No. 20-16408

IN THE
United States Court of Appeals for the Ninth Circuit

NSO GROUP TECHNOLOGIES LTD. ET AL.,
Defendants-Appellants,

v.

WHATSAPP INC. ET AL.,
Plaintiffs-Appellees.

On Appeal from the United States District Court for the Northern District of California
No. 4:19-cv-07123-PJH

BRIEF FOR AMICI CURIAE MICROSOFT CORP., CISCO SYSTEMS, INC., GITHUB, INC., GOOGLE LLC, LINKEDIN CORPORATION, VMWARE, INC., AND INTERNET ASSOCIATION IN SUPPORT OF PLAINTIFFS-APPELLEES

Michael Trinh
GOOGLE LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
(650) 253-0000
Counsel for Amicus Curiae Google LLC

Mark Parris
Carolyn Frantz
Paul Rugani
Alyssa Barnard-Yanni
ORRICK, HERRINGTON & SUTCLIFFE LLP
701 5th Ave., Ste. 5600
Seattle, WA 98104
(206) 839-4300
Counsel for Amici Curiae Microsoft Corp., Cisco Systems, Inc., GitHub, Inc., LinkedIn Corporation, VMware, Inc., and Internet Association

Case: 20-16408, 12/21/2020, ID: 11935084, DktEntry: 37, Page 2 of 39

CORPORATE DISCLOSURE STATEMENT

Pursuant to Federal Rule of Appellate Procedure 26.1, counsel hereby state the following:

Amicus Microsoft Corporation (“Microsoft”) is a publicly held corporation. Microsoft does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus Cisco Systems, Inc. (“Cisco”) is a publicly held corporation. Cisco does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus GitHub, Inc. (“GitHub”) is a wholly owned subsidiary of Microsoft, a publicly held corporation. Microsoft does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus Google LLC (“Google”) is an indirect subsidiary of Alphabet Inc., a publicly held corporation. Alphabet Inc. does not have a parent corporation and no publicly held company owns 10% or more of its outstanding stock.

Amicus LinkedIn Corporation (“LinkedIn”) is a wholly owned subsidiary of Microsoft. Microsoft does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus VMware, Inc. (“VMware”) is majority-owned by a series of entities including VMW Holdco LLC, EMC Corporation, Dell Inc., Denali Intermediate Inc., and Dell Technologies Inc. The lone publicly held corporation directly or indirectly owning 10% or more of VMware is Dell Technologies Inc.

Amicus Internet Association (“IA”) is not a publicly held corporation. It does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

GOOGLE LLC
/s/Michael Trinh
Michael Trinh
Counsel for Amicus Google LLC

ORRICK, HERRINGTON & SUTCLIFFE LLP
/s/Mark Parris
Mark Parris
Counsel for Amici Curiae Microsoft Corp., Cisco Systems, Inc., GitHub, Inc., LinkedIn Corporation, VMware, Inc., and Internet Association

TABLE OF CONTENTS

CORPORATE DISCLOSURE STATEMENT
TABLE OF AUTHORITIES
INTERESTS OF AMICI CURIAE
INTRODUCTION AND SUMMARY OF ARGUMENT
STATEMENT OF THE CASE
ARGUMENT
  Allowing Companies Like NSO To Deploy Powerful Cyber-Surveillance Tools Across U.S. Systems Creates Large-Scale, Systemic Cybersecurity Risk.
    A. Expanding immunity to private cyber-surveillance companies would greatly increase access to and use of cyber-surveillance tools.
      1. Expanding immunity would increase the number of governments and companies with access to these tools.
      2. Expanding immunity would also increase the use of dangerous cyber-surveillance tools.
    B. Increased access to and use of cyber-surveillance tools significantly raises systemic cybersecurity risk.
    C. These increased systemic risks would do extensive damage.
CONCLUSION
CERTIFICATE OF COMPLIANCE

TABLE OF AUTHORITIES

Statutes

Computer Fraud and Abuse Act, 18 U.S.C. § 1030

Federal Rule of Appellate Procedure 29(a)(4)(e)

