It's also fascinating that the crux of Apple's case against NSO hinges on NSO engineers that accepted iCloud's terms and conditions.
From related NYT article:
>The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”
The clause helped Apple bring its lawsuit against NSO in the Northern District of California.
This community features not just fans of reverse engineering, but a number of practitioners, e.g. the popular Nvidia TSEC key extraction that was featured recently. The defendant's actions make them an easy target, but, like the ACLU protecting the civil rights of murderers, because we still live in a nation of laws, I don't see this as great. This is a continuation of Apple's continued use of lawsuits to silence any challenges to their marketing of being the secure computer choice (e.g. Apple suing Corellium) rather than their products actually being secure.
0) The defendant can be sued under California law because they accepted the EULA.
1) California law makes businesses liable for damages incurred by their unlawful business practices.
2) Business practices which violate any California or federal law are unlawful business practices in California.
3) The defendant violated the federal Computer Fraud and Abuse Act by hacking into users' phones.
4) Apple incurred damages to their reputation and from expenses related to mitigating the hacking of their users.
5) Therefore the defendant is liable for Apple's damages under California law.
So the defendant could have been fine if they had just done reverse engineering, or even if they developed the hacking tools, but actually using the tools against Apple's users in violation of the CFAA was going too far.
> 4) Apple incurred damages […] from expenses related to mitigating the hacking of their users.
This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway. Put another way, that also sounds like the corporate open source push, "We love open source because we don't have to support it, the community will!"
"4)" says the community will pay for/support security, just wait for the hack and make 'em clean it up. Mitigation costs shouldn't be a recoverable damage, they should be doubled and paid out to the victims...maybe that'll incentivise better security over dollar dollar bills y'all.
This all may be moot because this was a B2B action and I'm thinking from a non-monied, single user/security researcher perspective. What if the company was a non-profit security research group? Perhaps this is what the 90-day grace periods are for when dealing with responsible disclosure?
Anyhow, my ignorance must be showing at this point.
"60. Defendants force Apple to engage in a continual arms race: Even as Apple develops solutions and enhances the security of its devices, Defendants are constantly updating their malware and exploits to overcome Apple’s own security upgrades.
61. These constant recovery and prevention efforts require significant resources and impose huge costs on Apple. Defendants’ unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000 and in an amount to be proven at trial."
Hopefully the judgement is able to split the hairs between reputational and development harm to a company for security vulnerabilities, and harm to users for organized exploitation of those vulnerabilities.
The former feels like it should be free speech -- statement of facts related to the company's product(s). The latter is an obvious wrong.
NSO hacked devices they didn't own and infected them with spyware. Apple had to pay to repair / replace those devices.
I don't see how this sets any sort of precedent where security researchers are liable for the costs of fixing vulnerabilities that they uncover.
nit: "user accounts to which they're not authorized"
I work with friends' accounts all the time provided they authorized me to do so and provided I'm permitted to do so as part of the vuln disclosure program terms and rules of engagement, though I usually split the bounty with them in a meaningful way to make it worth their while.
Apple is not really all that different. If they believe that suing to prevent reverse engineering is going to stop the bad guys they are delusional, I suspect that they are fully aware of this and are engaging in a very expensive bit of theater here: the NSO Group is not going to be overly impressed by this, whether they win or lose the case. If they lose they will be open to a damage claim, which in turn will have to be enforced through a court in a different country, if they win Apple will lose far more than just this case, they will lose the battle against everybody that wishes to engage in reverse engineering.
Another thing I suspect is that Apple is either very much concerned about the image/reputation damage, their supposedly highly secure platform/environment appears to be less secure than Apple wanted you to believe and a click-through EULA is not going to impress a law breaking entity, they probably should have anticipated that. And Apple may believe that other law breaking entities are going to stop doing their thing if they win this lawsuit, I'm a bit more pessimistic about that. Legal action is not a good way to recover from a technical failure, Apple needs to update their threat model and act accordingly.
No, read again, this only refers to damages from unlawful activity. "White hat hackers" need not fear.
IANAL but it's always seemed to me that if I reject the terms of a EULA then the EULA doesn't apply to me. Pushing the "button" does not mean anything because only the EULA gives it meaning and I reject that.
50 years from now if someone is doing software archaeology and they go to install some software from a long gone company, who does clicking the button form an agreement with? Will it be legal to try that software? Can existing software companies list people they have click-through agreements with? These things seem like a bad joke in practical terms.
> The mental assent of the parties is not requisite for the formation of a contract. If the words or other acts of one of the parties have but one reasonable meaning, his undisclosed intention is immaterial except when an unreasonable meaning which he attaches to his manifestations is known to the other party.
>Zehmer wrote on the back of the restaurant's receipt stating, "We hereby agree to sell to W. O. Lucy the Ferguson Farm complete for $50,000.00, title satisfactory to buyer". The note was signed by Zehmer and his wife.
I mean, this seems pretty easily addressed:
I can't sign a contract with a dead company, can I? Well, literally I can, but the agreement wouldn't be binding.
Same applies here. Unless the entity still exists, in which case congratulations, you're in a binding agreement lol
Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software. Big Co. may not agree to the terms of the old license.
Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?
What if there are no heirs, so the assets go to the government? Do you now have a contract with the government? I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.
Just because something is new to you, doesn't mean that professionals that deal with this every day have never thought about it.
(The actual answer depends on the State, entity type, if it was dissolved or suspended, if a bankruptcy is involved, etc. and you should just consult a contracts lawyer)
> Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software
That's right, that's what they sold.
> Big Co. may not agree to the terms of the old license.
Then I guess maybe they shouldn't have bought it.
> Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?
Yes. They inherited the deceased's assets.
> What if there are no heirs, so the assets go to the government? Do you now have a contract with the government?
You'd probably have to ask an estate planning attorney about the specifics of this, but so what if you did?
> I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.
You should totally do it lol
What'll happen in cases like that is that it'll be litigated, interpreted, and either amended through a settlement agreement or annulled.
As others have said, the law isn't a programming language. It's a human system that, while being rigorous, strict, structured, and binding for the most part, is nonetheless capable by design of nuance and interpretation within known and constrained bounds.
> The Court has personal jurisdiction over Defendants because, on information and belief, they created more than one hundred Apple IDs to carry out their attacks and also agreed to Apple’s iCloud Terms and Conditions (“iCloud Terms”), including a mandatory forum selection and exclusive jurisdiction clause that constitutes express consent to the jurisdiction of this Court.
Judge: Did you, NSO, agree to the Terms and Conditions by pressing "I Agree"?
NSO representative: No, Your Honor.
Apple Lawyer: Then how did you gain access to my client's services?
NSO Rep: A totally unrelated third party gave us 100 unlocked iPhones as a free gift. We never saw the terms and conditions, nor agreed to them. We can fully prove our claims. [edit: (fully proves his claims)]
Apple Lawyer: (spluttering) but... but... but...
Judge: (bangs gavel) case dismissed!
This is assuming NSO were far-sighted enough to actually create such a paper trail. Also, since Apple is disputing more than 100 accounts, maybe such a defence would be ruled as improbable, or some other legal jargon. Maybe someone better informed can chip in.
