Apple sues NSO Group to curb the abuse of state-sponsored spyware (apple.com)
1120 points by todsacerdoti 3 days ago | hide | past | favorite | 443 comments
It is great to see this happen.

It's also fascinating that the crux of Apple's case against NSO hinges on NSO engineers having accepted iCloud's terms and conditions.

From related NYT article:

>The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”

The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

https://www.nytimes.com/2021/11/23/technology/apple-nso-grou...


Is it great? The lawsuit is Apple trying to enforce the iCloud EULA to stop reverse engineering. While NSO Group created hacking tools, and then did some questionable things with them, do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to be legally binding? Put another way, if it was someone HN liked, would we still say this is actually good? Because compared to the corporation known as Apple, NSO Group and its parent corporation are still "a little guy", and this move really doesn't seem like a good thing. Not for hackers in the HN definition of hackers, i.e. highly motivated tinkerers.

This community features not just fans of reverse engineering, but a number of practitioners, e.g. the popular Nvidia TSEC key extraction that was featured recently[0]. The defendant's actions make them an easy target, but, like the ACLU protecting the civil rights of murderers, because we still live in a nation of laws, I don't see this as great. This is a continuation of Apple's continued use of lawsuits to silence any challenges to their marketing of being the secure computer choice (e.g. Apple suing Corellium[1]) rather than their products actually being secure.

[0] https://news.ycombinator.com/item?id=29315378

[1] https://news.ycombinator.com/item?id=28219278


They are just using the EULA as the basis for claiming jurisdiction. They are actually suing not to stop reverse engineering but rather to recover damages incurred by unlawful business practices. Basically their argument is that:

0) The defendants can be sued under California law because they accepted the EULA.

1) California law makes businesses liable for damages incurred by their unlawful business practices.

2) Business practices which violate any California or federal law are unlawful business practices in California.

3) The defendant violated the federal Computer Fraud and Abuse Act by hacking into users' phones.

4) Apple incurred damages to their reputation and from expenses related to mitigating the hacking of their users.

5) Therefore the defendant is liable for Apple's damages under California law.

So the defendant could have been fine if they had just done reverse engineering, or even if they had developed the hacking tools, but actually using the tools against Apple's users in violation of the CFAA was going too far.

https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...


The complaint does also have a straight-up breach of contract claim, in addition to the CFAA claim.

Nit (maybe moot):

> 4) Apple incurred damages […] from expenses related to mitigating the hacking of their users.

This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway. Put another way, that also sounds like the corporate open source push, "We love open source because we don't have to support it, the community will!"

"4)" says the community will pay for/support security, just wait for the hack and make 'em clean it up. Mitigation costs shouldn't be a recoverable damage, they should be doubled and paid out to the victims...maybe that'll incentivise better security over dollar dollar bills y'all.

This may all be moot because this was a B2B action and I'm thinking from a non-monied, single user/security researcher perspective. What if the company was a non-profit security research group? Perhaps this is what the 90-day grace periods are for when dealing with responsible disclosure?

Anyhow, my ignorance must be showing at this point.


From Facts(C),

"60. Defendants force Apple to engage in a continual arms race: Even as Apple develops solutions and enhances the security of its devices, Defendants are constantly updating their malware and exploits to overcome Apple’s own security upgrades.

61. These constant recovery and prevention efforts require significant resources and impose huge costs on Apple. Defendants’ unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000 and in an amount to be proven at trial."

Hopefully the judgement is able to split the hairs between reputational and development harm to a company for security vulnerabilities, and harm to users for organized exploitation of those vulnerabilities.

The former feels like it should be free speech -- statement of facts related to the company's product(s). The latter is an obvious wrong.


Is it C that imposes huge costs here? Do they have a list of which CVEs have what cost?

I don't know of any legitimate security research group that hacks user accounts they don't own.

NSO hacked devices they didn't own and infected them with spyware. Apple had to pay to repair / replace those devices.

I don't see how this sets any sort of precedent where security researchers are liable for the costs of fixing vulnerabilities that they uncover.


> I don't know of any legitimate security research group that hacks user accounts they don't own.

nit: "user accounts to which they're not authorized"

I work with friends' accounts all the time provided they authorized me to do so and provided I'm permitted to do so as part of the vuln disclosure program terms and rules of engagement, though I usually split the bounty with them in a meaningful way to make it worth their while.


I know of several cases of reverse engineering of a bunch of hardware where the hardware is only available to a very limited subset of professionals. To gain access you either need to join that class and break the terms under which the devices are provided, get someone else to break the terms they agreed to or to steal a device (which for obvious reasons is at a somewhat different level than breach of terms and conditions). It is pretty clear that these restrictions exist to avoid reverse engineering of a - trivial - protection that makes making compatible products impossible, and which in turn protects a non-trivial revenue stream.

Apple is not really all that different. If they believe that suing to prevent reverse engineering is going to stop the bad guys they are delusional, I suspect that they are fully aware of this and are engaging in a very expensive bit of theater here: the NSO Group is not going to be overly impressed by this, whether they win or lose the case. If they lose they will be open to a damage claim, which in turn will have to be enforced through a court in a different country, if they win Apple will lose far more than just this case, they will lose the battle against everybody that wishes to engage in reverse engineering.

Another thing I suspect is that Apple is either very much concerned about the image/reputation damage, their supposedly highly secure platform/environment appears to be less secure than Apple wanted you to believe and a click-through EULA is not going to impress a law breaking entity, they probably should have anticipated that. And Apple may believe that other law breaking entities are going to stop doing their thing if they win this lawsuit, I'm a bit more pessimistic about that. Legal action is not a good way to recover from a technical failure, Apple needs to update their threat model and act accordingly.


>This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway.

No, read again, this only refers to damages from unlawful activity. "White hat hackers" need not fear.


I wouldn't be so sure about that. The difference between white hat and black hat is usually only determined once the destination of the results of the activity is known. Plenty of bug bounty programs appear to be one element in the marketplace for valuing an exploit. If the bounty isn't high enough your 'white hat' may well change the color of their hat.

Assuming they're lawyers who know every law and don't get skewered by something like DMCA 1201.

>> They are just using the EULA as the basis for claiming jurisdiction.

IANAL but it's always seemed to me that if I reject the terms of a EULA then the EULA doesn't apply to me. Pushing the "button" does not mean anything because only the EULA gives it meaning and I reject that.

50 years from now if someone is doing software archaeology and they go to install some software from a long gone company, who does clicking the button form an agreement with? Will it be legal to try that software? Can existing software companies list people they have click-through agreements with? These things seem like a bad joke in practical terms.


US contract law jurisprudence doesn't really seem to support you here.

> The mental assent of the parties is not requisite for the formation of a contract. If the words or other acts of one of the parties have but one reasonable meaning, his undisclosed intention is immaterial except when an unreasonable meaning which he attaches to his manifestations is known to the other party.

https://en.wikipedia.org/wiki/Lucy_v._Zehmer


That looks very different:

>Zehmer wrote on the back of the restaurant's receipt stating, "We hereby agree to sell to W. O. Lucy the Ferguson Farm complete for $50,000.00, title satisfactory to buyer". The note was signed by Zehmer and his wife.


Well (IANAL) but if you want to get into contract law, my understanding is that a contract requires acknowledgement from both parties. It's not really fair to say "the functioning of the software is acknowledgement" when the company granting that permission has no record of it. Ask a CEO on the stand if his company has any binding agreements with the judge.

> 50 years from now if someone is doing software archaeology and they go to install some software from a long gone company, who does clicking the button form an agreement with? Will it be legal to try that software? Can existing software companies list people they have click-through agreements with? These things seem like a bad joke in practical terms.

I mean, this seems pretty easily addressed:

I can't sign a contract with a dead company, can I? Well, literally I can, but the agreement wouldn't be binding.

Same applies here. Unless the entity still exists, in which case congratulations, you're in a binding agreement lol


There are some practical problems with this.

Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software. Big Co. may not agree to the terms of the old license.

Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?

What if there are no heirs, so the assets go to the government? Do you now have a contract with the government? I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.


I like how suddenly the intense legal minutiae are the most important details of a system, as if we're in a contract law class, as opposed to the obvious point that in general these agreements are fairly obvious.

Making up rules without thinking about the consequences of those rules is a Bad Idea.

What happens to contractual obligations when companies are acquired or dissolved is a matter that is settled law. It has been well thought out and is probably in scope for literally dozens of legal cases a day.

Just because something is new to you, doesn't mean that professionals that deal with this every day have never thought about it.

(The actual answer depends on the State, entity type, if it was dissolved or suspended, if a bankruptcy is involved, etc. and you should just consult a contracts lawyer)


Edge cases aren't consequences; they're trivia. And at the end of the day, our legal system is governed by humans who interpret and argue. Until humans are perfect, we'll never write a perfect law.

"Perfection is impossible, therefore don't try" is a dodge.

We're not making the laws, we are observers commenting on the status quo. I'm sure no one's losing sleep over Hacker News commenters being upset.