Other Authorities

About Software Management and Patch Releases, Oracle Corporation, https://tinyurl.com/y5nvr7j8

Amnesty International Among Targets of NSO-powered Campaign, Amnesty International (Aug. 1, 2018), https://tinyurl.com/y5vg6chz

Andy Greenberg, Hacking Team Breach Shows a Global Spying Firm Run Amok, Wired (July 6, 2015), https://tinyurl.com/y2u5shjj

Andy Greenberg, New Dark-Web Market Is Selling Zero-Day Exploits to Hackers, Wired (Apr. 17, 2015), https://tinyurl.com/yyyk6n5w

Andy Greenberg, Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands, Wired (May 7, 2019), https://tinyurl.com/y2nrvkf2

Andy Greenberg, This Map Shows the Global Spread of Zero-Day Hacking Techniques, Wired (April 6, 2020), https://tinyurl.com/tc8kwg9

Andy Greenberg, Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw at the Same Time, Wired (Jan. 7, 2018), https://tinyurl.com/ydbdjfp7

Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), https://tinyurl.com/y3o3pxq8

Azam Ahmed, A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked., N.Y. Times (Nov. 27, 2018), https://tinyurl.com/y6zu8pth

Bill Marczak & John Scott-Railton, The Citizen Lab, The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender 5 (Aug. 24, 2016), https://tinyurl.com/y3uvmlev

Bill Marczak et al., The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil, The Citizen Lab (Oct. 1, 2018), https://tinyurl.com/y9yyhaz3

Christopher Bing & Joel Schectman, Inside the UAE’s Secret Hacking Team of American Mercenaries: Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy—dissidents, rival leaders and journalists, Reuters (Jan. 30, 2019), https://tinyurl.com/y9qnsbs4

Communications Security Establishment, CSE’s Equities Management Framework (Mar. 11, 2019), https://tinyurl.com/y3mj3p97

David Murphy, This New Android Malware Can Survive a Factory Reset, LifeHacker (Oct. 30, 2019), https://tinyurl.com/yxwjut25

David Voreacos et al., Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War?, Bloomberg (Dec. 2, 2019), https://tinyurl.com/usklyf3

How Google handles security vulnerabilities, Google LLC, https://tinyurl.com/lxspq7v

How to detect spyware to safeguard your privacy?, Kaspersky Lab, https://tinyurl.com/y679odja

Ian Levy, National Cyber Security Centre, Equities process: Publication of the UK’s process for how we handle vulnerabilities (Nov. 29, 2018), https://tinyurl.com/y4x5eeft

John Scott-Railton et al., Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links, The Citizen Lab (Feb. 11, 2017), https://tinyurl.com/ya3tgrhr

Kathleen Metrick et al., Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill, FireEye (Apr. 6, 2020), https://tinyurl.com/qrxk2vk

Keith Breene, Who are the cyberwar superpowers?, World Economic Forum (May 4, 2016), https://tinyurl.com/y359xprj

Kelly Jackson Higgins, Unpatched Vulnerabilities the Source of Most Data Breaches, Dark Reading (April 5, 2018), https://tinyurl.com/y4xat346

Lance Whitney, How to handle the public disclosure of bugs and security vulnerabilities, TechRepublic (Sept. 19, 2019), https://tinyurl.com/y3vupgfx

Lillian Ablon & Andy Bogart, RAND Corporation, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (2017), https://tinyurl.com/y27ssfau

Lorenzo Franceschi-Bicchierai, The Vigilante Who Hacked Hacking Team Explains How He Did It, Vice (Apr. 15, 2016), https://tinyurl.com/y284rpou

Mark Mazzetti et al., A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments, N.Y. Times (Mar. 21, 2019), https://tinyurl.com/y39pzhtc

Mehul Srivastava & Tom Wilson, Inside the WhatsApp hack: how an Israeli technology was used to spy, Financial Times (Oct. 29, 2019), https://tinyurl.com/y8zwkcl9

Microsoft’s Approach to Coordinated Vulnerability Disclosure, Microsoft Corporation, https://tinyurl.com/y8snnzda

