COOLEY LLP
TRAVIS LEBLANC (251097) (tleblanc@cooley.com)
JOSEPH D. MORNIN (307766) (jmornin@cooley.com)
101 California Street, 5th floor
San Francisco, CA 94111-5800
Telephone: (415) 693-2000
Facsimile: (415) 693-2222

DANIEL J. GROOMS (D.C. Bar No. 219124) (pro hac vice forthcoming) (dgrooms@cooley.com)
1299 Pennsylvania Avenue, NW, Suite 700
Washington, DC 20004-2400
Telephone: (202) 842-7800
Facsimile: (202) 842-7899

Attorneys for Plaintiffs
WHATSAPP INC. and FACEBOOK, INC.

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

WHATSAPP INC., a Delaware corporation, and FACEBOOK, INC., a Delaware corporation,
Plaintiffs,
v.
NSO GROUP TECHNOLOGIES LIMITED and Q CYBER TECHNOLOGIES LIMITED,
Defendants.

Case No.

COMPLAINT

DEMAND FOR JURY TRIAL

COOLEY LLP
ATTORNEYS AT LAW
SAN FRANCISCO

Case 3:19-cv-07123-JSC Document 1 Filed 10/29/19 Page 2 of 15

Plaintiffs WhatsApp Inc. and Facebook, Inc. (collectively, “Plaintiffs”) allege the following against Defendants NSO Group Technologies Ltd. (“NSO Group”) and Q Cyber Technologies Ltd. (“Q Cyber”) (collectively, “Defendants”):

INTRODUCTION

1. Between in and around April 2019 and May 2019, Defendants used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices (“Target Devices”). Defendants’ malware was designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users (“Target Users”). Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices. Defendants’ actions were not authorized by Plaintiffs and were in violation of WhatsApp’s Terms of Service. In May 2019, Plaintiffs detected and stopped Defendants’ unauthorized access and abuse of the WhatsApp Service and computers.

2. Plaintiffs bring this action for injunctive relief and damages pursuant to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502, and for breach of contract and trespass to chattels.

PARTIES

3. Plaintiff WhatsApp Inc. (“WhatsApp”) is a Delaware corporation with its principal place of business in Menlo Park, California.

4. Plaintiff Facebook, Inc. (“Facebook”) is a Delaware corporation with its principal place of business in Menlo Park, California. Facebook acts as WhatsApp’s service provider for security-related issues.

5. Defendant NSO Group was incorporated in Israel on January 25, 2010, as a limited liability company. Ex. 1. NSO Group had a marketing and sales arm in the United States called WestBridge Technologies, Inc. Ex. 2 and 3. Between 2014 and February 2019, NSO Group obtained financing from a San Francisco–based private equity firm, which ultimately purchased a controlling stake in NSO Group. Ex. 4. In and around February 2019, NSO Group was reacquired by its founders and management. Id. NSO Group’s annual report filed on February 28, 2019, listed Defendant Q Cyber as the only active director of NSO Group and its majority shareholder. Ex. 5.

6. Defendant Q Cyber was incorporated in Israel on December 2, 2013, under the name L.E.G.D. Company Ltd. Ex. 6 and 7. On May 29, 2016, L.E.G.D. Company Ltd. changed its name to Q Cyber. Ex. 7. Until at least June 2019, NSO Group’s website stated that NSO Group was “a Q Cyber Technologies company.” Ex. 8. Q Cyber’s annual report filed on June 17, 2019, listed OSY Technologies S.A.R.L. as the only Q Cyber shareholder and active Director. Ex. 9.

7. At all times material to this action, each Defendant was the agent, partner, alter ego, subsidiary, and/or coconspirator of and with the other Defendant, and the acts of each Defendant were in the scope of that relationship. In doing the acts and failing to act as alleged in this Complaint, each Defendant acted with the knowledge, permission, and consent of each other; and, each Defendant aided and abetted each other.

