`
`
`
`
`
`PAUL HOFFMAN #71244
`JOHN WASHINGTON #315991
`Schonbrun, Seplow, Harris,
`Hoffman & Zeldes LLP
`200 Pier Avenue, Suite 226
`Hermosa Beach, CA 90254
`T: (424) 297-0114
`F: (310) 399-7040
`hoffpaul@aol.com
`
`Counsel for all Plaintiffs*
`
`*See Signature Page for Complete List of
`Plaintiffs
`
`CARRIE DECELL**
`JAMEEL JAFFER**
`ALEX ABDO**
`STEPHANIE KRENT**
`EVAN WELBER FALCÓN**
`Knight First Amendment Institute
`at Columbia University
`475 Riverside Drive, Suite 302
`New York, NY 10115
`T: (646) 745-8500
`F: (646) 661-3361
`carrie.decell@knightcolumbia.org
`
`Counsel for all Plaintiffs*
`
`**Application for Admission Pro Hac Vice
`To Be Filed
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN JOSE DIVISION
`
`
`
`CARLOS DADA, SERGIO ARAUZ,
`GABRIELA CÁCERES GUTIÉRREZ, JULIA
`GAVARRETE, ROMAN GRESSIER,
`GABRIEL LABRADOR, ANA BEATRIZ
`LAZO ESCOBAR, EFREN LEMUS,
`CARLOS MARTÍNEZ, ÓSCAR MARTÍNEZ,
`MARÍA LUZ NÓCHEZ, VÍCTOR PEÑA,
`NELSON RAUDA ZABLAH, MAURICIO
`SANDOVAL SORIANO, and JOSÉ LUIS
`SANZ,
`
`Plaintiffs,
`
`v.
`
`NSO GROUP TECHNOLOGIES LIMITED
`and Q CYBER TECHNOLOGIES LIMITED,
`
`Defendants.
`
`
`
`
`
`
`
`
`Case No. __________
`
`COMPLAINT
`
`DEMAND FOR JURY TRIAL
`
`
`
`
` 1
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 2 of 41
`
`
`
`INTRODUCTION
`Defendants NSO Group Technologies Limited and Q Cyber
`1.
`Technologies Limited develop spyware—malicious surveillance software—and sell
`it to rights-abusing governments. With Defendants’ technology and assistance, these
`governments surveil journalists, human rights advocates, and political opponents,
`often in the service of broader campaigns of political intimidation and persecution.
`As the U.S. Department of Commerce observed last year when it added NSO Group
`to its “Entity List,” Defendants’ spyware has enabled authoritarian governments to
`“conduct transnational repression”—to reach across borders and stifle dissent. In
`recent years, the supply of spyware to authoritarian and other rights-abusing
`governments, by Defendants and other mercenary spyware companies, has become
`a grave and urgent threat to human rights and press freedom around the world.
`Defendants’ signature product, usually sold under the name “Pegasus,”
`2.
`is a particularly sophisticated and insidious type of spyware. Defendants and their
`clients can install Pegasus on a target’s smartphone remotely and surreptitiously,
`without any action by the target. Once installed, Pegasus gives its operators
`essentially full control of the device. They can covertly extract contact lists, calendar
`entries, text and instant messages, notes, emails, search histories, and GPS locations.
`They can turn on the smartphone’s microphone to record surrounding sounds. They
`can activate the smartphone’s camera to take photographs. They can also copy
`authentication keys to gain access to cloud-based accounts. Defendants highlight
`these and other capabilities in their marketing materials.
`Defendants developed Pegasus, and deploy it, by repeatedly accessing
`3.
`computer servers owned by U.S. technology companies, including Apple Inc., a
`company based in Cupertino, California. As relevant to this case, Defendants
`accessed Apple servers to identify and exploit vulnerabilities in Apple software and
`services, to enable the delivery of Pegasus to targets’ iPhones, and to allow Pegasus
`operators to extract data from their targets’ iPhones and their targets’ cloud-based
`
`
`
` 2
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 3 of 41
`
`
`
`accounts. On information and belief, some of the Apple servers that Defendants
`abused to facilitate the delivery and operation of Pegasus in this case are located in
`California. In November 2021, Apple sued Defendants in this district, asserting that,
`through their development and deployment of spyware, they had exploited Apple’s
`software and services, damaged its business and goodwill, and injured its users.