Nicole Perlroth & David E. Sanger, Nations Buying as Hackers Sell Flaws in Computer Code, N.Y. Times (July 13, 2013), https://tinyurl.com/yypwwa8c

Nicole Perlroth et al., Cyberattack Hits Ukraine Then Spreads Internationally, N.Y. Times (June 27, 2017), https://tinyurl.com/ydco89o5

Nicole Perlroth et al., How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks, N.Y. Times (May 6, 2019), https://tinyurl.com/yysm2c6a

Patrick Howell O’Neill, The Lucrative Government Spyware Industry Has a New ‘One-Stop-Shop’ for Hacking Everything, Gizmodo (Feb. 15, 2019), https://tinyurl.com/yxwwuktz

Priscilla Moriuchi & Bill Ladd, China’s Ministry of State Security Likely Influences National Network Vulnerability Publications (2017), https://tinyurl.com/y32rn83m

Scott Shane et al., Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core, N.Y. Times (Nov. 12, 2017), https://tinyurl.com/yc7zvxap

Scott Steadman, The Covert Reach of NSO Group, Forensic News (Apr. 29, 2020), https://tinyurl.com/y4vsrbh2

Statement from the Press Secretary, The White House (Feb. 15, 2018), https://tinyurl.com/y3fw6yea

Trey Herr et al., Taking Stock: Estimating Vulnerability Rediscovery (July 2017), https://tinyurl.com/y2udejph

U.S. Department of State, State Sponsors of Terrorism, https://tinyurl.com/y3vtudya

Vindu Goel & Nicole Perlroth, Spyware Maker NSO Promises Reform but Keeps Snooping, N.Y. Times (Nov. 10, 2019), https://tinyurl.com/yxd2sne5

VMware, Advisory VMSA-2020-0027.2 (Nov. 23, 2020), https://tinyurl.com/y2ofvx4c

Vulnerabilities Equities Policy and Process for the United States Government (Nov. 15, 2017), https://tinyurl.com/ycj6dzw3

What is Ransomware?, Kaspersky Lab, https://tinyurl.com/y6w5ecl6

What is Spyware?, Kaspersky Lab, https://tinyurl.com/y4h43vsy

INTERESTS OF AMICI CURIAE [1]

Private-sector companies like NSO Group Technologies Ltd. (“NSO”) are investing heavily in creating cyber-surveillance tools and selling “cyber-surveillance as a service” to foreign governments and other customers. These tools allow the user to track someone’s whereabouts, listen in on their conversations, read their texts and emails, look at their photographs, steal their contacts list, download their data, review their internet search history, and more. Foreign governments are then using those surveillance tools, bought on the open market, to spy on human rights activists, journalists, and others, including U.S. citizens. The Computer Fraud and Abuse Act and other U.S. laws make it illegal to access a computing device without proper authorization. See, e.g., 18 U.S.C. § 1030. Here, NSO seeks immunity from these laws through an expansion of the common law of foreign sovereign immunity to cover private companies’ actions on behalf of foreign-government customers.

[1] Pursuant to Federal Rule of Appellate Procedure 29(a)(4)(e), amici certify that no counsel for a party authored the brief in whole or in part, and no person or entity other than amici and their counsel made a monetary contribution intended to fund the preparation or submission of the brief. All parties consented to the filing of this brief.

The cyber-surveillance tools at issue here take significant time, investment, and research to develop, as they need to evade detection by the device being attacked (e.g., a phone or personal computer), as well as each and every application from which the tools wish to extract information. Collectively, amici offer products and services, and rely on systems, that may be targeted by malicious actors, both foreign and domestic. Amici accordingly work hard to design and develop secure products, services, and systems, and to protect them—and, more importantly, the people who use them—from intrusion. Their efforts make up part of the more than $120 billion spent on cybersecurity worldwide every year. These investments preserve the functionality of their products and services, but also serve to maintain customer trust and privacy.

• Microsoft Corporation (“Microsoft”) is a leading innovator in computer software and online services. Its mission: To help individuals and businesses throughout the world realize their full potential by transforming the way people work, play, and communicate. Microsoft develops, manufactures, licenses, and supports a wide range of programs in service of that mission, including the flagship Windows operating system, the Microsoft Office suite, the Surface tablet, and the Xbox gaming system. Microsoft also acts as a global cybersecurity advocate across the industry to ensure safer and more trusted computer experiences for everyone.

