Case: 20-16408, 12/21/2020, ID: 11935084, DktEntry: 37, Page 1 of 39

No. 20-16408

IN THE
United States Court of Appeals for the Ninth Circuit

NSO GROUP TECHNOLOGIES LTD. ET AL.,
Defendants-Appellants,

v.

WHATSAPP INC. ET AL.,
Plaintiffs-Appellees.

On Appeal from the United States District Court for the Northern District of California
No. 4:19-cv-07123-PJH

BRIEF FOR AMICI CURIAE MICROSOFT CORP., CISCO SYSTEMS, INC., GITHUB, INC., GOOGLE LLC, LINKEDIN CORPORATION, VMWARE, INC., AND INTERNET ASSOCIATION IN SUPPORT OF PLAINTIFFS-APPELLEES

Michael Trinh
GOOGLE LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
(650) 253-0000
Counsel for Amicus Curiae Google LLC

Mark Parris
Carolyn Frantz
Paul Rugani
Alyssa Barnard-Yanni
ORRICK, HERRINGTON & SUTCLIFFE LLP
701 5th Ave., Ste. 5600
Seattle, WA 98104
(206) 839-4300
Counsel for Amici Curiae Microsoft Corp., Cisco Systems, Inc., GitHub, Inc., LinkedIn Corporation, VMware, Inc., and Internet Association

CORPORATE DISCLOSURE STATEMENT

Pursuant to Federal Rule of Appellate Procedure 26.1, counsel hereby state the following:

Amicus Microsoft Corporation (“Microsoft”) is a publicly held corporation. Microsoft does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus Cisco Systems, Inc. (“Cisco”) is a publicly held corporation. Cisco does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus GitHub, Inc. (“GitHub”) is a wholly owned subsidiary of Microsoft, a publicly held corporation. Microsoft does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus Google LLC (“Google”) is an indirect subsidiary of Alphabet Inc., a publicly held corporation. Alphabet Inc. does not have a parent corporation and no publicly held company owns 10% or more of its outstanding stock.

Amicus LinkedIn Corporation (“LinkedIn”) is a wholly owned subsidiary of Microsoft. Microsoft does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

Amicus VMware, Inc. (“VMware”) is majority-owned by a series of entities including VMW Holdco LLC, EMC Corporation, Dell Inc., Denali Intermediate Inc., and Dell Technologies Inc. The lone publicly held corporation directly or indirectly owning 10% or more of VMware is Dell Technologies Inc.

Amicus Internet Association (“IA”) is not a publicly held corporation. It does not have a parent corporation and no publicly held corporation holds 10% or more of its stock.

GOOGLE LLC
/s/Michael Trinh
Michael Trinh
Counsel for Amicus Google LLC

ORRICK, HERRINGTON & SUTCLIFFE LLP
/s/Mark Parris
Mark Parris
Counsel for Amici Curiae Microsoft Corp., Cisco Systems, Inc., GitHub, Inc., LinkedIn Corporation, VMware, Inc., and Internet Association

TABLE OF CONTENTS

CORPORATE DISCLOSURE STATEMENT
TABLE OF AUTHORITIES
INTERESTS OF AMICI CURIAE
INTRODUCTION AND SUMMARY OF ARGUMENT
STATEMENT OF THE CASE
ARGUMENT
Allowing Companies Like NSO To Deploy Powerful Cyber-Surveillance Tools Across U.S. Systems Creates Large-Scale, Systemic Cybersecurity Risk.
  A. Expanding immunity to private cyber-surveillance companies would greatly increase access to and use of cyber-surveillance tools.
    1. Expanding immunity would increase the number of governments and companies with access to these tools.
    2. Expanding immunity would also increase the use of dangerous cyber-surveillance tools.
  B. Increased access to and use of cyber-surveillance tools significantly raises systemic cybersecurity risk.
  C. These increased systemic risks would do extensive damage.
CONCLUSION
CERTIFICATE OF COMPLIANCE

TABLE OF AUTHORITIES

Statutes

Computer Fraud and Abuse Act, 18 U.S.C. § 1030

Federal Rule of Appellate Procedure 29(a)(4)(e)