On the other hand, creating some kind of convoluted, contrived paper trail to claim that mysterious third parties were the ones to have physically pressed the "Accept" button on your 100 fake accounts and so you didn't even know there was a EULA seems kind of like it might actually be fraud.
A full paper trail would also necessarily disclose the entity that provided those devices, which they may well be loath to do (since it either drags in a related company, who Apple can then also target, or embarrasses a third party who would rather remain nameless).
However, in practice, a technology engineering firm claiming to have no knowledge of the licensing that applies to the devices in which they also claim expertise, is such a far-fetched statement that it's almost trivially set aside, and earns a rebuke from the bench to boot.
This is standard practice at large companies when reverse engineering chips, devices and software and seems very similar to the above eula argument.
1a. one team examines the device and produces a detailed specification of it
1b. another team works solely off that newly produced specification; this team has zero contact with the actual device
In this hypothetical case:
2a. a third party affiliate accepts the Apple EULA, and gives the Apple IDs to NSO Group
2b. NSO Group uses the Apple IDs as credentials to obtain Apple services
Notice that in case 2b, NSO Group has actual contact with Apple in two ways. They used Apple IDs, and they obtained Apple services. This didn't happen in the reverse engineering case.
Lots of people negotiated these things and agreed to make commerce happen.
Novel to you does not mean novel to humanity.
As it should be. It doesn’t always work well for all circumstances, but we don’t have a better system
However, "common sense" is also not how it works, so sure, when people rely on what they expect "common sense" to mean, then they too get screwed (the meaning of "common sense" after all varying dramatically from person to person).
Law has its own principles, philosophy, and practices, that's all. And judges, especially senior judges, do not like it one iota when folks try to circumvent the meaning, substance, and purpose of these elements.
That doesn't mean the nerds are wrong to want what they want.
People have a pretty good idea of its mechanisms.
Powerful people break laws that are clear enough and then don't go to jail because of "prosecutorial discretion" or Johnnie Cochran or retroactive telecoms immunity for illegal mass surveillance.
Powerless people break laws that are ambiguous, or most people don't even know exist, or people know exist but they're only enforced against the nameless and poor, and the US has the largest prison population in the world.
This outcome is your great victory for "millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people"?
> trail of tears
> coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions?
We already have code running when it comes to actual life and death decisions. There is code running in aircraft and heart bypass machines, and it works, because then people care that it works. Nobody cares enough that some ad tracking code is perfectly reliable and efficient, so it isn't.
You're also asking for a double standard. The OpenBSD people do a nice job on OpenSSH. It's pretty good, not perfect. There have been vulnerabilities in even that. Then they get patched.
But you can't possibly be claiming that there are no "vulnerabilities" in the law. If that was the case then why do they have to keep passing new ones every year? The ask isn't that it never change, it's that it be changed by the legislature prospectively instead of being in a constant state of superposition until it's resolved by a court ex post facto.
Anything is easy to deny.
Denial isn't sufficient to win the point.
> We can fully prove our claims.
Saying “we can fully prove our claims” is stupid easy. Being able to is harder.
> This is assuming NSO were far-sighted enough to actually create such a paper trail
But they probably weren't, because they didn't anticipate being sued in California based on jurisdiction gained via the iCloud T&C.
It does, but it's not an element of a crime being proven, so the burden isn't “beyond a reasonable doubt”, but (as for most things in a civil case, though sometimes other standards apply) “preponderance of the evidence”, for which you need to convince the court that, based on the evidence provided, the facts you need are more likely than not to be true.
When they say "No your honor" they would then have a charge of perjury added to the other charges. The Apple lawyer doesn't say "Then how did you gain access to my client's services?" (because litigation 101 teaches you never ask a question you don't know the answer to).
...the lawyer enters into evidence the logs showing you accepting the EULA.
IANAL, but the general understanding is: "Ignorance is not a defence". If your legal advisors did not flag this up then I think you are probably entitled to ask for your money back when Apple kicks your butt.
If we are all quibbling over the wording used in a hypothetical case, then I wonder what's going to happen when the lawyers get going with the real one.
The issue here is that a single employee (which may carry out an unauthorized action) is unlikely to create a binding contract for a company.
Otherwise, by the same token, NSO can create a EULA that says that a use of their software requires a 100 million USD / month cost. Get an Apple employee to agree to that (probably unknowingly) and sue Apple for that amount, since their employee "agreed" to that.
The $100mm example you have would just get thrown out in court because it would be deemed unreasonable, even if Apple was ultimately responsible and the employee was acting as a representative of the company or on behalf of the company. Otherwise why can’t I just get a buddy to set up some random service and then have (let’s say I work at Apple) me sign a contract saying that Apple will give all of its corporate property and money to this contract for the rate of $5/month so this random service can “manage it” or something? Whoops guess Apple agreed to that!
Maybe the most interesting thing about this is how it proves that their code signing system is worthless. If the same bad actor can get a hundred Apple IDs to sign literal malware with, why are they imposing this burden on random small developers?
>50. On information and belief, Defendants created more than one hundred Apple IDs using Apple’s systems to be used in their deployment of FORCEDENTRY
>51. On information and belief, after obtaining Apple IDs, Defendants executed the FORCEDENTRY exploit first by using their computers to contact Apple servers in the United States and abroad to identify other Apple devices. Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target.
From the complaint:
>Violations of Computer Fraud and Abuse Act
The EULA is used to establish jurisdiction, and for the separate breach of contract claim. Apple has servers around the world, without the EULA the jurisdiction isn't necessarily obvious.
For commercial interactions in particular between two businesses? Yes, absolutely. How else are two entities supposed to come to legally binding terms without a contract?
I'm all for a little bit of lenience when an end user didn't read the terms but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?
The little guy isn't always right because he's little. If the little guy hacks my software to sell spyware to dictators and war criminals you bet I want the right to take him to court
As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please.
Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens.
Giving them the right to destroy your business at any time or at least try very hard to make it unprofitable shouldn't be a surprise to anyone.
> As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please.
Agreed. That's exactly what it seems like. And that sounds like immoral, unjustifiable, sickening hell. That Apple gets to hold all the cards, no one else on the planet gets any say in how a device might be used.
It seems to me like the law is immoral. The law is heavy handed, an idiot, and wrong. And it seems like Apple is a user/abuser of unjust power which it does not have any moral or ethical right to wield.
> Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens.
This sounds like a nightmare hell world to me. It contravenes the idea that any of us can ever be owners of anything. This sounds like the logic that says that only Tesla can repair Tesla cars, the logic that says only John Deere can repair John Deere tractors. This is an anti-human world, this is a bad world, this is immoral, this is wrong, this destroys & rots away at humanity as a can-do toolmaker, as an improver of the world about them. It consigns power away to fragile, remote, limited corporations. That is not a world I ever want to let happen to us. I tend towards atheism/agnosticism, but if there is a god, this flies against what graces the gods have given us to let ourselves be constrained so. It is unnatural & against the spirit of the human enterprise.