`Plaintiffs in this case include journalists and others who write, produce,
`4.
`and publish El Faro, a digital newspaper based in El Salvador that has become one
`of the foremost sources of independent news in Central America—in the words of
`the International Press Institute, a “paragon of investigative journalism . . . with its
`fearless coverage of violence, corruption, inequality, and human rights violations.”
`El Faro has a broad readership not only in Central America, but also in the United
`States, and particularly here in California. Plaintiffs include Carlos Dada, El Faro’s
`co-founder and director; Roman Gressier, an El Faro reporter who is a U.S. citizen;
`Nelson Rauda Zablah, a former El Faro reporter who currently lives in the United
`States; José Luis Sanz, the Washington correspondent for El Faro, who also currently
`lives in the United States; and eleven other El Faro employees.
`Between June 2020 and November 2021, at least twenty-two people
`5.
`associated with El Faro, including Plaintiffs, were the victims of Pegasus attacks.
`Their devices were accessed remotely and surreptitiously, their communications and
`activities monitored, and their personal data accessed and stolen. Many of these
`attacks occurred when they were communicating with confidential sources,
`including U.S. Embassy officials, and reporting on abuses by the Salvadoran
`government. The journalists and others who were the victims of these Pegasus
`attacks learned of them only much later. When they came to light, the attacks were
`condemned by human rights and press freedom groups around the world. For
`example, a coalition of civil society groups from Central America and the United
`States issued a joint statement in January 2022 denouncing the attacks and decrying
`
`
`
`
`
` 3
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 4 of 41
`
`
`
`“[t]he lack of accountability for such egregious conduct by public authorities and
`private companies.”
`The Pegasus attacks have profoundly disrupted Plaintiffs’ lives and
`6.
`work. The attacks have compromised Plaintiffs’ safety as well as the safety of their
`colleagues, sources, and family members. The attacks have deterred some sources
`from sharing information with Plaintiffs. Some Plaintiffs have been diverted from
`pressing investigative projects by the necessity of assessing which data was stolen,
`and of taking precautions against the possibility that the stolen data will be exploited.
`Plaintiffs have also had to expend substantial resources to protect their devices
`against possible future attacks, to ensure their personal safety, and to address serious
`physical and mental health issues resulting from the attacks. The attacks have
`undermined the security that is a precondition for the independent journalism that El
`Faro strives to provide its readers, as well as the ability of El Faro’s readers,
`including those in the United States, to obtain independent analysis of events in
`Central America.
`Defendants’ development and deployment of Pegasus against Plaintiffs
`7.
`was unlawful. It violated the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and
`the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal
`Code § 502, and it constituted trespass to chattels and intrusion upon seclusion. This
`is a suit for injunctive and declaratory relief, as well as compensatory and punitive
`damages.
`
`JURISDICTION AND VENUE
`This Court has jurisdiction over Plaintiffs’ federal causes of action
`8.
`pursuant to 28 U.S.C. § 1331.
`This Court has jurisdiction over Plaintiffs’ state law causes of action
`9.
`pursuant to 28 U.S.C. § 1367, because these claims arise out of the same nucleus of
`operative fact as Plaintiffs’ federal statutory claims.
`
`
`
`
`
` 4
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 5 of 41
`
`
`
`10. This Court has personal jurisdiction over Defendants because
`Defendants have purposefully availed themselves of California as a forum and have
`purposefully directed their tortious activities at California. A court in this district
`exercised personal jurisdiction over Defendants based on substantially similar facts
`in WhatsApp Inc. v. NSO Group Technologies Limited, 472 F. Supp. 3d 649 (N.D.
`Cal. 2020).
