They are just using the EULA as the basis for claiming jurisdiction. They are actually suing not to stop reverse engineering but rather to recover damages incurred by unlawful business practices. Basically their argument is that:
0) The defendants can be sued under California law because they accepted the EULA.
1) California law makes businesses liable for damages incurred by their unlawful business practices.
2) Business practices which violate any California or federal law are unlawful business practices in California.
3) The defendant violated the federal Computer Fraud and Abuse Act by hacking into users' phones.
4) Apple incurred damages to their reputation and from expenses related to mitigating the hacking of their users.
5) Therefore the defendant is liable for Apple's damages under California law.
So the defendant could have been fine if they had just done reverse engineering, or even if they had developed the hacking tools, but actually using the tools against Apple's users in violation of the CFAA was going too far.
> 4) Apple incurred damages […] from expenses related to mitigating the hacking of their users.
This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway. Put another way, that also sounds like the corporate open source push, "We love open source because we don't have to support it, the community will!"
"4)" says the community will pay for/support security, just wait for the hack and make 'em clean it up. Mitigation costs shouldn't be a recoverable damage, they should be doubled and paid out to the victims...maybe that'll incentivise better security over dollar dollar bills y'all.
This may all be moot because this was a B2B action and I'm thinking from a non-monied, single user/security researcher perspective. What if the company was a non-profit security research group? Perhaps this is what the 90-day grace periods are for when dealing with responsible disclosure?
Anyhow, my ignorance must be showing at this point.
"60. Defendants force Apple to engage in a continual arms race: Even as Apple develops solutions and enhances the security of its devices, Defendants are constantly updating their malware and exploits to overcome Apple’s own security upgrades.
61. These constant recovery and prevention efforts require significant resources and impose huge costs on Apple. Defendants’ unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000 and in an amount to be proven at trial."
Hopefully the judgement is able to split the hairs between reputational and development harm to a company for security vulnerabilities, and harm to users for organized exploitation of those vulnerabilities.
The former feels like it should be free speech -- statement of facts related to the company's product(s). The latter is an obvious wrong.
> I don't know of any legitimate security research group that hacks user accounts they don't own.
nit: "user accounts to which they're not authorized"
I work with friends' accounts all the time provided they authorized me to do so and provided I'm permitted to do so as part of the vuln disclosure program terms and rules of engagement, though I usually split the bounty with them in a meaningful way to make it worth their while.
I know of several cases of reverse engineering of a bunch of hardware where the hardware is only available to a very limited subset of professionals. To gain access you either need to join that class and break the terms under which the devices are provided, get someone else to break the terms they agreed to or to steal a device (which for obvious reasons is at a somewhat different level than breach of terms and conditions). It is pretty clear that these restrictions exist to avoid reverse engineering of a - trivial - protection that makes making compatible products impossible, and which in turn protects a non-trivial revenue stream.
Apple is not really all that different. If they believe that suing to prevent reverse engineering is going to stop the bad guys they are delusional, I suspect that they are fully aware of this and are engaging in a very expensive bit of theater here: the NSO Group is not going to be overly impressed by this, whether they win or lose the case. If they lose they will be open to a damage claim, which in turn will have to be enforced through a court in a different country, if they win Apple will lose far more than just this case, they will lose the battle against everybody that wishes to engage in reverse engineering.
Another thing I suspect is that Apple is either very much concerned about the image/reputation damage, their supposedly highly secure platform/environment appears to be less secure than Apple wanted you to believe and a click-through EULA is not going to impress a law breaking entity, they probably should have anticipated that. And Apple may believe that other law breaking entities are going to stop doing their thing if they win this lawsuit, I'm a bit more pessimistic about that. Legal action is not a good way to recover from a technical failure, Apple needs to update their threat model and act accordingly.
>This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway.
No, read again, this only refers to damages from unlawful activity. "White hat hackers" need not fear.
I wouldn't be so sure about that. The difference between white hat and black hat is usually only determined once the destination of the results of the activity is known. Plenty of bug bounty programs appear to be one element in the marketplace for valuing an exploit. If the bounty isn't high enough your 'white hat' may well change the color of their hat.
>> They are just using the EULA as the basis for claiming jurisdiction.
IANAL but it's always seemed to me that if I reject the terms of a EULA then the EULA doesn't apply to me. Pushing the "button" does not mean anything because only the EULA gives it meaning and I reject that.
50 years from now if someone is doing software archaeology and they go to install some software from a long gone company, who does clicking the button form an agreement with? Will it be legal to try that software? Can existing software companies list people they have click-through agreements with? These things seem like a bad joke in practical terms.
