Apple sues NSO Group to curb the abuse of state-sponsored spyware (apple.com)
1122 points by todsacerdoti on Nov 23, 2021 | 449 comments



It is great to see this happen.

It's also fascinating that the crux of Apple's case against NSO hinges on NSO engineers that accepted iCloud's terms and conditions.

From related NYT article:

>The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”

The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

https://www.nytimes.com/2021/11/23/technology/apple-nso-grou...


Is it great? The lawsuit is Apple trying to enforce the iCloud EULA to stop reverse engineering. While NSO Group created hacking tools, and then did some questionable things with them, do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to be legally binding? Put another way, if it was someone HN liked, would we still say this is actually good? Because compared to the corporation known as Apple, NSO Group and its parent corporation are still "a little guy", and this move really doesn't seem like a good thing. Not for hackers in the HN definition of hackers, ie highly motivated tinkerers.

This community features not just fans of reverse engineering, but a number of practitioners, eg the popular Nvidia TSEC key extraction that was featured recently[0]. The defendant's actions make them an easy target, but, like the ACLU protecting the civil rights of murderers, because we still live in a nation of laws, I don't see this as great. This is a continuation of Apple's continued use of lawsuits to silence any challenges to their marketing of being the secure computer choice (eg Apple suing Corellium[1]) rather than their products actually being secure.

[0] https://news.ycombinator.com/item?id=29315378

[1] https://news.ycombinator.com/item?id=28219278


They are just using the EULA as the basis for claiming jurisdiction. They are actually suing not to stop reverse engineering but rather to recover damages incurred by unlawful business practices. Basically their argument is that:

0) The defendants can be sued under California law because they accepted the EULA.

1) California law makes businesses liable for damages incurred by their unlawful business practices.

2) Business practices which violate any California or federal law are unlawful business practices in California.

3) The defendant violated the federal Computer Fraud and Abuse Act by hacking into users' phones.

4) Apple incurred damages to their reputation and from expenses related to mitigating the hacking of their users.

5) Therefore the defendant is liable for Apple's damages under California law.

So the defendant could have been fine if they had just done reverse engineering, or even if they had developed the hacking tools, but actually using the tools against Apple's users in violation of the CFAA was going too far.

https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...


The complaint does also have a straight-up breach of contract claim, in addition to the CFAA claim.


Nit (maybe moot):

> 4) Apple incurred damages […] from expenses related to mitigating the hacking of their users.

This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway. Put another way, that also sounds like the corporate open source push, "We love open source because we don't have to support it, the community will!"

"4)" says the community will pay for/support security, just wait for the hack and make 'em clean it up. Mitigation costs shouldn't be a recoverable damage, they should be doubled and paid out to the victims...maybe that'll incentivise better security over dollar dollar bills y'all.

This may all be moot because this was a B2B action and I'm thinking from a non-monied, single user/security researcher perspective. What if the company was a non-profit security research group? Perhaps this is what the 90-day grace periods are for when dealing with responsible disclosure?

Anyhow, my ignorance must be showing at this point.


From Facts(C),

"60. Defendants force Apple to engage in a continual arms race: Even as Apple develops solutions and enhances the security of its devices, Defendants are constantly updating their malware and exploits to overcome Apple’s own security upgrades.

61. These constant recovery and prevention efforts require significant resources and impose huge costs on Apple. Defendants’ unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000 and in an amount to be proven at trial."

Hopefully the judgement is able to split the hairs between reputational and development harm to a company for security vulnerabilities, and harm to users for organized exploitation of those vulnerabilities.

The former feels like it should be free speech -- statement of facts related to the company's product(s). The latter is an obvious wrong.


Is it C that imposes huge costs here? Do they have a list of which CVEs have what cost?


I don't know of any legitimate security research group that hacks user accounts they don't own.

NSO hacked devices they didn't own and infected them with spyware. Apple had to pay to repair / replace those devices.

I don't see how this sets any sort of precedent where security researchers are liable for the costs of fixing vulnerabilities that they uncover.


> I don't know of any legitimate security research group that hacks user accounts they don't own.

nit: "user accounts to which they're not authorized"

I work with friends' accounts all the time provided they authorized me to do so and provided I'm permitted to do so as part of the vuln disclosure program terms and rules of engagement, though I usually split the bounty with them in a meaningful way to make it worth their while.


I know of several cases of reverse engineering of a bunch of hardware where the hardware is only available to a very limited subset of professionals. To gain access you either need to join that class and break the terms under which the devices are provided, get someone else to break the terms they agreed to or to steal a device (which for obvious reasons is at a somewhat different level than breach of terms and conditions). It is pretty clear that these restrictions exist to avoid reverse engineering of a - trivial - protection that makes making compatible products impossible, and which in turn protects a non-trivial revenue stream.

Apple is not really all that different. If they believe that suing to prevent reverse engineering is going to stop the bad guys they are delusional, I suspect that they are fully aware of this and are engaging in a very expensive bit of theater here: the NSO Group is not going to be overly impressed by this, whether they win or lose the case. If they lose they will be open to a damage claim, which in turn will have to be enforced through a court in a different country, if they win Apple will lose far more than just this case, they will lose the battle against everybody that wishes to engage in reverse engineering.

Another thing I suspect is that Apple is either very much concerned about the image/reputation damage, their supposedly highly secure platform/environment appears to be less secure than Apple wanted you to believe and a click-through EULA is not going to impress a law breaking entity, they probably should have anticipated that. And Apple may believe that other law breaking entities are going to stop doing their thing if they win this lawsuit, I'm a bit more pessimistic about that. Legal action is not a good way to recover from a technical failure, Apple needs to update their threat model and act accordingly.


>This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway.

No, read again, this only refers to damages from unlawful activity. "White hat hackers" need not fear.


I wouldn't be so sure about that. The difference between white hat and black hat is usually only determined once the destination of the results of the activity is known. Plenty of bug bounty programs appear to be one element in the marketplace for valuing an exploit. If the bounty isn't high enough your 'white hat' may well change the color of their hat.


So... People who aren't criminals... Might become criminals... After committing a crime... I guess?


Assuming they're lawyers who know every law and don't get skewered by something like DMCA 1201.


>> They are just using the EULA as the basis for claiming jurisdiction.

IANAL but it's always seemed to me that if I reject the terms of a EULA then the EULA doesn't apply to me. Pushing the "button" does not mean anything because only the EULA gives it meaning and I reject that.

50 years from now if someone is doing software archaeology and they go to install some software from a long gone company, who does clicking the button form an agreement with? Will it be legal to try that software? Can existing software companies list people they have click-through agreements with? These things seem like a bad joke in practical terms.


US contract law jurisprudence doesn't really seem to support you here.

> The mental assent of the parties is not requisite for the formation of a contract. If the words or other acts of one of the parties have but one reasonable meaning, his undisclosed intention is immaterial except when an unreasonable meaning which he attaches to his manifestations is known to the other party.

https://en.wikipedia.org/wiki/Lucy_v._Zehmer


Well (IANAL) but if you want to get into contract law, my understanding is that a contract requires acknowledgement from both parties. It's not really fair to say "the functioning of the software is acknowledgement" when the company granting that permission has no record of it. Ask a CEO on the stand if his company has any binding agreements with the judge.


That looks very different:

>Zehmer wrote on the back of the restaurant's receipt stating, "We hereby agree to sell to W. O. Lucy the Ferguson Farm complete for $50,000.00, title satisfactory to buyer". The note was signed by Zehmer and his wife.


> 50 years from now if someone is doing software archaeology and they go to install some software from a long gone company, who does clicking the button form an agreement with? Will it be legal to try that software? Can existing software companies list people they have click-through agreements with? These things seem like a bad joke in practical terms.

I mean, this seems pretty easily addressed:

I can't sign a contract with a dead company, can I? Well, literally I can, but the agreement wouldn't be binding.

Same applies here. Unless the entity still exists, in which case congratulations, you're in a binding agreement lol


There are some practical problems with this.

Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software. Big Co. may not agree to the terms of the old license.

Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?

What if there are no heirs, so the assets go to the government? Do you now have a contract with the government? I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.


I like how suddenly the intense legal minutiae are the most important details of a system, as if we're in a contract law class, as opposed to the obvious point that in general these agreements are fairly obvious.


Making up rules without thinking about the consequences of those rules is a Bad Idea.


What happens to contractual obligations when companies are acquired or dissolved is a matter that is settled law. It has been well thought out and is probably in scope for literally dozens of legal cases a day.

Just because something is new to you, doesn't mean that professionals that deal with this every day have never thought about it.

(The actual answer depends on the State, entity type, if it was dissolved or suspended, if a bankruptcy is involved, etc. and you should just consult a contracts lawyer)


Edge cases aren't consequences; they're trivia. And at the end of the day, our legal system is governed by humans who interpret and argue. Until humans are perfect, we'll never write a perfect law.


"Perfection is impossible, therefore don't try" is a dodge.


We're not making the laws, we are observers commenting on the status quo. I'm sure no one's losing sleep over hacker news commenters being upset


Are you a practicing attorney?


What are the problems here?

> Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software

That's right, that's what they sold.

> Big Co. may not agree to the terms of the old license.

Then I guess maybe they shouldn't have bought it.

> Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?

Yes. They inherited the deceased's assets.

> What if there are no heirs, so the assets go to the government? Do you now have a contract with the government?

You'd probably have to ask an estate planning attorney about the specifics of this, but so what if you did?

> I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.

You should totally do it lol


So if I sell you a magic rock under the contract that so long as you are in possession of said rock I have legal authority to monitor your household to make sure you don’t misuse the rock for evil, and you die and your heir comes in possession of the rock, I now have a contract with your heir? I can go set up cameras in their house and invade their privacy just because you wanted a magic rock? That doesn't seem right?..


Contract law isn't absolutist like that, and it can't bind both parties in a way that's unreasonable or contrary to certain basic rights-related laws. That's why you can't contract yourself into slavery.

What'll happen in cases like that is that it'll be litigated, interpreted, and either amended through a settlement agreement or annulled.

As others have said, the law isn't a programming language. It's a human system that, while being rigorous, strict, structured, and binding for the most part, is nonetheless capable by design of nuance and interpretation within known and constrained bounds.


It sounds like that contract is a liability. Not a lawyer, but I don't think that liabilities are inherited the same way. Most likely if you wanted to do this, you would structure it as a rental agreement and get the rock back.


Probably if the heir accepted the rock during the estate proceedings, but I'm just speculating.


> 0) The defendants can be sued under California law because they accepted the EULA

From the complaint:

> The Court has personal jurisdiction over Defendants because, on information and belief, they created more than one hundred Apple IDs to carry out their attacks and also agreed to Apple’s iCloud Terms and Conditions (“iCloud Terms”), including a mandatory and enforceable forum selection and exclusive jurisdiction clause that constitutes express consent to the jurisdiction of this Court.

I'm not a legal expert but shouldn't that be stupidly easy to deny?

Judge: Did you, NSO, agree to the Terms and Conditions by pressing "I Agree"?

NSO representative: No, Your Honor.

Apple Lawyer: Then how did you gain access to my client's services?

NSO Rep: A totally unrelated third party gave us 100 unlocked iPhones as a free gift. We never saw the terms and conditions, nor agreed to them. We can fully prove our claims. [edit: (fully proves his claims)]

Apple Lawyer: (spluttering) but... but... but...

Judge: (bangs gavel) case dismissed!

This is assuming NSO were far-sighted enough to actually create such a paper trail. Also, since Apple is disputing more than 100 accounts, maybe such a defence would be ruled as improbable, or some other legal jargon. Maybe someone better informed can chip in.


Nerds always want to interpret the law in some strict pedantic fashion, but in practice this is almost never how it works. Law is not applied stupidly or mechanically, you can't fashion yourself some ad hoc workaround unless you're extremely certain about what you're doing, preferably with a mountain of precedent behind you.


"NSO can be sued under California law because they accepted the EULA" seems like a mechanical, strict, pedantic application of law though.


How does that seem pedantic? It's incredibly straightforward.

On the other hand, creating some kind of convoluted, contrived paper trail to claim that mysterious third parties were the ones to have physically pressed the "Accept" button on your 100 fake accounts and so you didn't even know there was a EULA seems kind of like it might actually be fraud.


In addition, it doesn't survive past the moment it is discussed in court documents, at which point NSO are screwed if they ever pull the same shit again.

A full paper trail would also necessarily disclose the entity that provided those devices, which they may well be loath to do (since it either drags in a related company, who Apple can then also target, or embarrasses a third party who would rather remain nameless).

However, in practice, a technology engineering firm claiming to have no knowledge of the licensing that applies to the devices in which they also claim expertise is such a far-fetched statement that it's almost trivially set aside, and earns a rebuke from the bench to boot.


I don’t see how this differs much from a common “clean room” reverse engineering strategy where one set of engineers accepts the EULA and then writes down in excruciating detail exactly how the target item works, then a second set of engineers that have never seen the item in question (or accepted a EULA) takes these detailed writings and uses them to reverse engineer the item in question. (A mere description of a device or software is not protected.)

This is standard practice at large companies when reverse engineering chips, devices and software and seems very similar to the above EULA argument.


In the clean room reverse engineering case:

1a. one team examines the device and produces a detailed specification of it

1b. another team works solely off that newly produced specification; this team has zero contact with the actual device

In this hypothetical case:

2a. a third party affiliate accepts the Apple EULA, and gives the Apple IDs to NSO Group

2b. NSO Group uses the Apple IDs as credentials to obtain Apple services

Notice that in case 2b, NSO Group has actual contact with Apple in two ways: they used Apple IDs, and they obtained Apple services. This didn't happen in the reverse engineering case.


Good points - thank you!


Wouldn't there be an article in the EULA that states if you use an Apple device, regardless of clicking buttons, you automatically consent to the ToS? Or is that not how the law works ...?


EULA isn't ToS. If you accept EULA and EULA automatically joins you to ToS, then you also accept ToS, usually including all its future versions.


Yes, American companies love to stack the deck against their users when it comes to selecting venue, but at the same time balk when the EU requires that they have an EU anchor to allow legal enforcement.


Who balked? Apple anchored in Ireland and got an amazing deal. I doubt they balked at that.


That's how law works.


Taken out of its context to prove a point on a web forum and I would agree

Lots of people negotiated these things and agreed to make commerce happen.

Novel to you does not mean novel to humanity.


Speaking as someone who’s been on the unfortunate wrong end of it, the law is applied stupidly and mechanically. All the time. That’s the default. The judge will go to great pains to super pedantically apply the rule of the law, regardless of common sense and believe it or not in most cases also regardless of common sense.

As it should be. It doesn’t always work well for all circumstances, but we don’t have a better system


Irrespective of your personal experience, the law is nevertheless still not a programming language, thankfully.

However, "common sense" is also not how it works, so sure, when people rely on what they expect "common sense" to mean, then they too get screwed (the meaning of "common sense" after all varying dramatically from person to person).

Law has its own principles, philosophy, and practices, that's all. And judges, especially senior judges, do not like it one iota when folks try to circumvent the meaning, substance, and purpose of these elements.


This isn't the case everywhere. In some countries it is the intent of the law that matters, in others it is the letter of the law, in some a mix of both.


Your argument loses weight with the ad hominem attack.


Disagree. It was the cherry on top.


Nerds always want the law to be consistent. Lawyers are Machiavellian professionals trained in getting it to say "heads I win tails you lose" for their clients, and often succeed.

That doesn't mean the nerds are wrong to want what they want.


No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms. They expect it to be some sort of API spec that can be mechanically manipulated. Their own efforts at such intellectual mechanics are nothing but a trail of tears and failure, with bug after bug making a mockery of any claim they have about the benefits of such a system. Law has had millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people; coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions? Hard pass.


> No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms.

People have a pretty good idea of its mechanisms.

Powerful people break laws that are clear enough and then don't go to jail because of "prosecutorial discretion" or Johnnie Cochran or retroactive telecoms immunity for illegal mass surveillance.

Powerless people break laws that are ambiguous, or most people don't even know exist, or people know exist but they're only enforced against the nameless and poor, and the US has the largest prison population in the world.

This outcome is your great victory for "millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people"?

> trail of tears

Really?

> coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions?

We already have code running when it comes to actual life and death decisions. There is code running in aircraft and heart bypass machines, and it works, because then people care that it works. Nobody cares enough that some ad tracking code is perfectly reliable and efficient, so it isn't.

You're also asking for a double standard. The OpenBSD people do a nice job on OpenSSH. It's pretty good, not perfect. There have been vulnerabilities in even that. Then they get patched.

