privacy,” said Heather Grenier, Apple’s senior director of commercial litigation. “This is our stake in the ground, to send a clear signal that we are not going to allow this type of abuse of our users.”
After filing its lawsuit Tuesday, Apple said it would offer free technical, threat intelligence and engineering assistance to Citizen Lab and other organizations engaged in rooting out digital surveillance. Apple also said it would donate $10 million, and any damages, to those organizations.
Digital rights experts said Apple’s suit threatened NSO’s survival. “NSO is now poison,” said Ron Deibert, director of Citizen Lab. “No one in their right mind will want to touch that company. But it’s not just one company, this is an industrywide problem.”
He added that the suit could be a step toward more oversight of the unregulated spyware industry.
“Steps like this are useful, but incomplete,” Mr. Deibert said. “We need more action by governments.”