`11. Alternatively, this Court has personal jurisdiction over Defendants
`pursuant to Federal Rule of Civil Procedure 4(k)(2), because Plaintiffs’ claims arise
`under federal law; if Defendants are not subject to jurisdiction in California, then
`they are not subject to jurisdiction in any state’s courts of general jurisdiction; and
`exercising jurisdiction over Defendants is consistent with U.S. law and the U.S.
`Constitution.
`12. Venue is proper in this district pursuant to 28 U.S.C. § 1391(b)(2) or,
`alternatively, 28 U.S.C. § 1391(b)(3).
`DIVISIONAL ASSIGNMENT
`13. Pursuant to Civil Local Rule 3-2(e), this case may be assigned to the
`San Jose division because a substantial part of the events giving rise to Plaintiffs’
`claims occurred in Santa Clara County, where Apple is located.
`PARTIES
`Plaintiffs
`14. Plaintiff Carlos Dada is the director of El Faro, which he co-founded in
`1998. His reporting focuses on corruption and violence, and he has reported from
`numerous conflict zones, including in Guatemala, Honduras, Iraq, Mexico, and
`Venezuela. In 2011, he won the Maria Moors Cabot Prize for Latin American
`Reporting. In 2022, he was honored by the International Press Institute and
`International Media Support with a World Press Freedom Hero award, which
`recognizes “journalists who have made significant contributions to promote press
`freedom, particularly in the face of great personal risk.” He also won the 2022
`
`
`
` 5
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 6 of 41
`
`
`
`International Center for Journalists’ Knight Trailblazer Award for “his hard-hitting
`investigative reporting, lyrical writing and visionary leadership.” He lives in San
`Salvador, El Salvador.
`15. Plaintiff Sergio Arauz is the deputy editor-in-chief of El Faro, where he
`has worked since 2001. His reporting focuses on politics and human rights. He lives
`in San Salvador.
`16. Plaintiff Gabriela Cáceres Gutiérrez is a reporter for El Faro, where she
`has worked since 2018. In 2021, she, along with Plaintiffs Carlos Martínez and Óscar
`Martínez, undertook one of El Faro’s most significant investigations, revealing
`secret negotiations held in maximum security prisons between the Bukele
`Administration and incarcerated members of El Salvador’s three main gangs: Mara
`Salvatrucha (“MS-13”), Barrio 18 Revolucionarios, and Barrio 18 Sureños. She lives
`in San Salvador.
`17. Plaintiff Julia Gavarrete is a reporter for El Faro, where she has worked
`since 2021. She has more than a decade of experience reporting in El Salvador and
`Central America, and her reporting focuses on vulnerable communities in Central
`America, on women’s rights, and on environmental issues. She currently lives in
`Berlin, Germany while on a four-month fellowship with Reporters Sans Frontières.
`18. Plaintiff Roman Gressier is a reporter for El Faro, where he has worked
`since November 2019. He writes El Faro’s English-language newsletter and has
`reported extensively on Central American politics, human rights, and press freedom.
`He is a dual citizen of the United States and France.
`19. Plaintiff Gabriel Labrador is a reporter for El Faro, where he has
`worked since 2011. He has been a reporter for more than eighteen years, and he has
`reported extensively on criminal justice and public corruption, including on a
`Salvadoran Supreme Court magistrate’s ties to the MS-13 gang, on the political and
`policymaking roles of President Bukele’s brothers, and on detentions during El
`Salvador’s recent “state of exception.” He lives in San Salvador.
`
`
` 6
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 7 of 41
`
`
`
`20. Plaintiff Ana Beatriz Lazo Escobar is a marketing manager for El Faro,
`where she has worked since 2015. She lives in Tamanique, El Salvador.
`21. Plaintiff Efren Lemus is a reporter for El Faro, where he has worked
`since 2011. He has written about gang violence and El Salvador’s attempts to curtail
`it, about the treatment of detainees during El Salvador’s state of exception, and about
`accusations of wrongdoing and corruption within the governing Nuevas Ideas party.
`He also co-wrote an in-depth profile of the MS-13 gang for The New York Times.
`He lives in San Salvador.