Are you a practicing attorney?

What are the problems here?

> Suppose that Small Co sells the assets of a business unit to Big Co. Do you now have a contract with Small Co. or Big Co.? Small Co. no longer has the rights to the software

That's right, that's what they sold.

> Big Co. may not agree to the terms of the old license.

Then I guess maybe they shouldn't have bought it.

> Suppose someone dies and their assets go to their heirs. Do you now have a contract with the heirs?

Yes. They inherited the deceased's assets.

> What if there are no heirs, so the assets go to the government? Do you now have a contract with the government?

You'd probably have to ask an estate planning attorney about the specifics of this, but so what if you did?

> I can think of some fun terms to add to a software license from someone on their deathbed if that's the case.

You should totally do it lol


So if I sell you a magic rock under a contract that says that so long as you are in possession of said rock I have legal authority to monitor your household to make sure you don't misuse the rock for evil, and you die and your heir comes into possession of the rock, I now have a contract with your heir? I can go set up cameras in their house and invade their privacy just because you wanted a magic rock? That doesn't seem right...

Contract law isn't absolutist like that, and it can't bind both parties in a way that's unreasonable or contrary to certain basic rights-related laws. That's why you can't contract yourself into slavery.

What'll happen in cases like that is that it'll be litigated, interpreted, and either amended through a settlement agreement or annulled.

As others have said, the law isn't a programming language. It's a human system that, while being rigorous, strict, structured, and binding for the most part, is nonetheless capable by design of nuance and interpretation within known and constrained bounds.


It sounds like that contract is a liability. Not a lawyer, but I don't think that liabilities are inherited the same way. Most likely if you wanted to do this, you would structure it as a rental agreement and get the rock back.

Probably if the heir accepted the rock during the estate proceedings, but I'm just speculating.

>0) The defendants can be sued under California law because they accepted the EULA

  The Court has personal jurisdiction over Defendants because, on information and belief, they created more than one hundred Apple IDs to carry out their attacks and also agreed to Apple's iCloud Terms and Conditions ("iCloud Terms"), including a mandatory and enforceable forum selection and exclusive jurisdiction clause that constitutes express consent to the jurisdiction of this Court.

I'm not a legal expert but shouldn't that be stupidly easy to deny?

Judge: Did you, NSO, agree to the Terms and Conditions by pressing "I Agree"?

NSO representative: No, Your Honor.

Apple Lawyer: Then how did you gain access to my client's services?

NSO Rep: A totally unrelated third party gave us 100 unlocked iPhones as a free gift. We never saw the terms and conditions, nor agreed to them. We can fully prove our claims. [edit: (fully proves his claims)]

Apple Lawyer: (spluttering) but... but... but...

Judge: (bangs gavel) case dismissed!

This is assuming NSO were far-sighted enough to actually create such a paper trail. Also, since Apple is disputing more than 100 accounts, maybe such a defence would be ruled as improbable, or some other legal jargon. Maybe someone better informed can chip in.


Nerds always want to interpret the law in some strict pedantic fashion, but in practice this is almost never how it works. Law is not applied stupidly or mechanically, you can't fashion yourself some ad hoc workaround unless you're extremely certain about what you're doing, preferably with a mountain of precedent behind you.

"NSO can be sued under California law because they accepted the EULA" seems like a mechanical, strict, pedantic application of law though.

How does that seem pedantic? It's incredibly straightforward.

On the other hand, creating some kind of convoluted, contrived paper trail to claim that mysterious third parties were the ones to have physically pressed the "Accept" button on your 100 fake accounts and so you didn't even know there was a EULA seems kind of like it might actually be fraud.


In addition, it doesn't survive past the moment it is discussed in court documents, at which point NSO are screwed if they ever pull the same shit again.

A full paper trail would also necessarily disclose the entity that provided those devices, which they may well be loath to do (since it either drags in a related company, who Apple can then also target, or embarrasses a third party who would rather remain nameless).

However, in practice, a technology engineering firm claiming to have no knowledge of the licensing that applies to the devices in which they also claim expertise, is such a far-fetched statement that it's almost trivially set aside, and earns a rebuke from the bench to boot.


I don’t see how this differs much from a common “clean room” reverse engineering strategy where one set of engineers accepts the eula and then writes down in excruciating detail exactly how the target item works, then a second set of engineers that have never seen the item in question (or accepted a eula) takes these detailed writings and uses them to reverse engineer the item in question. (A mere description of a device or software is not protected)

This is standard practice at large companies when reverse engineering chips, devices and software and seems very similar to the above eula argument.


In the clean room reverse engineering case:

1a. one team examines the device and produces a detailed specification of it

1b. another team works solely off that newly produced specification; this team has zero contact with the actual device

In this hypothetical case:

2a. a third party affiliate accepts the Apple EULA, and gives the Apple IDs to NSO Group

2b. NSO Group uses the Apple IDs as credentials to obtain Apple services

Notice that in case 2b, NSO Group has actual contact with Apple in two ways: they used Apple IDs, and they obtained Apple services. This didn't happen in the reverse engineering case.


Good points - thank you!

Wouldn't there be an article in the EULA that states if you use an Apple device, regardless of clicking buttons, you automatically consent to the ToS? Or is that not how the law works ...?

The EULA isn't the ToS. If you accept the EULA and the EULA automatically joins you to the ToS, then you also accept the ToS, usually including all its future versions.

Yes, American companies love to stack the deck against their users when it comes to selecting venue, but at the same time balk when the EU requires that they have an EU anchor to allow legal enforcement.

Who balked? Apple anchored in Ireland and got an amazing deal. I doubt they balked at that.

That's how law works.

Taken out of its context to prove a point on a web forum, and I would agree.

Lots of people negotiated these things and agreed to make commerce happen.

Novel to you does not mean novel to humanity.


Speaking as someone who’s been on the unfortunate wrong end of it, the law is applied stupidly and mechanically. All the time. That’s the default. The judge will go to great pains to super pedantically apply the rule of the law, regardless of common sense and believe it or not in most cases also regardless of common sense.

As it should be. It doesn't always work well for all circumstances, but we don't have a better system.


Irrespective of your personal experience, the law is nevertheless still not a programming language, thankfully.

However, "common sense" is also not how it works, so sure, when people rely on what they expect "common sense" to mean, then they too get screwed (the meaning of "common sense" after all varying dramatically from person to person).

Law has its own principles, philosophy, and practices, that's all. And judges, especially senior judges, do not like it one iota when folks try to circumvent the meaning, substance, and purpose of these elements.


This isn't the case everywhere. In some countries it is the intent of the law that matters, in others it is the letter of the law, in some a mix of both.

Your argument loses weight with the ad hominem attack.

Disagree. It was the cherry on top.

Nerds always want the law to be consistent. Lawyers are Machiavellian professionals trained in getting it to say "heads I win tails you lose" for their clients, and often succeed.

That doesn't mean the nerds are wrong to want what they want.


No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms. They expect it to be some sort of API spec that can be mechanically manipulated. Their own efforts at such intellectual mechanics are nothing but a trail of tears and failure, with bug after bug making a mockery of any claim they have about the benefits of such a system. Law has had millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people; coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions? Hard pass.

> No, it is just that most nerds are too ignorant to understand how law works and its purpose and mechanisms.

People have a pretty good idea of its mechanisms.

Powerful people break laws that are clear enough and then don't go to jail because of "prosecutorial discretion" or Johnnie Cochran or retroactive telecoms immunity for illegal mass surveillance.

Powerless people break laws that are ambiguous, or most people don't even know exist, or people know exist but they're only enforced against the nameless and poor, and the US has the largest prison population in the world.

This outcome is your great victory for "millennia to work out the kinks in the system and develop practices that are robust in the face of adversarial attack by actual smart people"?

> trail of tears

Really?

> coders can't seem to keep basic services operating in ideal conditions and yet you expect anyone to look to this group when it comes to actual life and death decisions?

We already have code running when it comes to actual life and death decisions. There is code running in aircraft and heart bypass machines, and it works, because then people care that it works. Nobody cares enough that some ad tracking code is perfectly reliable and efficient, so it isn't.

You're also asking for a double standard. The OpenBSD people do a nice job on OpenSSH. It's pretty good, not perfect. There have been vulnerabilities in even that. Then they get patched.

But you can't possibly be claiming that there are no "vulnerabilities" in the law. If that was the case then why do they have to keep passing new ones every year? The ask isn't that it never change, it's that it be changed by the legislature prospectively instead of being in a constant state of superposition until it's resolved by a court ex post facto.


This is also why the crypto-bro dream of having "smart" contracts manage the entire global financial system is insane.

That is why they included an alternative count of unjust enrichment. In case the defense proves they never agreed to the user/license agreement, then they will have also proven that they obtained Apple's software and accessed Apple's services without a license and used them for their own profit and to Apple's detriment, thereby unjustly enriching themselves.