But you can't possibly be claiming that there are no "vulnerabilities" in the law. If that was the case then why do they have to keep passing new ones every year? The ask isn't that it never change, it's that it be changed by the legislature prospectively instead of being in a constant state of superposition until it's resolved by a court ex post facto.


This is also why the crypto-bro dream of having "smart" contracts manage the entire global financial system is insane.


That is why they included an alternative count of unjust enrichment. In case the defense proves they never agreed to the user/license agreement, then they will have also proven that they obtained Apple's software and accessed Apple's services without a license and used them for their own profit and to Apple's detriment, thereby unjustly enriching themselves.


> I'm not a legal expert but shouldn't that be stupidly easy to deny?

Anything is easy to deny.

Denial isn't sufficient to win the point.

> We can fully prove our claims.

Saying “we can fully prove our claims” is stupid easy. Being able to is harder.

> This is assuming NSO were far- sighted enough to actually create such a paper trail

But they probably weren't, because they didn't anticipate being sued in California based on jurisdiction gained via the iCloud T&C.


The burden of proof should fall on Apple in an ideal world. Maybe a court ruling that one stupid checkbox at the end of a digital 10,000 word document isn't sufficient proof might be a good idea?


> The burden of proof should fall on Apple in an ideal world

It does, but it's not an element of a crime being proven, so the burden isn't “beyond a reasonable doubt”, but (as for most things in a civil case, though sometimes other standards apply) “preponderance of the evidence", for which you need to convince the court that, based on the evidence provided, the facts you need are more likely than not to be true.


It does, but this is what the discovery process is for. If NSO wants to claim that they somehow got these accounts without agreeing to the EULA process themselves, Apple is going to request and the judge is going to approve a discovery request for NSO to turn over every record they have related to the accounts, when and how they were obtained, and who obtained them for NSO. If NSO wants to pretend that they have no such records, didn’t get the accounts themselves, and don’t know what third party obtained them, they’re going to get a very skeptical response from the judge, and they’re probably going to have to send a bunch of employees to go make statements that in addition to not having any records, none of them remember how this happened either. That’s probably the point at which Apple reveals that really they know via IP addresses or geolocation or something that all of the accounts were registered in an office building occupied by NSO, and then NSO gets sanctioned to hell and a bunch of employees are revealed to have lied in their testimony. That’s an absolute nightmare scenario for NSO.


That's not how it works.

When they say "No your honor" they would then have a charge of perjury added to the other charges. The apple lawyer doesn't say "Then how did you gain access to my client's services?" (because litigation 101 teaches you never ask a question you don't know the answer to).

...the lawyer enters into evidence the logs showing you accepting the EULA.


> Judge: did you, NSO agree to the Terms and conditions by pressing "I Agree"

> NSO representative: No, Your honor.

IANAL, but the general understanding is: "Ignorance is not a defence". If your legal advisors did not flag this up then I think you are probably entitled to ask for your money back when Apple kicks your butt.


IAANAL, but the expression is, "Ignorance of the law is no defense." That differs from ignorance of the circumstances.


Good point. Well spotted.

If we are all quibbling over the wording used in a hypothetical case, then I wonder what's going to happen when the lawyers get going with the real one.


Apple will have the IP addresses of every “I agree” click. Maybe some of them are traceable to NSO.


How would they even be able to sign in without clicking "I agree"?


What if the devices are not connected to the internet?


I think that a much stronger argument here goes like this. A developer accepted those terms of services. That developer is not authorized to accept contracts / deals for the company as a whole.

The issue here is that a single employee (which may carry out an unauthorized action) is unlikely to create a binding contract for a company.

Otherwise, by the same token, NSO can create a EULA that says that use of their software costs 100 million USD / month. Get an Apple employee to agree to that (probably unknowingly) and sue Apple for that amount, since their employee "agreed" to that.


Wouldn’t hold up. Otherwise you can just create fall guys/gals and never deal with fallout. There are certainly some circumstances like corporations aren’t held liable for murder of some employee, but if the employee was doing it on the factory floor they absolutely could get sued for it. Unfortunately it’s not clear cut, but generally if you’re doing something on or with company property, during work duty hours (these hours are always stated on corporate handbooks even for startups), and/or it’s during course of business you can and will get held liable for the employee’s actions.

The $100mm example you have would just get thrown out in court because it would be deemed unreasonable, even if Apple was ultimately responsible and the employee was acting as a representative of the company or on behalf of the company. Otherwise why can’t I just get a buddy to set up some random service and then have (let’s say I work at Apple) me sign a contract saying that Apple will give all of its corporate property and money to this contract for the rate of $5/month so this random service can “manage it” or something? Whoops guess Apple agreed to that!


> they created more than one hundred Apple IDs to carry out their attacks

Maybe the most interesting thing about this is how it proves that their code signing system is worthless. If the same bad actor can get a hundred Apple IDs to sign literal malware with, why are they imposing this burden on random small developers?


When did anyone mention code signing or developer accounts?


What did you suppose they needed a hundred Apple IDs for?


I have no idea why people are speculating about this. Unsurprisingly the publicly available complaint explains exactly what the Apple IDs were used for. https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...

>50. On information and belief, Defendants created more than one hundred Apple IDs using Apple’s systems to be used in their deployment of FORCEDENTRY

>51. On information and belief, after obtaining Apple IDs, Defendants executed the FORCEDENTRY exploit first by using their computers to contact Apple servers in the United States and abroad to identify other Apple devices. Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target.


Sending the malware via iMessage, assuming the flaw was part of iMessage and not standard SMS.


But if they did that, Apple wouldn't need the EULA because then they could throw the CFAA at them.


... That's exactly what they did?

From the complaint:

>Count One

>Violations of Computer Fraud and Abuse Act

https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...

The EULA is used to establish jurisdiction, and for the separate breach of contract claim. Apple has servers around the world, without the EULA the jurisdiction isn't necessarily obvious.


I believe the CFAA is a criminal law, and charges would have to be brought by an AG. This is a civil case.


This is not correct, civil suits over CFAA violations are common.


They are throwing the CFAA at them. However, the CFAA is an American law, which would be challenging to apply in a foreign court. So they are using the EULA to sue in California. It’s all in the article.


Does the CFAA apply to an Israeli firm sending a text message from Israel?


Yes, it can. You can find Apple's lawyers explanation in the complaint under the "JURISDICTION AND VENUE" heading https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...


Could be used for attempting to find metadata on users then, etc. There’s a few things I could guess.


The article doesn’t say. I’m curious to find out myself.


A detailed forensic report was published by Amnesty on some of the methodologies NSO used.

https://www.amnesty.org/en/latest/research/2021/07/forensic-...


> do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to legally binding?

For commercial interactions in particular between two businesses? Yes, absolutely. How else are two entities supposed to come to legally binding terms without a contract? I'm all for a little bit of lenience when an end user didn't read the terms, but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

The little guy isn't always right because he's little. If the little guy hacks my software to sell spyware to dictators and war criminals, you bet I want the right to take him to court.


(Not a lawyer, but this is the correct answer)

As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please.

Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens.

Giving them the right to destroy your business at any time or at least try very hard to make it unprofitable shouldn't be a surprise to anyone.


This sits so unwell with me, gives such limitless tyrannical & dictatorial control to a company.

> As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please.

Agreed. That's exactly what it seems like. And that sounds like immoral, unjustifiable, sickening hell. That Apple gets to hold all the cards, no one else on the planet gets any say in how a device might be used.

It seems to me like the law is immoral. The law is heavy handed, an idiot, and wrong. And it seems like Apple is a user/abuser of unjust power which it does not have any moral or ethical right to wield.

> Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens.

This sounds like a nightmare hell world to me. It contravenes the idea that any of us can ever be owners of anything. This sounds like the logic that says that only Tesla can repair Tesla cars, the logic that says only John Deere can repair John Deere tractors. This is an anti-human world, this is a bad world, this is immoral, this is wrong, this destroys & rots away at humanity as a can-do toolmaker, as an improver of the world about them. It consigns power away to fragile, remote, limited corporations. That is not a world I ever want to let happen to us. I tend towards atheism/agnosticism, but if there is a god, this flies against what graces the gods have given us to let ourselves be constrained so. It is unnatural & against the spirit of the human enterprise.

I have no love for NSO Group. It feels great seeing such a group of shady, underhanded, anti-democratic punks get served. But this is absolutely going to be yet another move in the ongoing shift towards top-down combined technocratic/legal control. It's absolutely a demonstration of Apple wielding legal power to obstruct & defend that which it simply doesn't want to have to deal with, brushing aside something inconvenient. It's absolutely a battle over what terms of service mean & whether the world has any rights of their own. I for one am not cheering for Apple's victory in having their massive iron-clad armor further enhanced.


>Agreed. That's exactly what it seems like. And that sounds like immoral, unjustifiable, sickening hell. That Apple gets to hold all the cards, no one else on the planet gets any say in how a device might be used.

I'm not a big proponent of IP, but you're basically saying it is immoral, unjustifiable, and sickening as hell that Apple enforces the rules that Apple wants on Apple products/services, which were created and offered by Apple? Who should be making the rules if not the creator and maintainer of the product/service? Why is using another product/service not an acceptable alternative?

I agree with the general direction of your comment, but certainly not with the same voracity that wouldn't allow my own company to create the rules for my own service offerings (within the confines of state/national law).


Replace "Apple" by any traditional car company and you should immediately become concerned. Shouldn't a car company have absolute, one-sided control over the cars they sell? Like should the car stop working if you agreed to obey the speed limit but then sped? Or stop working if you didn't use their branded fluids?


Except, as I understand it, this case is not about a EULA on the iPhones themselves, but rather on Apple's services.

They agreed to the EULA on the services, then, in part, abused their access to those services to hack into other people's iPhones.


The fact that the modern world exists in a corporate-owned, proprietary cloud, versus the era of personal computers & personally-owned systems, is greatly greatly greatly confusing. I don't fully well know how to handle this great confusion. But ultimately, the trend of all rights being reserved by the megacorp is, ultimately, a vulgar anti-human anathema which we must shake off. Humanity must be allowed to pick up our microscopes & magnifying glasses, to peer in, to meddle. No legal contract preventing the natural sciences is ethical nor godly.

I have no idea how we do that. Perhaps decoupling the data-processing services from the data-holding entity might be a possible frontier. One could imagine being able to keep their identity, their core systems & datum wherever they want, & to convert Apple into a mere processor of those personal systems. That way we might not know what Apple is doing, but we at least can watch their black box act against us.

In general, trying to draw further extenuating circumstances, trying to say "except except except" is simply not ok. The phones we carry are part & parcel to their many services, in this weird conflux of computing. It reduces basic core human integrity to be denied access, to be rebuffed by EULA from understanding & witnessing & probing into these core techno-vessels we navigate about with. These mere technicalities presented, that our homes happen to be located inside Apple data-centers, is to me uninteresting & unimportant in the moral, ethical, humanistic & religious discussion and/or reckoning we have fallen into.


I mean, broadly speaking, I agree, but do you really think that "state-sponsored hacking group that provides the ability to break into people's phones to the worst regimes the world has to offer" is the use case you want to be enabling here...?

If I'm understanding correctly, this wasn't a case of "they agreed to the iCloud EULA because you have to have iCloud to use an iPhone". You don't, in fact. Yes, some services will be unavailable, and...it might occasionally bug you about it? (Not sure about the last, as I do have iCloud) No; they agreed to the iCloud EULA because they were trying to take advantage of unpatched iMessage bugs to break into other people's phones.

I fully agree that the scope of EULAs today is terribly overbroad, but I do not believe that making a legally-binding agreement not to abuse the service to harm other people or steal their data is an inappropriate use of them.


..Or the warranty becomes void if you open up the hood of your car and try to repair/replace parts..


> Who should be making the rules if not the creator and maintainer of the product/service?

Many things should be up to them, but many things should be up to the buyer.


> Who should be making the rules if not the creator and maintainer of the product/service?

The customer? That's the whole point of a market.


The law works fine when there is no monopoly.

But since Apple has 50% of the market share, the law doesn't work well anymore.


> But since Apple has 50% of the market share, the law doesn't work well anymore.

Apple has 60% of the mobile market in the US[1].

[1] https://www.pcmag.com/news/ios-more-popular-in-japan-and-us-...


This and more. I find it beyond farce that Apple & its adherents' chief defense seems to be that there are other people making products that aren't Lawful-Evil to humanity. If Google one day woke up and said, we're just going to try to do what Apple does to its users, there would be nothing left. This pretense that Apple's behavior is anything but anti-competitive, anti-trust worthy rings so hollow to me. The excuses that there are other places to go completely fail to wash for me.

It's as if these folks are saying the Carterfone victory was only won because AT&T was a monopoly. That's not how consumer rights work. That's not a solid enough platform for humanity to remain upright.


...50% of what market?


I assume OP is referring to the fact that Apple has 60% phone market share in the US[0].

[0]: https://news.ycombinator.com/item?id=29325606


Put another way, I don't really have a problem with 3rd parties - or individuals who are so inclined - repairing Apple gear, but the recent moves have shown that the company would much rather deal with the small headaches of setting up and administering such a program if they can set the terms under which it happens.

Otherwise, legislators (think: US Congress) will do it for them, with disastrous results. Doing it like this means everybody gets something out of the deal: Consumers can choose the best repair option for them, Independent shops now can take Apple business and without worrying about warranties, and all of this happens in full view of the company and people who are watching them closely (Again, legislators).

It's a closed system and Apple sets the rules, but just about anyone can participate. On the whole, that seems like a net good to me.

* The same sentiment might apply to Deere as well, but I don't know enough about that particular situation to say if it would still be impractical to take a similar approach.


>This sits so unwell with me, gives such limitless tyrannical & dictatorial control to a company.

Do you think Apple could get some "hackers" extradited if they don't live in the US? It's that old adage, one man's terrorist is another man's freedom fighter, and some countries like Russia will point blank refuse extradition to the US, as will other countries.

Any business can put what they like in their terms and conditions; those T's & C's are still tertiary to regional and state law, if they are even enforceable. Lawyers will let you put whatever you like in a contract; whether it's reasonable and enforceable is another matter which only judges can decide.

Now if you live in the EU, there is nothing wrong with reverse engineering code, the EU court has ruled this https://news.ycombinator.com/item?id=28809559 but the definition of a bug can be more vague, because a coder might suggest a user-reported bug is working as it's coded, so the coder may not see it as a bug but the user might, and here you just need to convince the judge. Grey area.

Another example of what was a grey area of law was initiating an email send to an email server in order to track whether an email address existed or not. Once the status of an email address was known, abort the rest of the communication. It was useful for tracking people globally, and spam filters were not that good at picking this up in the past. Anyway, that process has effectively been ruled illegal by the EU now, as your email address supplied by your employer has to be treated as a private and personal email address, so then other personal & privacy laws come into play to make the game more complicated, but you used to be able to track people globally in businesses & military to spot when people had left an employer or been moved in some cases.

Then you have the NSA putting out reverse engineering tools for free like https://ghidra-sre.org/ making one wonder what is the point of law especially when you reproduce parts of the AT&T infrastructure in Romania? https://news.ycombinator.com/item?id=29135559

Now whilst the law might seem absolute, legislation is very intentionally left vague and it's judges who make it closer to being absolute with narrow specific definitions when they make a judgement, but if there's one thing I have learnt, interpretation of the law can be surprisingly vague even by judges.

So all in all this could actually be a marketing or reputation management exercise or both involving lawyers to reassure Apple customers they have made the right purchase. Running an entity, be it a business or a govt, can be incredibly nuanced, like playing a game of chess, and sometimes it's not the initial action we need to be concerned with but the resulting action.


Personally, generally I could not be more uninterested in the international legal politics behind this all. None of it is at all progressive, none of it speaks to what humanity can or could do. It's the most anodyne, boring, real world, un-possible way to take the discussion. It's mired in endless fun-house mirrors of shit-show politics that hasn't, won't and can't figure out how to adapt. I can't think of a single nation that shows leadership, that has anything interesting or useful to say, any means of embracing humanity, of raising potential.

> It's that old adage, one man's terrorist is another man's freedom fighter and some countries like Russia will point blank refuse extradition to the US as will other countries.

