An opening for Apple’s lawsuit emerged in March, after NSO’s Pegasus spyware was discovered on the iPhone of a Saudi activist. Citizen Lab discovered that NSO’s Pegasus spyware had infected the iPhone without so much as a click. The spyware could invisibly infect iPhones, Mac computers and Apple Watches, then siphon their data back to government servers, without the target knowing about it.
Citizen Lab called the zero-click infection scheme “Forced Entry” and passed a sample of it to Apple in September. The discovery compelled Apple to issue emergency software updates for its iPhones, iPads, Apple Watches and Mac computers.
The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”
The clause helped Apple bring its lawsuit against NSO in the Northern District of California.
“This was in flagrant violation of our terms of service and our customers’ privacy,” said Heather Grenier, Apple’s senior director of commercial litigation. “This is our stake in the ground, to send a clear signal that we are not going to allow this type of abuse of our users.”
After filing its lawsuit Tuesday, Apple said it would offer free technical, threat intelligence and engineering assistance to Citizen Lab and other organizations engaged in rooting out digital surveillance. Apple also said it would donate $10 million, and any damages, to those organizations.
Digital rights experts said Apple’s suit threatened NSO’s survival. “NSO is now poison,” said Ron Deibert, director of Citizen Lab. “No one in their right mind will want to touch that company. But it’s not just one company, this is an industrywide problem.”
He added that the suit could be a step toward more oversight of the unregulated spyware industry.
“Steps like this are useful, but incomplete,” Mr. Deibert said. “We need more action by governments.”