`22. Plaintiff Carlos Martínez is a reporter for El Faro, where he has worked
`since 2004. He is one of the founding members of Sala Negra, El Faro’s investigative
`journalism team. His reporting focuses on gang violence and official misconduct.
`He has worked on some of El Faro’s most important stories, including an
`investigation into the Bukele Administration’s secret negotiations with incarcerated
`gang members, and co-wrote an in-depth profile of the MS-13 gang for The New
`York Times. He lives in La Libertad, El Salvador.
`23. Plaintiff Óscar Martínez is the editor-in-chief of El Faro, where he has
`worked since January 2007. A founding member of Sala Negra, he reports on issues
`of gang violence, migration, and official misconduct. He has been awarded the
`Fernando Benítez National Journalism Award in Mexico, the José Simeón Cañas
`Central American University in El Salvador Human Rights Prize, and the Maria
`Moors Cabot Prize. He lives in San Salvador.
`24. Plaintiff María Luz Nóchez is a reporter and the Opinion editor for El
`Faro, where she has worked since 2011. She reports on arts and culture, violence
`against women and the LGBTQ community, and the rights of Indigenous people.
`She lives in Santa Tecla, El Salvador.
`25. Plaintiff Víctor Peña is a photojournalist for El Faro, where he has
`worked since 2016. He contributes photography and other audiovisual and graphic
`
`
`
`
`
` 7
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 8 of 41
`
`
`
`material to El Faro, focusing on issues relating to women’s rights, inequality,
`pollution, and migration. He lives in San Salvador.
`26. Plaintiff Nelson Rauda Zablah worked as a reporter and hosted a twice-
`weekly radio show for El Faro from 2015 to August 2022. He has a decade of
`experience covering corruption, crime, the justice system, politics, migration, and
`human rights. His work has also been published in The New York Times, The
`Washington Post, the Los Angeles Times, ProPublica, the BBC, and El Diario. He
`previously served as secretary to the Board of Directors of the Asociación de
`Periodistas de El Salvador (APES), the Salvadoran journalists’ association. He
`currently lives in New York City while pursuing a master’s degree at Columbia
`Journalism School.
`the general
`is
`27. Plaintiff Mauricio Ernesto Sandoval Soriano
`administrator of El Faro, where he has worked since 2018. He lives in Antiguo
`Cuscatlán, El Salvador.
`28. Plaintiff José Luis Sanz is the Washington correspondent for El Faro,
`where he has worked since 2001. He was the director of El Faro from 2014 to
`December 2020. A founding member of Sala Negra, he previously reported on issues
`of violence, gangs, and organized crime in Central America. He now reports on
`human rights, migration, and corruption. He currently lives in Washington, D.C.
`Defendants
`29. Defendant NSO Group Technologies Limited is a limited liability
`company that was incorporated in Israel on January 25, 2010. NSO Group develops
`highly sophisticated spyware; sells that spyware to government clients around the
`world, including to governments associated with grave abuses of human rights;
`trains those clients in the use of the spyware; and assists those clients in its
`deployment. NSO Group is a subsidiary of Q Cyber Technologies Limited, and, on
`information and belief, it sometimes operates under that name.
`
`
`
`
`
` 8
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 9 of 41
`
`
`
` Defendant Q Cyber Technologies Limited is a limited liability
`30.
`company. It was originally incorporated in Israel on December 2, 2013 under the
`name L.E.G.D. Company Limited, but changed its name to Q Cyber Technologies
`on May 29, 2016. Q Cyber is the parent company of NSO Group and a subsidiary of
`OSY Technologies SARL.
