>0) The defendant's can be sued under California law because they accepted the EULA
The Court has personal jurisdiction over Defendants because, on information
and
belief, they created more than one hundred Apple IDs to carry out their
attacks and also agreed to
Apple’s iCloud Terms and Conditions (“iCloud Terms”), including a mandatory
and enforceable
forum selection and exclusive jurisdiction clause that constitutes express
consent to the jurisdiction
of this Court.7
I'm not a legal expert but shouldn't that be stupidly easy to deny?
Judge: did you, NSO agree to the Terms and conditions by pressing "I Agree"
NSO representative: No, Your honor.
Apple Lawyer: Then how did you gain access to my clients services?
NSO Rep: A totally unrelated third party gave us 100 unlocked iPhones as a free gift. We never saw the terms and conditions, nor agreed to them. We can fully prove our claims. [edit: (fully proves his claims)]
Apple Lawyer: (spluttering) but... but... but...
Judge: (bangs gavel) case dismissed!
This is assuming NSO were far- sighted enough to actually create such a paper trail. Also, since Apple is disputing more then 100 accounts, maybe such a defence would be ruled as improbable, or some other legal jargon. Maybe someone better informed can chip in.
Nerds always want to interpret the law in some strict pedantic fashion, but in practice this is almost never how it works. Law is not applied stupidly or mechanically, you can't fashion yourself some ad hoc workaround unless you're extremely certain about what you're doing, preferably with a mountain of precedent behind you.
How does that seem pedantic? It's incredibly straightforward.
On the other hand, creating some kind of convoluted, contrived paper trail to claim that mysterious third parties were the ones to have physically pressed the "Accept" button on your 100 fake accounts and so you didn't even know there was a EULA seems kind of like it might actually be fraud.
In addition, it doesn't survive past the moment it is discussed in court documents, at which point NSO are screwed if they ever pull the same shit again.
A full paper trail would also necessarily disclose the entity that provided those devices, which they may well be loathe to do (since it either drags in a related company, who Apple can then also target, or embarrasses a third party who would rather remain nameless).
However, in practice, a technology engineering firm claiming to have no knowledge of the licensing that applies to the devices in which they also claim expertise, is such a far-fetched statement that it's almost trivially set aside, and earns a rebuke from the bench to boot.
I don’t see how this differs much from a common “clean room” reverse engineering strategy where one set of engineers accepts the eula and then writes down in excruciating detail exactly how the target item works, then a second set of engineers that have never seen the item in question (or accepted a eula) takes these detailed writings and uses them to reverse engineer the item in question. (A mere description of a device or software is not protected)
This is standard practice at large companies when reverse engineering chips, devices and software and seems very similar to the above eula argument.
1a. one team examines the device and products a detailed specification of it
1b. another team works solely off that newly produced specification; this team has zero contact with the actual device
In this hypothetical case:
2a. a third party affiliate accepts the Apple EULA, and gives the Apple IDs to NSO Group
2b. NSO Group uses the Apple IDs as credential to obtain Apple services
Notice that in case 2b, NSO Group has actual contact with Apple in two ways. They used Apple IDs, and that they obtain Apple services. This didn't happen in the reverse engineering case.
Wouldn't there be an article in the EULA that states if you use an Apple device, regardless of clicking buttons, you automatically consent to the ToS? Or is that not how the law works ...?
Yes, American companies love to stack the deck against their users when it comes to selecting venue, but at the same time balk when the EU requires that they have an EU anchor to allow legal enforcement.
Speaking as someone who’s been on the unfortunate wrong end of it, the law is applied stupidly and mechanically. All the time. That’s the default. The judge will go to great pains to super pedantically apply the rule of the law, regardless of common sense and believe it or not in most cases also regardless of common sense.
As it should be. It doesn’t always work well for all circumstances, but we don’t have a better system
Irrespective of your personal experience, the law is nevertheless still not a programming language, thankfully.
However, "common sense" is also not how it works, so sure, when people rely on what they expect "common sense" to mean, then they too get screwed (the meaning of "common sense" after all varying dramatically from person to person).
Law has its own principles, philosophy, and practices, that's all. And judges, especially senior judges, do not like it one iota when folks try to circumvent the meaning, substance, and purpose of these elements.
This isn't the case everywhere. In some countries it is the intent of the law that matters, in others it is the letter of the law, in some a mix of both.
Nerds always want the law to be consistent. Lawyers are Machiavellian professionals trained in getting it to say "heads I win tails you lose" for their clients, and often succeed.
That doesn't mean the nerds are wrong to want what they want.
No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms. They expect it to be some sort of API spec that can be mechanically manipulated. Their own efforts at such intellectual mechanics are nothing but a trail of tears and failure, with bug after bug making a mockery of any claim they have about the benefits of such a system. Law has had millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people; coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions? Hard pass.
> No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms.
People have a pretty good idea of its mechanisms.
Powerful people break laws that are clear enough and then don't go to jail because of "prosecutorial discretion" or Johnnie Cochran or retroactive telecoms immunity for illegal mass surveillance.
Powerless people break laws that are ambiguous, or most people don't even know exist, or people know exist but they're only enforced against the nameless and poor, and the US has the largest prison population in the world.
This outcome is your great victory for "millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people"?
> trail of tears
Really?
> coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions?
We already have code running when it comes to actual life and death decisions. There is code running in aircraft and heart bypass machines, and it works, because then people care that it works. Nobody cares enough that some ad tracking code is perfectly reliable and efficient, so it isn't.