Other Authorities

About Software Management and Patch Releases, Oracle Corporation, https://tinyurl.com/y5nvr7j8

Amnesty International Among Targets of NSO-powered Campaign, Amnesty International (Aug. 1, 2018), https://tinyurl.com/y5vg6chz

Andy Greenberg, Hacking Team Breach Shows a Global Spying Firm Run Amok, Wired (July 6, 2015), https://tinyurl.com/y2u5shjj

Andy Greenberg, New Dark-Web Market Is Selling Zero-Day Exploits to Hackers, Wired (Apr. 17, 2015), https://tinyurl.com/yyyk6n5w

Andy Greenberg, Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands, Wired (May 7, 2019), https://tinyurl.com/y2nrvkf2

Andy Greenberg, This Map Shows the Global Spread of Zero-Day Hacking Techniques, Wired (April 6, 2020), https://tinyurl.com/tc8kwg9

Andy Greenberg, Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw at the Same Time, Wired (Jan. 7, 2018), https://tinyurl.com/ydbdjfp7

Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), https://tinyurl.com/y3o3pxq8

Azam Ahmed, A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked., N.Y. Times (Nov. 27, 2018), https://tinyurl.com/y6zu8pth

Bill Marczak & John Scott-Railton, The Citizen Lab, The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender 5 (Aug. 24, 2016), https://tinyurl.com/y3uvmlev

Bill Marczak et al., The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil, The Citizen Lab (Oct. 1, 2018), https://tinyurl.com/y9yyhaz3

Christopher Bing & Joel Schectman, Inside the UAE’s Secret Hacking Team of American Mercenaries: Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy—dissidents, rival leaders and journalists, Reuters (Jan. 30, 2019), https://tinyurl.com/y9qnsbs4

Communications Security Establishment, CSE’s Equities Management Framework (Mar. 11, 2019), https://tinyurl.com/y3mj3p97

David Murphy, This New Android Malware Can Survive a Factory Reset, LifeHacker (Oct. 30, 2019), https://tinyurl.com/yxwjut25

David Voreacos et al., Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War?, Bloomberg (Dec. 2, 2019), https://tinyurl.com/usklyf3

How Google handles security vulnerabilities, Google LLC, https://tinyurl.com/lxspq7v

How to detect spyware to safeguard your privacy?, Kaspersky Lab, https://tinyurl.com/y679odja

Ian Levy, National Cyber Security Centre, Equities process: Publication of the UK’s process for how we handle vulnerabilities (Nov. 29, 2018), https://tinyurl.com/y4x5eeft

John Scott-Railton et al., Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links, The Citizen Lab (Feb. 11, 2017), https://tinyurl.com/ya3tgrhr

Kathleen Metrick et al., Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill, FireEye (Apr. 6, 2020), https://tinyurl.com/qrxk2vk

Keith Breene, Who are the cyberwar superpowers?, World Economic Forum (May 4, 2016), https://tinyurl.com/y359xprj

Kelly Jackson Higgins, Unpatched Vulnerabilities the Source of Most Data Breaches, Dark Reading (April 5, 2018), https://tinyurl.com/y4xat346

Lance Whitney, How to handle the public disclosure of bugs and security vulnerabilities, TechRepublic (Sept. 19, 2019), https://tinyurl.com/y3vupgfx

Lillian Ablon & Andy Bogart, RAND Corporation, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (2017), https://tinyurl.com/y27ssfau

Lorenzo Franceschi-Bicchierai, The Vigilante Who Hacked Hacking Team Explains How He Did It, Vice (Apr. 15, 2016), https://tinyurl.com/y284rpou

Mark Mazzetti et al., A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments, N.Y. Times (Mar. 21, 2019), https://tinyurl.com/y39pzhtc

Mehul Srivastava & Tom Wilson, Inside the WhatsApp hack: how an Israeli technology was used to spy, Financial Times (Oct. 29, 2019), https://tinyurl.com/y8zwkcl9

Microsoft’s Approach to Coordinated Vulnerability Disclosure, Microsoft Corporation, https://tinyurl.com/y8snnzda