> I'm not a legal expert but shouldn't that be stupidly easy to deny?

Anything is easy to deny.

Denial isn't sufficient to win the point.

> We can fully prove our claims.

Saying “we can fully prove our claims” is stupid easy. Being able to is harder.

> This is assuming NSO were far- sighted enough to actually create such a paper trail

But they probably weren't, because they didn't anticipate being sued in California based on jurisdiction gained via the iCloud T&C.


The burden of proof should fall on Apple in an ideal world. Maybe a court ruling that one stupid checkbox at the end of a digital 10,000 word document isn't sufficient proof might be a good idea?

> The burden of proof should fall on Apple in an ideal world

It does, but it's not an element of a crime being proven, so the burden isn't "beyond a reasonable doubt", but (as for most things in a civil case, though sometimes other standards apply) "preponderance of the evidence", for which you need to convince the court that, based on the evidence provided, the facts you need are more likely than not to be true.


It does, but this is what the discovery process is for. If NSO wants to claim that they somehow got these accounts without agreeing to the EULA process themselves, Apple is going to request and the judge is going to approve a discovery request for NSO to turn over every record they have related to the accounts, when and how they were obtained, and who obtained them for NSO. If NSO wants to pretend that they have no such records, didn’t get the accounts themselves, and don’t know what third party obtained them, they’re going to get a very skeptical response from the judge, and they’re probably going to have to send a bunch of employees to go make statements that in addition to not having any records, none of them remember how this happened either. That’s probably the point at which Apple reveals that really they know via IP addresses or geolocation or something that all of the accounts were registered in an office building occupied by NSO, and then NSO gets sanctioned to hell and a bunch of employees are revealed to have lied in their testimony. That’s an absolute nightmare scenario for NSO.

That's not how it works.

When they say "No, Your Honor" they would then have a charge of perjury added to the other charges. The Apple lawyer doesn't say "Then how did you gain access to my client's services?" (because litigation 101 teaches you never to ask a question you don't know the answer to).

...the lawyer enters into evidence the logs showing you accepting the EULA.


> Judge: Did you, NSO, agree to the Terms and Conditions by pressing "I Agree"?

> NSO representative: No, Your Honor.

IANAL, but the general understanding is: "Ignorance is not a defence". If your legal advisors did not flag this up then I think you are probably entitled to ask for your money back when Apple kicks your butt.


IAANAL, but the expression is, "Ignorance of the law is no defense." That differs from ignorance of the circumstances.

Good point. Well spotted.

If we are all quibbling over the wording used in a hypothetical case, then I wonder what's going to happen when the lawyers get going with the real one.


Apple will have the IP addresses of every “I agree” click. Maybe some of them are traceable to NSO.

How would they even be able to sign in without clicking "I agree"?

What if the devices are not connected to the internet?

I think that a much stronger argument here goes like this. A developer accepted those terms of services. That developer is not authorized to accept contracts / deals for the company as a whole.

The issue here is that a single employee (which may carry out an unauthorized action) is unlikely to create a binding contract for a company.

Otherwise, by the same token, NSO can create a EULA that says that use of their software costs 100 million USD / month. Get an Apple employee to agree to that (probably unknowingly) and sue Apple for that amount, since their employee "agreed" to that.


Wouldn’t hold up. Otherwise you can just create fall guys/gals and never deal with fallout. There are certainly some circumstances like corporations aren’t held liable for murder of some employee, but if the employee was doing it on the factory floor they absolutely could get sued for it. Unfortunately it’s not clear cut, but generally if you’re doing something on or with company property, during work duty hours (these hours are always stated on corporate handbooks even for startups), and/or it’s during course of business you can and will get held liable for the employee’s actions.

The $100mm example you have would just get thrown out in court because it would be deemed unreasonable, even if Apple was ultimately responsible and the employee was acting as a representative of the company or on behalf of the company. Otherwise why can’t I just get a buddy to set up some random service and then have (let’s say I work at Apple) me sign a contract saying that Apple will give all of its corporate property and money to this contract for the rate of $5/month so this random service can “manage it” or something? Whoops guess Apple agreed to that!


> they created more than one hundred Apple IDs to carry out their attacks

Maybe the most interesting thing about this is how it proves that their code signing system is worthless. If the same bad actor can get a hundred Apple IDs to sign literal malware with, why are they imposing this burden on random small developers?


When did anyone mention code signing or developer accounts?

What did you suppose they needed a hundred Apple IDs for?

I have no idea why people are speculating about this. Unsurprisingly the publicly available complaint explains exactly what the Apple IDs were used for. https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...

>50. On information and belief, Defendants created more than one hundred Apple IDs using Apple's systems to be used in their deployment of FORCEDENTRY.

>51. On information and belief, after obtaining Apple IDs, Defendants executed the FORCEDENTRY exploit first by using their computers to contact Apple servers in the United States and abroad to identify other Apple devices. Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target.


Sending the malware via iMessage, assuming the flaw was part of iMessage and not standard SMS.

But if they did that, Apple wouldn't need the EULA because then they could throw the CFAA at them.

... That's exactly what they did?

From the complaint:

>Count One

>Violations of Computer Fraud and Abuse Act

https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...

The EULA is used to establish jurisdiction, and for the separate breach of contract claim. Apple has servers around the world, without the EULA the jurisdiction isn't necessarily obvious.


I believe the CFAA is a criminal law, and charges would have to be brought by an AG. This is a civil case.

This is not correct, civil suits over CFAA violations are common.

They are throwing the CFAA at them. However, the CFAA is an American law, which would be challenging to apply in a foreign court. So they are using the EULA to sue in California. It’s all in the article.

Does the CFAA apply to an Israeli firm sending a text message from Israel?

Yes, it can. You can find Apple's lawyers' explanation in the complaint under the "JURISDICTION AND VENUE" heading https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...

Could be used for attempting to find metadata on users then, etc. There’s a few things I could guess.

The article doesn’t say. I’m curious to find out myself.

A detailed forensic report was published by Amnesty on some of the methodologies NSO used.

https://www.amnesty.org/en/latest/research/2021/07/forensic-...


> do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to legally binding?

for commercial interactions in particular between two businesses? Yes, absolutely. How else are two entities supposed to come to legally binding terms without a contract? I'm all for a little bit of lenience when an end user didn't read the terms but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

The little guy isn't always right because he's little. If the little guy hacks my software to sell spyware to dictators and war criminals you bet I want the right to take him to court.


(Not a lawyer, but this is the correct answer)

As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please.

Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens.

Giving them the right to destroy your business at any time or at least try very hard to make it unprofitable shouldn't be a surprise to anyone.


This sits so unwell with me, gives such limitless tyrannical & dictatorial control to a company.

> As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please.

Agreed. That's exactly what it seems like. And that sounds like immoral, unjustifiable, sickening hell. That Apple gets to hold all the cards, no one else on the planet gets any say in how a device might be used.

It seems to me like the law is immoral. The law is heavy handed, an idiot, and wrong. And it seems like Apple is a user/abuser of unjust power which it does not have any moral or ethical right to wield.

> Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens.

This sounds like a nightmare hell world to me. It contravenes the idea that any of us can ever be owners of anything. This sounds like the logic that says that only Tesla can repair Tesla cars, the logic that says only John Deere can repair John Deere tractors. This is an anti-human world, this is a bad world, this is immoral, this is wrong, this destroys & rots away at humanity as a can-do toolmaker, as an improver of the world about them. It consigns power away to fragile, remote, limited corporations. That is not a world I ever want to let happen to us. I tend towards atheism/agnosticism, but if there is a god, this flies against what graces the gods have given us to let ourselves be constrained so. It is unnatural & against the spirit of the human enterprise.

I have no love for NSO Group. It feels great seeing such a group of shady, underhanded, anti-democratic punks get served. But this is absolutely going to be yet another move in the ongoing shift towards top-down combined technocratic/legal control. It's absolutely a demonstration of Apple wielding legal power to obstruct & defend that which it simply doesn't want to have to deal with, brushing aside something inconvenient. It's absolutely a battle over what terms of service mean & whether the world has any rights of their own. I for one am not cheering for Apple's victory in having their massive iron-clad armor further enhanced.


>Agreed. That's exactly what it seems like. And that sounds like immoral, unjustifiable, sickening hell. That Apple gets to hold all the cards, no one else on the planet gets any say in how a device might be used.

I'm not a big proponent of IP, but you're basically saying it is immoral, unjustifiable, and sickening as hell that Apple enforces the rules that Apple wants on Apple products/services, which were created and offered by Apple? Who should be making the rules if not the creator and maintainer of the product/service? Why is using another product/service not an acceptable alternative?

I agree with the general direction of your comment, but certainly not with the same voracity that wouldn't allow my own company to create the rules for my own service offerings (within the confines of state/national law).


Replace "Apple" by any traditional car company and you should immediately become concerned. Shouldn't a car company have absolute, one-sided control over the cars they sell? Like should the car stop working if you agreed to obey the speed limit but then sped? Or stop working if you didn't use their branded fluids?