I have no love for NSO Group. It feels great seeing such a group of shady, underhanded, anti-democratic punks get served. But this is absolutely going to be yet another move in the ongoing shift towards top-down combined technocratic/legal control. It's absolutely a demonstration of Apple wielding legal power to obstruct & defend that which it simply doesn't want to have to deal with, brushing aside something inconvenient. It's absolutely a battle over what terms of service mean & whether the world has any rights of their own. I for one am not cheering for Apple's victory in having their massive iron-clad armor further enhanced.
I'm not a big proponent of IP, but you're basically saying it is immoral, unjustifiable, and sickening as hell that Apple enforces the rules that Apple wants on Apple products/services, which were created and offered by Apple? Who should be making the rules if not the creator and maintainer of the product/service? Why is using another product/service not an acceptable alternative?
I agree with the general direction of your comment, but certainly not with the same voracity that wouldn't allow my own company to create the rules for my own service offerings (within the confines of state/national law).
They agreed to the EULA on the services, then, in part, abused their access to those services to hack into other people's iPhones.
I have no idea how we do that. Perhaps decoupling the data-processing services from the data-holding entity might be a possible frontier. One could imagine being able to keep their identity, their core systems & datum wherever they want, & to convert Apple into a mere processor of those personal systems. That way we might not know what Apple is doing, but we at least can watch their black box act against us.
In general, trying to draw further extenuating circumstances, trying to say "except except except" is simply not ok. The phones we carry are part & parcel to their many services, in this weird conflux of computing. It reduces basic core human integrity to be denied access, to be rebuffed by EULA from understanding & witnessing & probing into these core techno-vessels we navigate about with. These mere technicalities presented, that our homes happen to be located inside Apple data-centers, is to me uninteresting & unimportant in the moral, ethical, humanistic & religious discussion and/or reckoning we have fallen into.
If I'm understanding correctly, this wasn't a case of "they agreed to the iCloud EULA because you have to have iCloud to use an iPhone". You don't, in fact. Yes, some services will be unavailable, and...it might occasionally bug you about it? (Not sure about the last, as I do have iCloud) No; they agreed to the iCloud EULA because they were trying to take advantage of unpatched iMessage bugs to break into other people's phones.
I fully agree that the scope of EULAs today is terribly overbroad, but I do not believe that making a legally-binding agreement not to abuse the service to harm other people or steal their data is an inappropriate use of them.
Many things should be up to them, but many things should be up to the buyer.
The customer? That's the whole point of a market.
But since Apple has 50% of the market share, the law doesn't work well anymore.
Apple has 60% of the mobile market in the US.
It's as if these folks are saying the Carterfone victory was only won because AT&T was a monopoly. That's not how consumer rights work. That's not a solid enough platform for humanity to remain upright.
Otherwise, legislators (think: US Congress) will do it for them, with disastrous results. Doing it like this means everybody gets something out of the deal: Consumers can choose the best repair option for them, Independent shops now can take Apple business and without worrying about warranties, and all of this happens in full view of the company and people who are watching them closely (Again, legislators).
It's a closed system and Apple sets the rules, but just about anyone can participate. On the whole, that seems like a net good to me.
* The same sentiment might apply to Deere as well, but I don't know enough about that particular situation to say if it would still be impractical to take a similar approach.
Do you think Apple could get some "hackers" extradited if they don't live in the US? It's that old adage, one man's terrorist is another man's freedom fighter, and some countries like Russia will point blank refuse extradition to the US as will other countries.
Any business can put what they like in their terms and conditions, those T's & C's are still tertiary to regional and state law if they are even enforceable.
Lawyers will let you put whatever you like in a contract, whether it's reasonable and enforceable is another matter which only judges can decide.
Now if you live in the EU, there is nothing wrong with reverse engineering code, the EU court has ruled this https://news.ycombinator.com/item?id=28809559 but the definition of a bug can be more vague because a coder might suggest a user reported bug is working as it's coded, so the coder may not see it as a bug but the user might and here you just need to convince the judge. Grey area.
Another example of what was a grey area of law was initiating an email send to an email server in order to track whether an email address existed or not. Once the status of an email address was known abort the rest of the communication. It was useful for tracking people globally, and spam filters were not that good at picking this up in the past. Anyway that process has effectively been ruled illegal by the EU now as your email address supplied by your employer has to be treated as a private and personal email address so then other personal & privacy laws come into play to make the game more complicated, but you used to be able to track people globally in businesses & military to spot when people had left an employer or been moved in some cases.
Then you have the NSA putting out reverse engineering tools for free like https://ghidra-sre.org/ making one wonder what is the point of law especially when you reproduce parts of the AT&T infrastructure in Romania? https://news.ycombinator.com/item?id=29135559
Now whilst the law might seem absolute, legislation is very intentionally left vague and it's judges who make it closer to being absolute with narrow specific definitions when they make a judgement, but if there's one thing I have learnt, interpretation of the law can be surprisingly vague even by judges.
So all in all this could actually be a marketing or reputation management exercise or both involving lawyers to reassure Apple customers they have made the right purchase. Running an entity be it a business or a govt can be incredibly nuanced like playing a game of chess, and sometimes it's not the initial action we need to be concerned with but the resulting action.
> It's that old adage, one man's terrorist is another man's freedom fighter, and some countries like Russia will point blank refuse extradition to the US as will other countries.
This is a great mentality, and I'd love to see more dynamic behind it. Alas. I see no nations espousing & helping the actual obvious Open Source & other progressive & pro-human, pro-enlightenment, anti-proprietary freedom fighters. I see no one standing up for more personal computing liberties. The international regime is hostile & un-comprehending of tech & its possibilities, more interested in businesses & big tech than it is in trying to help good tech happen, which is the real oppression, the real struggle, one enacted via pervasive & harsh IP laws & seemingly ever-expanding copyright length. Sure, some nations celebrate punk-ish behavior & sticking it to the west, but I can think of precious few examples of nations actually helping the good. The recent AskHN about software/tech monasteries, & the complete worldwide lack of any answers whatsoever indicates to me that there is no real help or interest in the actual freedom fighters, anywhere in the world.
If you want to look at the law, I think today's example, of Russia telling 13 big tech companies they have to establish offices in Russia, is a near perfect example of how tech and law intersect. This is particularly menacing & threatening & scary, but it mirrors most of the relationship worldwide: aggressive, at ends, seeking constraint & control & dominance, no interest in growth or humans or improving the human-computer relationship. The law rarely serves the people, rarely amplifies possibility. It's here to insist that some antiquated self-obsessed notion of justice can be served, even when that justice so often only serves a fading out of touch law, or big vested interests, not the people.
Generally I consider myself extremely progressive & hopeful for what governance & governments can do and should do. And I think if government wanted to deploy tech to help the people, if it would stop allowing endless private control to reign, great things would happen (Ron Wyden for president, 2028). But right now trying to frame questions & challenges in terms of the law is not-great. The law affords deep & vast powers to its vested interests & the ideas of law itself. Yet in your particular scenario, it also simultaneously jealously & vengefully guards actual access to its means power, to the reins of state-sponsored violence & enforcement. The question posed, about whether Apple could get access to this executive use of force, isn't particularly relevant to me, and I don't think it reflects on the widescale systematic bureaucratic control companies like Apple & the prevailing worldwide laws get to impose via EULAs against the people of humanity.