Nicole Perlroth & David E. Sanger, Nations Buying as Hackers Sell Flaws in Computer Code, N.Y. Times (July 13, 2013), https://tinyurl.com/yypwwa8c

Nicole Perlroth et al., Cyberattack Hits Ukraine Then Spreads Internationally, N.Y. Times (June 27, 2017), https://tinyurl.com/ydco89o5

Nicole Perlroth et al., How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks, N.Y. Times (May 6, 2019), https://tinyurl.com/yysm2c6a

Patrick Howell O’Neill, The Lucrative Government Spyware Industry Has a New ‘One-Stop-Shop’ for Hacking Everything, Gizmodo (Feb. 15, 2019), https://tinyurl.com/yxwwuktz

Priscilla Moriuchi & Bill Ladd, China’s Ministry of State Security Likely Influences National Network Vulnerability Publications (2017), https://tinyurl.com/y32rn83m

Scott Shane et al., Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core, N.Y. Times (Nov. 12, 2017), https://tinyurl.com/yc7zvxap

Scott Steadman, The Covert Reach of NSO Group, Forensic News (Apr. 29, 2020), https://tinyurl.com/y4vsrbh2

Statement from the Press Secretary, The White House (Feb. 15, 2018), https://tinyurl.com/y3fw6yea

Trey Herr et al., Taking Stock: Estimating Vulnerability Rediscovery (July 2017), https://tinyurl.com/y2udejph

U.S. Department of State, State Sponsors of Terrorism, https://tinyurl.com/y3vtudya

Vindu Goel & Nicole Perlroth, Spyware Maker NSO Promises Reform but Keeps Snooping, N.Y. Times (Nov. 10, 2019), https://tinyurl.com/yxd2sne5

VMware, Advisory VMSA-2020-0027.2 (Nov. 23, 2020), https://tinyurl.com/y2ofvx4c

Vulnerabilities Equities Policy and Process for the United States Government (Nov. 15, 2017), https://tinyurl.com/ycj6dzw3

What is Ransomware?, Kaspersky Lab, https://tinyurl.com/y6w5ecl6

What is Spyware?, Kaspersky Lab, https://tinyurl.com/y4h43vsy

INTERESTS OF AMICI CURIAE¹

Private-sector companies like NSO Group Technologies Ltd. (“NSO”) are investing heavily in creating cyber-surveillance tools and selling “cyber-surveillance as a service” to foreign governments and other customers. These tools allow the user to track someone’s whereabouts, listen in on their conversations, read their texts and emails, look at their photographs, steal their contacts list, download their data, review their internet search history, and more. Foreign governments are then using those surveillance tools, bought on the open market, to spy on human rights activists, journalists, and others, including U.S. citizens. The Computer Fraud and Abuse Act and other U.S. laws make it illegal to access a computing device without proper authorization. See, e.g., 18 U.S.C. § 1030. Here, NSO seeks immunity from these laws through an expansion of the common law of foreign sovereign immunity to cover private companies’ actions on behalf of foreign-government customers.

¹ Pursuant to Federal Rule of Appellate Procedure 29(a)(4)(e), amici certify that no counsel for a party authored the brief in whole or in part, and no person or entity other than amici and their counsel made a monetary contribution intended to fund the preparation or submission of the brief. All parties consented to the filing of this brief.

The cyber-surveillance tools at issue here take significant time, investment, and research to develop, as they need to evade detection by the device being attacked (e.g., a phone or personal computer), as well as each and every application from which the tools wish to extract information. Collectively, amici offer products and services, and rely on systems, that may be targeted by malicious actors, both foreign and domestic. Amici accordingly work hard to design and develop secure products, services, and systems, and to protect them—and, more importantly, the people who use them—from intrusion. Their efforts make up part of the more than $120 billion spent on cybersecurity worldwide every year. These investments preserve the functionality of their products and services, but also serve to maintain customer trust and privacy.

• Microsoft Corporation (“Microsoft”) is a leading innovator in computer software and online services. Its mission: To help individuals and businesses throughout the world realize their full potential by transforming the way people work, play, and communicate. Microsoft develops, manufactures, licenses, and supports a wide range of programs in service of that mission, including the flagship Windows operating system, the Microsoft Office suite, the Surface tablet, and the Xbox gaming system. Microsoft also acts as a global cybersecurity advocate across the industry to ensure safer and more trusted computer experiences for everyone.