You're also asking for a double standard. The OpenBSD people do a nice job on OpenSSH. It's pretty good, not perfect. There have been vulnerabilities in even that. Then they get patched.
But you can't possibly be claiming that there are no "vulnerabilities" in the law. If that was the case then why do they have to keep passing new ones every year? The ask isn't that it never change, it's that it be changed by the legislature prospectively instead of being in a constant state of superposition until it's resolved by a court ex post facto.
That is why they included an alternative count of unjust enrichment. In the case the defense proves they never agreed to the user/license agreement then they will have also proven that they obtained Apple's software and accessed Apples services without a license and used them for their own profit and to Apples determent. Thereby unjustly enriching themselves.
The burden of proof should fall on Apple in an ideal world. Maybe a court ruling that one stupid checkbox at the end of a digital 10,000 word document isn't sufficient proof might be a good idea?
> The burden of proof should fall on Apple in an ideal world
It does, but its not an element of a crime being proven, so the burden isn't “beyond a reasonable doubt”, but (as for most things in a civil case, though sometimes other standards apply) “preponderance of the evidence", for which you need to convince the court that, based on the evidence provided, the facts you need are more likely than not to be true.
It does, but this is what the discovery process is for. If NSO wants to claim that they somehow got these accounts without agreeing to the EULA process themselves, Apple is going to request and the judge is going to approve a discovery request for NSO to turn over every record they have related to the accounts, when and how they were obtained, and who obtained them for NSO. If NSO wants to pretend that they have no such records, didn’t get the accounts themselves, and don’t know what third party obtained them, they’re going to get a very skeptical response from the judge, and they’re probably going to have to send a bunch of employees to go make statements that in addition to not having any records, none of them remember how this happened either. That’s probably the point at which Apple reveals that really they know via IP addresses or geolocation or something that all of the accounts were registered in an office building occupied by NSO, and then NSO gets sanctioned to hell and a bunch of employees are revealed to have lied in their testimony. That’s an absolute nightmare scenario for NSO.
When they say "No your honor" they would then have a charge of perjury added to the other charges. The apple lawyer doesn't say "Then how did you gain access to my client's services?" (because litigation 101 teaches you never ask a question you don't know the answer to).
...the lawyer enters into evidence the logs showing you accepting the EULA.
> Judge: did you, NSO agree to the Terms and conditions by pressing "I Agree"
> NSO representative: No, Your honor.
IANAL, but the general understanding is: "Ignorance is not a defence". If your legal advisors did not flag this up then I think you are probably entitled to ask for your money back when Apple kicks your butt.
If we are all quibbling over the wording used in a hypothetical case, then I wonder what's going to happen when the lawyers get going with the real one.
I think that a much stronger argument here goes like this.
A developer accepted those terms of services. That developer is not authorized to accept contracts / deals for the company as a whole.
The issue here is that a single employee (which may carry out an unauthorized action) is unlikely to create a binding contract for a company.
Otherwise, by the same token, NSO can create a EULA that says that a use of their software requires 100 millions USD / month cost. Get an Apple employee to agree to that (probably unknowingly) and sue Apple for that amount, since their employee "agreed" to that.
Wouldn’t hold up. Otherwise you can just create fall guys/gals and never deal with fallout. There are certainly some circumstances like corporations aren’t held liable for murder of some employee, but if the employee was doing it on the factory floor they absolutely could get sued for it. Unfortunately it’s not clear cut, but generally if you’re doing something on or with company property, during work duty hours (these hours are always stated on corporate handbooks even for startups), and/or it’s during course of business you can and will get held liable for the employee’s actions.
The $100mm example you have would just get thrown out in court because it would be deemed unreasonable, even if Apple was ultimately responsible and the employee was acting as a representative of the company or on behalf of the company. Otherwise why can’t I just get a buddy to set up some random service and then have (let’s say I work at Apple) me sign a contract saying that Apple will give all of its corporate property and money to this contract for the rate of $5/month so this random service can “manage it” or something? Whoops guess Apple agreed to that!
> they created more than one hundred Apple IDs to carry out their attacks
Maybe the most interesting thing about this is how it proves that their code signing system is worthless. If the same bad actor can get a hundred Apple IDs to sign literal malware with, why are they imposing this burden on random small developers?
>50. On information and belief, Defendants created more than one hundred Apple IDs
using Apple’s systems to be used in their deployment of FORCEDENTRY
>51. On information and belief, after obtaining Apple IDs, Defendants executed the FORCEDENTRY exploit first by using their computers to contact Apple servers in the United States and abroad to identify other Apple devices. Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target.
The EULA is used to establish jurisdiction, and for the separate breach of contract claim. Apple has servers around the world, without the EULA the jurisdiction isn't necessarily obvious.
They are throwing the CFAA at then. However, the CFAA is an American law, which would be challenging to apply in a foreign court. So they are using the EULA to sue in California. It’s all in the article.
Judge: did you, NSO agree to the Terms and conditions by pressing "I Agree"
NSO representative: No, Your honor.
Apple Lawyer: Then how did you gain access to my clients services?
NSO Rep: A totally unrelated third party gave us 100 unlocked iPhones as a free gift. We never saw the terms and conditions, nor agreed to them. We can fully prove our claims. [edit: (fully proves his claims)]
Apple Lawyer: (spluttering) but... but... but...
Judge: (bangs gavel) case dismissed!
This is assuming NSO were far- sighted enough to actually create such a paper trail. Also, since Apple is disputing more then 100 accounts, maybe such a defence would be ruled as improbable, or some other legal jargon. Maybe someone better informed can chip in.