Some of the comments on Facebook getting the OK from federal US Court of Appeals to also try to sue the NSO Group are somewhat in line with your questions & scenarios. The comments there talk to the ability to try to pursue legal action, but the inability to actually get the state/states to do anything about it. In some ways, this is an ideal case. It shows that a state that wanted to support freedom fighters, that wanted to support emancipatory, liberated, pro-personal computing, might be able to. There's just not a lot of good guys out there trying to help spring us free from the walled gardens we're locked in.
My apologies for not trying to take up the question better. I think there's interesting material here. But to me, these questions return us to a not-compelling legalistic mindset, a practical view, that isn't capable of adequately considering how entrapped humanity at large is by the corporation's abilities to write its own rules, by the de-personalization & de-accessing of computing that the cloudification of the world has brought upon us, & consigned us into. Whether or not this tyranny has the power to cross international boundaries & come get us isn't a particularly interesting subproblem to me. Generally I feel like the world has conformed to the prevailing notions of corporate techno-sovereignty.
 https://news.ycombinator.com/item?id=29309794 (12 comments)
 https://www.reuters.com/markets/europe/moscow-says-13-foreig... https://news.ycombinator.com/item?id=29320398 (7 comments)
 https://www.reuters.com/technology/facebook-can-pursue-malwa... https://news.ycombinator.com/item?id=29323095 (15 comments)
AFAIK there is not a country on this planet that does not believe in sky faeries in one form or another (?Antarctica?), likewise we generally all eat the same things, with minor regional differences, similar practices and needs so until you can get the main users ie humans to increase their intelligence and knowledge, it would seem this planet is stuck in a slowly evolving pattern of operation which still has various self destruct risks, some easily quantifiable others not.
The problem still remains, Apple have massaged the Ego of many via advertising and functionality creating this walled garden.
Russia telling 13 mostly US tech companies has already been done by the EU with servers having to be located in the EU, so the EU has led the way on that issue apart from the obvious US data gathering in the first place by building the services and tech!
To me it's just survival of the fittest of entities and whether cultures/countries are now holding back some of these entities which can then come back and bite the culture and country into non existence.
When is an action a Zerohedge?
My issue here is that every time this kind of thing comes up, it becomes a sounding board for how (any) company has too much power...
Ever wonder why that is? The laws are written in such a way to allow it to happen, and they are more or less required to do what is in the best interest of shareholders.
If this doesn't suit you, bug your Congressperson to work to change the laws - just don't take a page from Newt Gingrich and burn the house down.
I see this in companies I work for all the time, so, yes, I can see that being the case here.
(I'm not saying that's a good or professional thing.)
Yes! They don't seem like people who think through or care about the consequences of their actions.
Not being a lawyer and having no clue about US jurisdiction: I am really curious if this EULA thing works though. Normally under copyright law wrongdoing would normally just mean that your licence is terminated. Illegal use typically just requires paying damages twice the licence cost afaik. I would actually find it kind of scary if I could be pulled into any kind of jurisdiction about something not directly related to the contract just because I accepted a software licence agreement.
The question is what's the threshold for the existence of a contract. You both go into a conference room with lawyers and negotiate over the terms and sign it in ink, that's some pretty good yes vibes. Somebody clicks a button on an un-negotiated text form in a piece of software, maybe it should take more than that.
> I'm all for a little bit of lenience when an end user didn't read the terms but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?
Tons of bureaucracies do exactly that. The boss says they need a way to do this thing, so some Danny from the IT department finds some software to do that thing, it's free or costs less than the amount he's authorized to spend from petty cash, so he clicks accept and installs it on the user's machine.
My litmus test is I don't consider a contract valid unless I've actually had a chance to do a counteroffer.
It would be really interesting to see what precedent comes out of this case and especially how that would affect a future case where Apple claims a violation of their terms of service but the user fully consented to that use.
What's their theory of standing to sue over damage to their customers?
Edit: the main point is this (from the CFAA count):
> Defendants’ actions caused Apple to incur a loss as defined by 18 U.S.C. § 1030(e)(11), in an amount in excess of $5,000 during a one-year period, including the expenditure of resources to investigate and remediate Defendants’ conduct. Apple is entitled to compensatory damages in an amount to be proven at trial, as well as injunctive relief or other equitable relief. See 18 U.S.C. § 1030(g).
"(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;"
18 U.S.C. § 1030(g)
"(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses  (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."
I assume "negligent" is used in the legal sense? But it'll be curious if NSO claims they're not liable for selling flaws that already existed in Apple *ware.
It does carry a strange irony when Apple keep saying they have the best security after iOS has been very badly hacked by nation state actors, though. I'm not saying their security isn't good, but I would have rathered "we're fixing X things" than security hyperbole.
Such as selling their software to the Saudi Government which in turn used the software in a highly targeted cyber attack leading to the grisly murder of a dissident journalist?
A ruling against the EULA might bring some clarity to the limits of powers tech companies have over us.
A ruling for the EULA might shine a light on the power these companies DO have and force governments to bring in laws to curb them.
It is not a good situation, where Apple / Microsoft could turn around and say to someone who broke the EULA or perhaps even to someone who didn't, we are revoking our agreement you can no longer use our software. Leaving them virtually unemployable in many sectors, and similarly they are in the position to absolutely cripple the vast majority of businesses with the same tactics.
Government (legislative) mandates via law what rights consumers are entitled to, that cannot be stripped from them.
Companies are free to request waiving or agreeing to anything not enumerated in the above.
What's broken down recently is that legislatures aren't doing their job of proactively mandating consumer rights, and consequently companies are requiring whatever they think they can get away with: forced arbitration, lease-not-own, arbitrary right to revoke usage grants, prohibiting user / independent repairs, etc.
Admittedly not the best numbers, but not terrible either.
I think if Trump proposed the very same bill more or less all republicans would have been on board.
Wow, that's some serious softballing there. At a minimum, The NSO Group knowingly facilitates criminal activity. They shouldn't be treated as if they were a legitimate organization.
In this case the contract was made between two businesses. Consumers deserve protection because they are naturally disadvantaged. Companies with fully staffed legal departments really have no excuse.
In particular, by any standard, it certainly seems reasonable for Apple (or even companies we don't like) to prevent the use of its own tools and accounts for the purposes of attacking its products and attacking its customers. Especially when the attackers have explicitly promised not to do so.
So if Apple added a term that said "you will owe us $1000 per day and give us license to harvest your organs", it would be nullified even if the user agreed. They would have to have something like a big payment screen showing $1000 and clearly marking out the terms without being lost in a wall of text.
Unlike individuals, organizations are expected to have the resources to handle the legalities and to not be pressured into a terrible deal by circumstances.
What all would be possible if software EULAs weren't legally binding?