This is a great mentality, and I'd love to see more dynamic behind it. Alas. I see no nations espousing & helping the actual obvious Open Source & other progressive & pro-human, pro-enlightenment, anti-proprietary freedom fighters. I see no one standing up for more personal computing liberties. The international regime is hostile & un-comprehending of tech & its possibilities, more interested in businesses & big tech than it is in trying to help good tech happen, which is the real oppression, the real struggle, one enacted via pervasive & harsh IP laws & seemingly ever-expanding copyright length. Sure, some nations celebrate punk-ish behavior & sticking it to the west, but I can think of precious few examples of nations actually helping the good. The recent AskHN about software/tech monasteries[1], & the complete worldwide lack of any answers whatsoever indicates to me that there is no real help or interest in the actual freedom fighters, anywhere in the world.

If you want to look at the law, I think today's example, of Russia telling 13 big tech companies they have to establish offices in Russia[2], is a near perfect example of how tech and law intersect. This is particularly menacing & threatening & scary, but it mirrors most of the relationship worldwide: aggressive, at ends, seeking constraint & control & dominance, no interest in growth or humans or improving the human-computer relationship. The law rarely serves the people, rarely amplifies possibility. It's here to insist that some antiquated self-obsessed notion of justice can be served, even when that justice so often only serves a fading out of touch law, or big vested interests, not the people.

Generally I consider myself extremely progressive & hopeful for what governance & governments can do and should do. And I think if government wanted to deploy tech to help the people, if it would stop allowing endless private control to reign, great things would happen (Ron Wyden for president, 2028). But right now trying to frame questions & challenges in terms of the law is not-great. The law affords deep & vast powers to its vested interests & the ideas of law itself. Yet in your particular scenario, it also simultaneously jealously & vengefully guards actual access to its means of power, to the reins of state-sponsored violence & enforcement. The question posed, about whether Apple could get access to this executive use of force, isn't particularly relevant to me, and I don't think it reflects on the widescale systematic bureaucratic control companies like Apple & the prevailing worldwide laws get to impose via EULAs against the people of humanity.

Some of the comments on Facebook getting the OK from federal US Court of Appeals to also try to sue the NSO Group[3] are somewhat in line with your questions & scenarios. The comments there talk to the ability to try to pursue legal action, but the inability to actually get the state/states to do anything about it. In some ways, this is an ideal case. It shows that a state that wanted to support freedom fighters, that wanted to support emancipatory, liberated, pro-personal computing, might be able to. There's just not a lot of good guys out there trying to help spring us free from the walled gardens we're locked in.

My apologies for not trying to take up the question better. I think there's interesting material here. But to me, these questions return us to a not-compelling legalistic mindset, a practical view, that isn't capable of adequately considering how entrapped humanity at large is by the corporation's abilities to write its own rules, by the de-personalization & de-accessing of computing that the cloudification of the world has brought upon us, & consigned us into. Whether or not this tyranny has the power to cross international boundaries & come get us isn't a particularly interesting subproblem to me. Generally I feel like the world has conformed to the prevailing notions of corporate techno-sovereignty.

[1] https://news.ycombinator.com/item?id=29309794 (12 comments)

[2] https://www.reuters.com/markets/europe/moscow-says-13-foreig... https://news.ycombinator.com/item?id=29320398 (7 comments)

[3] https://www.reuters.com/technology/facebook-can-pursue-malwa... https://news.ycombinator.com/item?id=29323095 (15 comments)


In a way, we are just witnessing and commenting on the survival needs and actions of different entities, be it a country, laws, finance, companies, groups, religions or individuals. They all have different needs for their survival, and this is just one story on one entity and the interactions of those involved like the courts, law, Apple, NSO, the press, consumers or users, judges, govts, administrations, etc etc.

AFAIK there is not a country on this planet that does not believe in sky faeries in one form or another (?Antarctica?), likewise we generally all eat the same things, with minor regional differences, similar practices and needs so until you can get the main users ie humans to increase their intelligence and knowledge, it would seem this planet is stuck in a slowly evolving pattern of operation which still has various self destruct risks, some easily quantifiable others not. The problem still remains, Apple have massaged the Ego of many via advertising and functionality creating this walled garden.

Russia telling 13 mostly US tech companies has already been done by the EU with servers having to be located in the EU, so the EU has led the way on that issue apart from the obvious US data gathering in the first place by building the services and tech!

To me it's just survival of the fittest of entities, and whether cultures/countries are now holding back some of these entities which can then come back and bite the culture and country into non-existence. When is an action a Zerohedge?


They can try. But that's not the same as succeeding, let's not get ahead of the lawsuit, which will likely take a long time to resolve.


Fair enough.

My issue here is that every time this kind of thing comes up, it becomes a sounding board for how (any) company has too much power...

Ever wonder why that is? The laws are written in such a way to allow it to happen, and they are more or less required to do what is in the best interest of shareholders.

If this doesn't suit you, bug your Congressperson to work to change the laws - just don't take a page from Newt Gingrich and burn the house down.


> but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

I see this in companies I work for all the time, so, yes, I can see that being the case here.

(I'm not saying that's a good or professional thing.)


There's always the problem with a little one that has to accept the big one's terms. Actually in Germany and probably elsewhere there is clear jurisdiction on what is allowed in a terms-and-conditions type contract. It actually applies to any contract that is not created from scratch on an eye-to-eye basis. Other laws like the GDPR also restrict what can be part of a contract. So while nobody is reading all this stuff, at least we have some assurance that it's not totally unfair. Otherwise it is typically safe to assume that companies try to shape everything to their own benefit. So it boils down to trusting a company in general.

Not being a lawyer and having no clue about US jurisdiction: I am really curious if this EULA thing works though. Normally under copyright law wrongdoing would just mean that your licence is terminated. Illegal use typically just requires paying damages twice the licence cost afaik. I would actually find it kind of scary if I could be pulled into any kind of jurisdiction about something not directly related to the contract just because I accepted a software licence agreement.


> but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

Yes! They don't seem like people who think through or care about the consequences of their actions.


> How else are two entities supposed to come to legally binding terms without a contract?

The question is what's the threshold for the existence of a contract. You both go into a conference room with lawyers and negotiate over the terms and sign it in ink, that's some pretty good yes vibes. Somebody clicks a button on an un-negotiated text form in a piece of software, maybe it should take more than that.

> I'm all for a little bit of lenience when an end user didn't read the terms but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

Tons of bureaucracies do exactly that. The boss says they need a way to do this thing, so some Danny from the IT department finds some software to do that thing, it's free or costs less than the amount he's authorized to spend from petty cash, so he clicks accept and installs it on the user's machine.


>Somebody clicks a button on an un-negotiated text form in a piece of software, maybe it should take more than that.

My litmus test is I don't consider a contract valid unless I've actually had a chance to do a counteroffer.


It's not just the iCloud terms of service, though — they're using that to strengthen the case that NSO agreed to the jurisdiction of California courts but they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.

It would be really interesting to see what precedent comes out of this case and especially how that would affect a future case where Apple claims a violation of their terms of service but the user fully consented to that use.


>they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.

What's their theory of standing to sue over damage to their customers?

Edit: the main point is this (from the CFAA count):

Defendants’ actions caused Apple to incur a loss as defined by 18 U.S.C. § 1030(e)(11), in an amount in excess of $5,000 during a one-year period, including the expenditure of resources to investigate and remediate Defendants’ conduct. Apple is entitled to compensatory damages in an amount to be proven at trial, as well as injunctive relief or other equitable relief. See 18 U.S.C. § 1030(g).


18 U.S.C. § 1030(e)(11) https://www.law.cornell.edu/uscode/text/18/1030

"(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;"

18 U.S.C. § 1030(g)

"(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."

I assume "negligent" is used in the legal sense? But it'll be curious if NSO claims they're not liable for selling flaws that already existed in Apple *ware.


They'd have to prove that Apple was negligent to sell software with flaws, but that's gonna be tough considering that much software has flaws.


Agreed. I'd assume that's what the large number of words related to "Apple demonstrates an outstanding security record, etc etc" is aimed at. And it's a fair argument: nothing is bugless.


> They'd have to prove that Apple was negligent to sell software with flaws, but that's gonna be tough considering that much software has flaws.

It does carry a strange irony when Apple keep saying they have the best security after iOS has been very badly hacked by nation state actors, though. I'm not saying their security isn't good, but I would have rathered "we're fixing X things" than security hyperbole.


Thanks for sharing your marketing preferences.


> While NSO Group created hacking tools, and then did some questionable things with them

Such as selling their software to the Saudi Government which in turn used the software in a highly targeted cyber attack leading to the grisly murder of a dissident journalist?


What is great is it could bring some much needed clarity on the subject.

A ruling against the EULA might bring some clarity to the limits of powers tech companies have over us.

A ruling for the EULA might shine a light the power these companies DO have and force governments to bring in laws to curb them.

It is not a good situation where Apple / Microsoft could turn around and say to someone who broke the EULA, or perhaps even to someone who didn't, "we are revoking our agreement, you can no longer use our software", leaving them virtually unemployable in many sectors; similarly they are in the position to absolutely cripple the vast majority of businesses with the same tactics.


What normal people probably want is the state of affairs that historically existed:

Government (legislative) mandates via law what rights consumers are entitled to, that cannot be stripped from them.

Companies are free to request waiving or agreeing to anything not enumerated in the above.

What's broken down recently is that legislatures aren't doing their job of proactively mandating consumer rights, and consequently companies are requiring whatever they think they can get away with: forced arbitration, lease-not-own, arbitrary right to revoke usage grants, prohibiting user / independent repairs, etc.


Realistically speaking we have no legislature anymore.


In what sense?


In the sense that new laws are really difficult to do in the age of polarization. So instead the executive branch issues orders and the judiciary interprets laws in creative ways.


H.R.3684 (aka "Infrastructure Investment and Jobs Act" aka "INVEST in America Act" aka "the Infrastructure Bill") passed the House 221/201/8 [0] and the Senate 69/30/1 [1].

Admittedly not the best numbers, but not terrible either.

[0] https://clerk.house.gov/Votes/2021208

[1] https://www.senate.gov/legislative/LIS/roll_call_lists/roll_...


I think this is my point, this was a very non-controversial bill made in as much as a bi-partisan way as we can. It is also very similar to what Trump called infrastructure week. Still it got 2!! republican votes in the house. In the senate it was a bit better, but still 30/50 republicans voted no.

I think if Trump proposed the very same bill more or less all republicans would have been on board.


Actually, it's worse. The legislature creates executive Agencies to create Administrative Law, thus freeing them of any responsibility besides budget, political theater, and insider trading.


> While NSO Group created hacking tools, and then did some questionable things with them

Wow, that's some serious softballing there. At a minimum, The NSO Group knowingly facilitates criminal activity. They shouldn't be treated as if they were a legitimate organization.


> do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to legally binding?

In this case the contract was made between two businesses. Consumers deserve protection because they are naturally disadvantaged. Companies with fully staffed legal departments really have no excuse.


I am a straight-up GPL coder and advocate, and I find this line of reasoning difficult to support. Additionally, it is a habit of lying, thieving security people to use every inch of freedom that GPL-advocates give them.. really torn here


Yes. We emphatically want the rule of law to persist, and for legal avenues to be open for combating conduct like what NSO Group has done here.

In particular, by any standard, it certainly seems reasonable for Apple (or even companies we don't like) to prevent the use of its own tools and accounts for the purposes of attacking its products and attacking its customers. Especially when the attackers have explicitly promised not to do so.


hmmm, I mean if we have to agree to things that are supposedly legally binding, I would like them to be so. If they are not legally binding, I would like to know that and not have to agree to them.


Terms of services place an unreasonable burden on the average person. No one reads them and it isn't at all practical to do so. It's been demonstrated before that if the ToS contain unreasonable terms and that the users were not adequately warned, the terms become nullified anyway.

So if Apple added a term that said "you will owe us $1000 per day and give us license to harvest your organs", it would be nullified even if the user agreed. They would have to have something like a big payment screen showing $1000 and clearly marking out the terms without being lost in a wall of text.


> those inane licenses no one reads, do we really want them to legally binding?

What all would be possible if software EULAs weren't legally binding?

One thing that EULAs typically do is reduce liability for the company producing the software. Imagine if Google/Apple were liable for damages from all the miscommunications caused by autocorrect?


There’s a difference between clauses in an EULA that release the software vendor from liability and those that impose additional liability on the user. I think it’s perfectly fine for an EULA or “non-warranty warranty” to be included in open source software. If a person or a company wants to release software, they should be able to do so without being held liable for damages caused by the user’s improper use of the software.

On the other hand, if a click-through license can expose users to a potential lawsuit then that fundamentally changes the regime we all live in. It creates a world where the countless pieces of software we all use on a daily basis become hidden legal threats, lurking in the shadows like so many snakes waiting to strike. That’s not a world I want to live in and I think most HNers would agree.


EULAs are also used to protect IP, such as by prohibiting reverse engineering. Preventing reverse engineering would prevent modding games, fixing bugs in software that aren't supported anymore, security analysis, etc... In my view, it'd be a net negative for society.


Forcing opaque, possibly abusive EULAs on individuals is one thing, using them against organizations is another. In most jurisdictions, many terms routinely found in contracts between businesses are invalid when an individual is a party due to consumer protection laws. Take renting. In many places you typically can't rent out a dilapidated home to someone even if they agreed to it explicitly, but you can lease any location in any state to a business.

Unlike individuals, organizations are expected to have the resources to handle the legalities and to not be pressured into a terrible deal by circumstances.


I'm pretty sure you can reverse engineer most Apple things without ever signing their EULA. Maybe not those that require an iCloud account though.


A court can decide. Apple and many others have been harmed by this so it makes sense that somebody should be able to sue.


It seems many laws are written in the hopes everyone just agrees, while secretly hoping they are never challenged in court. The easiest hurdle put in place is standing, in legal terms. That's one bit I have trouble with in how laws are challenged: if a bad law is enacted, it should be possible to challenge it immediately through the courts to knock it back, rather than having to wait for the first person directly affected by the law who also has the means to mount the legal challenge.


They are legally binding if the parties agree, but there's a catch: a checkbox is repudiable. You can reject the EULA, but then you will be judged for unlicensed usage of the service.


> Put another way, if it was someone HN liked,

I'm sure no one reads TSLA EULAs either.


This is a rare insightful comment compared to the usual mainstream thought you find on HN. Exactly, what if it's someone you like? So few people consider this when they give up their rights for the "common good". EULAs are just one of these things we just allow to happen to us because we assume good intentions.


I will just add, the author of the NYT piece has a book out on this subject. The book is decent, has some cringe-worthy descriptions of technical things if you are a technical person, but overall I learned a huge amount reading it.

A lot of the commentary, accusations, and opinions in the comments here would be addressed or better colored if you're interested enough to read her book (https://www.amazon.com/This-They-Tell-World-Ends/dp/16355760...).

Also, just to be clear, one of the reasons I like the book is because it's written by a person that doesn't understand all the deep technical aspects of these things.


If you want a more technical perspective, The Darknet Diaries did an episode a couple months ago about the NSO group:

https://overcast.fm/+PMNc5Hr8c

I discovered darknet diaries listening to that episode. It’s very accessible and excellent storytelling.


You actually want to listen to the previous episode to get context first: https://darknetdiaries.com/episode/99/


I've listened to a bunch of those episodes. I agree, the host/creator does a fantastic job.


> has some cringe worthy descriptions of technical things

Par for the course when trying to explain things to non-technical people.

People joke but you can see the thought process in explaining to a politician that the internet is a "series of tubes" for example.


Reminds me of when the Oracle v. Google case was argued in front of the Supreme Court on a series of metaphors, among other things comparing Java to football teams: https://www.theverge.com/2020/10/9/21506172/oracle-google-ja...


The justices clearly boned up on the technical aspects of the case though as their opinion shows a good grasp of what is going on in the underlying dispute over Android.


I was the victim of a state-sponsored attack. I took it to court. I tried to subpoena the contents of the government agents' iPhones but Apple came and filed a Joinder in Motion and sent expensive lawyers to lie to the judge about the judge's power to subpoena digital evidence. The lawyer specifically told me all he does is go around the country and lie to judges to get them to cancel subpoenas.

We introduced the T+Cs from one major online provider to show how the government violated them. The government stipulated that they had violated the T+Cs and that they had broken the law. Two different courts both stated that government agents are allowed to violate federal and state computer and data access laws to conduct intelligence-gathering operations, and they are certainly allowed to violate T+Cs even when a violation of a T+C is a criminal act (which it is in many jurisdictions).

One thing that is lulzy is that I recently received a letter from one government agency stating that the evidence I had requested by subpoena was no longer available because they left it on a server in violation of the T+Cs and never took a copy of it and the provider deleted the account.