Except, as I understand it, this case is not about a EULA on the iPhones themselves, but rather on Apple's services.

They agreed to the EULA on the services, then, in part, abused their access to those services to hack into other people's iPhones.


The fact that the modern world exists in a corporate-owned, proprietary cloud, versus the era of personal computers & personally-owned systems, is greatly greatly greatly confusing. I don't fully well know how to handle this great confusion. But ultimately, the trend of all rights being reserved by the megacorp is, ultimately, a vulgar anti-human anathema which we must shake off. Humanity must be allowed to pick up our microscopes & magnifying glasses, to peer in, to meddle. No legal contract preventing the natural sciences is ethical nor godly.

I have no idea how we do that. Perhaps decoupling the data-processing services from the data-holding entity might be a possible frontier. One could imagine being able to keep their identity, their core systems & datum wherever they want, & to convert Apple into a mere processor of those personal systems. That way we might not know what Apple is doing, but we at least can watch their black box act against us.

In general, trying to draw further extenuating circumstances, trying to say "except except except" is simply not ok. The phones we carry are part & parcel of their many services, in this weird conflux of computing. It reduces basic core human integrity to be denied access, to be rebuffed by EULA from understanding & witnessing & probing into these core techno-vessels we navigate about with. These mere technicalities presented, that our homes happen to be located inside Apple data-centers, are to me uninteresting & unimportant in the moral, ethical, humanistic & religious discussion and/or reckoning we have fallen into.


I mean, broadly speaking, I agree, but do you really think that "state-sponsored hacking group that provides the ability to break into people's phones to the worst regimes the world has to offer" is the use case you want to be enabling here...?

If I'm understanding correctly, this wasn't a case of "they agreed to the iCloud EULA because you have to have iCloud to use an iPhone". You don't, in fact. Yes, some services will be unavailable, and...it might occasionally bug you about it? (Not sure about the last, as I do have iCloud) No; they agreed to the iCloud EULA because they were trying to take advantage of unpatched iMessage bugs to break into other people's phones.

I fully agree that the scope of EULAs today is terribly overbroad, but I do not believe that making a legally-binding agreement not to abuse the service to harm other people or steal their data is an inappropriate use of them.


..Or the warranty becomes void if you open up the hood of your car and try to repair/replace parts..

> Who should be making the rules if not the creator and maintainer of the product/service?

Many things should be up to them, but many things should be up to the buyer.


> Who should be making the rules if not the creator and maintainer of the product/service?

The customer? That's the whole point of a market.


The law works fine when there is no monopoly.

But since Apple has 50% of the market share, the law doesn't work well anymore.


> But since Apple has 50% of the market share, the law doesn't work well anymore.

Apple has 60% of the mobile market in the US[1].

[1] https://www.pcmag.com/news/ios-more-popular-in-japan-and-us-...


This and more. I find it beyond farce that Apple & its adherents' chief defense seems to be that there are other people making products that aren't Lawful-Evil to humanity. If Google one day woke up and said, we're just going to try to do what Apple does to its users, there would be nothing left. This pretense that Apple's behavior is anything but anti-competitive, anti-trust worthy rings so hollow to me. The excuses that there are other places to go completely fail to wash for me.

It's as if these folks are saying the Carterfone victory was only won because AT&T was a monopoly. That's not how consumer rights work. That's not a solid enough platform for humanity to remain upright.


...50% of what market?

I assume OP is referring to the fact that Apple has 60% phone market share in the US[0].

[0]: https://news.ycombinator.com/item?id=29325606


Put another way, I don't really have a problem with 3rd parties - or individuals who are so inclined - repairing Apple gear, but the recent moves have shown that the company would much rather deal with the small headaches of setting up and administering such a program if they can set the terms under which it happens.

Otherwise, legislators (think: US Congress) will do it for them, with disastrous results. Doing it like this means everybody gets something out of the deal: Consumers can choose the best repair option for them, Independent shops now can take Apple business and without worrying about warranties, and all of this happens in full view of the company and people who are watching them closely (Again, legislators).

It's a closed system and Apple sets the rules, but just about anyone can participate. On the whole, that seems like a net good to me.

* The same sentiment might apply to Deere as well, but I don't know enough about that particular situation to say if it would still be impractical to take a similar approach.


>This sits so unwell with me, gives such limitless tyrannical & dictatorial control to a company.

Do you think Apple could get some "hackers" extradited if they don't live in the US? It's that old adage, one man's terrorist is another man's freedom fighter, and some countries like Russia will point blank refuse extradition to the US as will other countries.

Any business can put what they like in their terms and conditions, those T's & C's are still tertiary to regional and state law if they are even enforceable. Lawyers will let you put whatever you like in a contract, whether it's reasonable and enforceable is another matter which only judges can decide.

Now if you live in the EU, there is nothing wrong with reverse engineering code, the EU court has ruled this https://news.ycombinator.com/item?id=28809559 but the definition of a bug can be more vague because a coder might suggest a user reported bug is working as it's coded, so the coder may not see it as a bug but the user might and here you just need to convince the judge. Grey area.

Another example of what was a grey area of law was initiating an email send to an email server in order to track whether an email address existed or not. Once the status of an email address was known, abort the rest of the communication. It was useful for tracking people globally, and spam filters were not that good at picking this up in the past. Anyway that process has effectively been ruled illegal by the EU now as your email address supplied by your employer has to be treated as a private and personal email address so then other personal & privacy laws come into play to make the game more complicated, but you used to be able to track people globally in businesses & military to spot when people had left an employer or been moved in some cases.

Then you have the NSA putting out reverse engineering tools for free like https://ghidra-sre.org/ making one wonder what is the point of law especially when you reproduce parts of the AT&T infrastructure in Romania? https://news.ycombinator.com/item?id=29135559

Now whilst the law might seem absolute, legislation is very intentionally left vague and its judges who make it closer to being absolute with narrow specific definitions when they make a judgement, but if there's one thing I have learnt, interpretation of the law can be surprisingly vague even by judges.

So all in all this could actually be a marketing or reputation management exercise or both involving lawyers to reassure Apple customers they have made the right purchase. Running an entity, be it a business or a govt, can be incredibly nuanced like playing a game of chess, and sometimes it's not the initial action we need to be concerned with but the resulting action.


Personally, generally I could not be more uninterested in the international legal politics behind this all. None of it is at all progressive, none of it speaks to what humanity can or could do. It's the most anodyne, boring, real world, un-possible way to take the discussion. It's mired in endless fun-house mirrors of shit-show politics that hasn't, won't and can't figure out how to adapt. I can't think of a single nation that shows leadership, that has anything interesting or useful to say, any means of embracing humanity, of raising potential.

> It's that old adage, one man's terrorist is another man's freedom fighter, and some countries like Russia will point blank refuse extradition to the US as will other countries.

This is a great mentality, and I'd love to see more dynamic behind it. Alas. I see no nations espousing & helping the actual obvious Open Source & other progressive & pro-human, pro-enlightenment, anti-proprietary freedom fighters. I see no one standing up for more personal computing liberties. The international regime is hostile & un-comprehending of tech & its possibilities, more interested in businesses & big tech than it is in trying to help good tech happen, which is the real oppression, the real struggle, one enacted via pervasive & harsh IP laws & seemingly ever-expanding copyright length. Sure, some nations celebrate punk-ish behavior & sticking it to the west, but I can think of precious few examples of nations actually helping the good. The recent AskHN about software/tech monasteries[1], & the complete worldwide lack of any answers whatsoever indicates to me that there is no real help or interest in the actual freedom fighters, anywhere in the world.

If you want to look at the law, I think today's example, of Russia telling 13 big tech companies they have to establish offices in Russia[2], is a near perfect example of how tech and law intersect. This is particularly menacing & threatening & scary, but it mirrors most of the relationship worldwide: aggressive, at ends, seeking constraint & control & dominance, no interest in growth or humans or improving the human-computer relationship. The law rarely serves the people, rarely amplifies possibility. It's here to insist that some antiquated self-obsessed notion of justice can be served, even when that justice so often only serves a fading out of touch law, or big vested interests, not the people.

Generally I consider myself extremely progressive & hopeful for what governance & governments can do and should do. And I think if government wanted to deploy tech to help the people, if it would stop allowing endless private control to reign, great things would happen (Ron Wyden for president, 2028). But right now trying to frame questions & challenges in terms of the law is not-great. The law affords deep & vast powers to its vested interests & the ideas of law itself. Yet in your particular scenario, it also simultaneously jealously & vengefully guards actual access to its means of power, to the reins of state-sponsored violence & enforcement. The question posed, about whether Apple could get access to this executive use of force, isn't particularly relevant to me, and I don't think it reflects on the widescale systematic bureaucratic control companies like Apple & the prevailing worldwide laws get to impose via EULAs against the people of humanity.