`31. As discussed further below, Defendants have purposefully directed
`their tortious activities at the State of California. They have also purposefully availed
`themselves of the United States, and the State of California in particular. For
`example, for most of the past decade, NSO Group has been principally funded and
`controlled by California-based companies, including Francisco Partners and
`Berkeley Research Group. In addition, Q Cyber established a U.S. sales arm called
`Westbridge Technologies, Inc. to market Defendants’ spyware to law enforcement
`agencies across the United States. Omrie Lavie, one of the three co-founders of NSO
`Group, co-founded and served as the CEO of Westbridge. Defendants and
`Westbridge hired U.S.-based firms to help market Defendants’ spyware and oversee
`their public relations in the United States. Defendants and Westbridge endeavored
`to sell Defendants’ technology to U.S. government agencies, including the Central
`Intelligence Agency, the Drug Enforcement Administration, and the Secret Service,
`as well as to local law enforcement agencies, including the Los Angeles and San
`Diego Police Departments. In 2019, Defendants sold a version of Pegasus to the
`Federal Bureau of Investigation and trained FBI agents as they tested and evaluated
`the spyware. The FBI ultimately paid Defendants roughly $5 million in fees.
`32. On information and belief, at all times material to this case, each
`Defendant was the agent, partner, alter ego, subsidiary, parent, and/or co-conspirator
`of and with the other Defendant, and the acts of each Defendant were within the
`scope of that relationship; each Defendant knowingly and intentionally agreed with
`the other to carry out the acts alleged in this Complaint; and in carrying out the acts
`
`
`
`
`
` 9
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 10 of 41
`
`
`
`alleged in this Complaint, each Defendant acted with the knowledge, permission,
`and consent of the other, and each Defendant aided and abetted the other.
`FACTUAL ALLEGATIONS
`Pegasus
`33. Defendants develop highly sophisticated spyware; sell that spyware to
`government clients around the world, including to governments associated with
`grave abuses of human rights; train those clients in the use of the spyware; and assist
`those clients in its deployment.
`34. Defendants’ signature product is called Pegasus. Plaintiffs use the term
`“Pegasus” throughout this Complaint to refer to any of the products that Defendants
`market that are identical or substantially similar to Pegasus.
`35. Pegasus enables its operators to take full control of a target’s
`smartphone remotely and surreptitiously. According to Defendants’ marketing
`materials, Pegasus can be used to remotely and covertly surveil and extract contact
`details, text messages, instant messages, notes, emails, web-browsing activity, files,
`and passwords. It can be used to monitor phone calls and VoIP calls, as well as user
`activity on different applications, including WhatsApp, Facebook, and Skype. It can
`be used to track and log a device’s GPS location. And it can be used to activate the
`device’s microphone to record surrounding sounds, and to activate the device’s
`camera to take photographs.
`36. Pegasus can also give its operators access to data stored in the cloud.
`According to news reports, Pegasus allows its operators to copy the authentication
`keys that smartphones use to access U.S.-based cloud services such as iCloud,
`Google Drive, and Facebook Messenger. Pegasus operators can use those keys to
`gain access to data stored on those cloud servers—including documents and
`photographs—without the knowledge of the smartphone’s user.
`It is practically impossible for individuals to protect themselves against
`37.
`Pegasus attacks. Pegasus can be installed surreptitiously, without the smartphone
`
`
`
` 10
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 11 of 41
`
`
`
`user’s involvement or awareness, through “zero-click” attacks. It can be installed
`remotely, eliminating the need for physical proximity to a target’s smartphone as
`well as any reliance on local mobile network operators. It can also circumvent
`ordinary security measures—such as the use of encryption—because it allows its
`operators to access an infected device as though they were the device’s user. In
`addition, it is designed to subvert safeguards that would otherwise alert the target to
`its presence. On iPhones, for example, Pegasus disables crash reporting to Apple,
`and many of the malicious processes that Pegasus runs on a device following an
`infection have been given names similar to those of legitimate iOS system processes.
`Independent security researchers at the Citizen Lab, Access Now, and
`38.
`Amnesty
`International—all organizations
`that have conducted
`in-depth
`investigations of spyware attacks around the world—have concluded that Plaintiffs
`in this case were targeted through zero-click attacks directed at their iPhones.
`Investigations by these researchers indicate that Defendants carried out these attacks
`in the stages described below. On information and belief, the Pegasus attacks against
`Plaintiffs required Defendants to interact extensively with Apple’s U.S.-based
`servers, many of which are in California.
`39. First, Defendants identified vulnerabilities in Apple software and
`services that could be used in the process of infecting targeted iPhones with Pegasus.