One thing that EULAs typically do is reduce liability for the company producing the software. Imagine if Google/Apple were liable for damages from all the miscommunications caused by autocorrect?
On the other hand, if a click-through license can expose users to a potential lawsuit then that fundamentally changes the regime we all live in. It creates a world where the countless pieces of software we all use on a daily basis become hidden legal threats, lurking in the shadows like so many snakes waiting to strike. That’s not a world I want to live in and I think most HNers would agree.
I'm sure no one reads TSLA EULAs either.
A lot of the commentary, accusations, and opinions in the comments here would be addressed or better colored if you're interested enough to read her book (https://www.amazon.com/This-They-Tell-World-Ends/dp/16355760...).
Also, just to be clear, one of the reasons I like the book is because it's written by a person that doesn't understand all the deep technical aspects of these things.
I discovered darknet diaries listening to that episode. It’s very accessible and excellent storytelling.
Par for the course when trying to explain things to non-technical people.
People joke but you can see the thought process in explaining to a politician that the internet is a "series of tubes" for example.
We introduced the T+Cs from one major online provider to show how the government violated them. The government stipulated that they had violated the T+Cs and that they had broken the law. Two different courts both stated that government agents are allowed to violate federal and state computer and data access laws to conduct intelligence-gathering operations, and they are certainly allowed to violate T+Cs even when a violation of a T+C is a criminal act (which it is in many jurisdictions).
One thing that is lulzy is that I recently received a letter from one government agency stating that the evidence I had requested by subpoena was no longer available because they left it on a server in violation of the T+Cs and never took a copy of it and the provider deleted the account.
It hasn't reached the appellate courts yet.
If a lawyer makes an argument in court about the law governing a case (as opposed to the facts of the case), and the judge accepts the argument, and the judge's decision survives all its appeals, then the lawyer's argument is, by definition, true.
EDIT: I'm objecting here to the characterization of the lawyers' arguments as "lying". The judge's "power" to subpoena digital evidence sounds like a question of interpretation of the law. Many (all?) US court cases have at least one question of law in which the parties make opposing arguments. One party prevails, the other does not, or maybe one party prevails on some points and the other prevails on other points. But however those questions are ultimately decided, that's the law, as it pertains to that case. In that context, it seems very strange to characterize either party as "lying" in such arguments.
If, on the other hand, "the judge's power to subpoena digital evidence" really means Apple's technical ability to produce such evidence, then I would agree that those are facts about which some statements could be considered truthful or not.
This is a Kafkaesque and wrong understanding of the legal system. There are all sorts of errors of law and errors of fact that are non-appealable.
In the USA you often get one direct appeal - an appeal by right - and then if that fails, a discretionary appeal by a more superior court.
I've seen some bone-headed decisions made by the trial judge, then the same error made by the appellate judges, and you know the superior court would reverse, but they only take 0.01% of the cases they see every year and so they just don't have time to fix every mistake. So some really stupid legal decisions become "the law of the case" simply because society doesn't have the funds to pay more judges to check the work of lesser judges.
Trial court judges in jury trials do not (in principle) decide fact questions (though even that is misleading, since they can decide “as a matter of law” that offered evidence is insufficient for a particular fact conclusion even over the jury’s determination of fact, except in the case where that would be unfavorable to the defense in a criminal trial.)
Judges in bench trials, and appellate judges in many cases, do, in fact, decide matters of fact, though in the latter case the usual rules are generally, but not infinitely, deferential to trial court decisions.
Is violating a T&C criminal in the US, if the violating action itself is not a crime? I have not heard of this. Are there any examples that can be linked to? I thought it was always a civil matter.
Yes it is a federal crime, but was recently limited by https://en.wikipedia.org/wiki/Van_Buren_v._United_States
"This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States."
720 ILCS 5/17-51(a-10)(1) Computer tampering
You're being unreasonable here since it is a very grey area.
If Apple is compelled for example to hand over encryption keys to a judge (which often means a bunch of junior lawyers) then that would infringe everybody's right to have their information be secure.
In computer terms a choice of law clause in a contract is essentially a macro that when the contract is interpreted in a court expands to the contract law of the jurisdiction named in the clause.
If a court in, say, Kentucky hears a contract dispute and the contract has a choice of law clause specifying California it is essentially as if the parties wrote California contract law into their contract. For things that a contract does not have the power to alter in Kentucky, Kentucky law would apply regardless of what California law said. E.g., the Kentucky court would use Kentucky rules of civil procedure and would use Kentucky rules of evidence.
A choice of forum clause requires the parties to use a particular jurisdiction to settle disputes. When you agree to such a contract you are agreeing to give the courts of that jurisdiction personal jurisdiction over you for matters involving that contract.
PS: I found the EULA. In addition to a choice of law clause it has a choice of forum clause:
> Except to the extent expressly provided in the following paragraph, this Agreement and the relationship between you and Apple shall be governed by the laws of the State of California, excluding its conflicts of law provisions. You and Apple agree to submit to the personal and exclusive jurisdiction of the courts located within the county of Santa Clara, California, to resolve any dispute or claim arising from this Agreement
PPS: note that the choice of law clause excludes California's conflict of law provisions. That's to avoid the situation where California's law says that some third jurisdiction's law should apply. In theory you could even end up in a situation where jurisdiction X says to use Y's laws and Y says to use X's, and then you've really got a mess.
If I sign an agreement with Apple on behalf of <faang company>, even as, let's say, an intern at that FAANG company, Apple should probably sue me, not the FAANG.
I know this, because I did exactly that, and was given a right good talkin’ to, by our General Counsel.
If anything lawsuit-worthy had come from it, then I suspect that I would have gotten more than just a lecture.
Also, if they weren’t, then NSO presumably violated the Computer Fraud and Abuse Act by accessing Apple’s services and systems without prior permission. Maybe that nixes Apple’s jurisdiction argument for this lawsuit, but Apple can also sue for criminal damages, and is presumably entitled to do so in their home jurisdiction since that’s where they exist and so that’s where they suffered the damages. And I think Apple notes this also in the lawsuit.
Sounds not right, regardless of what you think of NSO's actions.
The information on fake accounts was passed to Apple by Citizen Lab, which discovered the zero click vulnerability.
A hard blow to Israel's policy just as much as it is to NSO itself.
Though the fact the US has sanctioned an Israeli business does seem to have potential implications on Israeli policy. 
That's a level of sponsorship way beyond simply being a customer... that's state espionage served with a side of profit. It's evil when the USA does it, it's evil when the Russians do it, it's evil when China does it, it's evil when Israel does it... but nobody does anything about it because all those states would prefer strong surveillance rather than rights for activists and journalists.
> NSO is one of the most active Israeli companies in the Gulf, and its Pegasus 3 software permits law enforcement authorities to hack into cellphones, copy their contents and sometimes even to control their camera and audio recording capabilities
> Israel put NSO in touch with Arab states in the region, and Israeli representatives even took part in marketing meetings between intelligence officials in the Arab states and NSO executives. Some of the meetings were held in Israel.