JURISDICTION AND VENUE

8. The Court has federal question jurisdiction over the federal causes of action alleged in this Complaint pursuant to 28 U.S.C. § 1331.

9. The Court has supplemental jurisdiction over the state law causes of action alleged in this Complaint pursuant to 28 U.S.C. § 1367 because these claims arise out of the same nucleus of operative fact as Plaintiffs’ federal claims.

10. In addition, the Court has jurisdiction over all the causes of action alleged in this Complaint pursuant to 28 U.S.C. § 1332 because complete diversity between the Plaintiffs and each of the named Defendants exists, and because the amount in controversy exceeds $75,000.

11. The Court has personal jurisdiction over Defendants because they obtained financing from California and directed and targeted their actions at California and its residents, WhatsApp and Facebook. The claims in this Complaint arise from Defendants’ actions, including their unlawful access and use of WhatsApp computers, several of which are located in California.

12. The Court also has personal jurisdiction over Defendants because Defendants agreed to WhatsApp’s Terms of Service (“WhatsApp Terms”) by accessing and using WhatsApp. In relevant part, the WhatsApp Terms required Defendants to submit to the personal jurisdiction of this Court.

13. Venue is proper in this Judicial District pursuant to 28 U.S.C. § 1391(b), as the threatened and actual harm to WhatsApp and Facebook occurred in this District.

14. Pursuant to Civil L.R. 3-2(d), this case may be assigned to either the San Francisco or Oakland division because WhatsApp and Facebook are located in San Mateo County.

FACTUAL ALLEGATIONS

A. Background on Facebook

15. Facebook is a social networking website and mobile application that enables its users to create their own personal profiles and connect with each other on their personal computers and mobile devices. As of June 2019, Facebook daily active users averaged 1.59 billion and monthly active users averaged 2.41 billion.

16. In October 2014, Facebook acquired WhatsApp. At all times relevant to this action, Facebook has served as WhatsApp’s service provider, which entails providing both infrastructure and security for WhatsApp.

B. Background on WhatsApp

1. The WhatsApp Service

17. WhatsApp provides an encrypted communication service available on mobile devices and desktop computers (the “WhatsApp Service”). Approximately 1.5 billion people in 180 countries use the WhatsApp Service. Users must install the WhatsApp app to use the WhatsApp Service.

18. Every type of communication (calls, video calls, chats, group chats, images, videos, voice messages, and file transfers) on the WhatsApp Service is encrypted during its transmission between users. This encryption protocol was designed to ensure that no one other than the intended recipient could read any communication sent using the WhatsApp Service.

2. WhatsApp’s Terms of Service

19. Every WhatsApp user must create an account and agree and consent to WhatsApp’s Terms (available at https://www.whatsapp.com/legal?eea=0#terms-of-service).

20. The WhatsApp Terms stated that “You must use our Services according to our Terms and policies” and that users agreed to “access and use [WhatsApp’s] Services only for legal, authorized, and acceptable purposes.”

21. The WhatsApp Terms prohibited using the WhatsApp services in ways that (a) “violate, misappropriate, or infringe the rights of WhatsApp, our users, or others, including privacy;” (b) “are illegal, intimidating, harassing, . . . or instigate or encourage conduct that would be illegal, or otherwise inappropriate;” [or] . . . (e) “involve sending illegal or impermissible communications.”

22. The WhatsApp Terms prohibited users from “exploiting [WhatsApp’s] Services in impermissible or unauthorized manners, or in ways that burden, impair, or harm us, our Services, systems, our users, or others.” The Terms also required users to agree not to: “(a) reverse engineer, alter, modify, create derivative works from, decompile, or extract code from our Services; (b) send, store, or transmit viruses or other harmful computer code through or onto our Services; (c) gain or attempt to gain unauthorized access to our Services or systems; (d) interfere with or disrupt the safety, security, or performance of our Services; [or] . . . (f) collect the information of or about our users in any impermissible or unauthorized manner.”