• Cisco Systems, Inc. (“Cisco”) is a worldwide leader in developing, implementing, and providing the technologies behind networking, communications, security, and information technology products and services. It develops and provides a broad range of networking products and services that enable seamless communication among individuals, businesses, public institutions, government agencies, and service providers. Cisco takes a security-first approach and has created a portfolio designed to prevent, detect, and remediate a cyber-attack and to integrate security across networking domains.

• GitHub, Inc. (“GitHub”) is the largest software code hosting and software development platform in the world. GitHub is committed to building the global platform for developer collaboration—one that everyone can use to secure the world’s software, together. GitHub helps developers stay ahead of security issues, leverage the community’s security expertise, and use open source securely. GitHub stands against hoarding and selling exploits and attack or surveillance tools. Such tools could be used not only to infiltrate GitHub, but the millions of developers and open source projects which rely on its platform, and the software supply chain which depends on them.

• Google LLC (“Google”) is a diversified technology company whose mission is to organize the world’s information and make it universally accessible and useful. Google offers a variety of online services, products, and platforms—including Search, Gmail, Maps, YouTube, Android, and Chrome, as well as enterprise-focused services such as Google Cloud Platform and G Suite—that are used by people and businesses throughout the United States and around the world.

• LinkedIn Corporation (“LinkedIn”) hosts a widely used social network, with over 720 million members worldwide and over 170 million members in the United States. LinkedIn’s mission is to connect the world’s professionals to enable them to be more productive and successful.

• VMware, Inc. (“VMware”) provides cloud computing and virtualization software and services and technologies to enable the development of applications in modern environments, as well as products and services designed to secure those environments.

• Internet Association (“IA”) represents the interests of leading internet companies and their customers, and it is the only trade association that exclusively represents such companies on matters of public policy. IA’s mission is to foster innovation, promote economic growth, and empower people through the free and open internet. A list of IA’s members is available at https://internetassociation.org/our-members/.

Amici have an interest in ensuring that entities who access their products, services, and systems in violation of U.S. law are held accountable in U.S. courts. More broadly, amici have an interest in decreasing systemic cybersecurity risk by helping to ensure that cyberspace is itself secure. In this brief, amici explain how immunizing uses of privately developed cyber-surveillance tools would dramatically increase systemic cybersecurity risk.

INTRODUCTION AND SUMMARY OF ARGUMENT

On June 27, 2017, the second-largest bank in Ukraine fell victim to a ransomware attack[2] that crippled 90 percent of the bank’s computers. The attack spread quickly throughout the country. At the nuclear power plant in Chernobyl—the site of the largest nuclear disaster in history—the computers that monitor radiation levels went down, forcing workers to conduct monitoring manually. ATMs stopped working. The post office was forced to shut down, followed by hospitals, power companies, and airports. According to the Ukrainian minister of infrastructure, as a result of the attack, “The government was dead.”

[2] “Ransomware is a malicious software that infects [a] computer and displays messages demanding a fee to be paid in order for [a] system to work again.” What is Ransomware?, Kaspersky Lab, https://tinyurl.com/y6w5ecl6.

But the attack did not stop at the Ukrainian border. Denmark-based Maersk, the largest shipping company in the world, lost use of its computers, servers, routers, and even desk phones for days, resulting in stranded container ships and closed ports across the globe. A Cadbury chocolate factory in Australia had to stop production. In the U.S., Pennsylvania hospitals had to cancel surgeries. Pharmaceutical giant Merck, which lost 30,000 computers and 7,500 servers to the attack, had to stop production of the Gardasil 9 vaccine for two weeks, and researchers reported losing years of research. All told, the attack—which came to be known as “NotPetya”—affected more than 60 countries and inflicted more than $10 billion in damage.[3] According to the United States government, it was “the most destructive and costly cyber-attack in history.” Statement from the Press Secretary, The White House (Feb. 15, 2018), https://tinyurl.com/y3fw6yea.