It hasn't reached the appellate courts yet.


> Apple came and filed a Joinder in Motion and sent expensive lawyers to lie to the judge about the judge's power to subpoena digital evidence.

If a lawyer makes an argument in court about the law governing a case (as opposed to the facts of the case), and the judge accepts the argument, and the judge's decision survives all its appeals, then the lawyer's argument is, by definition, true.

EDIT: I'm objecting here to the characterization of the lawyers' arguments as "lying". The judge's "power" to subpoena digital evidence sounds like a question of interpretation of the law. Many (all?) US court cases have at least one question of law in which the parties make opposing arguments. One party prevails, the other does not, or maybe one party prevails on some points and the other prevails on other points. But however those questions are ultimately decided, that's the law, as it pertains to that case. In that context, it seems very strange to characterize either party as "lying" in such arguments.

If, on the other hand, "the judge's power to subpoena digital evidence" really means Apple's technical ability to produce such evidence, then I would agree that those are facts about which some statements could be considered truthful or not.


>"If a lawyer makes an argument in court about the law governing a case (as opposed to the facts of the case), and the judge accepts the argument, and the judge's decision survives all its appeals, then the lawyer's argument is, by definition, true. "

This is a Kafkaesque and wrong understanding of the legal system. There are all sorts of errors of law and errors of fact that are non-appealable.


I think the poster above is right, certainly with respect to the legal system in the USA.

In the USA you often get one direct appeal - an appeal by right - and then if that fails, a discretionary appeal by a more superior court.

I've seen some bone-headed decisions made by the trial judge, then the same error made by the appellate judges, and you know the superior court would reverse, but they only take 0.01% of the cases they see every year and so they just don't have time to fix every mistake. So some really stupid legal decisions become "the law of the case" simply because society doesn't have the funds to pay more judges to check the work of lesser judges.


Case law, not truth. Judges do not decide fact.


> Judges do not decide fact.

Trial court judges in jury trials do not (in principle) decide fact questions (though even that is misleading, since they can decide “as a matter of law” that offered evidence is insufficient for a particular fact conclusion even over the jury’s determination of fact, except in the case where that would be unfavorable to the defense in a criminal trial.)

Judges in bench trials, and appellate judges in many cases, do, in fact, decide matters of fact, though in the latter case the usual rules are generally, but not infinitely, deferential to trial court decisions.


US based? I understand if you can't divulge any specifics, but I'm always curious about the nature of these attacks, e.g. we know certain types of journalists/activists are often targeted.


US-based, yes.


> and they are certainly allowed to violate T+Cs even when a violation of a T+C is a criminal act (which it is in many jurisdictions).

Is violating a T&C criminal in the US, if the violating action itself is not a crime? I have not heard of this. Are there any examples that can be linked to? I thought it was always a civil matter.



The CFAA includes this. I am not sure it's possible for US government actors to violate the CFAA unless they're violating some other law also. It seems very unlikely Congress intended to make T&Cs binding on law enforcement or intelligence investigations.

"This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States."

https://www.law.cornell.edu/uscode/text/18/1030#


This is correct, although most US states have their own versions of the CFAA which aren't so limited and don't include any exceptions or exemptions, either.


Yes, for instance in Illinois there is a specific crime for violating terms of service:

720 ILCS 5/17-51(a-10)(1) Computer tampering

https://www.ilga.gov/legislation/ilcs/fulltext.asp?DocName=0...


Perhaps you may want to ask https://eff.org for help.


I tried at the time, but received no response.


> sent expensive lawyers to lie to the judge about the judge's power to subpoena digital evidence.

You're being unreasonable here since it is a very grey area.

If Apple is compelled for example to hand over encryption keys to a judge (which often means a bunch of junior lawyers) then that would infringe everybody's right to have their information be secure.


As quoted that sounds like a choice of law clause, not a choice of forum clause, and so wouldn't necessarily help in bringing suit in California.

In computer terms a choice of law clause in a contract is essentially a macro that when the contract is interpreted in a court expands to the contract law of the jurisdiction named in the clause.

If a court in, say, Kentucky hears a contract dispute and the contract has a choice of law clause specifying California it is essentially as if the parties wrote California contract law into their contract. For things that a contract does not have the power to alter in Kentucky, Kentucky law would apply regardless of what California law said. E.g., the Kentucky court would use Kentucky rules of civil procedure and would use Kentucky rules of evidence.

A choice of forum clause requires the parties to use a particular jurisdiction to settle disputes. When you agree to such a contract you are agreeing to give the courts of that jurisdiction personal jurisdiction over you for matters involving that contract.

PS: I found the EULA. In addition to a choice of law clause it has a choice of forum clause:

> Except to the extent expressly provided in the following paragraph, this Agreement and the relationship between you and Apple shall be governed by the laws of the State of California, excluding its conflicts of law provisions. You and Apple agree to submit to the personal and exclusive jurisdiction of the courts located within the county of Santa Clara, California, to resolve any dispute or claim arising from this Agreement

PPS: note that the choice of law clause excludes California's conflict of law provisions. That's to avoid the situation where California's law says that some third jurisdiction's law should apply. In theory you could even end up in a situation where jurisdiction X says to use Y's laws and Y says to use X's, and then you've really got a mess.


If this is ruled in Apple's favor, can that be a stepping stone to allow NSO to be charged with aiding in murder?


I guess they haven't done this, but isn't this trivially mitigated by hiring someone to create the accounts, outside of the US entirely, in a jurisdiction where T&C violation doesn't mean anything? Especially if the accounts are needed in bulk, where it makes sense not just to work around the legal arguments but simply economically.


They presumably created the accounts in Israel in any case. It doesn’t matter though, because they’re being sued in the United States. Apple is a US company, and the EULA says that disputes will be resolved according to California law, so according to US law, Apple can sue NSO in California. The jurisdiction where NSO (or their designee) agreed to the EULA isn’t important because contracts have two parties, and Apple is in the US.


Were those engineers authorized to act on NSO's behalf?

If I sign an agreement with Apple on behalf of <faang company>, even as, let's say, an intern at that FAANG company, Apple should probably sue me, not the FAANG.


No, the FAANG is on the hook.

I know this, because I did exactly that, and was given a right good talkin’ to, by our General Counsel.

If anything lawsuit-worthy had come from it, then I suspect that I would have gotten more than just a lecture.


Probably, there are shades of grey in this sort of thing, but that’s usually for low-level employees agreeing to stuff wildly out of their responsibilities. For engineers agreeing to the EULA for a service that they use as part of their job, the court will probably agree that is sufficient for this lawsuit, even if NSO has policies that notionally should have prevented the engineers from agreeing to the EULA.

Also, if they weren’t, then NSO presumably violated the Computer Fraud and Abuse Act by accessing Apple’s services and systems without prior permission. Maybe that nixes Apple’s jurisdiction argument for this lawsuit, but Apple can also sue for criminal damages, and is presumably entitled to do so in their home jurisdiction since that’s where they exist and so that’s where they suffered the damages. And I think Apple notes this also in the lawsuit.


So they used iCloud to spy on NSO?

Sounds not right, regardless of what you think of NSO's actions.


No.

The information on fake accounts was passed to Apple by Citizen Lab, which discovered the zero click vulnerability.


The framing of NSO as "state-sponsored" cannot be overstated, and Apple didn't miss the chance to do just that.

A hard blow to Israel's policy just as much as it is to NSO itself.


One could interpret this as the software is "sponsored" by the governments that finance their operations and purchase their products. This would be countries like Saudi Arabia, Mexico, Germany, and Kazakhstan, not necessarily Israel.

Though the fact the US has sanctioned an Israeli business does seem to have potential implications on Israeli policy. [1]

[1] https://www.reuters.com/technology/us-blacklists-four-compan...


Beyond merely selling their products to Israel, the NSO Group itself is an Israeli firm, founded by ex-Israeli intelligence, and whose products are subject to Israeli national export controls.

https://en.wikipedia.org/wiki/NSO_Group

That's a level of sponsorship way beyond simply being a customer... that's state espionage served with a side of profit. It's evil when the USA does it, it's evil when the Russians do it, it's evil when China does it, it's evil when Israel does it... but nobody does anything about it because all those states would prefer strong surveillance rather than rights for activists and journalists.


Further to this, there has been some recent coverage in the Israeli press about the strong relationship between NSO Group and the Israeli government. The government used NSO and its products as a lure to the Gulf states to bring them on-side as a wedge against Iran.

https://www.haaretz.com/middle-east-news/.premium-with-israe...

> NSO is one of the most active Israeli companies in the Gulf, and its Pegasus 3 software permits law enforcement authorities to hack into cellphones, copy their contents and sometimes even to control their camera and audio recording capabilities

> Israel put NSO in touch with Arab states in the region, and Israeli representatives even took part in marketing meetings between intelligence officials in the Arab states and NSO executives. Some of the meetings were held in Israel.

Further reading on just how intertwined NSO group was with the government:

https://www.haaretz.com/israel-news/.premium.HIGHLIGHT-israe...


> Israeli national export controls

A crash course in Israeli national export control:

1. You can sell everything except for nuclear tech (and maybe even that, I don't know).

2. If the client is not officially an enemy of Israel then do whatever you want, we don't give an f'ing f'.

3. If the client _is_ officially an enemy of Israel, then all sales must be conducted through official (secret) state channels. Independent side-action will not be tolerated (see the cases of Nahum Manbar or Shim'on Sheves). This might be a hassle, but the upside is that the courts will uphold complete secrecy of your affairs and the military censorship (yes, Israel has that) will likely prevent any nasty exposes.

4. If the US throws a tantrum, then sections (1.) and (2.) are abrogated. But don't worry: there are plenty of generals and other high-ranking retired officers in key positions in politics, and a bunch of us are wanted for war crimes anyways with ICC cases pending, so... we're all friends here and we've got your back.


Are you sure about that? The English translation of the export control law seems to imply that companies exporting defense equipment must have a license and that that license can be revoked whenever for almost whatever reason: http://www.exportctrl.mod.gov.il/Documents/%D7%97%D7%95%D7%A... I may be misunderstanding it though.


Is that so much different than how the U.S. operates, other than Israel being really fun to demonize? The U.S. arms whoever it wants to arm, Europe as well. So selling F-15s is cool but cyber hacks aren't. Got it.


The main differences from the US as I see them:

* Less effective government control of the press (although that seems to be tightening up in recent years).

* Less use of secrecy, i.e. more of the sales happen in the open.

* The US has more enemies which it actually doesn't sell to.

* No outside boss country to prevent the US from doing what it wants.


So morally there is no difference, there are only some technical differences.


There are definitely parallels to be drawn between the Israeli and the American conservative/right-wing/militant nationalist elements. Both countries operate as global bullies, using military force to subjugate externally and propaganda and fear of replacement to subjugate internally, heavily enhanced by the use of technology.

They both have this old-guard mentality of "might makes right" hegemony, which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview that favors the pipe dream of peaceful multilateral democracies. I count myself as someone who dislikes this approach.

Whether it's planes or surveillance tech or reactor malware doesn't really matter, all just ammunition for their goals.

Israel at least has a survival need; it learned the (very) hard way that it has many enemies constantly seeking to destroy it. It's an us-or-them mentality hardened by centuries of oppression and decades of war.

America... now that's much harder to find an excuse for. And arguably we've spent all our resources on attacking Muslim scapegoats while China leapfrogs us. But hey, I don't make global policy, I just comment on it on the internet.


> Israel at least has a survival need;

Every state has a "survival need"

> it learned the (very) hard way that it has many enemies constantly seeking to destroy it.

While that might be true at the level of people in the Arab East, as far as states are concerned, that isn't actually the case. Unfortunately, repressive governments in Jordan, Egypt and elsewhere are supportive of Israel; and Lebanon and Syria are effectively quiescent long-term.

And that's despite Israel's best efforts to trigger enmity...

> It's an us-or-them mentality hardened by centuries of oppression and decades of war.

Israel has only existed for 73 years. And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign. It's only the Gulf War in which Israel was "just attacked" (by Scud rockets from Iraq).


This is not relevant to the subject, and full of lies. @dang -- clean up the thread


"@dang" doesn't do anything special. The most reliable way to reach the mods is to email them using the Contact link in the footer.


> And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign. It's only the gulf war in which Israeli was "just attacked" (by Scud rockets from Iraq).

That's a very naive way to look at things; I really doubt you bothered looking into it deeply. Israel had little choice but to go to war in 1967, as Egypt was preparing for war both rhetorically and in action (the blockade of the Straits of Tiran among others). If you actually care about history and read about that period you'd understand Israel felt it was facing an existential threat. Was it the case? We don't really know. There was a good chance Egypt would have started invading. I agree that Arab states tend to sometimes speak a lot (even threatening genocide) without doing much, but Israel couldn't really know.


> Unfortunately, repressive governments in Jordan, Egypt and elsewhere are supportive of Israel; and Lebanon and Syria are effectively quiescent long-term.

IMO that's the direct result of Israel being strong militarily, a reluctant status quo arrived at by the immense competence of the IDF. Earlier in history much of the Arab world would've much preferred Israel to not have existed at all. The Israelis had to carve out a niche for themselves through sheer force of will (and firepower).

> And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign.

I don't think that's a very fair framing of the situation. I despise Israeli militancy, and I feel sorry for the Palestinians, and I wish we wouldn't support Israel's efforts to displace them... but that land has been contested since biblical times.

For many centuries the Jews lacked a proper homeland, and that did not at all end well for them. Most of the world's population lives on stolen or conquered land. Who "originally" owned the now-contested area isn't really relevant; both sides claim it as their ancestral homeland (and both sides are partially right, as far as I can tell as an outsider). More importantly, both sides live there now, regardless of who got there "first".

If Israel gave up arms, it would cease to exist within the week. If Israel did not so strongly defend itself, as in the Six-Day War, it would almost certainly have ceased to exist by now. Some of the Arab world tolerates Israel and may make tactical decisions to cooperate with them on limited bases. But that is a very far cry from outright accepting them as a friendly neighbor, E.U. style. Israel's survival needs are unlike those of most other developed nations in the world, who are largely surrounded by stable neighbors... it's comparable maybe only to Taiwan, Ukraine, South Korea, and other situations facing immediate volatility.

This isn't to excuse (what I consider) the excessive use of force on the Israeli part, but it's the excessive that I take issue with. If they didn't use force at all (or at least threaten to and actually have the capacity for), they really wouldn't exist for very long... history has shown that time and time again, and it's the very reason Israel was founded as such. They have been challenged, life-or-death style, in a way that very few other countries have been or foreseeably will be. If the USA lost a war, maybe we'd fail to accomplish some geopolitical objective... but it's unlikely the country would simply disappear altogether. If Israel lost a war, it's the next Holocaust.


> They both have this old-guard mentality of "might makes right" hegemony, which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview that favors the pipe dream of peaceful multilateral democracies.

At least you are honest enough to say it's a pipe dream. It really is. The world is pretty brutal and liberal democracy is a value shared by a minority of humanity. If liberal democracy wants to survive it sometimes has to defend itself. The minimum it needs is an army to protect its people. Does that absolve the U.S. or Israel from every arms sale they do? Probably not. But it's a broad context we need to understand when we talk about this issue.

> which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview

I understand that's the liberal and progressive thing to say. But if you really think about it, it reeks of hypocrisy. The "progressive" countries (who are they exactly?) like Canada, Sweden, Australia etc. all need the U.S. to protect them. They wouldn't want the U.S. to go away, not in a million years.


> The world is pretty brutal and liberal democracy is a value shared by a minority of humanity. If liberal democracy wants to survive it sometimes has to defend itself. The minimum it needs is an army to protect its people.

Yes, I agree to a large extent. Most of the world's strong extant states were forged in war (or are quasi-vassal states to one which was). We didn't get here by being nice to each other. A strong defensive military is something I think every state would be wise to have, so long as human nature remains what it is... we're not wizened philosopher-kings, more just horny, hungry apes.

The distinction I draw is in foreign interference in matters that do not directly threaten us. I would rather see us resign from our role as world police/bully and focus more on domestic affairs, severely scaling back our force projection abilities (namely, carrier groups whose homeland defense uses are limited). I don't believe in this idea that "the only way to protect ourselves is to shape the world in our image, and forcibly subjugate those who will not willingly convert". Yes, there are shitty dictators out there, there is real evil in the world, but we're no angels and we've done a really shitty job of trying to make other countries better (with limited exceptions, like post-WW2 Japan and Germany).