23. The WhatsApp Terms prohibited users not just from personally engaging in the conduct listed above, but also from assisting others in doing so.

C. Background on NSO Group and Pegasus

24. Defendants manufactured, distributed, and operated surveillance technology or “spyware” designed to intercept and extract information and communications from mobile phones and devices. Defendants’ products included “Pegasus,” a type of spyware known as a remote access trojan. Ex. 10 and 11. According to Defendants, Pegasus and its variants (collectively, “Pegasus”) were designed to be remotely installed and enable the remote access and control of information—including calls, messages, and location—on mobile devices using the Android, iOS, and BlackBerry operating systems. Id.

25. On information and belief, in order to enable Pegasus’ remote installation, Defendants exploited vulnerabilities in operating systems and applications (e.g., CVE-2016-4657) and used other malware delivery methods, like spearphishing messages containing links to malicious code. Id.

26. According to media reports and NSO documents, Defendants claimed that Pegasus could be surreptitiously installed on a victim’s phone without the victim taking any action, such as clicking a link or opening a message (known as remote installation).[1] Id. Defendants promoted that Pegasus’s remote installation feature facilitated infecting victims’ phones without using spearphishing messages that could be detected and reported by the victims.

27. According to NSO Group, Pegasus could “remotely and covertly extract valuable intelligence from virtually any mobile device.” Id. Pegasus was designed, in part, to intercept communications sent to and from a device, including communications over iMessage, Skype, Telegram, WeChat, Facebook Messenger, WhatsApp, and others. Id. On information and belief, Pegasus was modular malware, which meant that it could be customized for different purposes, including to intercept communications, capture screenshots, and exfiltrate browser history and contacts from the device. Id.

28. Defendants used a network of computers to monitor and update the version of Pegasus implanted on the victims’ phones. Id. These Defendant-controlled computers relayed malware, commands, and data between a compromised phone, Defendants, and Defendants’ customers. This network served as the nerve center through which Defendants supported and controlled their customers’ operation and use of Pegasus. In some instances, Defendants limited the number of concurrent devices that their customers could compromise with Pegasus to 25. Ex. 11.

29. Defendants profited by licensing Pegasus and selling support services to their customers, which included Pegasus installation, monitoring, and training. Ex. 10 and 11. Defendants also offered technical support to customers using Pegasus to infect victims’ phones, including: (a) technical support by email and phone; and (b) remote troubleshooting by Defendants’ engineers through remote desktop software and a virtual private network. Id.

[1] See Financial Times, “Israel’s NSO: the business of spying on your iPhone” (May 14, 2019), available at https://www.ft.com/content/7f2f39b2-733e-11e9-bf5c-6eeb837566c5; Vice, “They Got Everything” (September 20, 2018), available at https://www.vice.com/en_us/article/qvakb3/inside-nso-group-spyware-demo.

D. Defendants Agreed to the WhatsApp Terms

30. Between January 2018 and May 2019, Defendants created and caused to be created various WhatsApp accounts and agreed to the WhatsApp Terms. Defendants’ employees and agents accepted and agreed to be bound by the Terms on behalf of Defendants.

31. At all times relevant to this Complaint, Defendants were bound by the WhatsApp Terms.

E. Defendants Accessed and Used Plaintiffs’ Servers Without Authorization and Infected Target Users’ Devices With Malware

1. Overview

32. Defendants took a number of steps, using WhatsApp servers and the WhatsApp Service without authorization, to send discrete malware components (“malicious code”) to Target Devices. First, Defendants set up various computer infrastructure, including WhatsApp accounts and remote servers, used to infect the Target Devices and conceal Defendants’ identity and involvement. Second, Defendants used and caused to be used WhatsApp accounts to initiate calls through Plaintiffs’ servers that were designed to secretly inject malicious code onto Target Devices. Third, Defendants caused the malicious code to execute on some of the Target Devices, creating a connection between those Target Devices and computers controlled by Defendants (the “remote servers”). Fourth, on information and belief, Defendants caused Target Devices to download and install additional malware—believed to be Pegasus or another remote access trojan developed by Defendants—from the remote servers for the purpose of accessing data and communications on Target Devices.