US contract law jurisprudence doesn't really seem to support you here.
> The mental assent of the parties is not requisite for the formation of a contract. If the words or other acts of one of the parties have but one reasonable meaning, his undisclosed intention is immaterial except when an unreasonable meaning which he attaches to his manifestations is known to the other party.
Well (IANAL) but if you want to get into contract law, my understanding is that a contract requires acknowledgement from both parties. It's not really fair to say "the functioning of the software is acknowledgement" when the company granting that permission has no record of it. Ask a CEO on the stand if his company has any binding agreements with the judge.
>Zehmer wrote on the back of the restaurant's receipt stating, "We hereby agree to sell to W. O. Lucy the Ferguson Farm complete for $50,000.00, title satisfactory to buyer". The note was signed by Zehmer and his wife.
> 50 years from now if someone is doing software archaeology and they go to install some software from a long gone company, who does clicking the button form an agreement with? Will it be legal to try that software? Can existing software companies list people they have click-through agreements with? These things seem like a bad joke in practical terms.
I mean, this seems pretty easily addressed:
I can't sign a contract with a dead company, can I? Well, literally I can, but the agreement wouldn't be binding.
Same applies here. Unless the entity still exists, in which case congratulations, you're in a binding agreement lol
Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software. Big Co. may not agree to the terms of the old license.
Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?
What if there are no heirs, so the assets go to the government? Do you now have a contract with the government? I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.
I like how suddenly the intense legal minutiae are the most important details of a system, as if we're in a contract law class, as opposed to the obvious point that in general these agreements are fairly obvious.
What happens to contractual obligations when companies are acquired or dissolved is a matter that is settled law. It has been well thought out and is probably in scope for literally dozens of legal cases a day.
Just because something is new to you, doesn't mean that professionals that deal with this every day have never thought about it.
(The actual answer depends on the State, entity type, if it was dissolved or suspended, if a bankruptcy is involved, etc. and you should just consult a contracts lawyer)
Edge cases aren't consequences; they're trivia. And at the end of the day, our legal system is governed by humans who interpret and argue. Until humans are perfect, we'll never write a perfect law.
> Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software
That's right, that's what they sold.
> Big Co. may not agree to the terms of the old license.
Then I guess maybe they shouldn't have bought it.
> Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?
Yes. They inherited the deceased's assets.
> What if there are no heirs, so the assets go to the government? Do you now have a contract with the government?
You'd probably have to ask an estate planning attorney about the specifics of this, but so what if you did?
> I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.
So if I sell you a magic rock under a contract stating that so long as you are in possession of said rock I have legal authority to monitor your household to make sure you don't misuse the rock for evil, and you die and your heir comes into possession of the rock, I now have a contract with your heir? I can go set up cameras in their house and invade their privacy just because you wanted a magic rock? That doesn't seem right?
Contract law isn't absolutist like that, and it can't bind both parties in a way that's unreasonable or contrary to certain basic rights-related laws.
That's why you can't contract yourself into slavery.
What'll happen in cases like that is that it'll be litigated, interpreted, and either amended through a settlement agreement or annulled.
As others have said, the law isn't a programming language. It's a human system that, while being rigorous, strict, structured, and binding for the most part, is nonetheless capable by design of nuance and interpretation within known and constrained bounds.
It sounds like that contract is a liability. Not a lawyer, but I don't think that liabilities are inherited the same way. Most likely if you wanted to do this, you would structure it as a rental agreement and get the rock back.
>0) The defendants can be sued under California law because they accepted the EULA
> The Court has personal jurisdiction over Defendants because, on information and belief, they created more than one hundred Apple IDs to carry out their attacks and also agreed to Apple’s iCloud Terms and Conditions (“iCloud Terms”), including a mandatory and enforceable forum selection and exclusive jurisdiction clause that constitutes express consent to the jurisdiction of this Court.
I'm not a legal expert but shouldn't that be stupidly easy to deny?
Judge: Did you, NSO, agree to the Terms and Conditions by pressing "I Agree"?
NSO representative: No, Your Honor.
Apple Lawyer: Then how did you gain access to my client's services?
NSO Rep: A totally unrelated third party gave us 100 unlocked iPhones as a free gift. We never saw the terms and conditions, nor agreed to them. We can fully prove our claims. [edit: (fully proves his claims)]
Apple Lawyer: (spluttering) but... but... but...
Judge: (bangs gavel) case dismissed!
This is assuming NSO were far-sighted enough to actually create such a paper trail. Also, since Apple is disputing more than 100 accounts, maybe such a defence would be ruled as improbable, or some other legal jargon. Maybe someone better informed can chip in.