The thing is, sustainable peace through militant nationalism is also a pipe dream. It's never stable for long and it creates vast power differentials that breed discontent and violence; eventually it bleeds back over to us. I'd bet, measured across a few decades, our forays in Afghanistan and Iraq will create more terrorists than we've actually stopped... our administrations think in 4-8 year terms, not 20+, incurring foreign policy debts that later generations will have to try to pay off in an increasingly unstable world compounded by not just virally-amplified ideologies but also skyrocketing inequality and climate change. There is no military force that can keep an unstable, discontented world of ~8 billion apes in check for long.

Absent either a world dictatorship or peaceful multilateral democracies, I'd settle for regional hegemonies and old-school spheres of influence instead... we stay out of China's way, they stay out of ours, we trade peacefully. That means some nations will fall, whether it's Israel (possible, but unlikely?) or Taiwan (probably), Ukraine, etc. Sucks for those countries, but by % of world population, I believe that will result in greater overall peace and prosperity.

Shrug. It's all pipe dreams. Always has been. Some of us just have bigger pipes, I guess.


> which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview

>> I understand that's the liberal and progressive thing to say. But if you really think about it, it reeks of hypocrisy. The "progressive" countries (who are they exactly?) like Canada, Sweden, Australia etc. all need the U.S. to protect them. They wouldn't want the U.S. to go away, not in a million years.

Yeah, even as a self-identified progressive, I unfortunately still mostly agree with you. Most of the liberals/progressives I've discussed foreign affairs with seem to have a pretty limited understanding of (or even interest in) military history. Not that I'm an expert by any stretch, but I do worry that they naively see the world as an unreasonably safe place. I don't think it is.

The American progressive strong suit is in domestic affairs -- leftist populism, basically -- not military strategy or even foreign policy at large.

Broadly, I suppose I believe in big hugs for my fellow citizens, big talks with our competitors, and big guns for our enemies (but we sure as heck shouldn't shoot first).

> Canada, Sweden, Australia etc all need the U.S to protect them

Y'know, Trump wasn't right about much, but maybe NATO really ought to pay its fair share in regional defense. Our forces are so disproportionate that NATO is less like an alliance and more like a protectorate. It can't just forever be "the Western world will fall apart absent American carriers"... if for no other reason than hypersonic missiles. We cemented global hegemon status in the post-WW2 years, but it's not a responsibility we should have to single-handedly carry into the indefinite future. If our allies need to build up their defenses, maybe we could encourage them by gradually bringing ours home. And if we have fewer foreign expeditions, cool, maybe we'd make fewer enemies.

In other words, I think our military should be strong enough to defend against homeland invasions and provide limited support to our allies, but not so strong that it runs the entire world's geosecurity. Somewhere in between is the question of what to do about Eurasia and specifically China... ideally we'd find some Cold War-like balance of mutually assured destruction, with neither side really wanting a hot war. Even better would be if we just cooperated economically with them and worked together on climate change, and let them run their social experiment while we run ours. We need to stop thinking we can singlehandedly liberate the world from oppression, or bring light to darkness, or whatever. We're just another country with big guns and small hearts... there have been many through history, none of which ended particularly well.


Every Israeli citizen, except religious extremists, serves in the IDF or equivalent; if you look useful to the intelligence apparatus, that's where you'll end up.

You literally cannot find an Israeli company that isn't founded, run, and staffed by people with military or intelligence links, unless you're only dealing with religious extremists.


A bit more nuanced; Israeli Arab Muslims (besides Bedouins) and Arab Christians don't go to the army besides some very small number of volunteers. Bedouins are a special case but I think going to the army isn't as prevalent with them as it used to be. Druze all go to the army but they are not Muslim and don't see themselves as connected to the Palestinians.


Valid point - I was primarily talking to Israeli Jewish citizens from that perspective.


Not sure that makes it any better.


It makes it a nothingburger. Your Israeli barista has past involvement with the security forces. In and of itself it's basically a meaningless statement.


Yeah, an intelligence firm founded by ex intelligence is absolutely a coincidence. There's no chance they would use their skills or connections in their new firm.


The very Wikipedia article you linked to says that the NSO Group is owned by "Novalpina Capital". They describe themselves this way:

> Novalpina Capital is an independent European private equity firm that focuses on making control equity investments in middle market companies throughout the continent. Novalpina Capital has a solution-orientated, entrepreneurial approach to investing and creating value in its portfolio companies.

> Novalpina Capital was established by Stephen Peel, Stefan Kowski and Bastian Lueken in 2017. The Founding Partners bring combined experience of 48 years in private equity investing, including senior positions in the European operations of leading global private equity investment firms, and have a shared history of working together for nearly a decade.


Capital may be liquid, but staff nationalities, values, ideals, and goals...not so much.

This isn't some far-flung conspiracy about dark forces puppeteering seemingly innocent companies. It's just people valuing profit over concern for human rights. It's a surveillance firm, what would you expect? What would a benevolent use of this technology even be?


None of this seems like 'sponsorship' to me, it seems more like 'restriction' or 'regulation'. 'Sponsorship' implies that someone is providing a level of funding beyond just being a paying customer. Is there any evidence that the government of Israel (or any of the other governments you mention) are actually providing loans or share capital to NSO Group?


The dictionary defines it more broadly than just money, i.e. support, advice etc.

In this case it is clear that the Israeli government is sponsoring NSO.


my brother has a Vans sponsorship. he gets shirts and shoes, not money ;)

you get my point?


I agree that the word 'sponsorship' has been quite diluted, as you point out, but it should mean something more than 'be a customer of'. Do I sponsor my local sports team when I buy tickets to a game? Am I sponsoring Netflix by subscribing? Do I sponsor my local government by paying property taxes? On the flip side, does my government sponsor me by granting a driver's license?


I get bothered by the use of the term "nation-state" in this context.

And I thought I was pedantic.


> "I get bothered by the use of the term "nation-state" in this context.
>
> And I thought I was pedantic."

I don't think I'm being pedantic, it seems like people use the word 'sponsor' in these contexts to exaggerate and vilify.

Nobody seems to have used the word 'nation-state' in this post; what made you think of it?


It's used throughout the comments and the topic generally. I don't call it out (for meaning a state with borders aligned with an ethnicity) because I get the point being made.

As for sponsorship, states sponsor their industries by providing labor trained at public expense, promoting them abroad through trade agreements, access to trade representation etc. so there is the technical definition of sponsorship met.

The revolving door between Unit 8200 and surveillance startups is documented as is Israel's courting of KSA and the UAE with access to intelligence sharing and capabilities as a bargaining chip. And why wouldn't they? It's good for the state and its industry. Just sucks for everyone else.

The definition of sponsorship doesn't matter when it is met in every sense of the word.


> Just sucks for everyone else

Not necessarily. I assume you mean it fortifies despotic regimes in the Middle East, right? I no longer think at this time there is any sane alternative.


Because that's worked out so well until now. So may as well make a little cash on the side of it, eh?

Do you think the path to end tyranny was so smooth in developed countries? Think back through Western revolutionary history and now immediately forget the name of every leader the moment you think of them - because that's what's happening, right now, in these countries at this exact stage of their political development. The technology now exists to make effective popular resistance impossible. Every possible rebellion strangled at birth. Every potential leader, every sympathetic journalist, religious or opposition figure, immediately identified, located and silenced.

And apparently that's worth a comfortable 6 figure salary to a lot of engineers and managers in comfortable, developed countries.

Do you really think you'd be in the position you're in if your ancestors never had the chance to remove their despotic king/emperor/dear leader? If you don't think it would be another North Korea, maybe it's because of some ahistorical belief that your culture is inherently more civilised. So you probably don't see the racism that's implicit in your statement.

From my experience in the Middle East, seeing people march for an end to corruption, for justice, for a chance for their kids, I realise I hardly know anyone back home as brave, as prepared to risk everything for their political and civil rights. They aren't marching for another ruler. They deserve a chance.

So fuck NSO and its deplorable staff.


I don't care about NSO at all, they can shut down tomorrow for all I care. I'm just saying if the alternative is between something like the Islamic Revolution of Iran and the Muslim Brotherhood type movements - to something like the military regime Egypt has now or whatever the Saudis came up with, I take the latter. What you said about resistance being impossible - it won't get any better under a radical Islamic rule as we are seeing in Iran. All I am saying is it can get way worse. It CAN become North Korea. What we have now in several areas there may be the best we can get for now. And a big part of how I feel about this is about self survival - the Iranian regime hates the West (and especially the U.S but not only) in very deep ways that Saudi Arabia/UAE/Egypt/etc do not. That's how it is. As long as it is what it is, selling stuff to Saudi Arabia doesn't sound super terrible.


They don't just use sales to oppose the Muslim Brotherhood! They are bombing innocent Yemenis who have ZERO connection to Iran. They backed Salafis, like Al-Qaeda, for decades (forgotten about those guys?). They use them to jail journalists for reporting on corruption, women's rights activists for driving. People just trying to make their countries a bit better.

You say "if the alternative is between...", and then proceed to just accept the false choice that it's either tyranny or anarchy, using that reasoning to give a pass to the scum making a buck from some of the most disgusting regimes on the planet. Western countries took generations of incremental improvements to arrive here, all while tyrants always used that argument to try to stay on top.

You're uncritically buying the line that Iran or the Muslim Brotherhood are the worst (which could be argued) but the other less so, because they are on "our side". If you prioritise human rights, that lives on both sides are equally valuable (and I suspect from this thread that you don't) then such a distinction is meaningless.

It's a fear-driven siege mentality and terribly short sighted to think that in the region that brought us Gadhafi, Saddam, Daesh and the Mujahideen, somehow KSA, Egypt or the UAE will magically always align with however your interests evolve.

Thanks to NSO they ARE a step closer to North Korea and destabilising the region in the long term with repression and misery. But you're only interested in short term outcomes for Israel/Western countries, kicking the can down the road when the consequences of such sales will have unknown impacts for decades.

After seeing how it's played out, it's just exhausting to see this kind of mentality after all these years, lost lives and lessons apparently unlearned. Along with greed, this mentality is why the mercenary surveillance industry exists. For the sake of everyone's kids both need to end.


> They are bombing innocent Yemenis who have ZERO connection to Iran

The Houthis are an extremely well armed group supported by Iran; please read about the topic, you are uninformed. I am not saying what's going on there isn't tragic but it's far from "good guys vs bad guys". Iran had a role in what happened in Yemen as it had a role in what happened in Syria. Saudi Arabia is as far from liberalism as Iran, I acknowledge that. But they have much less of a will to export "the revolution" to other places - unlike Iran. They kinda mind their own business most of the time.

> You're uncritically buying the line that Iran or the Muslim Brotherhood are the worst (which could be argued) but the other less so, because they are on "our side".

You are being uncritical as well. If you have any info that suggests otherwise you can share it, otherwise don't just contradict me and call me uncritical.

> If you prioritise human rights, that lives on both sides are equally valuable

I prioritise human rights within reason. Since the Arab Spring we've seen the whole area can in fact get much worse for humans very quickly. "Democratizing" a place like Egypt probably means bringing a hostile (to the West and to freedom in general) Islamic Caliphate of some sort, which I don't like.


Yeah yeah, I read the news too. I'm not going to go into my personal experience, but from my time there knowing political actors, I followed the Houthi rebellion and southern secession movement, and the Iran connection very closely. The link had always been tenuous and was cynically and successfully played up by Saleh to gather billions in Saudi and US financial and military aid, before he switched sides and was killed before he could switch back. Until that point the evidence pointed to the Houthis purchasing weapons from a corrupt Yemeni military. Saleh was Zaydi, a fact conveniently overlooked by the media in an attempt to lazily drive a Shia vs. Sunni narrative that people ate up. There is only evidence of Iran getting involved after the Houthis took Sana'a, whereas KSA had been destabilising the Houthi border region, funding Salafists and building extremist madrassas for decades before then. That's not even in dispute.

"But (KSA) have much less of a will to export "the revolution" to other places - unlike Iran. They kinda mind their own business most of the time." This is laughably ill informed. They've built over 10,000 new Hanbali, Salafist Wahhabi madrassas in Pakistan over the past 50 years. Sent extremist imams everywhere from the Philippines, Indonesia, Mali, Bosnia, UK, the Netherlands. Backing the Janjaweed and ISIS affiliated groups around the world. You don't like an Islamic Caliphate? ISIS's principal enemy was not the US, not Israel but Iran, which fought them with existential zeal in Iraq. Ignore the posturing, check the last time Iran actually invaded a country. Educate yourself. Stop just repeating the news.

So just how is the statement "They are bombing innocent Yemenis who have ZERO connection to Iran" contradicted by anything you've added? It's just a fact, as is the fact that KSA also bomb militants, using them and Iran as the pretext to do whatever they want, including using economic warfare against one of the poorest, hungriest populations in the world.

It's the standard 'but they're killing the bad guys' guilt-by-association, collective punishment line you seem strangely prepared to toe as a justification for brushing off the well documented bombing of innocent civilians. That mindset is probably the single biggest perpetuator of human rights violations on all sides in the Middle East. The casual cruelty of that and the ignorance are bad enough, but to then actively say "As long as it is what it is selling stuff to Saudi Arabia doesn't sound super terrible.", brushing off criticism of both the KSA and those making a buck off the situation, is abhorrent.

You'll happily buy the old, and false, pick-your-poison, brutal dictator vs. extremist Islamism dichotomy that lets you overlook human rights by "our sons of bitches", even while knowing how obviously bad that has worked out until today. But sure, you're "prioritising it within reason". Please. That's just the easy way out.

I don't want to be harsh but you don't seem to be well informed, reasoned or particularly concerned with ethical choices on this issue. Don't think I have much more to add.


> the NSO Group itself is an Israeli firm, founded by ex-Israeli intelligence, and whose products are subject to Israeli national export controls.

All this means is that the NSO Group is an Israeli company staffed by Israeli citizens. I don't know what export controls have to do with anything since those apply to categories of products, regardless of whether or not you have business with the Israeli government.


It's a little disingenuous to suggest that an intelligence firm founded by state intelligence officers is just another "Israeli company staffed by Israeli citizens", as though it were a street-corner restaurant. Other threads here have mentioned the close ties between that company and the government. Is this really controversial? Who else would a hardcore surveillance company's primary customers be..? Cheating spouses?

Export controls mean, one, that the product they're selling is likely a concern of national security, unlike, say, your average lockpick kit or GPS tracker. Two, it means the state gets to selectively pick and choose who it shares this technology with, using it as a tool of statecraft/diplomacy/subterfuge/sabotage. It's a recognition of the value of the technology, along with a desire to limit its availability to Israel's enemies.

NSO's own website says "NSO Group, develops best-in-class technology to help government agencies detect and prevent a wide-range of local and global threats." It wouldn't exist if not for state sponsorship.


> It's a little disingenuous to suggest that an intelligence firm founded by state intelligence officers is just another "Israeli company staffed by Israeli citizens", as though it were a street-corner restaurant. Other threads here have mentioned the close ties between that company and the government.

I have no problem believing that Israel "sponsors" them, but your justifications are baseless. Ex-intelligence officers are not government officials, they are civilians. And government contracts don't imply "sponsorship" in the usual sense, e.g. a landscaping company would not be said to be "state-sponsored" just because they are contracted to work around a government property.

You, and Apple, have to demonstrate how Israel materially supports the NSO Group outside of usual business practices.

> Export controls mean, one, that the product they're selling is likely a concern of national security, unlike, say, your average lockpick kit or GPS tracker.

GPS devices of almost any kind are subject to ITAR/EAR in the USA. It is extremely easy to run afoul of weapons export controls and there is quite a large market for ITAR-free products. It means extraordinarily little if a product is subject to these types of controls.


> I have no problem believing that Israel "sponsors" them, but your justifications are baseless. Ex-intelligence officers are not government officials, they are civilians. And government contracts don't imply "sponsorship" in the usual sense, e.g. a landscaping company would not be said to be "state-sponsored" just because they are contracted to work around a government property.

I am no longer sure what we're arguing about. Is it the meaning of the word "sponsor"? That's not my word choice, that was just what the OP used and I mirrored it.

I think the bigger point is that states (no matter WHICH state) are funding private companies to surveil citizens in a way that genuinely threatens what few civil rights they have left.

Secondarily, are we arguing about the degree of connection between NSO, the company, and the State of Israel? If so, I used "sponsorship" in the revolving door sense, as in intimate relationships between the staff and government officials, not entirely unlike the US and Blackwater/Xe/Academi or Halliburton or Diebold/Premier. The discomfort there is not just in the amount of dollars exchanged, but in the offloading of legal and criminal responsibility to what is essentially a front company used to do the dirty work of the state. Outsourced oppression.