2. Defendants Set Up Computer Infrastructure Used to Infect the Target Devices

33. Between approximately January 2018 and May 2019, Defendants created WhatsApp accounts that they used and caused to be used to send malicious code to Target Devices in April and May 2019. The accounts were created using telephone numbers registered in different countries, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands.

34. Beginning no later than 2019, Defendants leased and caused to be leased servers and internet hosting services in different countries, including the United States, in order to connect the Target Devices to a network of remote servers intended to distribute malware and relay commands to the Target Devices. This network included proxy servers and relay servers (collectively, “malicious servers”). The malicious servers were owned by Choopa, Quadranet, and Amazon Web Services (“AWS”), among others. The IP address of one of the malicious servers was previously associated with subdomains used by Defendants.

3. Defendants’ Unauthorized Access of Plaintiff’s Servers

35. On information and belief, Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers. Defendants’ program was sophisticated, and built to exploit specific components of WhatsApp network protocols and code. Network protocols generally define rules that control communications between network computers, including protocols for computers to identify and connect with other computers, as well as formatting rules that specify how data is packaged and transmitted.

36. In order to compromise the Target Devices, Defendants routed and caused to be routed malicious code through Plaintiffs’ servers—including Signaling Servers and Relay Servers—concealed within part of the normal network protocol. WhatsApp’s Signaling Servers facilitated the initiation of calls between different devices using the WhatsApp Service. WhatsApp’s Relay Servers facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to use Plaintiffs’ servers in this manner.

37. Between approximately April and May 2019, Defendants used and caused to be used, without authorization, WhatsApp Signaling Servers, in an effort to compromise Target Devices. To avoid the technical restrictions built into WhatsApp Signaling Servers, Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings. Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers. Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.

38. For example, on May 9, 2019, Defendants used WhatsApp servers to route malicious code, which masqueraded as a series of legitimate calls and call settings, to a Target Device using telephone number (202) XXX-XXXX. On information and belief, the malicious code concealed within the calls was then installed in the memory of the Target Device.

39. Between April and May 2019, Defendants also used and caused to be used WhatsApp’s Relay Servers without authorization to send encrypted data packets designed to activate the malicious code injected into the memory of the Target Devices. When successfully executed, the malicious code caused the Target Device to send a request to one of the malicious servers controlled by Defendants.

40. On information and belief, the malicious servers connected the Target Devices to remote servers hosting Defendants’ malware. The malicious code on the Target Devices then downloaded and installed Defendants’ malware from those servers.

41. On information and belief, after it was installed, Defendants’ malware was designed to give Defendants and their customers access to information and data stored on the Target Devices, including their communications.

42. Between approximately April 29, 2019, and May 10, 2019, Defendants caused their malicious code to be transmitted over WhatsApp servers in an effort to infect approximately 1,400 Target Devices. The Target Users included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

43. The Target Users had WhatsApp numbers with country codes from several countries, including the Kingdom of Bahrain, the United Arab Emirates, and Mexico. According to public reporting, Defendants’ clients include, but are not limited to, government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities.[2]

[2] See Fast Company, “Israeli cyberweapon targeted the widow of a slain Mexican journalist” (March 20, 2019), available at https://www.fastcompany.com/90322618/nso-group-pegasus-cyberweapon-targeted-the-widow-of-a-slain-mexican-journalist; New York Times, “Hacking a Prince, an Emir and a Journalist to Impress a Client” (August 31, 2018), available at https://www.nytimes.com/2018/08/31/world/middleeast/hacking-united-arab-emirates-nso-group.html; The Guardian, “Israeli firm linked to WhatsApp spyware attack faces lawsuit” (May 18, 2019), available at https://www.theguardian.com/world/2019/may/18/israeli-firm-nso-group-linked-to-whatsapp-spyware-attack-faces-lawsuit.