Further reading on just how intertwined NSO group was with the government:
A crash course in Israeli national export control:
1. You can sell everything except for nuclear tech (and maybe even that, I don't know).
2. If the client is not officially an enemy of Israel then do whatever you want, we don't give an f'ing f'.
3. If the client _is_ officially an enemy of Israel, then all sales must be conducted through official (secret) state channels. Independent side-action will not be tolerated (see the cases of Nahum Manbar or Shim'on Sheves). This might be a hassle, but the upside is that the courts will uphold complete secrecy of your affairs and the military censorship (yes, Israel has that) will likely prevent any nasty exposes.
4. If the US throws a tantrum, then sections (1.) and (2.) are abrogated. But don't worry: Plenty of generals and other high-ranking retired officers are in key positions in politics, and a bunch of us are wanted for war crimes anyways with ICC cases pending, so... we're all friends here and we got your back.
* Less effective government control of the press (although that seems to be tightening up in recent years).
* Less use of secrecy, i.e. more of the sales happen in the open.
* The US has more enemies which it actually doesn't sell to.
* No outside boss country to prevent the US from doing what it wants.
They both have this old-guard mentality of "might makes right" hegemony, which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview that favors the pipe dream of peaceful multilateral democracies. Count myself as someone who dislikes this approach.
Whether it's planes or surveillance tech or reactor malware doesn't really matter, all just ammunition for their goals.
Israel at least has a survival need; it learned the (very) hard way that it has many enemies constantly seeking to destroy it. It's an us-or-them mentality hardened by centuries of oppression and decades of war.
America... now that's much harder to find an excuse for. And arguably we've spent all our resources on attacking Muslim scapegoats while China leapfrogs us. But hey, I don't make global policy, I just comment on it on the internet.
At least you are honest enough to say it's a pipe dream.
It really is.
The world is pretty brutal and liberal democracy is a value shared by a minority of humanity. If liberal democracy wants to survive it sometimes has to defend itself. The minimum it needs is an army to protect its people.
Does that absolve U.S or Israel from every arms sale they do? Probably not. But it's a broad context we need to understand when we talk about this issue.
> which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview
I understand that's the liberal and progressive thing to say. But if you really think about it, it reeks of hypocrisy. The "progressive" countries (who are they exactly?) like Canada, Sweden, Australia etc all need the U.S to protect them. They wouldn't want the U.S to go away, not in a million years.
Yes, I agree to a large extent. Most of the world's strong extant states were forged in war (or are quasi vassal states to one which was). We didn't get here by being nice to each other. A strong defensive military is something I think every state would be wise to have, so long as human nature remains what it is... we're not wizened philosopher-kings, more just horny, hungry apes.
The distinction I draw is in foreign interference in matters that do not directly threaten us. I would rather see us resign from our role as world police/bully and focus more on domestic affairs, severely scaling back our force projection abilities (namely, carrier groups whose homeland defense uses are limited). I don't believe in this idea that "the only way to protect ourselves is to shape the world in our image, and forcibly subjugate those who will not willingly convert". Yes, there are shitty dictators out there, there is real evil in the world, but we're no angels and we've done a really shitty job of trying to make other countries better (with limited exceptions, like post-WW2 Japan and Germany).
The thing is, sustainable peace through militant nationalism is also a pipe dream. It's never stable for long and it creates vast power differentials that breed discontent and violence; eventually it bleeds back over to us. I'd bet, measured across a few decades, our forays in Afghanistan and Iraq will create more terrorists than we've actually stopped... our administrations think in 4-8 year terms, not 20+, incurring foreign policy debts that later generations will have to try to pay off in an increasingly unstable world compounded by not just virally-amplified ideologies but also skyrocketing inequality and climate change. There is no military force that can keep an unstable, discontent world of ~8 billion apes in check for long.
Absent either a world dictatorship or peaceful multilateral democracies, I'd settle for regional hegemonies and old-school spheres of influence instead... we stay out of China's way, they stay out of ours, we trade peacefully. That means some nations will fall, whether it's Israel (possible, but unlikely?) or Taiwan (probably), Ukraine, etc. Sucks for those countries, but by % of world population, I believe that will result in greater overall peace and prosperity.
Shrug. It's all pipe dreams. Always has been. Some of us just have bigger pipes, I guess.
>> I understand that's the liberal and progressive thing to say. But if you really think about it, it reeks from hypocrisy. The "progressive" countries (who are they exactly?) like Canada, Sweden, Australia etc all need the U.S to protect them. They wouldn't want the U.S to go away, not in a million years.
Yeah, even as a self-identified progressive, I unfortunately still mostly agree with you. Most of the liberals/progressives I've discussed foreign affairs with seem to have a pretty limited understanding of (or even interest in) military history. Not that I'm an expert by any stretch, but I do worry that they naively see the world as an unreasonably safe place. I don't think it is.
The American progressive strong suit is in domestic affairs -- leftist populism, basically -- not military strategy or even foreign policy at large.
Broadly, I suppose I believe in big hugs for my fellow citizens, big talks with our competitors, and big guns for our enemies (but we sure as heck shouldn't shoot first).
> Canada, Sweden, Australia etc all need the U.S to protect them
Y'know, Trump wasn't right about much, but maybe NATO really ought to pay its fair share in regional defense. Our forces are so disproportionate that NATO is less like an alliance and more like a protectorate. It can't just forever be "the Western world will fall apart absent American carriers"... if for no other reason than hypersonic missiles. We cemented global hegemon status in the post-WW2 years, but it's not a responsibility we should have to single-handedly carry into the indefinite future. If our allies need to build up their defenses, maybe we could encourage them by gradually bringing ours home. And if we have fewer foreign expeditions, cool, maybe we'd make fewer enemies.
In other words, I think our military should be strong enough to defend against homeland invasions and provide limited support to our allies, but not so strong that it runs the entire world's geosecurity. Somewhere in between is the question of what to do about Eurasia and specifically China... ideally we'd find some Cold-War like balance of mutually assured destruction, with neither side really wanting a hot war. Even better would be if we just cooperated economically with them and worked together on climate change, and let them run their social experiment while we run ours. We need to stop thinking we can singlehandedly liberate the world from oppression, or bring light to darkness, or whatever. We're just another country with big guns and small hearts... there's been many through history, none of which ended particularly well.
Every state has a "survival need"
> it learned the (very) hard way that it has many enemies constantly seeking to destroy it.
While that might be true at the level of people in the Arab East, but as far as states are concerned, that isn't actually the case. Unfortunately, repressive governments in Jordan, Egypt and elsewhere are supportive of Israel; and Lebanon and Syria are effectively quiescent long-term.
And that's despite Israel's best efforts to trigger enmity...
> It's an us-or-them mentality hardened by centuries of oppression and decades of war.
Israel has only existed for 73 years. And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign. It's only the gulf war in which Israel was "just attacked" (by Scud rockets from Iraq).