> GPS devices of almost any kind are subject to ITAR/EAR in the USA. It is extremely easy to run afoul of weapons export controls and there is quite a large market for ITAR-free products. It means extraordinarily little if a product is subject to these type of controls.

OK, without looking this up, I'll take your word for it and I stand corrected. Sorry for the mistake about GPS. But that's really a technicality. Surveillance tech of this sort IS a weapon, capable of suppressing not just external enemies but internal citizens, especially if it falls into the hands of nations participating in "Five Eyes"-style surveillance exchanges of each other's citizens. And this in particular is a lot more dangerous than a GPS receiver. And unlike GPS, it has no real "benevolent" civilian purpose. Its primary (only?) customers are oppressive states.

Sorry if this wasn't clear -- I thought it was implied -- but the worry behind the state-private connection here is that this company is getting the kind of resources (and thus effectiveness) that only states can provide, thus making it a dangerous tool. Another implied fear is that the NSO group can also get special extrajudicial treatment because of their usefulness and close connections to the Israeli state, and thus risk breaking checks and balances in a way that a landscaping company would simply not.

I feel like we're running circles around semantics here. Am I fundamentally misunderstanding your argument?


Export controls of weapons, not simply customs laws. Every NSO group contract needs Israeli government approval similar to how Lockheed Martin cannot simply sell weapons to any country.


NSO would not sell to those countries if the regional interests of Saudi /UAE were unaligned with the Israeli desires for the regions. Israel wants dictatorships throughout the Arabian peninsula and turmoil within the borders of all of its neighbors. The NSO software helps advance Israeli interests on both those fronts.


The framing is "abuse" of state-sponsored spyware, not necessarily spyware in-and-of itself. As seen with PRISM, Apple has no problem putting state-sponsored spyware on millions of phones, so long as they (or the US government) don't consider it "abuse".


NSO is pretty well covered by Darknet Diaries:

https://darknetdiaries.com/episode/99/

https://darknetdiaries.com/episode/100/

I have no sympathy for NSO.


I think the most important part of this announcement (I cried genuine tears of joy when I read it) is that Apple is committing to give Citizen Lab whatever they need. That kind of internal access to Apple's people and infrastructure is tremendous.

I've never heard anyone but a despot (or vendor to despots) claim anything untoward about Citizen Lab, it sure seems like they're genuine "good" folks. They do great work, and they'll do better with support and access. The announcement makes it sound like Apple is willing to offer similar support to other good actors. I imagine Apple putting the word out will yield a few more.

It raises - again - the question of what we expect from big companies vs governments, and questions of sovereignty. Where's the line between supporting good work and cyber vigilantes (if it's not a thing today, it will be, and what will society's place be with respect to them)?


I guess I am getting cynical. What is the context that triggered Apple to sue them now, and not any time before?

And what if NSO Group closed the branch in the US? I assume you can't really do anything to an Israeli company.

Because half of it reads a lot like a PR piece to me. And Apple easily gets the marketing message response they wanted. They are fighting "State Sponsored" spyware. The privacy message they are sending out (fighting on behalf of their user), in the midst of a worldwide App Store battle and Anti-Trust.

And I am willing to bet this message will be used in their future PR message when they discuss it in Anti-Trust to gain public support.


> What is the context in which trigger Apple to sue them now, and not any time before?

Apparently Facebook has a similar suit against NSO and just had a significant ruling go their way. NSO had claimed they were immune since they were acting as a foreign government agent.

I’m guessing Apple was waiting to see how that ruling went before proceeding, since if NSO had won Apple would have to take a completely different approach.


They even went ahead and compared their platform’s security with android in the same piece. Like jeez, find a place and time to do that Apple.


NSO Group and any organization who does business with them should be placed on the OFAC list


*Apple VP of SW Engineering: "Apple devices are the most secure consumer hardware on the market"*

... except for how Apple sends a copy of all of your data that passes through their servers to the NSA. No, I'm not espousing a conspiracy theory, this has been brought to light by Edward Snowden's revelations. Now, we don't know how much of the data on Apple phones gets sent to Apple's servers, so it's not literally everything on your phone, but at least everything that's backed up remotely, and possibly more.

So, pot calling the kettle black.

---

*"to curb the abuse of state-sponsored spyware"*

Note that Apple is not saying "to prevent", only "to curb". But even worse than that, they're saying "curb abuse", not "curb use", as though that type of state spying is not inherently abusive.

---

*"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,"*

Apple has a larger R&D budget than most world states. In fact, Apple themselves probably spend more money on sophisticated surveillance technologies than half the world's states combined. Certainly if we count things like dynamic image analysis from all those cameras on phones and cars and such. Why is an unaccountable foreign corporation better than a government? They're both pretty bad.


[flagged]


This isn't remotely true, as anyone can see for themselves using the search box at the bottom of every page.

Please don't post unsubstantive comments here, such as spurious generalizations about the community. The people who feel the opposite way about $BigCo make exactly the opposite spurious generalizations—the dominant variable affecting this is the passions of the perceiver. In other words, it is in the eye of the beholder.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

https://news.ycombinator.com/newsguidelines.html


I respectfully disagree. No matter how arbitrary or obliquely bad of a decision Apple makes (supporting mass-surveillance, adding a notch to a laptop, buying out the entire 5nm node from TSMC), there are people on this site that will defend it. These people represent the majority of interactions I've had on the subject over the past year, because anyone who criticizes the dominant culture of the site gets run out of town on a rail. Every attempt I make at good-faith discussion around Apple ends with accusations, dogpiled downvotes and completely off-topic flamewars. I'm not the sort of person who cares about those things, but denying that they happen? It's in every $BigCo thread, every day. Without healthy skepticism to balance blind support, meaningful conversations cannot happen. When we fail to hold companies accountable for their actions, innovation dies. As this is a site made for entrepreneurs and starry-eyed startup jockeys, I think fostering discussions around the shortcomings of bigger companies opens the dialogue around creative solutions and novel products. Some people treat this site as a place to do battle for their favorite companies though, which ultimately harms the quality of discourse and reduces us to nothing more than tribal warfare.


Of course you're going to get pushback when you post grand claims, provocations, and outright flamebait like https://news.ycombinator.com/item?id=29344580. Your own posts are generating it. That's not evidence of bias in the community, it's a reflection of what you're doing on the site.

Please stop that. It's not what this site is for, and we ban accounts that keep doing it.


Let's see the big picture: It's not only about spyware, but it's about a vast range of malicious tools used for targeting human rights activists around the world, at first through spyware and other malicious software, but if they needed, physically harming them. It is actually part of the Israeli state-sponsored terrorism around the world. Other dictatorships like Saudi Arabia also use their tools. Brutally killing Jamal Khashoggi was one of the instances.


> It is actually part of the Israeli state-sponsored terrorism around the world

Care to explain what you mean? When the U.S sells arms by the billions to despot regimes is it also a state-sponsored terrorism around the world? Or just when Israel sells a cyber app you call it that?


> When the U.S sells arms by the billions to despot regimes is it also a state-sponsored terrorism around the world?

Yeah



As an Israeli, NSO is deeply embarrassing. I do not understand why this is allowed to continue.


There is a lot of money in NSO Group. I'm not really surprised they're being given the green light, especially by the government.


Thank you for sharing. Even though I'm not Israeli or Jewish and I speak about someone else's country, I support your idea and provide these arguments in favor:

Yes I also believe that financing NSO goes against the founding principles of Israel. NSO Pegasus was used by the Hungarian secret service to spy on journalists. https://www.theguardian.com/news/2021/jul/18/viktor-orban-us...

Orban, the prime minister of Hungary is turning more authoritarian by the day.

Hungary displayed plenty of antisemitism well before the Nazi German occupation in 1944: https://www.ushmm.org/information/exhibitions/online-exhibit...

I'm not an Israeli and I'm not Jewish but if I was I would most certainly be even more opposed to selling cyber weapons to authoritarian governments, especially the ones whose authoritarian regimes of the past contributed to the Holocaust.


Link to the docket (including complaint) for those interested: https://www.courtlistener.com/docket/61570971/apple-inc-v-ns...


I am interested to see what evidence ends up on the public record.


Apple sues NSO Group to curb the abuse of state-sponsored spyware

I'm quite cynical about this press release. The key point in the title is that Apple are cool with state-sponsored spyware, it's just abuse of it that bothers them. Also why did they wait so long to file this? I don't think it's because they lacked evidence until now. Perhaps they think such a lawsuit is now expected of them otherwise they will lose face, and that they have the general backing of the public now. I remember some months ago it was shown that Apple already had grounds to sue for copyright infringement. Either way, Apple is stepping into a political minefield. Buy popcorn and expect fireworks. Big ones.


We need to target the pos engineers and management at NSO, Finfisher, Hacking Group etc. who sell their souls for a fast buck. These pricks are likely already setting up the next corporate front for when this one collapses. Let's make the mercenary business a cripplingly expensive line of work.


"target them"? What are you proposing?


An often cited rule on HN is that you should assume the most charitable interpretation... Parent might be suggesting that those that make money on NSO Group's spyware should be treated in the same way that we treat others that make money on deeply immoral or illegal businesses. E.g. it is not illegal to optimize online casinos to suck money out of gambling addicts, but many of us think that it is immoral.


Firstly, chill. Secondly, focus attention on them so they feel the legal, civil and reputational consequences (in line with the theme of this entire post) of their career choices. Draining a disgusting industry of expertise that it couldn't exist without.

They made their choices. Their victims had none.


Ban them and their immediate family from everywhere: iCloud, Google, Instagram, Github, Cloudflare, Spotify, Steam, etc.

Make them explain to their kids that they can't play games on Xbox or listen to music on Spotify because their daddy is a terrorist.


Terrorist? Really? I think one can argue that they've likely saved many, many lives.


Whose?


They support oppressive regimes with their products and services, thereby suppressing public revolts and preempting civil wars that doubtlessly would claim the lives of many. Very noble of them. /S


The U.S supports the same regimes. The U.S made huge weapons deals with UAE, Saudi Arabia and more. Selling actual fighting jets that destroy thousands of people, not some cyber app.


Ideas can cost and save lives too.

So what about some other asshole? Come back when you have an argument.


please


Based on context, and the phrase “expensive”, I assume they mean they want prosecution/legal action against the individual engineers and management. Not threatening


Wouldn't it be better to target the one outfit (NSO), and not its workers? Then again, I suppose the workers would set up another underground business to do the same thing, with the same exploits, and the same people. What is the solution for this?


The solution is go after its staff.

For governments, standard CT/AML financial intelligence: identify employees, shareholders/UBOs and add them and subsequent companies they start to the various watchlists/blacklists. For the public: open source intelligence, post info on forums, name and shame etc.


If you work for a company that is engaging in bad behavior, the mud is on you as well.


Strongly-worded emails written by mediocre AI.


[flagged]


Wait what? You don't hire people from Microsoft? Let's say I get Facebook (I don't really) but what's wrong with Microsoft?

How about people who eat meat? Or vote for the other party - the one you don't like? Are you trying to hire people who are morally compatible with you on every single question? That's gonna be rough hiring.

Even the weapons industry is a tough one. The knee jerk reaction says it's immoral to work for them. But after contemplating - if the U.S (or Europe, or anyone else) doesn't have an advanced military it will be taken over by its enemies (Chinese, Russians etc). Yes, the fact that "they" build their own militaries for the exact same reason is tragic. But if the U.S just dismantled its arms industries what do you think would happen in a few decades?


The thought of any military being advanced due to Microsoft’s help made me giggle.

My opinion is that the best you can do is to hire people with a similar set of core values and there’s nothing wrong with everybody having their own ethical scale that they act upon accordingly.


> My opinion is that the best you can do is to hire people with a similar set of core values

Not working with people who worked at Microsoft is a huge inflation of the concept "core values". There are terrific people who work for Microsoft who are far better than you or I (statistically it must be true), yet they are somehow not good enough to pass your "core values". Which are what exactly?

Also - would you be as liberal for the opposite discrimination? Someone who thinks progressive politics should be banned in his company?


The US military runs on Microsoft. The slides that Snowden leaked were PowerPoints.


It also runs on Intel and probably gets some supplies from Europe. It's pretty insane to boycott any company that indirectly works with the U.S. military.


Microsoft doesn't work indirectly. Neither does Amazon.


They most likely run on Microsoft because almost everyone knows how to use the operating system.


Don't conflate NSO with a disciplined military.

If you're looking for an analog try Xe/Blackwater/Academi/whatever it's now called.


> Blog about their names and the work they do and their employer, so anyone searching for them on Google knows that they are military-industrial complex scumbags.

I don't see how this is constructive. Some companies are actively seeking out people from SV companies, especially Google and Facebook.


> Blog about their names and the work they do

This is, uh, rather malicious, and definitely undemocratic. Let's not have any of that, please.


No, publishing and free expression (especially of factually accurate information) is extremely democratic.

It's really surprising to see people pushing back lately against free speech and a free press.

If you find the truth to be malicious, perhaps it's reality you have the issue with, not the speaker.


> No, publishing and free expression (especially of factually accurate information) is extremely democratic.

If I publish someone's name, address, and personal routine to an online forum and ask someone to assassinate them, is that "democratic"? It's "factually accurate information", right?

No, obviously not. People's personal information is off-limits.

Unless, you think that it's not - in which case it's ok for large companies like Google and Facebook to gather it, as well, and I expect you to hand yours over to them (as well as the US government).

Regardless, it's quite clearly false that publishing someone's personal information with the intent to make them unemployable because of your partisan political opinions is "democratic" - you're doing your best to enforce your own values on someone else as an individual. That's the opposite of democracy - tyranny.

> It's really surprising to see people pushing back lately against free speech and a free press.

I'm calling this for what it is - feigned surprise and an appeal to emotion used for the purposes of emotional manipulation.

And if you think that doxxing people counts as a "free press" that explains a lot about the other things you've written.

> If you find the truth to be malicious, perhaps it's reality you have the issue with, not the speaker.

As we've seen, your claims have no relation to reality, and are additionally indicative of extremely malicious intent (truth and malice are not exclusive anyway - you can say "I'm going to mess you up" and that's both truthful and malicious). Please stop trying to justify doxxing people - it's both evil by itself and completely inconsistent with the other positions that you've stated on freedom and privacy.


It's pretty clear that you don't know what doxxing means, and have constructed a strawman ("publish someone's name, address, and personal routine") which is completely unrelated to my suggested course of action.


Yeah, cos it's the BLOGGERS who are undemocratic.

Amazingly poor choice of words/priorities.


In a just world, Israel should suffer sanctions for sheltering what is basically a criminal enterprise.


Sanctioned by who? If it is the USA, then in this "just world", the US should also sanction itself as a criminal enterprise.


Trade sanctions? What are you proposing?


Clearly he's an anti-semite. /s

Any country that engages in such heinous practices needs sanctions. We need to stop sheltering the Israeli government and hold them accountable for their international crimes.


what is a "just" world?


A world where western nations haven't formed an international cabal of gang stalkers which silence oppositional countries that refuse to surrender their natural resources or exploit their populations.


Every single individual that has ever worked for NSO in any capacity, should be treated as an extremely serious security threat…

Employ these psychotic assholes at your own risk.


So that we are only spied on by bigger agents (e.g., China), and Apple can continue to lie to the roof about how its anti-user, anti-competitive behaviors are for our own good, and are not mere security theater designed first and foremost to enforce Apple’s rent-seeking.


Nice! I'm not sure if I want them to win though. Perhaps this may create a precedent also applicable to people exploring Apple firmwares for sake of user freedom and privacy rather than spying on people.


Anyone have a sense of the odds that the state secrets privilege gets invoked, and if so how damaging it's likely to be to Apple's case? Most examples involve a government entity being a party to the case, but the privilege did shut down a patent infringement suit between private entities not too long ago (Crater v. Lucent) [1].

[1] https://www.wired.com/2005/09/secrecy-power-sinks-patent-cas...


Very unlikely. If anyone is conscious of the United States' push for domestic surveillance, it's Apple. I imagine the reason this case took so long to draft is because it was a lateral effort involving lawyers, intelligence agencies and Apple's own corporate bigwigs. It's reflected in phrasing like "the abuse of state-sponsored spyware" rather than just "state-sponsored spyware" period. The only thing the government wants to do is arbitrate the case, because obviously they have an interest in maintaining their monopoly on surveillance.