Some of the comments on Facebook getting the OK from federal US Court of Appeals to also try to sue the NSO Group[3] are somewhat in line with your questions & scenarios. The comments there talk to the ability to try to pursue legal action, but the inability to actually get the state/states to do anything about it. In some ways, this is an ideal case. It shows that a state that wanted to support freedom fighters, that wanted to support emancipatory, liberated, pro-personal computing, might be able to. There's just not a lot of good guys out there trying to help spring us free from the walled gardens we're locked in.

My apologies for not trying to take up the question better. I think there's interesting material here. But to me, these questions return us to a not-compelling legalistic mindset, a practical view, that isn't capable of adequately considering how entrapped humanity at large is by the corporation's abilities to write its own rules, by the de-personalization & de-accessing of computing that the cloudification of the world has brought upon us, & consigned us into. Whether or not this tyranny has the power to cross international boundaries & come get us isn't a particularly interesting subproblem to me. Generally I feel like the world has conformed to the prevailing notions of corporate techno-sovereignty.

[1] https://news.ycombinator.com/item?id=29309794 (12 comments)

[2] https://www.reuters.com/markets/europe/moscow-says-13-foreig... https://news.ycombinator.com/item?id=29320398 (7 comments)

[3] https://www.reuters.com/technology/facebook-can-pursue-malwa... https://news.ycombinator.com/item?id=29323095 (15 comments)


In a way, we are just witnessing and commenting on the survival needs and actions of different entities, be it a country, laws, finance, companies, groups, religions or individuals. They all have different needs for their survival and this is just one story on one entity and the interactions of those involved like the courts, law, Apple, NSO, The Press, consumers or users, Judges, Govts, administrations, etc etc.

AFAIK there is not a country on this planet that does not believe in sky faeries in one form or another (?Antarctica?), likewise we generally all eat the same things, with minor regional differences, similar practices and needs so until you can get the main users ie humans to increase their intelligence and knowledge, it would seem this planet is stuck in a slowly evolving pattern of operation which still has various self destruct risks, some easily quantifiable others not. The problem still remains, Apple have massaged the Ego of many via advertising and functionality creating this walled garden.

Russia telling 13 mostly US tech companies has already been done by the EU with servers having to be located in the EU, so the EU has led the way on that issue apart from the obvious US data gathering in the first place by building the services and tech!

To me it's just survival of the fittest of entities and whether cultures/countries are now holding back some of these entities which can then come back and bite the culture and country into non existence. When is an action a Zerohedge?


They can try. But that's not the same as succeeding, let's not get ahead of the lawsuit, which will likely take a long time to resolve.

Fair enough.

My issue here is that every time this kind of thing comes up, it becomes a sounding board for how (any) company has too much power...

Ever wonder why that is? The laws are written in such a way to allow it to happen, and they are more or less required to do what is in the best interest of shareholders.

If this doesn't suit you, bug your Congressperson to work to change the laws - just don't take a page from Newt Gingrich and burn the house down.


> but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

I see this in companies I work for all the time, so, yes, I can see that being the case here.

(I'm not saying that's a good or professional thing.)


> but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

Yes! They don't seem like people who think through or care about the consequences of their actions.


There's always the problem with a little one that has to accept the big one's terms. Actually in Germany and probably elsewhere there is clear jurisdiction on what is allowed in a terms and conditions type contract. It actually applies to any contract that is not created from scratch on an eye to eye basis. Other laws like the GDPR also restrict what can be part of a contract. So while nobody is reading all this stuff at least we have some assurance that it's not totally unfair. Otherwise it is typically safe to assume that companies try to shape everything to their own benefit. So it boils down to trusting a company in general.

Not being a lawyer and having no clue about US jurisdiction: I am really curious if this EULA thing works though. Normally under copyright law wrongdoing would just mean that your licence is terminated. Illegal use typically just requires paying damages twice the licence cost afaik. I would actually find it kind of scary if I could be pulled into any kind of jurisdiction about something not directly related to the contract just because I accepted a software licence agreement.


> How else are two entities supposed to come to legally binding terms without a contract?

The question is what's the threshold for the existence of a contract. You both go into a conference room with lawyers and negotiate over the terms and sign it in ink, that's some pretty good yes vibes. Somebody clicks a button on an un-negotiated text form in a piece of software, maybe it should take more than that.

> I'm all for a little bit of lenience when an end user didn't read the terms but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

Tons of bureaucracies do exactly that. The boss says they need a way to do this thing, so some Danny from the IT department finds some software to do that thing, it's free or costs less than the amount he's authorized to spend from petty cash, so he clicks accept and installs it on the user's machine.


>Somebody clicks a button on an un-negotiated text form in a piece of software, maybe it should take more than that.

My litmus test is I don't consider a contract valid unless I've actually had a chance to do a counteroffer.


It's not just the iCloud terms of service, though — they're using that to strengthen the case that NSO agreed to the jurisdiction of California courts but they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.

It would be really interesting to see what precedent comes out of this case and especially how that would affect a future case where Apple claims a violation of their terms of service but the user fully consented to that use.


>they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.

What's their theory of standing to sue over damage to their customers?

Edit: the main point is this (from the CFAA count):

Defendants’ actions caused Apple to incur a loss as defined by 18 U.S.C. § 1030(e)(11), in an amount in excess of $5,000 during a one-year period, including the expenditure of resources to investigate and remediate Defendants’ conduct. Apple is entitled to compensatory damages in an amount to be proven at trial, as well as injunctive relief or other equitable relief. See 18 U.S.C. § 1030(g).


18 U.S.C. § 1030(e)(11) https://www.law.cornell.edu/uscode/text/18/1030

"(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;"

18 U.S.C. § 1030(g)

"(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."

I assume "negligent" is used in the legal sense? But it'll be curious if NSO claims they're not liable for selling flaws that already existed in Apple *ware.


They'd have to prove that Apple was negligent to sell software with flaws, but that's gonna be tough considering that much software has flaws.

Agreed. I'd assume that's what the large number of words related to "Apple demonstrates an outstanding security record, etc etc" is aimed at. And it's a fair argument: nothing is bugless.

> They'd have to prove that Apple was negligent to sell software with flaws, but that's gonna be tough considering that much software has flaws.

It does carry a strange irony when Apple keep saying they have the best security after iOS has been very badly hacked by nation state actors, though. I'm not saying their security isn't good, but I would have rathered "we're fixing X things" than security hyperbole.


Thanks for sharing your marketing preferences.

> While NSO Group created hacking tools, and then did some questionable things with them

Such as selling their software to the Saudi Government which in turn used the software in a highly targeted cyber attack leading to the grisly murder of a dissident journalist?


What is great is it could bring some much needed clarity on the subject.

A ruling against the EULA might bring some clarity to the limits of powers tech companies have over us.

A ruling for the EULA might shine a light the power these companies DO have and force governments to bring in laws to curb them.

It is not a good situation, where Apple / Microsoft could turn around and say to someone who broke the EULA or perhaps even to someone who didn't, we are revoking our agreement you can no longer use our software. Leaving them virtually unemployable in many sectors, and similarly they are in the position to absolutely cripple the vast majority of businesses with the same tactics.


What normal people probably want is the state of affairs that historically existed:

Government (legislative) mandates via law what rights consumers are entitled to, that cannot be stripped from them.

Companies are free to request waiving or agreeing to anything not enumerated in the above.

What's broken down recently is that legislatures aren't doing their job of proactively mandating consumer rights, and consequently companies are requiring whatever they think they can get away with: forced arbitration, lease-not-own, arbitrary right to revoke usage grants, prohibiting user / independent repairs, etc.


Realistically speaking we have no legislature anymore.

In what sense?

In the sense that new laws are really difficult to do in the age of polarization. So instead the executive branch issues orders and the judiciary interprets laws in creative ways.

H.R.3684 (aka "Infrastructure Investment and Jobs Act" aka "INVEST in America Act" aka "the Infrastructure Bill") passed the House 221/201/8 [0] and the Senate 69/30/1 [1].

Admittedly not the best numbers, but not terrible either.

[0] https://clerk.house.gov/Votes/2021208

[1] https://www.senate.gov/legislative/LIS/roll_call_lists/roll_...


I think this is my point, this was a very non-controversial bill made in as much as a bi-partisan way as we can. It is also very similar to what Trump called infrastructure week. Still it got 2!! republican votes in the house. In the senate it was a bit better, but still 30/50 republicans voted no.

I think if Trump proposed the very same bill more or less all republicans would have been on board.


Actually, it's worse. The legislature creates executive Agencies to create Administrative Law, thus freeing them of any responsibility besides budget, political theater, and insider trading.

> While NSO Group created hacking tools, and then did some questionable things with them

Wow, that's some serious softballing there. At a minimum, The NSO Group knowingly facilitates criminal activity. They shouldn't be treated as if they were a legitimate organization.


> do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to legally binding?

In this case the contract was made between two businesses. Consumers deserve protection because they are naturally disadvantaged. Companies with fully staffed legal departments really have no excuse.