44. On or about May 13, 2019, Facebook publicly announced that it had investigated and identified a vulnerability involving the WhatsApp Service (CVE-2019-3568). WhatsApp and Facebook closed the vulnerability, contacted law enforcement, and advised users to update the WhatsApp app.

45. Defendants subsequently complained that WhatsApp had closed the vulnerability. Specifically, NSO Employee 1 stated, “You just closed our biggest remote for cellular . . . It’s on the news all over the world.”

F. Defendants’ Unlawful Acts Have Caused Damage and Loss to WhatsApp and

46. Defendants’ actions and omissions interfered with the WhatsApp Service and burdened Plaintiffs’ computer network.

47. Defendants’ actions injured Plaintiffs’ reputation, public trust, and goodwill.

48. Defendants have caused Plaintiffs damages in excess of $75,000 and in an amount to be proven at trial.

FIRST CAUSE OF ACTION

(Computer Fraud and Abuse Act, 18 U.S.C. § 1030)

49. Plaintiffs reallege and incorporate by reference all preceding paragraphs.

50. At various times between April 29, 2019, and May 10, 2019, Defendants accessed, used, or caused to be accessed or used Plaintiffs’ Signaling Servers and Relay Servers without authorization in an effort to compromise approximately 1,400 Target Devices.

51. Plaintiffs’ Signaling Servers and Relay Servers and the Target Devices were “computers” as defined by 18 U.S.C. § 1030(e)(1).

52. Plaintiffs’ Signaling Servers and Relay Servers and the Target Devices were “protected computers” as defined by 18 U.S.C. § 1030(e)(2)(B) because they are “used in or affecting interstate or foreign commerce or communication.”

53. Defendants violated 18 U.S.C. § 1030(a)(2) because they intentionally accessed and caused to be accessed (a) Plaintiffs’ computers, and (b) Target Devices, without authorization and, on information and belief, obtained data from the Target Devices.

54. Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with intent to defraud accessed and caused to be accessed (a) Plaintiffs’ protected computers and (b) Target Devices without authorization, and by means of such conduct furthered the intended fraud and obtained something of value. Defendants’ fraud included falsely agreeing to the WhatsApp Terms, sending unauthorized commands to Plaintiffs’ computers and concealing the commands as legitimate network traffic, in order to gain access of the Target Devices without the Target Users’ knowledge or consent. As a result of the fraud, Defendants obtained money, customers, remote access and control of the Target Devices, data from the Target Devices, and unauthorized use of the WhatsApp service, the value of which exceeds $5,000.

55. Defendants violated 18 U.S.C. § 1030(b) by conspiring and attempting to commit the violations alleged in the preceding paragraphs.

56. Defendants’ conduct caused a loss to Plaintiffs and the Target Users in excess of $5,000 during a one-year period.

57. Defendants’ actions caused Plaintiffs to incur a loss as defined in 18 U.S.C. § 1030(e)(11), including the expenditure of resources to investigate and remediate Defendants’ fraud and unauthorized access. Plaintiffs are entitled to be compensated for losses and damages, and any other amount to be proven at trial.

SECOND CAUSE OF ACTION

(California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502)

58. Plaintiffs reallege and incorporate by reference all of the preceding paragraphs.

59. Defendants knowingly accessed and without permission altered and used Plaintiffs’ data, computer, computer system, and computer network in order to (a) devise and execute a scheme and artifice to defraud and deceive, and (b) wrongfully control and obtain money, property, and data in violation of California Penal Code § 502(c)(1).

60. Defendants knowingly and without permission used and caused to be used WhatsApp Signaling Servers and Relay Servers, including servers located in California, in violation of California Penal Code § 502(c)(3).

61. Defendants knowingly and without permission provided and assisted in providing a means of accessing Plaintiffs’ computers, computer systems, and computer networks, including those located in California, in violation of California Penal Code § 502(c)(6).