Only curbing "abuse" implies that "normal use" of state-sponsored spyware remains kosher.


> Apple believes privacy is a fundamental human right, and security is a constant focus for teams across the company.

This is in the press release. It is missing the bit "except in China."



Who's going to pay to read an article that slings dirt on one of the world's largest and most privacy-respecting companies?

> Special offer: Get unlimited access for $1 a week.

No thanks. They truly are the failing New York Times.


+1


Apple builds their own hardware and software. Security, or lack thereof, is clearly Apple's choice. Apple blaming NSO here is pure public relations and optics, née propaganda, which many on this board drink like the Kool-Aid it is. It's confirmation bias.


Ah, yes, Apple just neglected to flip the security switch on.


They certainly haven't flipped the "US-sanctioned spyware" switch off.


If you're interested in Apple & privacy, you should listen to Polymatter's videos on Apple, in particular https://www.youtube.com/watch?v=CjLHuhOTnaI - it really helped me understand their whole strategy around privacy and PR "stunts" like this. From that video:

"Google embraces gathering your data, arguing you shouldn't just tolerate them using your data, you should want it - first, because giving your phone more information makes it more useful. And second, because all this data [...] makes these services cheaper and more accessible to, say, people in poverty. [...] Apple, meanwhile, rejects the whole concept. Tim Cook argues that's a fake trade-off designed to justify a business model where you are the product, not the customer. Not only does your iPhone not need your data to be useful, it says, it doesn't even want it. For Apple, storing your information is only a liability. Now, whether you buy that logic or not, you have to stop and admire its genius. Because, if Google says your data is what allows it to sell cheaper products, then Apple can argue its higher prices are a feature. You should feel good paying more for an iPhone, because it's proof Apple doesn't need to sell you out to advertisers. On the other hand, this argument is also harder to explain. While Tim is busy waxing poetic about privacy, Google just points to the price tag - everyone wants to save money. [...] Whenever there's a big hack, Tim Cook will, predictably, do a few interviews about privacy, trying to convince you that Apple's interests are most aligned with yours."


> to hold it accountable for the surveillance and targeting of Apple users.

What exactly does that mean? Fine them? Get them to stop? Have them publicly say, "my bad?" I suspect the larger goal is to find out exactly how NSO is bypassing Apple's very expensive security and plugging it? Is that specific info the type of thing Apple can get their hands on (actual code, etc) for this type of trial?


> bypassing Apple's very expensive security and plugging it?

Most likely, they're either finding new exploits continuously, or finding exploits and keeping them for later. The fact that Pegasus is being reserved for people with more importance to NSO (journalists, nation state actors, etc. etc.) may confirm the latter.


Also, not sure, but can a case be made against Apple that they haven't done any such litigation and shown heavy-handedness against the jailbreaking community? At the very basic level, both the jailbreaking communities and NSO are using loopholes in iOS's security to do whatever the hell they want to do with it.


Unlocking _your_ device willingly and unlocking someone else's device against their will are two completely different things.


The amount of time that Apple sat on this is telling.

First reports on NSO activity are from 2016, Facebook filed in 2019, Apple iOS 14.8 fix released in Sept 2021.

Only when the constant negative news about NSO started chipping at their reputation, did they decide to make this symbolic (and ultimately ineffective) move.


Read the New York Times article. It says that Apple was only able to file this suit because of a court ruling in a similar suit by Facebook and because it was given code that showed it how Pegasus works.

There is nothing at all "telling" about Apple's timing.


I think it also didn't hurt for the US Dept. of Commerce to add NSO Group to the Entity List for Malicious Cyber Activities just 2 weeks ago. It certainly doesn't hurt your case for the US Gov't to officially list them.

> NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.

https://www.commerce.gov/news/press-releases/2021/11/commerc...


I am all for Hanlon's razor.

But it reads to me as: Apple's legal team has to act because the Facebook suit (and the info made public) makes it impossible to say that "Apple was not aware" of such and such details.

To me it is much easier to believe the above, compared to your "Apple is only now seeing this info, and only now is aware, and only now can act".


Look, if you don't know how legal standing works, that's one thing. But to reject the explanation provided to you and to cite your own ignorance as a legitimate source of disbelief while you poo-poo away a dispositive fact isn't reasoning.


Apple has known since at least 2016 of NSO's activities on their devices and servers, while selling this image of privacy competence.

This long period of inaction, from 2016 to now, is unacceptable.


It's as if you don't get the point about legal standing. Apple can only take action now because of a court deciding that Facebook's TOS forum clause is actually binding. If they filed the case prior to such a holding, it'd have been dismissed.


Sounds to me like GP really WANTS this to be “telling”, when in reality it obviously isn’t.


>If they filed the case prior to such a holding, it'd have been dismissed.

...Or when Facebook eventually followed up, you'd be making the excuse Facebook was justified in waiting for Apple to test the waters? Somebody has to move first.


What if Facebook never filed? Would Apple never be able to act on this?

If they would have acted, why didn't they do it before Facebook?


"What if Facebook never filed? Would Apple never be able to act on this?"

If there wasn't precedent that Apple's TOS venue clause was binding, then the case would have been thrown out as I just previously explained.

"If they would have acted, why didn't they do it before Facebook?"

Because the case would have been dismissed as I just explained.


Before Facebook filed, was there precedent for their TOS?


No, but Apple probably didn't want to spend 4 years litigating the TOS issue prior to ever reaching the merits. There's also the risk that they lose the TOS issue.


Yeah what if? What if I have lived in wonderland?


Indeed, a wonderland where it is OK for a 2 trillion dollar company to take 5 years to fix vulnerabilities that put in danger many of its users worldwide.


That assumes, wrongly, that Apple only patched the vulnerabilities used by NSO since 2016 in iOS 14.8.

In reality, Apple has been reacting to and fixing new exploits all the time, with NSO Group (and others) successfully finding new ones to replace those that got patched.

For instance, the main class of NSO-related attacks has been via the Messages app and related frameworks, which were relatively poorly designed in terms of their original security architecture. Apple has since 2016 substantially hardened those subsystems, including with a new 'BlastDoor' isolation layer specifically for Messages in iOS 14. That closed off entire classes of exploits, but is clearly not perfect.


Except that it's curiously well timed for this news to drop at the beginning of holiday shopping, like an advertisement, or possibly, this is pure marketing. NSO and Apple are partners. Apple leaves holes, NSO exploits said holes.


Conspiratorial nonsense.


unless you understand how tech, business, governments and security services work, then not so much


That's a pretty massive thing to imply without any followup. As someone who understands how tech, business, governments and security services work, care to enlighten the rest of us?


What about Apple's own spyware they were going to force on users to scan for CSAM? Did they ever make a final decision on what they were going to do with that? Updating to iOS 15 is what they recommend, but then it is Apple spying on you, not some foreign company. I don't want either.


>make products/services more secure

>sue others to make them stop trying to hack your products/services

Chooses the second one. I'm pretty sure this is just a PR stunt for Apple to try to appeal and brand themselves as "oh, we stand for security" and all the other bullshit.


Both is the best option. Unfortunately there is just about nothing you can do to prevent a government-sponsored org from building exploits from scratch to target certain individuals. Apple is doing pretty well at protecting the average person from mass malware like we see on Windows and outdated Androids.


Chooses both, as far as I can tell.


I can see why you think the need for legal intervention suggests fundamental insecurities in Apple's devices, but wouldn't you agree that it (in theory) is better to take both approaches?


Why do you think it's out of the question to do both? Their legal department aren't also software engineers at the same time.


Peculiar stance from a company that has repeatedly ignored critical security issues when reported directly to them, on their own preferred channel, sometimes for as long as 10 months.

Only U.S.-controlled spyware is to be allowed on iPhones.


I've been heavily critical of Apple for their on-device scanning plans, but credit where it's due. This act hopefully exposes the sheer abuse of public funds to find and exploit vulnerabilities, and somehow those same vulns find themselves in the commercial domain, available to the fucking despots in the Middle East and wherever else?

It’s about time those that took the oath to protect the nation from harm step up and do so instead of creating a million more problems by shipping these exploits off to a later time while they sit on them.


Apple mentions PAC, PPL, and BlastDoor, and I'm left wondering if SELinux+JIT sandboxing on Android isn't better than all three combined. Though, I can't wait to see ARMv9/Intel CET processors and associated software being more widespread as well for CFI+W^X+Sandbox/Memory Encryption features.


What does state-sponsored mean here exactly? Is NSO supported by Israeli intelligence?

And if charges are laid against NSO, will its sponsors be charged/sanctioned too (for sponsoring terrorism)?

If this was a company in another country, the reaction would have been totally different (in some cases calls for bombing would have been made, and continued for decades).


I think it means that they're pissing in the wind and hoping that the direction is away from them.


What other goodies will they find during discovery?

Hopefully the public can get snippets like in Epic Games v. Apple.


Isn't NSO Group an Israeli firm with close ties to government? I strongly doubt anything will come of this.


Can an upset judge decide to put the NSO leaders and employees on a terrorist list? They could argue it was an attack on national security if they can show some important person from US would have been hacked by a foreign government.

Then if EU could put the same guys also on the list maybe there would be some effects.


> Can an upset judge decide to put the NSO leaders and employees on a terrorist list?

They can hold them in contempt, which leads to arrest warrants. Default judgements can then enable the creditor, in this case Apple, to start seizing assets. But TL;DR no, a judge can't put someone on a terrorist list; that's a national security and thus executive function.


> Can an upset judge decide to put the NSO leaders and employees on a terrorist list?

For not replying to an EULA suit? I sure hope not, as much as I'd like to see NSO nailed to the wall.


At least one of the founders can be found on American home soil, NYC, but we know very well nothing will come out of it because of the Israeli love story Americans have.


I'm talking about the discovery process. Will we learn anything we don't know already if NSO isn't required to cooperate? Probably not.


A piece of advice I was given once and try to remember to follow is to, when commenting online, think "does this comment seem wrong if read out of context".

For example you wouldn't have had to come back to explain the context of your comment if your "I strongly doubt anything will come of this." had ended with "..come of this in discovery."


NSO have started threatening to release dirt on Israeli politicians because they are unhappy that the Israeli government isn't covering for them.


Source? My thought is if you tried this in Israel the actual intelligence apparatus would have you picked up pretty quickly and in a dark hole for as long as they wanted.


They are part of the actual intelligence apparatus, or at least former. The execs are former members of Unit 8200, the Israeli SIGINT org. And companies like theirs are where former IDF SIGINT officers go after service. And their company is a major piece of Israeli diplomacy; access to their software was one of the carrots Israel has been using to push Gulf states away from Iran.


So no source and no understanding that because of compulsory military service most of Israel is ex-military and no intelligence agency will allow the government to be blackmailed by a private intelligence firm?

Seems like a conspiracy theorist to me.


I'm imagining just a screen shot of a middle finger in response to discovery requests.


Good, I hope this is just the start of a crackdown on the whole offensive cybersecurity industry of Israel, which is an extension arm of the intelligence departments of the IDF.


Apple enabled them by making insecure operating systems. Aren't we on Hacker News all for the ability to side-load software on your platform?


Do you have some statistical evidence that macOS is fundamentally more insecure than other operating systems? That would be surprising to me given many controls, e.g. application signing, I've not seen implemented on other platforms.


NSO seems to concentrate on making products for iOS


Because their targets are on iOS and exploits garner more money. That sounds like a signal that the supply of exploits is lower or the demand very high. This doesn't, to me, seem to signal that it's more insecure; in fact, it may signal that it's more secure.


If you think that Israel is doing anything not sanctioned by the US government you are mistaken. In Israel NSO can't make a move without 7 agencies regulating it. This is considered a weapon sale. The same weapons the US is sponsoring Israel with and buying from Israeli industry. There is no way NSO will fail from this. So EULA or whatever, these are matters between states for national security interests.


You are extrapolating very tight Israeli state control of the Israeli arms industry (very true) to very tight US state control of the Israeli arms industry, which is not actually how the relationship works.

The US has influence over Israeli sales of Israeli-made arms, but this is costly to exert and only used sparingly. Historically, it's restricted to preventing Israeli arms sales to direct US rivals like China or Russia. When Israel sells guns to dictatorships in Africa or Southeast Asia that the US doesn't like, the Americans are perfectly willing to agree to disagree.

EULAs and other civilian contractual arrangements are important here because these weapons were used against US civilians and US civilian property. When Soltam howitzers kill villagers in Myanmar, the US executive branch doesn't give a damn; but as soon as a US corporation (Apple) has to pay for warranty returns the courts wake up and pay attention.


Yes, the many US government 3-letter agencies would love to have full read access to every single iPhone in the world. It doesn't mean Apple needs to comply, or that doing so without a search warrant is legal in California.


I think you are confusing the rights under US law of US citizens compared to everybody else in the world.

For example, as a New Zealand citizen, I don't expect to have many constitutional rights, nor do I expect I can easily enforce any residual rights I might have using the US justice system (especially against three letter agencies).


>the many US government 3 letter agencies would love to have full read access to every single iPhone in the world

They 100% already do


Baseless speculation is not useful here. Especially when it's toned as some kind of truth.


Baseless? Police even have access to tools like Grayshift/GrayKey to unlock all but the newest iPhones (which inevitably will be supported in time). That is what is known publicly because it is so ubiquitous; plenty of leaks suggest far more sophisticated tools among the FBI, let alone agencies with a national security interest.


I would suggest doing some reading on AFU (After First Unlock) and BFU (Before First Unlock) unlocked states. In short, BFU is when you restart your phone without unlocking it: the decryption keys for the user storage are unknown until your credentials are entered. When your device is locked after a restart, you're in AFU mode where the decryption keys are stored in memory.

Devices such as Cellebrite use exploits to extrapolate the decryption key from memory, then use that key on the user storage. This is fundamentally how those tools work. If the device is in BFU, they can't collect nearly as much data.

TL;DR: if you're under threat of having your device taken from you, restart it!


Actually, the US allows Israel quite a bit of leeway in its underhanded weapons and security services trade. There was that time when Israel almost sold AWACS systems to China:

https://nationalinterest.org/blog/buzz/israel-wont-sell-awac...

So, the sale didn't go through due to US pressure, but the point is that Israel not only contemplated it, but was going to carry it through.


The only thing I can add to what you said is another cynical thought of mine, starting with the question of why would Apple waste the money in this case? And the only answer I can come up with is that they need to re-establish their image of "security". I can't help but feel with various actions taken by them in recent times this being anything more than theatre unfortunately. If they prevail, I wonder if it will simply be a case of Blackwater renaming themselves.


>why would Apple waste the money in this case?

To set a precedent that they can claim damages for violating their terms and conditions.


Agreed, there is a channel for private entities to resolve matters of the state and that is via lobbying the executive or the legislative. Going after Israel's outsourced intelligence technology research group via the judiciary branch risks Apple being caught in the political crossfire. Apple at the end of the day is not Blackwater; they do not have any form of influence over force if things really hit the fan. Israel isn't a South American banana republic that can be easily overthrown by private corporations either. To put it in perspective, how would you react if (hypothetically) Lockheed Martin got sued by Yandex if one of their missiles blew up a self-driving car being tested in some far-flung Central Asian state? Do you expect Lockheed Martin to be bound by contractual laws in the city of Moscow and for the matter to be settled via civilian lawsuit or arbitration?


The US Government is not a single-minded entity. Covert actions sanctioned by balding old men in a dingy fluorescent-lit room can still end up quashed when they come to light and the courts get involved.


Wait until you find out about Five Eyes and the run around the 4th Amendment.


This is an interesting case.

But in the long term, it also seems Apple can sue anyone who hacks iOS, e.g. mods and rooting.


There is a world of difference between

> Breaking into a device which you yourself own

> Breaking into a device which somebody else owns


Where did they sue NSO group? If it's a US suit, I don't see that meaning much. Why wouldn't NSO just ignore it in that case?


The pdf was literally right in the link: https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION


A portion of the community only reads the headlines and forms their opinion based on that alone, I'm not saying it's right, I'm just trying to add some context to what appears to be your incredulity at the parent commenter's question.


I read the whole article, but didn't read the entirety of the separate element that first contained the link to the article as printer friendly text.

There's a pretty big UX failure to stick important content there.


I read the whole article and then came here to ask if anyone knew the court and case number. Now I feel stupid.


It's not live on PACER yet sadly so I can't get a case number.


"Venue", meaning where the suit may take place, is a complicated legal beast. Apple is in the US. NSO Group agreed to certain T+Cs when they opened their fake iCloud accounts. That T+C probably says you agreed to be sued in California.