Nerds always want to interpret the law in some strict pedantic fashion, but in practice this is almost never how it works. Law is not applied stupidly or mechanically, you can't fashion yourself some ad hoc workaround unless you're extremely certain about what you're doing, preferably with a mountain of precedent behind you.
How does that seem pedantic? It's incredibly straightforward.
On the other hand, creating some kind of convoluted, contrived paper trail to claim that mysterious third parties were the ones to have physically pressed the "Accept" button on your 100 fake accounts and so you didn't even know there was a EULA seems kind of like it might actually be fraud.
In addition, it doesn't survive past the moment it is discussed in court documents, at which point NSO are screwed if they ever pull the same shit again.
A full paper trail would also necessarily disclose the entity that provided those devices, which they may well be loath to do (since it either drags in a related company, who Apple can then also target, or embarrasses a third party who would rather remain nameless).
However, in practice, a technology engineering firm claiming to have no knowledge of the licensing that applies to the devices in which they also claim expertise, is such a far-fetched statement that it's almost trivially set aside, and earns a rebuke from the bench to boot.
I don’t see how this differs much from a common “clean room” reverse engineering strategy where one set of engineers accepts the eula and then writes down in excruciating detail exactly how the target item works, then a second set of engineers that have never seen the item in question (or accepted a eula) takes these detailed writings and uses them to reverse engineer the item in question. (A mere description of a device or software is not protected)
This is standard practice at large companies when reverse engineering chips, devices and software and seems very similar to the above eula argument.
1a. one team examines the device and produces a detailed specification of it
1b. another team works solely off that newly produced specification; this team has zero contact with the actual device
In this hypothetical case:
2a. a third party affiliate accepts the Apple EULA, and gives the Apple IDs to NSO Group
2b. NSO Group uses the Apple IDs as credentials to obtain Apple services
Notice that in case 2b, NSO Group has actual contact with Apple in two ways. They used Apple IDs, and that they obtain Apple services. This didn't happen in the reverse engineering case.
Wouldn't there be an article in the EULA that states if you use an Apple device, regardless of clicking buttons, you automatically consent to the ToS? Or is that not how the law works ...?
Yes, American companies love to stack the deck against their users when it comes to selecting venue, but at the same time balk when the EU requires that they have an EU anchor to allow legal enforcement.
Speaking as someone who’s been on the unfortunate wrong end of it, the law is applied stupidly and mechanically. All the time. That’s the default. The judge will go to great pains to super pedantically apply the rule of the law, regardless of common sense and believe it or not in most cases also regardless of common sense.
As it should be. It doesn't always work well for all circumstances, but we don't have a better system.
Irrespective of your personal experience, the law is nevertheless still not a programming language, thankfully.
However, "common sense" is also not how it works, so sure, when people rely on what they expect "common sense" to mean, then they too get screwed (the meaning of "common sense" after all varying dramatically from person to person).
Law has its own principles, philosophy, and practices, that's all. And judges, especially senior judges, do not like it one iota when folks try to circumvent the meaning, substance, and purpose of these elements.
This isn't the case everywhere. In some countries it is the intent of the law that matters, in others it is the letter of the law, in some a mix of both.
Nerds always want the law to be consistent. Lawyers are Machiavellian professionals trained in getting it to say "heads I win tails you lose" for their clients, and often succeed.
That doesn't mean the nerds are wrong to want what they want.
No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms. They expect it to be some sort of API spec that can be mechanically manipulated. Their own efforts at such intellectual mechanics are nothing but a trail of tears and failure, with bug after bug making a mockery of any claim they have about the benefits of such a system. Law has had millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people; coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions? Hard pass.
> No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms.
People have a pretty good idea of its mechanisms.
Powerful people break laws that are clear enough and then don't go to jail because of "prosecutorial discretion" or Johnnie Cochran or retroactive telecoms immunity for illegal mass surveillance.
Powerless people break laws that are ambiguous, or most people don't even know exist, or people know exist but they're only enforced against the nameless and poor, and the US has the largest prison population in the world.
This outcome is your great victory for "millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people"?
> trail of tears
Really?
> coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions?
We already have code running when it comes to actual life and death decisions. There is code running in aircraft and heart bypass machines, and it works, because then people care that it works. Nobody cares enough that some ad tracking code is perfectly reliable and efficient, so it isn't.
You're also asking for a double standard. The OpenBSD people do a nice job on OpenSSH. It's pretty good, not perfect. There have been vulnerabilities in even that. Then they get patched.
But you can't possibly be claiming that there are no "vulnerabilities" in the law. If that was the case then why do they have to keep passing new ones every year? The ask isn't that it never change, it's that it be changed by the legislature prospectively instead of being in a constant state of superposition until it's resolved by a court ex post facto.