`Defendants created Apple ID accounts specifically for the purpose of identifying
`these vulnerabilities. Ordinarily, Apple ID accounts are used by Apple to
`authenticate its customers when they use Apple services. In contrast, Defendants
`used their Apple ID accounts to discover vulnerabilities in Apple’s software, to
`probe Apple’s servers and services, and to test the software that Defendants
`developed to infect iPhones with Pegasus.
`40. Second, Defendants and their clients exploited the vulnerabilities that
`they identified to infect targeted iPhones with Pegasus. To initiate a zero-click
`attack, Defendants and their clients used the target’s Apple ID or other information
`
`
`
` 11
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 12 of 41
`
`
`
`to confirm that the target was in fact using an iPhone, and then Defendants used their
`own Apple ID accounts to send malicious data to the device by leveraging the
`communications between Apple’s services and the targeted iPhone. The malicious
`data caused the device to retrieve Pegasus (and other malicious data precipitating the
`Pegasus infection) through a network of servers operated and/or maintained by
`Defendants. In this case, Plaintiffs’ iPhones were infected using zero-click exploits
`known as KISMET and FORCEDENTRY. Defendants and their clients appear to
`have executed both of these exploits by using Apple ID accounts to send malicious
`data through Apple’s iMessage service. In the case of at least FORCEDENTRY, the
`Pegasus file was stored temporarily, in encrypted form, on one of Apple’s iCloud
`servers before delivery to a target’s iPhone.
`41. Third, Pegasus operators used command-and-control servers to exploit
`the Pegasus infection, taking control of the infected iPhone. The operators could use
`these servers to issue commands to each infected device—for example, to exfiltrate
`data, to enable location tracking, or to record audio and take photographs using the
`device’s microphone and camera. If a Pegasus operator extracted authentication keys
`from an infected iPhone, the operator could use those keys to access and extract data
`from the targeted individual’s cloud-based accounts. Pegasus infections were
`sometimes short-lived (allowing operators to hack their targets’ iPhones, exfiltrate
`data of potential interest, and then attempt to cover their tracks by deleting traces of
`the infection) and sometimes prolonged or “active” (allowing operators to conduct
`ongoing surveillance, albeit at greater risk of discovery). Even when Defendants’
`employees were not themselves the Pegasus operators at this stage of the attacks,
`Defendants remained involved by configuring and maintaining the operators’
`command-and-control servers, ensuring that infected devices were running the latest
`version of the Pegasus software, and providing ongoing technical assistance to the
`operators. Defendants also offered extensive customer support, including on-the-
`ground support during the initial deployment and/or continued operation of Pegasus,
`
`
`
` 12
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 13 of 41
`
`
`
`technical support by email and phone, and engineer support through remote desktop
`software and/or a virtual private network.
`In July 2021, Amnesty International concluded that Defendants were,
`42.
`at that time, able to remotely and covertly compromise all recent iPhone models and
`versions of Apple’s mobile operating system using the process described above or
`one similar to it.
`The Threat Pegasus Poses to Press Freedom and Human Rights
`43. Defendants have sold Pegasus to authoritarian and rights-abusing
`governments around the world, and many of those governments have used the
`spyware to target journalists, human rights activists, and political opponents.
`44. According to the Pegasus Project, a collaboration of more than eighty
`journalists from seventeen media organizations in ten countries, at least 180
`journalists from twenty countries have been the victims of Pegasus attacks directed
`by authoritarian or rights-abusing governments. For example, Saudi authorities used
`Pegasus to surveil family members and close associates of journalist Jamal
`Khashoggi—whom Saudi agents brutally murdered in 2018—as well as other Saudi
`activists, an Amnesty International researcher, and an American New York Times
`journalist who has reported extensively on the country. Morocco used Pegasus to
`spy on journalist Omar Radi. Mexican officials used Pegasus to surveil journalists
`and lawyers investigating corruption and human rights abuses in the country.
`Hungarian Prime Minister Viktor Orbán also used Pegasus to surveil journalists,
`lawyers, and social activists.