That's a very naive way to look at things, I really doubt you bothered looking into it deeply. Israel had little choice to go to the 1967 war, Egypt was preparing for war both rhetorically and in action (blockade of the Straits of Tiran among others). If you actually care about History and read about that period you'd understand Israel felt it was facing an existential threat. Was it the case? We don't really know. There was a good chance Egypt would have started invading. I agree that Arab states tend to sometimes speak a lot (even threatening genocide) without doing much, but Israel couldn't really know.
IMO that's the direct result of Israel being strong militarily, a reluctant status quo arrived at by the immense competence of the IDF. Earlier in history much of the Arab world would've much preferred Israel to not have existed at all. The Israelis had to carve out a niche for themselves through sheer force of will (and firepower).
> And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign.
I don't think that's a very fair framing of the situation. I despise Israeli militancy, and I feel sorry for the Palestinians, and I wish we wouldn't support Israel's efforts to displace them... but that land has been contested since biblical times.
For many centuries the Jews lacked a proper homeland, and that did not at all end well for them. Most of the world's population lives on stolen or conquered land. Who "originally" owned the now-contested area isn't really relevant; both sides claim it as their ancestral homeland (and both sides are partially right, as far as I can tell as an outsider). More importantly, both sides live there now, regardless of who got there "first".
If Israel gave up arms, it would cease to exist within the week. If Israel did not so strongly defend itself, as in the Six-Day War, it would almost certainly have ceased to exist by now. Some of the Arab world tolerates Israel and may make tactical decisions to cooperate with them on limited bases. But that is a very far cry from outright accepting them as a friendly neighbor, E.U. style. Israel's survival needs are unlike those of most other developed nations in the world, who are largely surrounded by stable neighbors... it's comparable maybe only to Taiwan, Ukraine, South Korea, and other situations facing immediate volatility.
This isn't to excuse (what I consider) the excessive use of force on the Israeli part, but it's the excessive that I take issue with. If they didn't use force at all (or at least threaten to and actually have the capacity for), they really wouldn't exist for very long... history has shown that time and time again, and it's the very reason Israel was founded as such. They have been challenged, life-or-death style, in a way that very few other countries have been or foreseeably will be. If the USA lost a war, maybe we'd fail to accomplish some geopolitical objective... but it's unlikely the country would simply disappear altogether. If Israel lost a war, it's the next Holocaust.
You literally cannot find an Israeli company that isn't founded, run, and staffed by people with military or intelligence links, unless you're only dealing with religious extremists.
> Novalpina Capital is an independent European private equity firm that focuses on making control equity investments in middle market companies throughout the continent. Novalpina Capital has a solution-orientated, entrepreneurial approach to investing and creating value in its portfolio companies.
> Novalpina Capital was established by Stephen Peel, Stefan Kowski and Bastian Lueken in 2017. The Founding Partners bring combined experience of 48 years in private equity investing, including senior positions in the European operations of leading global private equity investment firms, and have a shared history of working together for nearly a decade.
This isn't some far-flung conspiracy about dark forces puppeteering seemingly innocent companies. It's just people valuing profit over concern for human rights. It's a surveillance firm, what would you expect? What would a benevolent use of this technology even be?
In this case it is clear that the Israeli government is sponsoring NSO.
you get my point?
And I thought I was pedantic.
> And I thought I was pedantic.
I don't think I'm being pedantic, it seems like people use the word 'sponsor' in these contexts to exaggerate and vilify.
Nobody seems to have used the word 'nation-state' in this post; what made you think of it?
As for sponsorship, states sponsor their industries by providing labor trained at public expense, promoting them abroad through trade agreements, access to trade representation etc. so there is the technical definition of sponsorship met.
The revolving door between Unit 8200 and surveillance startups is documented as is Israel's courting of KSA and the UAE with access to intelligence sharing and capabilities as a bargaining chip. And why wouldn't they? It's good for the state and its industry. Just sucks for everyone else.
The definition of sponsorship doesn't matter when it is met in every sense of the word.
Not necessarily. I assume you mean it fortifies despot regimes in the Middle East right? I no longer think at this time there is any sane alternative.
Do you think the path to end tyranny was so smooth in developed countries? Think back through Western revolutionary history and now immediately forget the name of every leader the moment you think of them - because that's what's happening, right now, in these countries at this exact stage of their political development. The technology now exists to make effective popular resistance impossible. Every possible rebellion strangled at birth. Every potential leader, every sympathetic journalist, religious or opposition figure, immediately identified, located and silenced.
And apparently that's worth a comfortable 6 figure salary to a lot of engineers and managers in comfortable, developed countries.
Do you really think you'd be in the position you're in if your ancestors never had the chance to remove their despotic king/emperor/dear leader? If you don't think it would be another North Korea, maybe it's because of some ahistorical belief that your culture is inherently more civilised. So you probably don't see the racism that's implicit in your statement.
From my experience in the Middle East, seeing people march for an end to corruption, for justice, for a chance for their kids, I realise I hardly know anyone back home as brave, as prepared to risk everything for their political and civil rights. They aren't marching for another ruler. They deserve a chance.
So fuck NSO and its deplorable staff.
You say "if the alternative is between...", and then proceed to just accept the false choice that it's either tyranny or anarchy, using that reasoning to give a pass to the scum making a buck from some of the most disgusting regimes on the planet. Western countries took generations of incremental improvements to arrive here, all while tyrants always used that argument to try to stay on top.
You're uncritically buying the line that Iran or the Muslim Brotherhood are the worst (which could be argued) but the other less so, because they are on "our side". If you prioritise human rights, that lives on both sides are equally valuable (and I suspect from this thread that you don't) then such a distinction is meaningless.
It's a fear-driven siege mentality and terribly short sighted to think that in the region that brought us Gadhafi, Saddam, Daesh and the Mujahideen, somehow KSA, Egypt or the UAE will magically always align with however your interests evolve.
Thanks to NSO they ARE a step closer to North Korea and destabilising the region in the long term with repression and misery. But you're only interested in short term outcomes for Israel/Western countries, kicking the can down the road when the consequences of such sales will have unknown impacts for decades.
After seeing how it's played out, it's just exhausting to see this kind of mentality after all these years, lost lives and lessons apparently unlearned. Along with greed, this mentality is why the mercenary surveillance industry exists. For the sake of everyone's kids both need to end.
The Houthis are an extremely well armed group supported by Iran; please read about the topic, you are uninformed. I am not saying what's going on there isn't tragic but it's far from "good guys vs bad guys". Iran had a role in what happened in Yemen as it had a role in what happened in Syria.
Saudi Arabia is as far from liberalism as Iran, I acknowledge that. But they have much less of a will to export "the revolution" to other places - unlike Iran. They kinda mind their own business most of the time.
> You're uncritically buying the line that Iran or the Muslim Brotherhood are the worst (which could be argued) but the other less so, because they are on "our side".
You are being uncritical as well. If you have any info that suggests otherwise you can share it, otherwise don't just contradict me and call me uncritical.
> If you prioritise human rights, that lives on both sides are equally valuable
I prioritise human rights within reason. Since the Arab Spring we've seen the whole area can in fact get much worse for humans very quickly. "Democratizing" a place like Egypt probably means bringing a hostile (to the West and to freedom in general) Islamic Caliphate of some sort, which I don't like.