[3] The above narrative of NotPetya was sourced from the following articles: Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), https://tinyurl.com/y3o3pxq8 (hereinafter “Untold Story”); Nicole Perlroth et al., Cyberattack Hits Ukraine Then Spreads Internationally, N.Y. Times (June 27, 2017), https://tinyurl.com/ydco89o5; David Voreacos et al., Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War?, Bloomberg (Dec. 2, 2019), https://tinyurl.com/usklyf3.

Mounting an attack like NotPetya is a complex, expensive, and time-consuming undertaking. As noted above, see supra at 2, companies like Microsoft and other amici devote substantial time and resources to protecting their products, services, and systems from intrusion. Accordingly, someone who wishes to launch a cyberattack must figure out a way to access a device undetected—often by making use of what is known in cybersecurity parlance as a “zero-day vulnerability.”[4] By way of example, the NotPetya attack (eventually attributed to Russia) relied on a cyber-tool called “EternalBlue,” which made use of a vulnerability in the Windows operating system. See Untold Story, supra note 3. But Russia did not itself develop the technology employed in the attack. Russia seemingly obtained EternalBlue from an online leak by a “mysterious hacker group known as the Shadow Brokers”—but it has been widely accepted that the tool was actually created by the U.S. National Security Agency (NSA). Andy Greenberg, Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands, Wired (May 7, 2019), https://tinyurl.com/y2nrvkf2 (hereinafter “Strange Journey”); see also Scott Shane et al., Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core, N.Y. Times (Nov. 12, 2017), https://tinyurl.com/yc7zvxap. And the Shadow Brokers were not the only ones to steal this tool from the NSA; press reports indicate that China did as well, apparently by reverse-engineering it after they detected it deployed against them. See Strange Journey, supra at 7; see also Nicole Perlroth et al., How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks, N.Y. Times (May 6, 2019), https://tinyurl.com/yysm2c6a (hereinafter “Chinese Spies”).

[4] “[V]ulnerabilities are flaws or features in code that allow a third party to manipulate the [device] running [the code].” Trey Herr et al., Taking Stock: Estimating Vulnerability Rediscovery 3 (July 2017), https://tinyurl.com/y2udejph. “The term zero-day refers to the number of days a … vendor has known about the vulnerability.” Lillian Ablon & Andy Bogart, RAND Corporation, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits ix (2017), https://tinyurl.com/y27ssfau. Thus, a “zero-day vulnerability” is a “flaw in code that [the vendor] doesn’t know about.” Andy Greenberg, The Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands, Wired (May 7, 2019), https://tinyurl.com/y2nrvkf2.

No matter how damaging, the actions of the NSA in creating EternalBlue and Russia in using it would be protected from liability by long-standing principles of sovereign immunity. The risks posed by governments creating and using these tools themselves, however, are minimized considerably by the fact that only a handful of countries have the ability to independently create or use such tools. Moreover, the countries with such capabilities have internal processes to determine when it is worth the risk to the broader cybersecurity ecosystem (which they and their citizens also depend on) to do so.

But thanks to a nascent—and profitable—private industry that has sprung up to develop and then use powerful cyber-tools for foreign-government customers, these tools are much more widely available than they used to be. Accordingly, this Court must now decide whether to radically expand the risks these powerful tools pose by also immunizing private companies’ use of commercially developed cyber-surveillance tools when they act on behalf of their foreign-government customers. The NotPetya attack shows just how dangerous cyber-surveillance tools can be—in particular, how they can be repurposed to cause harms far beyond their intended uses (even if those uses are themselves appropriate). If the NSA—which has a technical capability advanced enough to create its own powerful cyber-surveillance tools and an equally advanced policy infrastructure designed to restrict the use of such tools only to appropriate cases—could not keep EternalBlue under control, what chance is there to keep these powerful tools from spiraling out of control if they are made and used indiscriminately by private companies on behalf of any government who is willing to pay for them?