`45. Prominent human rights activists, diplomats, and political opposition
`figures, too, have been frequent victims of Pegasus attacks. For example, in 2021
`alone, Defendants’ clients used Pegasus to surveil U.S. diplomats working in
`Uganda; Carine Kanimba, a dual U.S.–Belgian citizen who was targeted while she
`was campaigning for the release of her father, Hotel Rwanda hero Paul
`Rusesabagina, from detention; Lama Fakih, a prominent Lebanese activist and
`
`
`
` 13
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 14 of 41
`
`
`
`Human Rights Watch director; at least four members of the civic youth movement
`“Oyan, Qazaqstan” (“Wake Up, Khazakhstan”); and at least thirty pro-democracy
`protesters and activists in Thailand. In 2020, more than sixty pro-Catalonian
`independence activists were the victims of Pegasus attacks. And in 2019, at least
`three human rights activists in India were surveilled with Pegasus while they were
`advocating for the release of other imprisoned activists, and Polish senator Krzysztof
`Brejza was surveilled with Pegasus while he was running a parliamentary election
`campaign.
`46. The supply of spyware to authoritarian and rights-abusing regimes, by
`Defendants and other mercenary spyware manufacturers like them, is now widely
`understood to present an urgent challenge to press freedom around the world.
`In November 2021, the U.S. Department of Commerce added NSO
`47.
`Group to its “Entity List” based on evidence that it had “supplied spyware to foreign
`governments that used” the spyware “to maliciously target government officials,
`journalists, businesspeople, activists, academics, and embassy workers,” as well as
`to target “dissidents, journalists and activists outside of their sovereign borders to
`silence dissent.” The Commerce Department described the designation of NSO
`Group as part of a broader effort to “stem the proliferation of digital tools used for
`repression” and to “improv[e] citizens’ digital security, combat[] cyber threats, and
`mitigat[e] unlawful surveillance.” In June 2022, the Biden Administration opposed
`U.S. government contractor L3Harris Technologies’ bid to acquire NSO Group,
`observing that Pegasus had been “misused around the world to enable human rights
`abuses, including to target journalists, human rights activists, or others perceived as
`dissidents and critics.” And in its October 2022 National Security Strategy, the Biden
`Administration pledged “to counter the exploitation of American’s [sic] sensitive
`data and illegitimate use of technology, including commercial spyware and
`surveillance technology,” and to “stand against digital authoritarianism.”
`
`
`
`
`
` 14
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`Case 3:22-cv-07513-WHA Document 1 Filed 11/30/22 Page 15 of 41
`
`
`
`48. Congress has also begun to act against the threats posed by spyware.
`On July 27, 2022, the Chair of the U.S. House Permanent Select Committee on
`Intelligence called the widespread availability of spyware like Pegasus a “game-
`changer for autocratic regimes that are looking for new means to surveil, intimidate,
`imprison, or even kill dissidents, journalists, and others who they view as a threat.”
`The Committee subsequently approved legislation that would empower the Director
`of National Intelligence to prohibit the U.S. intelligence community from buying
`and using foreign spyware, and that would authorize the President to impose
`sanctions on foreign firms and individuals that sell, purchase, or use spyware.
`49. Digital security researchers and human rights advocates have also
`expressed increasing alarm about the implications of spyware for privacy, free
`speech, and other human rights. Ronald Deibert, Director of the Citizen Lab at the
`University of Toronto’s Munk School of Global Affairs & Public Policy, has warned
`that “[a]dvanced spyware is to surveillance [what] nuclear technology is to
`weapons—it represents a quantum leap forward in sophistication and power.” David
`Kaye, former UN Special Rapporteur on freedom of expression and opinion, has
`explained that “spyware with the characteristics of Pegasus—the capability to access
`one’s entire device and data connected to it, without discrimination, and without
`constraint—already violates . . . international human rights law,” concluding that
`“[n]o government should have such a tool, and no private company should be able
`to sell such a tool to governments or others.” Dr. Agnès Callamard, Secretary
`General of Amnesty International and former UN Special Rapporteur on
`extrajudicial, summary or arbitrary executions, has explained that “[w]e are