That is why they included an alternative count of unjust enrichment. In case the defense proves they never agreed to the user/license agreement, they will have also proven that they obtained Apple's software and accessed Apple's services without a license and used them for their own profit and to Apple's detriment, thereby unjustly enriching themselves.
The burden of proof should fall on Apple in an ideal world. Maybe a court ruling that one stupid checkbox at the end of a digital 10,000 word document isn't sufficient proof might be a good idea?
> The burden of proof should fall on Apple in an ideal world
It does, but it's not an element of a crime being proven, so the burden isn't “beyond a reasonable doubt”, but (as for most things in a civil case, though sometimes other standards apply) “preponderance of the evidence”, for which you need to convince the court that, based on the evidence provided, the facts you need are more likely than not to be true.
It does, but this is what the discovery process is for. If NSO wants to claim that they somehow got these accounts without agreeing to the EULA process themselves, Apple is going to request and the judge is going to approve a discovery request for NSO to turn over every record they have related to the accounts, when and how they were obtained, and who obtained them for NSO. If NSO wants to pretend that they have no such records, didn’t get the accounts themselves, and don’t know what third party obtained them, they’re going to get a very skeptical response from the judge, and they’re probably going to have to send a bunch of employees to go make statements that in addition to not having any records, none of them remember how this happened either. That’s probably the point at which Apple reveals that really they know via IP addresses or geolocation or something that all of the accounts were registered in an office building occupied by NSO, and then NSO gets sanctioned to hell and a bunch of employees are revealed to have lied in their testimony. That’s an absolute nightmare scenario for NSO.
When they say "No your honor" they would then have a charge of perjury added to the other charges. The apple lawyer doesn't say "Then how did you gain access to my client's services?" (because litigation 101 teaches you never ask a question you don't know the answer to).
...the lawyer enters into evidence the logs showing you accepting the EULA.
> Judge: Did you, NSO, agree to the Terms and Conditions by pressing "I Agree"?
> NSO representative: No, Your Honor.
IANAL, but the general understanding is: "Ignorance is not a defence". If your legal advisors did not flag this up then I think you are probably entitled to ask for your money back when Apple kicks your butt.
If we are all quibbling over the wording used in a hypothetical case, then I wonder what's going to happen when the lawyers get going with the real one.
I think that a much stronger argument here goes like this.
A developer accepted those terms of services. That developer is not authorized to accept contracts / deals for the company as a whole.
The issue here is that a single employee (which may carry out an unauthorized action) is unlikely to create a binding contract for a company.
Otherwise, by the same token, NSO can create a EULA that says that use of their software costs 100 million USD / month. Get an Apple employee to agree to that (probably unknowingly) and sue Apple for that amount, since their employee "agreed" to that.
Wouldn’t hold up. Otherwise you can just create fall guys/gals and never deal with fallout. There are certainly some circumstances like corporations aren’t held liable for murder of some employee, but if the employee was doing it on the factory floor they absolutely could get sued for it. Unfortunately it’s not clear cut, but generally if you’re doing something on or with company property, during work duty hours (these hours are always stated on corporate handbooks even for startups), and/or it’s during course of business you can and will get held liable for the employee’s actions.
The $100mm example you have would just get thrown out in court because it would be deemed unreasonable, even if Apple was ultimately responsible and the employee was acting as a representative of the company or on behalf of the company. Otherwise why can’t I just get a buddy to set up some random service and then have (let’s say I work at Apple) me sign a contract saying that Apple will give all of its corporate property and money to this contract for the rate of $5/month so this random service can “manage it” or something? Whoops guess Apple agreed to that!
> they created more than one hundred Apple IDs to carry out their attacks
Maybe the most interesting thing about this is how it proves that their code signing system is worthless. If the same bad actor can get a hundred Apple IDs to sign literal malware with, why are they imposing this burden on random small developers?
>50. On information and belief, Defendants created more than one hundred Apple IDs using Apple’s systems to be used in their deployment of FORCEDENTRY
>51. On information and belief, after obtaining Apple IDs, Defendants executed the FORCEDENTRY exploit first by using their computers to contact Apple servers in the United States and abroad to identify other Apple devices. Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target.
The EULA is used to establish jurisdiction, and for the separate breach of contract claim. Apple has servers around the world, without the EULA the jurisdiction isn't necessarily obvious.
They are throwing the CFAA at them. However, the CFAA is an American law, which would be challenging to apply in a foreign court. So they are using the EULA to sue in California. It’s all in the article.
https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...