• Cisco Systems, Inc. (“Cisco”) is a worldwide leader in developing, implementing, and providing the technologies behind networking, communications, security, and information technology products and services. It develops and provides a broad range of networking products and services that enable seamless communication among individuals, businesses, public institutions, government agencies, and service providers. Cisco takes a security-first approach and has created a portfolio designed to prevent, detect, and remediate a cyber-attack and to integrate security across networking domains.

• GitHub, Inc. (“GitHub”) is the largest software code hosting and software development platform in the world. GitHub is committed to building the global platform for developer collaboration—one that everyone can use to secure the world’s software, together. GitHub helps developers stay ahead of security issues, leverage the community’s security expertise, and use open source securely. GitHub stands against hoarding and selling exploits and attack or surveillance tools. Such tools could be used not only to infiltrate GitHub, but the millions of developers and open source projects which rely on its platform, and the software supply chain which depends on them.

• Google LLC (“Google”) is a diversified technology company whose mission is to organize the world’s information and make it universally accessible and useful. Google offers a variety of online services, products, and platforms—including Search, Gmail, Maps, YouTube, Android, and Chrome, as well as enterprise-focused services such as Google Cloud Platform and G Suite—that are used by people and businesses throughout the United States and around the world.

• LinkedIn Corporation (“LinkedIn”) hosts a widely used social network, with over 720 million members worldwide and over 170 million members in the United States. LinkedIn’s mission is to connect the world’s professionals to enable them to be more productive and successful.

• VMware, Inc. (“VMware”) provides cloud computing and virtualization software and services and technologies to enable the development of applications in modern environments, as well as products and services designed to secure those environments.

• Internet Association (“IA”) represents the interests of leading internet companies and their customers, and it is the only trade association that exclusively represents such companies on matters of public policy. IA’s mission is to foster innovation, promote economic growth, and empower people through the free and open internet. A list of IA’s members is available at https://internetassociation.org/our-members/.

Amici have an interest in ensuring that entities who access their products, services, and systems in violation of U.S. law are held accountable in U.S. courts. More broadly, amici have an interest in decreasing systemic cybersecurity risk by helping to ensure that cyberspace is itself secure. In this brief, amici explain how immunizing uses of privately developed cyber-surveillance tools would dramatically increase systemic cybersecurity risk.

INTRODUCTION AND SUMMARY OF ARGUMENT

On June 27, 2017, the second-largest bank in Ukraine fell victim to a ransomware attack² that crippled 90 percent of the bank’s computers. The attack spread quickly throughout the country. At the nuclear power plant in Chernobyl—the site of the largest nuclear disaster in history—the computers that monitor radiation levels went down, forcing workers to conduct monitoring manually. ATMs stopped working. The post office was forced to shut down, followed by hospitals, power companies, and airports. According to the Ukrainian minister of infrastructure, as a result of the attack, “The government was dead.”

² “Ransomware is a malicious software that infects [a] computer and displays messages demanding a fee to be paid in order for [a] system to work again.” What is Ransomware?, Kaspersky Lab, https://tinyurl.com/y6w5ecl6.

But the attack did not stop at the Ukrainian border. Denmark-based Maersk, the largest shipping company in the world, lost use of its computers, servers, routers, and even desk phones for days, resulting in stranded container ships and closed ports across the globe. A Cadbury chocolate factory in Australia had to stop production. In the U.S., Pennsylvania hospitals had to cancel surgeries. Pharmaceutical giant Merck, which lost 30,000 computers and 7,500 servers to the attack, had to stop production of the Gardasil 9 vaccine for two weeks, and researchers reported losing years of research. All told, the attack—which came to be known as “NotPetya”—affected more than 60 countries and inflicted more than $10 billion in damage.³ According to the United States government, it was “the most destructive and costly cyber-attack in history.” Statement from the Press Secretary, The White House (Feb. 15, 2018), https://tinyurl.com/y3fw6yea.