62. Defendants knowingly and without permission accessed and caused to be accessed Plaintiffs’ computers, computer systems, and computer networks, including those located in California, in violation of California Penal Code § 502(c)(7).

63. Defendants knowingly introduced a computer contaminant into Plaintiffs’ computers, computer systems, and computer networks in violation of California Penal Code § 502(c)(8).

64. Defendants’ actions caused Plaintiffs to incur losses and damages, including, among other things, the expenditure of resources to investigate and remediate Defendants’ conduct, damage to Plaintiffs’ reputation, and damage to the relationships and goodwill between Plaintiffs and their users and potential users. Plaintiffs have been damaged in an amount to be proven at trial.

65. Because Plaintiffs suffered damages and a loss as a result of Defendants’ actions and continue to suffer damages as a result of Defendants’ actions, Plaintiffs are entitled to compensatory damages, attorneys’ fees, and any other amount of damages to be proven at trial, as well as injunctive relief under California Penal Code §§ 502(e)(1) and (2).

66. Because Defendants willfully violated California Penal Code § 502, and there is clear and convincing evidence that Defendants acted with malice and oppression and committed “fraud” as defined by section 3294 of the Civil Code, Plaintiffs are entitled to punitive and exemplary damages under California Penal Code § 502(e)(4).

THIRD CAUSE OF ACTION

(Breach of Contract)

67. Plaintiffs reallege and incorporate by reference all preceding paragraphs.

68. Access to and use of WhatsApp is governed by the WhatsApp’s Terms and related WhatsApp policies.

69. Defendants agreed to and became bound by the WhatsApp’s Terms when they used WhatsApp and the WhatsApp Service.

70. WhatsApp and Facebook have performed all conditions, covenants, and promises required of it in accordance with the WhatsApp’s Terms.

71. Defendants’ violations of the WhatsApp’s Terms have directly and proximately caused and continue to cause harm and injury to WhatsApp.

72. When Defendants agreed to and became bound by the WhatsApp Terms, both Plaintiffs and Defendants knew or could have reasonably foreseen that the harm and injury to Plaintiffs was likely to occur in the ordinary course of events as a result of Defendants’ breach.

73. Defendants’ actions caused Plaintiffs to incur losses and other economic damages, including, among other things, the expenditure of resources to investigate and remediate Defendants’ conduct, damage to Plaintiffs’ reputation, and damage to the relationships and goodwill between Plaintiffs and their users and potential users. Plaintiffs have been damaged in an amount to be proven at trial, and in excess of $75,000.

FOURTH CAUSE OF ACTION

(Trespass to Chattels)

74. Plaintiffs reallege and incorporate by reference all of the preceding paragraphs.

75. At all times mentioned in this Complaint, Plaintiffs had legal title to and actual possession of their computer systems.

76. Defendants intentionally and without authorization interfered with Plaintiffs’ possessory interest in their computer systems, including by accessing and using Plaintiffs’ servers to transmit malicious code for the purpose of unlawfully compromising Target Users’ devices, all without authorization from Plaintiffs and Target Users.

77. Defendants’ access to Plaintiffs’ computer systems exceeded the scope of the conditional access that Plaintiffs grant to legitimate users of the WhatsApp Service.

78. Defendants’ actions caused Plaintiffs to incur losses and other economic damages, including, among other things, the expenditure of resources to investigate and remediate Defendants’ conduct, damage to Plaintiffs’ reputation, and damage to the relationships and goodwill between Plaintiffs and their users and potential users. Plaintiffs have been damaged in an amount to be proven at trial, and in excess of $75,000.

REQUEST FOR RELIEF

WHEREFORE, Plaintiffs request judgment against Defendants as follows:

1. That the Court enter judgment against Defendants that Defendants have:

a. Violated the Computer Fraud and Abuse Act, in violation of 18 U.S.C. § 1030;

b. Violated the California Comprehensive Computer Data Access and Fraud Act, in violation of California Penal Code § 502;

c. Breached their cont