I am a straight-up GPL coder and advocate, and I find this line of reasoning difficult to support. Additionally, it is a habit of lying, thieving security people to use every inch of freedom that GPL-advocates give them.. really torn here

Yes. We emphatically want the rule of law to persist, and for legal avenues to be open for combating conduct like what NSO Group has done here.

In particular, by any standard, it certainly seems reasonable for Apple (or even companies we don't like) to prevent the use of its own tools and accounts for the purposes of attacking its products and attacking its customers. Especially when the attackers have explicitly promised not to do so.


hmmm, I mean if we have to agree to things that are supposedly legally binding, I would like them to be so. If they are not legally binding, I would like to know that and not have to agree to them.

Terms of services place an unreasonable burden on the average person. No one reads them and it isn't at all practical to do so. It's been demonstrated before that if the ToS contain unreasonable terms and that the users were not adequately warned, the terms become nullified anyway.

So if Apple added a term that said "you will owe us $1000 per day and give us license to harvest your organs", it would be nullified even if the user agreed. They would have to have something like a big payment screen showing $1000 and clearly marking out the terms without being lost in a wall of text.


Forcing opaque, possibly abusive EULAs on individuals is one thing, using them against organizations is another. In most jurisdictions, many terms routinely found in contracts between businesses are invalid when an individual is a party due to consumer protection laws. Take renting. In many places you typically can't rent out a dilapidated home to someone even if they agreed to it explicitly, but you can lease any location in any state to a business.

Unlike individuals, organizations are expected to have the resources to handle the legalities and to not be pressured into a terrible deal by circumstances.


> those inane licenses no one reads, do we really want them to legally binding?

What all would be possible if software EULAs weren't legally binding?

One thing that EULAs typically do is reduce liability for the company producing the software. Imagine if Google/Apple were liable for damages from all the miscommunications caused by autocorrect?


There’s a difference between clauses in an EULA that release the software vendor from liability and those that impose additional liability on the user. I think it’s perfectly fine for an EULA or “non-warranty warranty” to be included in open source software. If a person or a company wants to release software, they should be able to do so without being held liable for damages caused by the user’s improper use of the software.

On the other hand, if a click-through license can expose users to a potential lawsuit then that fundamentally changes the regime we all live in. It creates a world where the countless pieces of software we all use on a daily basis become hidden legal threats, lurking in the shadows like so many snakes waiting to strike. That’s not a world I want to live in and I think most HNers would agree.


EULAs are also used to protect IP, such as by prohibiting reverse engineering. Preventing reverse engineering would prevent modding games, fixing bugs in software that isn't supported anymore, security analysis, etc... In my view, it'd be a net negative for society.

I'm pretty sure you can reverse engineer most Apple things without ever signing their EULA. Maybe not those that require an iCloud account though.

They are legally binding if the parties agree, but there's a catch: a checkbox is repudiable. You can reject the EULA, but then you will be judged for unlicensed usage of the service.

A court can decide. Apple and many others have been harmed by this so it makes sense that somebody should be able to sue.

It seems many laws are written in the hope that everyone just agrees, while secretly hoping it is never challenged in court. The easiest hurdle put in place is standing, in legal terms. That's one bit I have trouble with in how laws are challenged: if a bad law is enacted, it should be possible to challenge it immediately through the courts to knock it back, instead of having to wait for the first person directly affected by the law who also has the means to mount the legal challenge.

> Put another way, if it was someone HN liked,

I'm sure no one reads TSLA EULAs either.


This is a rare insightful comment compared to the usual mainstream thought you find on HN. Exactly, what if it's someone you like? So few people consider this when they give up their rights for the "common good". EULAs are just one of these things we just allow to happen to us because we assume good intentions.

I will just add, the author of the NYT piece has a book out on this subject. The book is decent, has some cringe worthy descriptions of technical things if you are a technical person, but overall I learned a huge amount reading it.

A lot of the commentary, accusations, and opinions in the comments here would be addressed or better colored if you're interested enough to read her book (https://www.amazon.com/This-They-Tell-World-Ends/dp/16355760...).

Also, just to be clear, one of the reasons I like the book is because it's written by a person that doesn't understand all the deep technical aspects of these things.


If you want a more technical perspective, The Darknet Diaries did an episode a couple months ago about the NSO group:

https://overcast.fm/+PMNc5Hr8c

I discovered Darknet Diaries listening to that episode. It’s very accessible and excellent storytelling.


You actually want to listen to the previous episode to get context first: https://darknetdiaries.com/episode/99/

I've listened to a bunch of those episodes. I agree, the host/creator does a fantastic job.

> has some cringe worthy descriptions of technical things

Par for the course when trying to explain things to non-technical people.

People joke but you can see the thought process in explaining to a politician that the internet is a "series of tubes" for example.


Reminds me of when the Oracle v. Google case was argued in front of the Supreme Court on a series of metaphors, among other things comparing Java to football teams: https://www.theverge.com/2020/10/9/21506172/oracle-google-ja...

The justices clearly boned up on the technical aspects of the case though as their opinion shows a good grasp of what is going on in the underlying dispute over Android.

I was the victim of a state-sponsored attack. I took it to court. I tried to subpoena the contents of the government agents' iPhones but Apple came and filed a Joinder in Motion and sent expensive lawyers to lie to the judge about the judge's power to subpoena digital evidence. The lawyer specifically told me all he does is go around the country and lie to judges to get them to cancel subpoenas.

We introduced the T+Cs from one major online provider to show how the government violated them. The government stipulated that they had violated the T+Cs and that they had broken the law. Two different courts both stated that government agents are allowed to violate federal and state computer and data access laws to conduct intelligence-gathering operations, and they are certainly allowed to violate T+Cs even when a violation of a T+C is a criminal act (which it is in many jurisdictions).

One thing that is lulzy is that I recently received a letter from one government agency stating that the evidence I had requested by subpoena was no longer available because they left it on a server in violation of the T+Cs and never took a copy of it and the provider deleted the account.

It hasn't reached the appellate courts yet.


> Apple came and filed a Joinder in Motion and sent expensive lawyers to lie to the judge about the judge's power to subpoena digital evidence.

If a lawyer makes an argument in court about the law governing a case (as opposed to the facts of the case), and the judge accepts the argument, and the judge's decision survives all its appeals, then the lawyer's argument is, by definition, true.

EDIT: I'm objecting here to the characterization of the lawyers' arguments as "lying". The judge's "power" to subpoena digital evidence sounds like a question of interpretation of the law. Many (all?) US court cases have at least one question of law in which the parties make opposing arguments. One party prevails, the other does not, or maybe one party prevails on some points and the other prevails on other points. But however those questions are ultimately decided, that's the law, as it pertains to that case. In that context, it seems very strange to characterize either party as "lying" in such arguments.

If, on the other hand, "the judge's power to subpoena digital evidence" really means Apple's technical ability to produce such evidence, then I would agree that those are facts about which some statements could be considered truthful or not.


> "If a lawyer makes an argument in court about the law governing a case (as opposed to the facts of the case), and the judge accepts the argument, and the judge's decision survives all its appeals, then the lawyer's argument is, by definition, true."

This is a Kafkaesque and wrong understanding of the legal system. There are all sorts of errors of law and errors of fact that are non-appealable.


I think the poster above is right, certainly with respect to the legal system in the USA.

In the USA you often get one direct appeal - an appeal by right - and then if that fails, a discretionary appeal by a more superior court.

I've seen some bone-headed decisions made by the trial judge, then the same error made by the appellate judges, and you know the superior court would reverse, but they only take 0.01% of the cases they see every year and so they just don't have time to fix every mistake. So some really stupid legal decisions become "the law of the case" simply because society doesn't have the funds to pay more judges to check the work of lesser judges.


Case law, not truth. Judges do not decide fact.

> Judges do not decide fact.

Trial court judges in jury trials do not (in principle) decide fact questions (though even that is misleading, since they can decide “as a matter of law” that offered evidence is insufficient for a particular fact conclusion even over the jury’s determination of fact, except in the case where that would be unfavorable to the defense in a criminal trial.)

Judges in bench trials, and appellate judges in many cases, do, in fact, decide matters of fact, though in the latter case the usual rules are generally, but not infinitely, deferential to trial court decisions.


US based? I understand if you can't divulge any specifics, but I'm always curious about the nature of these attacks, e.g. we know certain types of journalists/activists are often targeted.

US-based, yes.

> and they are certainly allowed to violate T+Cs even when a violation of a T+C is a criminal act (which it is in many jurisdictions).

Is violating a T&C criminal in the US, if the violating action itself is not a crime? I have not heard of this. Are there any examples that can be linked to? I thought it was always a civil matter.



The CFAA includes this. I am not sure it's possible for US government actors to violate the CFAA unless they're violating some other law also. It seems very unlikely Congress intended to make T&Cs binding on law enforcement or intelligence investigations.

"This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States."

https://www.law.cornell.edu/uscode/text/18/1030#


This is correct, although most US States have their own version of CFAA which aren't so limited and don't include any exceptions or exemptions, either.