³ The above narrative of NotPetya was sourced from the following articles: Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), https://tinyurl.com/y3o3pxq8 (hereinafter “Untold Story”); Nicole Perlroth et al., Cyberattack Hits Ukraine Then Spreads Internationally, N.Y. Times (June 27, 2017), https://tinyurl.com/ydco89o5; David Voreacos et al., Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War?, Bloomberg (Dec. 2, 2019), https://tinyurl.com/usklyf3.

Mounting an attack like NotPetya is a complex, expensive, and time-consuming undertaking. As noted above, see supra at 2, companies like Microsoft and other amici devote substantial time and resources to protecting their products, services, and systems from intrusion. Accordingly, someone who wishes to launch a cyberattack must figure out a way to access a device undetected—often by making use of what is known in cybersecurity parlance as a “zero-day vulnerability.”⁴ By way of example, the NotPetya attack (eventually attributed to Russia) relied on a cyber-tool called “EternalBlue,” which made use of a vulnerability in the Windows operating system. See Untold Story, supra note 3. But Russia did not itself develop the technology employed in the attack. Russia seemingly obtained EternalBlue from an online leak by a “mysterious hacker group known as the Shadow Brokers”—but it has been widely accepted that the tool was actually created by the U.S. National Security Agency (NSA). Andy Greenberg, Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands, Wired (May 7, 2019), https://tinyurl.com/y2nrvkf2 (hereinafter “Strange Journey”); see also Scott Shane et al., Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core, N.Y. Times (Nov. 12, 2017), https://tinyurl.com/yc7zvxap. And the Shadow Brokers were not the only ones to steal this tool from the NSA; press reports indicate that China did as well, apparently by reverse-engineering it after they detected it deployed against them. See Strange Journey, supra at 7; see also Nicole Perlroth et al., How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks, N.Y. Times (May 6, 2019), https://tinyurl.com/yysm2c6a (hereinafter “Chinese Spies”).

⁴ “[V]ulnerabilities are flaws or features in code that allow a third party to manipulate the [device] running [the code].” Trey Herr et al., Taking Stock: Estimating Vulnerability Rediscovery 3 (July 2017), https://tinyurl.com/y2udejph. “The term zero-day refers to the number of days a … vendor has known about the vulnerability.” Lillian Ablon & Andy Bogart, RAND Corporation, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits ix (2017), https://tinyurl.com/y27ssfau. Thus, a “zero-day vulnerability” is a “flaw in code that [the vendor] doesn’t know about.” Andy Greenberg, The Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands, Wired (May 7, 2019), https://tinyurl.com/y2nrvkf2.

No matter how damaging, the actions of the NSA in creating EternalBlue and Russia in using it would be protected from liability by long-standing principles of sovereign immunity. The risks posed by governments creating and using these tools themselves, however, are minimized considerably by the fact that only a handful of countries have the ability to independently create or use such tools. Moreover, the countries with such capabilities have internal processes to determine when it is worth the risk to the broader cybersecurity ecosystem (which they and their citizens also depend on) to do so.

But thanks to a nascent—and profitable—private industry that has sprung up to develop and then use powerful cyber-tools for foreign-government customers, these tools are much more widely available than they used to be. Accordingly, this Court must now decide whether to radically expand the risks these powerful tools pose by also immunizing private companies’ use of commercially developed cyber-surveillance tools when they act on behalf of their foreign-government customers. The NotPetya attack shows just how dangerous cyber-surveillance tools can be—in particular, how they can be repurposed to cause harms far beyond their intended uses (even if those uses are themselves appropriate). If the NSA—which has a technical capability advanced enough to create its own powerful cyber-surveillance tools and an equally advanced policy infrastructure designed to restrict the use of such tools only to appropriate cases—could not keep EternalBlue under control, what chance is there to keep these powerful tools from spiraling out of control if they are made and used indiscriminately by private companies on behalf of any government who is willing to pay for them?