Could the company and its executives be sanctioned based on this court case?


> Could the company and its executives be sanctioned based on this court case

It already has been [1].

[1] https://www.commerce.gov/news/press-releases/2021/11/commerc...


Under what law?


> Under what law?

NSO used Apple's services, thereby agreeing to U.S. jurisdiction. (It also deals in dollars and has customers in America.) If it ignores U.S. courts, it would be held in contempt at the very least. That enables the Feds to start freezing and confiscating assets, possibly even issuing arrest warrants. That happens domestically first and through treaties second.

Given how much bad blood NSO has generated for itself in D.C., it would be more surprising if this didn't get escalated to a diplomatic level.


There's no way it hasn't been escalated to a diplomatic level already, that's probably the biggest impediment to the suit doing anything. Both NSO's host country and client base get an incredible amount of protection from the state department.


This doesn't take into account recent events, e.g. the U.S. sanctioning NSO after their dealings in India and with American police departments was confirmed.

In any case, this is a civil suit in federal courts. Even if State wanted to intervene, it would have to do so through informal channels.


Their website is still up, posting news, hosted on AWS on one of the us-west AZs.

The US is going at them with less vigor than a whack-a-mole torrent site du jour.

> In any case, this is a civil suit in federal courts. Even if State wanted to intervene, it would have to do so through informal channels.

But didn't we just agree that the federal court system is pretty toothless here without the support of the state department?


The federal court could only ever do what a federal court could do which is levy sanctions or judgments against NSO property.


Against US based NSO property, practically speaking.


> US based NSO property, practically speaking

Nope. Not only does Israel have an extradition treaty with the U.S., their civil systems are quite tightly linked.

[1] https://www.state.gov/wp-content/uploads/2019/02/07-110-Isra...


Extradition has next to nothing to do with a civil EULA suit.


> Extradition has next to nothing to do with a civil EULA suit

The following has been mentioned elsewhere in the thread. If NSO blows off the EULA suit, they'll be held in contempt of court. That tends to escalate into the type of thing for which one can be extradited.


They won't be held in contempt; the court will decide the case in their default. That's what happens when you don't appear for a civil lawsuit.


You say that tends to happen, but I can't seem to find a single case where civil no show and non payment escalated to criminal foreign extradition. Do you have any examples of this?


"That enables the Feds to start freezing and confiscating assets, possibly even issuing arrest warrants. That happens domestically first and through treaties second."

It's a civil case.


> It's a civil case

If you perjure yourself in a civil case, you've committed a crime. Contempt of court is, similarly, a (process) crime.


It's not a crime to simply not show up. Default judgement that they won't ever pay, and everyone moves on with their lives.


They will have assets in the US that can be attached


How? They're on the entity list.


Lobbying and political pressure with the result of this case being used as tool ?


More lobbying and political pressure than the Israeli government already exudes over the US? And NSO's clients too? Not likely.


> More lobbying and political pressure than the Israeli government already exudes over the US?

NSO is already on the Entity List, a part of the U.S. sanctions regime. This has been amply discussed, but TL;DR they lost their friends in Washington.


Did it affect them?


> Did it affect them?

Anecdotally, yes. They lost their U.S. customer base. And banks and securities firms are closing their and their employees' accounts.


Apple's playing both sides.


That seems like quite a baseless assumption, unless you have any evidence ...?


hah! that'll show 'em /s


Thank you, Tim


Legal methods are a crutch at best. Apple would be wise to put forth the same budget into their security team's research and development and properly address these weaknesses.


Ok normally I’d just let something like this go but I just have to pull my hair out when I see a comment like this.

The attack surface of software as complicated as a modern operating system (iOS or MacOS, etc.) is simply too large to lockdown without dramatically hurting the user experience (assuming you could actually achieve a lockdown in the first place!!).

Let’s, just for a second, propose that Apple went full Monty and locked the whole shebang down with the kind of tech they’d need to resist NSO. That’s more custom silicon, signed binaries everywhere, even fewer per-app permissions, literally treating any piece of software running on the device as a potential threat vector even more than they already do. What would this get you?

The BoM cost would go up, a lot. The cost of writing software would go up, a lot. And perhaps worst of all: it would only raise the cost of a chain of exploits, not eradicate it.

Right now a chain of exploits is ~$5M on iOS. What if it was $50M? Would that actually stop a nation state?

I’m sorry but there’s no world where Apple can make perfect security.

Finally, the cost of this lawsuit is a drop in the ocean compared to what they already spend trying to secure the software and hardware in iOS devices.


You’re not wrong about the impossibility of perfect security.

But Apple is praising and promising to support independent security research in this press release. Meanwhile they have a reputation among independent security researchers for being standoffish, opaque, slow to respond, and even outright hostile in suing Corellium. They settled that suit but the reputation remains.

Apple is the most valuable company in the world. They do not appear to have the best security program in the world. Whatever Citizen Lab can do, Apple should be able to do better; they have a lot more resources and expertise.

I’m not doubting that Apple puts a lot of effort into securing their products. But it seems like they still have significant room for improvement.


Seconded. There are many, many low hanging fruits that would substantially improve Apple users' security that Apple has not yet implemented, for example delivering Safari updates independently from macOS updates and having a seamless auto-update mechanism equivalent to every other modern browser. Apple repeatedly claims that most malware targets Android, which is true, but it includes Play Store adware and side-loaded malware; if you only take RCE exploits, which are the relevant class of malware here, one could argue Android is as secure, or more secure than iOS. I would argue the latter, given that Safari and iMessage (as well as integrated WebKit webviews, like Apple Music) seem like the primary attack vectors, and the ones used by NSO; and that security updates to those components, unlike the Android equivalents, are delayed to match Apple's preferred iOS release schedule, instead of being autoupdated separately and transparently to the user.


One could also argue that, as Apple is commonly branded as the "secure" alternative, high profile targets are potentially using their products. This might mean that attackers' interest is much higher on that side. They might not care so much about Android. Increased interest and effort means that something is more likely to be found.

Also, Apple's sandboxing settings and permission management make most malware pretty useless with App Store policies (no sideloading), so only RCE exploits are kinda useful.

When it comes to iMessage, that is the most interesting channel, along with Safari, to deliver exploits: iMessage without user interaction and Safari with some. All you need to know is that the target is using an iPhone. Other non-default applications as targets introduce new challenges. iMessage and Safari being part of OS updates might indicate that they are handled differently compared to other apps - is the security policy the same, worse, or better? Is there a larger attack interface to the system by using these apps?



> They do not appear to have the best security program in the world.

By what measure? That they don’t find all the security bugs? Have you seen what iOS exploit chains look like these days? They’re not exactly simple. I think there is literally no amount of money that could be spent that would eliminate all the security bugs in iOS, or Apple would be figuring out how to spend that much right now. So yes, you can always argue that they should spend more, and I’m sure they do spend more every time something like Pegasus happens, but it’s not some grand revelation. This is just how things are.

> Whatever Citizen Lab can do, Apple should be able to do better; they have a lot more resources and expertise.

At the tail, this doesn’t matter. Other people find bugs because there are always more bugs to be found. There will never be a situation where only Apple can find more bugs in its operating system.


> I’m sorry but there’s no world where Apple can make perfect security

I think everyone knows that perfect security is not possible, the operative word being ‘perfect’. I think what we want is for Apple to ‘actually try’ to provide security, in some way that results in security orders of magnitude better than we enjoy today, which would still be miles and miles away from ‘perfect’, vulnerable to nation state actors etc etc etc


Can you point to a single instance of a cellphone vendor who takes security more seriously than Apple?

Put a different way, is there any device with a high monthly active user count that has a higher cost to purchase a black market exploit than the iPhone?

Apple can always do better. It should also scare the living hell out of us that they’re currently the best in the world.

My point is that if Apple can’t secure your phones, who can? It’s enough to make one think about security through obscurity.


> Put a different way, is there any device with a high monthly active user count that has a higher cost to purchase a black market exploit than the iPhone?

I'm going to answer about operating system rather than device.

The selling price of an Android full chain with persistence zero click is up to $2.5 million. The selling price of an iOS full chain with persistence zero click is up to $2 million.

https://zerodium.com/program.html

Both are better than any desktop operating system.


This isn't the benchmark of how secure those systems are, just a benchmark of how valuable exploiting them is. Hypothetically speaking, iOS could be more secure, but an Android exploit could be valued more if high valued targets tend to use Android. Keep in mind that phone OS usage varies quite a bit by country and wealth.


I was responding to a specific comment about prices.

You're right that the price doesn't fully correlate with security. It will reflect supply (security and interest of researchers) and demand (how much there is to be gained by breaking into each platform).

Android is more widely used, but I gather more money is spent in the app store than the play store. I don't know the market share of "interesting" users.

My analysis would be that the number shows they're not that far apart. I'd be skeptical of anyone (IE apple's press release) saying that either platform is more secure. Security is too nuanced to be expressed as a total order.


Agreed! Thank you for posting that Zerodium link. It's always great to bring substantive data into a security discussion.


100%, thank you. I had spoken to someone at Apple who said Apple was $5M and Android was $2M, but I hadn’t bothered to check. Thanks for posting data!!


> is there any device with a high monthly active user count that has a higher cost to purchase a black market exploit than the iPhone?

This is unfair, because there is a duopoly and the only alternative on the mass market is Android. Of course in such circumstances the exploits will be expensive, even if security is awful.

Ignoring this, Purism takes security more seriously, because they give the user full control over the OS with the possibility to replace/reinstall or harden it. In contrast to that, the rarely updated iMessage is impossible to uninstall on iOS.


> i think what we want is for apple to ‘actually try’ to provide security, in some way that results in security order of magnitudes better than we enjoy today

That's a pretty tall order, and would likely result in a device that is much more expensive and has a user experience that users would not like. Assuming "orders of magnitude better" is even possible, of which I am skeptical.


I co-sign this whole comment and answer the rhetorical question: $50MM for an exploit chain would not stop a state-level adversary. Their alternative for these kinds of operations is human intelligence; they'd pay more just in health benefits to staff those operations.


> literally treating any piece of software running on the device as a potential threat vector even more than they already do

Sounds amazing. Every operating system should be designed this way. Only free software should have full access. Proprietary software cannot be trusted and must be regulated and controlled.


"Right now a chain of exploits is ~$5M on iOS. What if it was $50M? Would that actually stop a nation state?"

Yes, for some states it would. That could make it unaffordable for many of NSO's clients.

The result would not be perfect, just better.


It's not clear the user experience would have to suffer. Maybe there are more groups doing for software architecture what Signal did for messaging. Groups like Heiser's seL4 and Qubes. As for expense, imagine how much more we would have paid today, in real and opportunity costs, if over the last 20 years everyone had used this "no such thing as perfect security" fatalism as the excuse to not just do things a bit better.


Apple will advance the security of their platform more by suing NSO and lobbying the US gov to position the official view of the US gov regarding nation-state sponsorship of malicious software as reprehensible efforts which harm everyone (eg like biological/chemical weapons). If the US sanctioned Israel and critiqued them as reckless, maybe fewer countries would support organizations like the NSO group.


> The attack surface of software as complicated as a modern operating system (iOS or MacOS, etc.) is simply too large to lockdown without dramatically hurting the user experience (assuming you could actually achieve a lockdown in the first place!!).

https://qubes-os.org


You talk to a lot of people who use Qubes day to day? I do. What have you heard about how Qubes life is?


I am gladly using Qubes myself as a daily driver. Can't recommend it enough.


Hey, my Qubes friends keep using it too. I'm not saying it's un-usable. Is dys-usable a word?


This is a vague and unconstructive criticism. Perhaps you could say something more to the point.

In my opinion, most of the HN audience would be able to use it to their benefit.


That might be true! But it's not very relevant to the NSO problem, because the mass market will not be able to use it.


if it was 50m there would be significant increase in reports, for sure. problem is Apple has a reputation for not paying bounties...


The problem is that this approach requires that Apple expend enough resources for their security to be perfect all the time. Outfits like NSO Group need only be lucky once (well, with some consistency, as Apple finds and fixes the vulnerabilities they use).

It's a cat-and-mouse game where Apple has a distinct disadvantage, one that's likely impossible to fully overcome.

They certainly should (continue to) spend a bunch of money to make their OS and hardware as secure as possible. But at a point returns start to diminish, and perfection just isn't an attainable goal.


Some people can even conclude from this that being evil is a better idea.

A fictional example: there is a character in Wheel of Time who realized that for the good guys to win, they must win every time the bad guy attempts something, but the bad guy must win only once (since his goal is the destruction of the universe). Thus this character concludes that being evil is a better goal, since you can keep trying until you succeed; he imagines he WILL eventually succeed, as a matter of "when", not "if".


apple controls the hardware and software on apple devices. nso does not. this is public relations for apple, as much as a holiday advert as any they put on tv. if apple wanted to provide their customers secure devices, apple would provide their customers secure devices.


Would your solution to weapons exporting to have everyone buy a bigger bunker? Doesn't it just make more sense to control the export of weapons?


Well, that's one way of outing yourself as someone who knows literally nothing about modern computer security.


Their lawyers are probably on retainer, or just straight up in house counsel. I doubt it costs them any more than a rounding error.


Why not both?


As if there’s a magic button trillion dollar companies can buy that, when pushed, removes all security vulnerabilities from software and hardware, no matter how complex!


meanwhile Google happily continues to run ads for malware like the infamous 'MacKeeper'


This is good


Wow you have to be on HN to see Pegasus portrayed by some people as ‘the little guy’ fighting ‘evil’ Apple.


They're not just fighting Apple. What about the actual victims of the attack: journalists, etc.?


Great. Also, don't forget to secure your operating systems, which is the root problem.


"We have no clue how our software works, so we will sue you".

It's a disaster from any point of view. Also ineffective.

They could easily designate not 10M, but 100M for bug bounties and simply solve their problems.


Apple simply needs to exercise its right to deplatform everyone who works for NSO. Oh, and deplatform all government wonks of the government of Israel, as it is allowing NSO Group to operate.

Life in 2021 is very difficult without a smartphone. In fact it is so difficult that if working for NSO comes with "no smartphone forever" sticker NSO won't be able to find people to work for it.


It would be quite a blow if the 5% of the Israeli government who use iPhones (iPhones aren't really popular outside the U.S.) suddenly had to switch to Android. As an extreme measure I suggest blocking their iTunes accounts. And no more MacBooks! Settle for some cheaper superior hardware elsewhere!


People with money, who tend to be people with power, use Apple devices.


Not really. It's a U.S. thing.


> Life in 2021 is very difficult without a smartphone.

It's actually not, at least in the US. Tons of people do it.


US population for 2020 is 329.5 million. 18 percent of the US population fell between 0-14 years old in 2019. The US had over 290 million smartphones in 2020.

We can confidently presume anyone who works for a tech company such as NSO does not live like a Luddite.


I know a dozen or so people who don't have smartphones. They also work in the tech sector and are the exact opposite of being Luddites.

But the comment I was responding to was asserting that going without a smartphone is difficult. It most certainly is not. It's less convenient, but not difficult.


> But the comment I was responding to was asserting that going without a smartphone is difficult. It most certainly is not. It's less convenient, but not difficult.

QR codes for vaccines.


Court has no jurisdiction over NSO. At most, it was foreign international persons who accepted iCloud's terms and conditions. They'd have to identify them, prove that they are linked to NSO, and in fact acting on behalf of NSO in their official capacity. And even after that, they'd just not travel under their real names, or even not travel at all, and that's that.


Ellsworth is a personal hero of mine - incredibly smart, wildly talented and has a real vision for this space.

All that being said, it's a nightmare of a space which is why I don't think there's been a big funding event for Tilt5.

"Meta View" was an AR company that raised $75mil, had a star studded list of VR/AR technology folks, only ever shipped a couple thousand units and now is defunct.

Magic Leap raised $3.5 Billion and now has given up on shipping a consumer device (Enterprise only).

Microsoft's Hololens exited consumer applications even earlier, enterprise only.

Oculus Quest is the most successful consumer VR tech (about 5 million sold) but it's really unclear if they're anywhere close to turning a profit and they've spent tons to try and jump start game developers in VR.

Tilt5 would require from the ground up games to be made, large volumes of orders/units to be profitable and even if all that came together could still be kneecapped by chip shortages and supply chain issues.


Wrong thread?

Edit: I guess it is for Tilt-5 Was Magical [1], I copied your reply over there.

[1] https://news.ycombinator.com/item?id=29317390


Thanks, too many tabs open.