Yes, for instance in Illinois there is a specific crime for violating terms of service:

720 ILCS 5/17-51(a-10)(1) Computer tampering

https://www.ilga.gov/legislation/ilcs/fulltext.asp?DocName=0...


Perhaps you may want to ask https://eff.org for help.

I tried at the time, but received no response.

> sent expensive lawyers to lie to the judge about the judge's power to subpoena digital evidence.

You're being unreasonable here since it is a very grey area.

If Apple is compelled for example to hand over encryption keys to a judge (which often means a bunch of junior lawyers) then that would infringe everybody's right to have their information be secure.


As quoted that sounds like a choice of law clause, not a choice of forum clause, and so wouldn't necessarily help in bringing suit in California.

In computer terms a choice of law clause in a contract is essentially a macro that when the contract is interpreted in a court expands to the contract law of the jurisdiction named in the clause.

If a court in, say, Kentucky hears a contract dispute and the contract has a choice of law clause specifying California it is essentially as if the parties wrote California contract law into their contract. For things that a contract does not have the power to alter in Kentucky, Kentucky law would apply regardless of what California law said. E.g., the Kentucky court would use Kentucky rules of civil procedure and would use Kentucky rules of evidence.

A choice of forum clause requires the parties to use a particular jurisdiction to settle disputes. When you agree to such a contract you are agreeing to give the courts of that jurisdiction personal jurisdiction over you for matters involving that contract.

PS: I found the EULA. In addition to a choice of law clause it has a choice of forum clause:

> Except to the extent expressly provided in the following paragraph, this Agreement and the relationship between you and Apple shall be governed by the laws of the State of California, excluding its conflicts of law provisions. You and Apple agree to submit to the personal and exclusive jurisdiction of the courts located within the county of Santa Clara, California, to resolve any dispute or claim arising from this Agreement

PPS: note that the choice of law clause excludes California's conflict of law provisions. That's to avoid the situation where California's law says that some third jurisdiction's law should apply. In theory you could even end up in a situation where jurisdiction X says to use Y's laws and Y says to use X's, and then you've really got a mess.


If this is ruled in Apple's favor, can that be a stepping stone to allow NSO to be charged with aiding in murder?

I guess they haven't done this, but isn't this trivially mitigated by hiring someone to create the accounts, outside of the US entirely, in a jurisdiction where T&C violation doesn't mean anything? Especially if the accounts are needed in bulk, where it makes sense not just to work around the legal arguments but simply economically.

They presumably created the accounts in Israel in any case. It doesn’t matter though, because they’re being sued in the United States. Apple is a US company, and the EULA says that disputes will be resolved according to California law, so according to US law, Apple can sue NSO in California. The jurisdiction where NSO (or their designee) agreed to the EULA isn’t important because contracts have two parties, and Apple is in the US.

Were those engineers authorized to act on NSO's behalf?

If I sign an agreement with Apple on behalf of <faang company>, even as, let's say, an intern at that FAANG company, Apple should probably sue me, not the FAANG.


No, the FAANG is on the hook.

I know this, because I did exactly that, and was given a right good talkin’ to, by our General Counsel.

If anything lawsuit-worthy had come from it, then I suspect that I would have gotten more than just a lecture.


Probably, there are shades of grey in this sort of thing, but that’s usually for low-level employees agreeing to stuff wildly out of their responsibilities. For engineers agreeing to the EULA for a service that they use as part of their job, the court will probably agree that is sufficient for this lawsuit, even if NSO has policies that notionally should have prevented the engineers from agreeing to the EULA.

Also, if they weren’t, then NSO presumably violated the Computer Fraud and Abuse Act by accessing Apple’s services and systems without prior permission. Maybe that nixes Apple’s jurisdiction argument for this lawsuit, but Apple can also sue for criminal damages, and is presumably entitled to do so in their home jurisdiction since that’s where they exist and so that’s where they suffered the damages. And I think Apple notes this also in the lawsuit.


So they used iCloud to spy on NSO?

Sounds not right, regardless of what you think of NSO's actions.


No.

The information on fake accounts was passed to Apple by Citizen Lab, which discovered the zero click vulnerability.


The framing of NSO as "state-sponsored" cannot be overstated, and Apple didn't miss the chance to do just that.

A hard blow to Israel's policy just as much as it is to NSO itself.


One could interpret this as meaning the software is "sponsored" by the governments that finance their operations and purchase their products. This would be countries like Saudi Arabia, Mexico, Germany, and Kazakhstan, not necessarily Israel.

Though the fact the US has sanctioned an Israeli business does seem to have potential implications on Israeli policy. [1]

[1] https://www.reuters.com/technology/us-blacklists-four-compan...


Beyond merely selling their products to Israel, the NSO Group itself is an Israeli firm, founded by ex-Israeli intelligence, and whose products are subject to Israeli national export controls.

https://en.wikipedia.org/wiki/NSO_Group

That's a level of sponsorship way beyond simply being a customer... that's state espionage served with a side of profit. It's evil when the USA does it, it's evil when the Russians do it, it's evil when China does it, it's evil when Israel does it... but nobody does anything about it because all those states would prefer strong surveillance rather than rights for activists and journalists.


Further to this, there has been some recent coverage in the Israeli press about the strong relationship between NSO Group and the Israeli government. The government used NSO and its products as a lure to the Gulf states to bring them on-side as a wedge against Iran.

https://www.haaretz.com/middle-east-news/.premium-with-israe...

> NSO is one of the most active Israeli companies in the Gulf, and its Pegasus 3 software permits law enforcement authorities to hack into cellphones, copy their contents and sometimes even to control their camera and audio recording capabilities

> Israel put NSO in touch with Arab states in the region, and Israeli representatives even took part in marketing meetings between intelligence officials in the Arab states and NSO executives. Some of the meetings were held in Israel.

Further reading on just how intertwined NSO group was with the government:

https://www.haaretz.com/israel-news/.premium.HIGHLIGHT-israe...


> Israeli national export controls

A crash course in Israeli national export control:

1. You can sell everything except for nuclear tech (and maybe even that, I don't know).

2. If the client is not officially an enemy of Israel then do whatever you want, we don't give an f'ing f'.

3. If the client _is_ officially an enemy of Israel, then all sales must be conducted through official (secret) state channels. Independent side-action will not be tolerated (see the cases of Nahum Manbar or Shim'on Sheves). This might be a hassle, but the upside is that the courts will uphold complete secrecy of your affairs and the military censorship (yes, Israel has that) will likely prevent any nasty exposés.

4. If the US throws a tantrum, then sections (1.) and (2.) are abrogated. But don't worry: there are plenty of generals and other high-ranking retired officers in key positions in politics, and a bunch of us are wanted for war crimes anyways with ICC cases pending, so... we're all friends here and we got your back.


Are you sure about that? The English translation of the export control law seems to imply that companies exporting defense equipment must have a license and that that license can be revoked whenever for almost whatever reason: http://www.exportctrl.mod.gov.il/Documents/%D7%97%D7%95%D7%A... I may be misunderstanding it though.

Is that so much different than how the U.S. operates, other than that Israel is really fun to demonize? The U.S. arms whoever it wants to arm, Europe as well. So selling F-15s is cool but cyber hacks aren't. Got it.

The main differences from the US as I see them:

* Less effective government control of the press (although that seems to be tightening up in recent years).

* Less use of secrecy, i.e. more of the sales happen in the open.

* The US has more enemies which it actually doesn't sell to.

* No outside boss country to prevent the US from doing what it wants.


So morally there is no difference, there are only some technical differences.

There's definitely parallels to be drawn between the Israeli and the American conservative/right-wing/militant nationalist elements. Both countries operate as global bullies, using military force to subjugate externally and propaganda and fear of replacement to subjugate internally, heavily enhanced by the use of technology.

They both have this old-guard mentality of "might makes right" hegemony, which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview that favors the pipe dream of peaceful multilateral democracies. I count myself as someone who dislikes this approach.

Whether it's planes or surveillance tech or reactor malware doesn't really matter, all just ammunition for their goals.

Israel at least has a survival need; it learned the (very) hard way that it has many enemies constantly seeking to destroy it. It's an us-or-them mentality hardened by centuries of oppression and decades of war.

America... now that's much harder to find an excuse for. And arguably we've spent all our resources on attacking Muslim scapegoats while China leapfrogs us. But hey, I don't make global policy, I just comment on it on the internet.


> They both have this old-guard mentality of "might makes right" hegemony, which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview that favors the pipe dream of peaceful multilateral democracies.

At least you are honest enough to say it's a pipe dream. It really is. The world is pretty brutal and liberal democracy is a value shared by a minority of humanity. If liberal democracy wants to survive it sometimes has to defend itself. The minimum it needs is an army to protect its people. Does that absolve the U.S. or Israel from every arms sale they do? Probably not. But it's a broad context we need to understand when we talk about this issue.