Expanding foreign sovereign immunity to private companies that use their own cyber-surveillance tools at the behest of their numerous foreign-government customers would dramatically increase the creation and use of cyber-surveillance tools globally. In particular, it would place these tools in the hands of more governments, including governments likely to engage in riskier behaviors and at greater risk of losing control of such tools. As more companies develop these tools and more governments buy them, the risk that they will fall into the wrong hands increases exponentially and threatens all of us. This court should decline to extend foreign sovereign immunity to the use of cyber-surveillance tools by private companies at the behest of foreign government customers.

STATEMENT OF THE CASE

Defendants NSO and Q Cyber Technologies Ltd. (collectively, NSO) are Israeli corporations that develop, sell, and operate “surveillance technology or ‘spyware’ designed to intercept and extract information and communications from mobile phones and devices” for their foreign-government clients. ER 53, 66.⁵ One of NSO’s products is “Pegasus,” a program “designed to be remotely installed and enable the remote access and control of information—including calls, messages, and location—on mobile devices.” ER 66. Until recently, Pegasus could be remotely installed through the WhatsApp app on a person’s mobile device: the program used vulnerabilities in WhatsApp’s code to “emulate legitimate … network traffic,” thereby “transmit[ting] malicious code—undetected.” ER 69. As a result, Pegasus could be installed on a device simply by calling that device—“even when the [user] did not answer the call.” Id.

⁵ “Spyware is loosely defined as malicious software designed to enter your … device, gather data about you, and forward it to a third-party without your consent.” What is Spyware?, Kaspersky Lab, https://tinyurl.com/y4h43vsy.

Pegasus was installed in this manner on at least 1,400 mobile devices. ER 70.⁶ WhatsApp and Facebook (which handles cybersecurity for WhatsApp) eventually identified and closed the vulnerabilities NSO had used. ER 63, 71. WhatsApp and Facebook then sued NSO in federal court, alleging NSO had gained unauthorized access to WhatsApp’s network and servers in violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and also state law. ER 71-74. NSO moved to dismiss, arguing it should be afforded foreign sovereign immunity because it accessed WhatsApp as an agent of its foreign-government customers. The district court denied NSO’s motion in relevant part, holding that, as a private company, NSO was not entitled to sovereign immunity. ER 9-15. NSO now appeals.

⁶ For information about some of the targets, see, e.g., Vindu Goel & Nicole Perlroth, Spyware Maker NSO Promises Reform but Keeps Snooping, N.Y. Times (Nov. 10, 2019), https://tinyurl.com/yxd2sne5 (lawyers and human rights activists in India); Mehul Srivastava & Tom Wilson, Inside the WhatsApp hack: how an Israeli technology was used to spy, Financial Times (Oct. 29, 2019), https://tinyurl.com/y8zwkcl9 (political dissidents from Rwanda).

ARGUMENT

Allowing Companies Like NSO To Deploy Powerful Cyber-Surveillance Tools Across U.S. Systems Creates Large-Scale, Systemic Cybersecurity Risk.

Cyber-surveillance tools like NSO’s Pegasus are powerful, and dangerous. Such tools depend on vulnerabilities in code that allow one person to access another person’s device, network, or system. If those tools are misused, the results can be disastrous. Foreign governments may use the technology in problematic ways,⁷ but beyond idiosyncratic misuse is a much greater systemic risk. Widespread creation and deployment of these tools by private companies acting for profit dramatically increases the risk that these vulnerabilities will be obtained and exploited by malicious actors other than the

⁷ NSO attempts to characterize its customers’ intended uses as appropriate. There is substantial reason to doubt this characterization. According to public reporting, foreign governments have used NSO’s tools to surveil a wide variety of private citizens, from journalists to human rights activists to supporters of a soda tax. See, e.g., Azam Ahmed, A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked., N.Y. Times (Nov. 27, 2018), https://tinyurl.com/y6zu8pth; Amnesty International Among Targets of NSO-powered Campaign, Amnesty International (Aug. 1, 2018), https://tinyurl.com/y5vg6chz; Bill Marczak et al., The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil, The Citizen Lab (Oct. 1, 2018), https://tinyurl.com/y9yyhaz3; John Scott-Railton et al., Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links, The Citizen Lab (Feb. 11, 2017), https://tinyurl.com/ya3tgrhr.