All this means is that the NSO Group is an Israeli company staffed by Israeli citizens. I don't know what export controls have to do with anything since those apply to categories of products, regardless of whether or not you have business with the Israeli government.
Export controls means, one, that the product they're selling is likely a concern of national security, unlike, say, your average lockpick kit or GPS tracker. Two, it means the state gets to selectively pick and choose who it shares this technology with, using it as a tool of statecraft/diplomacy/subterfuge/sabotage. It's a recognition of the value of the technology, along with a desire to limit its availability to Israel's enemies.
NSO's own website says "NSO Group, develops best-in-class technology to help government agencies detect and prevent a wide-range of local and global threats." It wouldn't exist if not for state sponsorship.
I have no problem believing that Israel "sponsors" them, but your justifications are baseless. Ex-intelligence officers are not government officials, they are civilians. And government contracts don't imply "sponsorship" in the usual sense, e.g. a landscaping company would not be said to be "state-sponsored" just because they are contracted to work around a government property.
You, and Apple, have to demonstrate how Israel materially supports the NSO Group outside of usual business practices.
> Export controls means, one, that the product they're selling is likely a concern of national security, unlike, say, your average lockpick kit or GPS tracker.
GPS devices of almost any kind are subject to ITAR/EAR in the USA. It is extremely easy to run afoul of weapons export controls and there is quite a large market for ITAR-free products. It means extraordinarily little if a product is subject to these type of controls.
I am no longer sure what we're arguing about. Is it the meaning of the word "sponsor"? That's not my word choice, that was just what the OP used and I mirrored it.
I think the bigger point is that states (no matter WHICH state) are funding private companies to surveil citizens in a way that genuinely threatens what few civil rights they have left.
Secondarily, are we arguing about the degree of connection between NSO, the company, and the State of Israel? If so, I used "sponsorship" in the revolving door sense, as in intimate relationships between the staff and government officials, not entirely unlike the US and Blackwater/Xe/Academi or Halliburton or Diebold/Premier. The discomfort there is not just in the amount of dollars exchanged, but in the offloading of legal and criminal responsibility to what is essentially a front company used to do the dirty work of the state. Outsourced oppression.
> GPS devices of almost any kind are subject to ITAR/EAR in the USA. It is extremely easy to run afoul of weapons export controls and there is quite a large market for ITAR-free products. It means extraordinarily little if a product is subject to these type of controls.
OK, without looking this up, I'll take your word for it and I stand corrected. Sorry for the mistake about GPS. But that's really a technicality. Surveillance tech of this sort IS a weapon, capable of suppressing not just external enemies but internal citizens, especially if it falls into the hands of nations participating in "Five Eyes"-style surveillance exchanges of each other's citizens. And this in particular is a lot more dangerous than a GPS receiver. And unlike GPS, it has no real "benevolent" civilian purpose. Its primary (only?) customers are oppressive states.
Sorry if this wasn't clear -- I thought it was implied -- but the worry behind the state-private connection here is that this company is getting the kind of resources (and thus effectiveness) that only states can provide, thus making it a dangerous tool. Another implied fear is that the NSO group can also get special extrajudicial treatment because of their usefulness and close connections to the Israeli state, and thus risk breaking checks and balances in a way that a landscaping company would simply not.
I feel like we're running circles around semantics here. Am I fundamentally misunderstanding your argument?
I have no sympathy for NSO.
I've never heard anyone but a despot (or vendor to despots) claim anything untoward about Citizen Lab, it sure seems like they're genuine "good" folks. They do great work, and they'll do better with support and access. The announcement makes it sound like Apple is willing to offer similar support to other good actors. I imagine Apple putting the word out will yield a few more.
It raises - again - the question of what we expect from big companies vs governments, and questions of sovereignty. Where's the line between supporting good work and cyber vigilantes (if it's not a thing today, it will be, and what will society's place be with respect to them)?
And what if NSO Group closed the branch in the US? I assume you can't really do anything to an Israeli company.
Because half of it reads a lot like a PR piece to me. And Apple easily gets the marketing message response they wanted. They are fighting "State Sponsored" spyware. The privacy message they are sending out (fighting on behalf of their user), in the midst of a worldwide App Store battle and Anti-Trust.
And I am willing to bet this message will be used in their future PR message when they discuss it in Anti-Trust to gain public support.
Apparently Facebook has a similar suit against NSO and just had a significant ruling go their way. NSO had claimed they were immune since they were acting as foreign government agent.
I’m guessing Apple was waiting to see how that ruling went before proceeding, since if NSO had won Apple would have to take a completely different approach.
... except for how Apple sends a copy of all of your data that passes through their servers to the NSA. No, I'm not espousing a conspiracy theory, this has been brought to light by Edward Snowden's revelations. Now, we don't know how much of the data on Apple phones gets sent to Apple's servers, so it's not literally everything on your phone, but at least everything that's backed up remotely, and possibly more.
So, pot calling the kettle black.
*"to curb the abuse of state-sponsored spyware"*
Note that Apple is not saying "to prevent", only "to curb". But even worse than that, they're saying "curb abuse", not "curb use", as though that type of state spying is not inherently abusive.
*"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,"*
Apple has a larger R&D budget than most world states. In fact, Apple themselves probably spend more money on sophisticated surveillance technologies than half the world's states combined. Certainly if we count things like dynamic image analysis from all those cameras on phones and cars and such. Why is an unaccountable foreign corporation better than a government? They're both pretty bad.
Care to explain what you mean? When the U.S. sells arms by the billions to despot regimes is it also state-sponsored terrorism around the world? Or just when Israel sells a cyber app you call it that?
Yes I also believe that financing NSO goes against the founding principles of Israel.
NSO Pegasus was used by the Hungarian secret service to spy on journalists.
Orban, the prime minister of Hungary is turning more authoritarian by the day.
Hungary displayed plenty of antisemitism well before the Nazi German occupation in 1944:
I'm not an Israeli and I'm not Jewish but if I was I would most certainly be even more opposed to selling cyber weapons to authoritarian governments, especially the ones whose authoritarian regimes of the past contributed to the Holocaust.
I'm quite cynical about this press release. The key point in the title is that Apple are cool with state-sponsored spyware, it's just abuse of it that bothers them. Also why did they wait so long to file this? I don't think it's because they lacked evidence until now. Perhaps they think such a lawsuit is now expected of them otherwise they will lose face, and that they have the general backing of the public now. I remember some months ago showed that Apple already had grounds to sue for copyright infringement. Either way, Apple is stepping into a political minefield. Buy popcorn and expect fireworks. Big ones.
They made their choices. Their victims had none.
Make them explain to their kids that they can't play games on Xbox or listen to music on Spotify because their daddy is a terrorist.
So whatabout some other asshole? Come back when you have an argument.
For governments, standard CT/AML financial intelligence: identify employees, shareholders/UBOs and add them and subsequent companies they start to the various watchlists/blacklists. For the public: open source intelligence, post info on forums, name and shame etc.