Expanding foreign sovereign immunity to private companies that use their own cyber-surveillance tools at the behest of their numerous foreign-government customers would dramatically increase the creation and use of cyber-surveillance tools globally. In particular, it would place these tools in the hands of more governments, including governments likely to engage in riskier behaviors and at greater risk of losing control of such tools. As more companies develop these tools and more governments buy them, the risk that they will fall into the wrong hands increases exponentially and threatens all of us. This court should decline to extend foreign sovereign immunity to the use of cyber-surveillance tools by private companies at the behest of foreign government customers.

STATEMENT OF THE CASE

Defendants NSO and Q Cyber Technologies Ltd. (collectively, NSO) are Israeli corporations that develop, sell, and operate “surveillance technology or ‘spyware’ designed to intercept and extract information and communications from mobile phones and devices” for their foreign-government clients. ER 53, 66.[5] One of NSO’s products is “Pegasus,” a program “designed to be remotely installed and enable the remote access and control of information—including calls, messages, and location—on mobile devices.” ER 66. Until recently, Pegasus could be remotely installed through the WhatsApp app on a person’s mobile device: the program used vulnerabilities in WhatsApp’s code to “emulate legitimate … network traffic,” thereby “transmit[ting] malicious code—undetected.” ER 69. As a result, Pegasus could be installed on a device simply by calling that device—“even when the [user] did not answer the call.” Id.

[5] “Spyware is loosely defined as malicious software designed to enter your … device, gather data about you, and forward it to a third-party without your consent.” What is Spyware?, Kaspersky Lab, https://tinyurl.com/y4h43vsy.

Pegasus was installed in this manner on at least 1,400 mobile devices. ER 70.[6] WhatsApp and Facebook (which handles cybersecurity for WhatsApp) eventually identified and closed the vulnerabilities NSO had used. ER 63, 71. WhatsApp and Facebook then sued NSO in federal court, alleging NSO had gained unauthorized access to WhatsApp’s network and servers in violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and also state law. ER 71-74. NSO moved to dismiss, arguing it should be afforded foreign sovereign immunity because it accessed WhatsApp as an agent of its foreign-government customers. The district court denied NSO’s motion in relevant part, holding that, as a private company, NSO was not entitled to sovereign immunity. ER 9-15. NSO now appeals.

[6] For information about some of the targets, see, e.g., Vindu Goel & Nicole Perlroth, Spyware Maker NSO Promises Reform but Keeps Snooping, N.Y. Times (Nov. 10, 2019), https://tinyurl.com/yxd2sne5 (lawyers and human rights activists in India); Mehul Srivastava & Tom Wilson, Inside the WhatsApp hack: how an Israeli technology was used to spy, Financial Times (Oct. 29, 2019), https://tinyurl.com/y8zwkcl9 (political dissidents from Rwanda).

ARGUMENT

Allowing Companies Like NSO To Deploy Powerful Cyber-Surveillance Tools Across U.S. Systems Creates Large-Scale, Systemic Cybersecurity Risk.

Cyber-surveillance tools like NSO’s Pegasus are powerful, and dangerous. Such tools depend on vulnerabilities in code that allow one person to access another person’s device, network, or system. If those tools are misused, the results can be disastrous. Foreign governments may use the technology in problematic ways,[7] but beyond idiosyncratic misuse is a much greater systemic risk.

[7] NSO attempts to characterize its customers’ intended uses as appropriate. There is substantial reason to doubt this characterization. According to public reporting, foreign governments have used NSO’s tools to surveil a wide variety of private citizens, from journalists to human rights activists to supporters of a soda tax. See, e.g., Azam Ahmed, A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked., N.Y. Times (Nov. 27, 2018), https://tinyurl.com/y6zu8pth; Amnesty International Among Targets of NSO-powered Campaign, Amnesty International (Aug. 1, 2018), https://tinyurl.com/y5vg6chz; Bill Marczak et al., The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil, The Citizen Lab (Oct. 1, 2018), https://tinyurl.com/y9yyhaz3; John Scott-Railton et al., Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links, The Citizen Lab (Feb. 11, 2017), https://tinyurl.com/ya3tgrhr.

Widespread creation and deployment of these tools by private companies acting for profit dramatically increases the risk that these vulnerabilities will be obtained and exploited by malicious actors other than the