> which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview

I understand that's the liberal and progressive thing to say. But if you really think about it, it reeks of hypocrisy. The "progressive" countries (who are they exactly?) like Canada, Sweden, Australia etc. all need the U.S. to protect them. They wouldn't want the U.S. to go away, not in a million years.


> The world is pretty brutal and liberal democracy is a value shared by a minority of humanity. If liberal democracy wants to survive it sometimes has to defend itself. The minimum it needs is an army to protect its people.

Yes, I agree to a large extent. Most of the world's strong extant states were forged in war (or are quasi-vassal states of one which was). We didn't get here by being nice to each other. A strong defensive military is something I think every state would be wise to have, so long as human nature remains what it is... we're not wizened philosopher-kings, more just horny, hungry apes.

The distinction I draw is in foreign interference in matters that do not directly threaten us. I would rather see us resign from our role as world police/bully and focus more on domestic affairs, severely scaling back our force projection abilities (namely, carrier groups whose homeland defense uses are limited). I don't believe in this idea that "the only way to protect ourselves is to shape the world in our image, and forcibly subjugate those who will not willingly convert". Yes, there are shitty dictators out there, there is real evil in the world, but we're no angels and we've done a really shitty job of trying to make other countries better (with limited exceptions, like post-WW2 Japan and Germany).

The thing is, sustainable peace through militant nationalism is also a pipe dream. It's never stable for long and it creates vast power differentials that breed discontent and violence; eventually it bleeds back over to us. I'd bet, measured across a few decades, our forays in Afghanistan and Iraq will create more terrorists than we've actually stopped... our administrations think in 4-8 year terms, not 20+, incurring foreign policy debts that later generations will have to try to pay off in an increasingly unstable world compounded by not just virally-amplified ideologies but also skyrocketing inequality and climate change. There is no military force that can keep an unstable, discontent world of ~8 billion apes in check for long.

Absent either a world dictatorship or peaceful multilateral democracies, I'd settle for regional hegemonies and old-school spheres of influence instead... we stay out of China's way, they stay out of ours, we trade peacefully. That means some nations will fall, whether it's Israel (possible, but unlikely?) or Taiwan (probably), Ukraine, etc. Sucks for those countries, but by % of world population, I believe that will result in greater overall peace and prosperity.

Shrug. It's all pipe dreams. Always has been. Some of us just have bigger pipes, I guess.


> which a lot of other countries (and some portion of their populations) don't like because it's broadly incompatible with a human-rights centered worldview

>> I understand that's the liberal and progressive thing to say. But if you really think about it, it reeks from hypocrisy. The "progressive" countries (who are they exactly?) like Canada, Sweden, Australia etc all need the U.S to protect them. They wouldn't want the U.S to go away, not in a million years.

Yeah, even as a self-identified progressive, I unfortunately still mostly agree with you. Most of the liberals/progressives I've discussed foreign affairs with seem to have a pretty limited understanding of (or even interest in) military history. Not that I'm an expert by any stretch, but I do worry that they naively see the world as an unreasonably safe place. I don't think it is.

The American progressive strong suit is in domestic affairs -- leftist populism, basically -- not military strategy or even foreign policy at large.

Broadly, I suppose I believe in big hugs for my fellow citizens, big talks with our competitors, and big guns for our enemies (but we sure as heck shouldn't shoot first).

> Canada, Sweden, Australia etc all need the U.S to protect them

Y'know, Trump wasn't right about much, but maybe NATO really ought to pay its fair share in regional defense. Our forces are so disproportionate that NATO is less like an alliance and more like a protectorate. It can't just forever be "the Western world will fall apart absent American carriers"... if for no other reason than hypersonic missiles. We cemented global hegemon status in the post-WW2 years, but it's not a responsibility we should have to single-handedly carry into the indefinite future. If our allies need to build up their defenses, maybe we could encourage them by gradually bringing ours home. And if we have fewer foreign expeditions, cool, maybe we'd make fewer enemies.

In other words, I think our military should be strong enough to defend against homeland invasions and provide limited support to our allies, but not so strong that it runs the entire world's geosecurity. Somewhere in between is the question of what to do about Eurasia and specifically China... ideally we'd find some Cold-War like balance of mutually assured destruction, with neither side really wanting a hot war. Even better would be if we just cooperated economically with them and worked together on climate change, and let them run their social experiment while we run ours. We need to stop thinking we can singlehandedly liberate the world from oppression, or bring light to darkness, or whatever. We're just another country with big guns and small hearts... there have been many through history, none of which ended particularly well.


> Israel at least has a survival need;

Every state has a "survival need".

> it learned the (very) hard way that it has many enemies constantly seeking to destroy it.

While that might be true at the level of people in the Arab East, as far as states are concerned, that isn't actually the case. Unfortunately, repressive governments in Jordan, Egypt and elsewhere are supportive of Israel; and Lebanon and Syria are effectively quiescent long-term.

And that's despite Israel's best efforts to trigger enmity...

> It's an us-or-them mentality hardened by centuries of oppression and decades of war.

Israel has only existed for 73 years. And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign. It's only the Gulf War in which Israel was "just attacked" (by Scud rockets from Iraq).


This is not relevant to the subject, and full of lies. @dang -- clean up the thread

"@dang" doesn't do anything special. The most reliable way to reach the mods is to email them using the Contact link in the footer.

> And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign. It's only the gulf war in which Israeli was "just attacked" (by Scud rockets from Iraq).

That's a very naive way to look at things; I really doubt you bothered looking into it deeply. Israel had little choice but to go to the 1967 war: Egypt was preparing for war both rhetorically and in action (blockade of the Straits of Tiran among others). If you actually care about history and read about that period you'd understand Israel felt it was facing an existential threat. Was it the case? We don't really know. There was a good chance Egypt would have started invading. I agree that Arab states tend to sometimes speak a lot (even threatening genocide) without doing much, but Israel couldn't really know.


> Unfortunately, repressive governments in Jordan, Egypt and elsewhere are supportive of Israel; and Lebanon and Syria are effectively quiescent long-term.

IMO that's the direct result of Israel being strong militarily, a reluctant status quo arrived at by the immense competence of the IDF. Earlier in history much of the Arab world would've much preferred Israel to not have existed at all. The Israelis had to carve out a niche for themselves through sheer force of will (and firepower).

> And - it directly started most of the wars it fought; and one other was an attack to reclaim land occupied by a previous Israeli campaign.

I don't think that's a very fair framing of the situation. I despise Israeli militancy, and I feel sorry for the Palestinians, and I wish we wouldn't support Israel's efforts to displace them... but that land has been contested since biblical times.

For many centuries the Jews lacked a proper homeland, and that did not at all end well for them. Most of the world's population lives on stolen or conquered land. Who "originally" owned the now-contested area isn't really relevant; both sides claim it as their ancestral homeland (and both sides are partially right, as far as I can tell as an outsider). More importantly, both sides live there now, regardless of who got there "first".

If Israel gave up arms, it would cease to exist within the week. If Israel did not so strongly defend itself, as in the Six-Day War, it would almost certainly have ceased to exist by now. Some of the Arab world tolerates Israel and may make tactical decisions to cooperate with them on limited bases. But that is a very far cry from outright accepting them as a friendly neighbor, E.U. style. Israel's survival needs are unlike those of most other developed nations in the world, who are largely surrounded by stable neighbors... it's comparable maybe only to Taiwan, Ukraine, South Korea, and other situations facing immediate volatility.

This isn't to excuse (what I consider) the excessive use of force on the Israeli part, but it's the excessive that I take issue with. If they didn't use force at all (or at least threaten to and actually have the capacity for), they really wouldn't exist for very long... history has shown that time and time again, and it's the very reason Israel was founded as such. They have been challenged, life-or-death style, in a way that very few other countries have been or foreseeably will be. If the USA lost a war, maybe we'd fail to accomplish some geopolitical objective... but it's unlikely the country would simply disappear altogether. If Israel lost a war, it's the next Holocaust.


Every Israeli citizen, except religious extremists, serves in the IDF or equivalent; if you look useful to the intelligence apparatus, that's where you'll end up.

You literally cannot find an Israeli company that isn't founded, run, and staffed by people with military or intelligence links, unless you're only dealing with religious extremists.


A bit more nuanced; Israeli Arab Muslims (besides Bedouins) and Arab Christians don't go to the army besides some very small number of volunteers. Bedouins are a special case but I think going to the army isn't as prevalent with them as it used to be. Druze all go to the army but they are not Muslim and don't see themselves as connected to the Palestinians.

Valid point - I was primarily talking to Israeli Jewish citizens from that perspective.

Not sure that makes it any better.

It makes it a nothingburger. Your Israeli barista has past involvement with the security forces. In and of itself it's basically a meaningless statement.

Yeah, an intelligence firm founded by ex intelligence is absolutely a coincidence. There's no chance they would use their skills or connections in their new firm.

The very Wikipedia article you linked to says that the NSO Group is owned by "Novalpina Capital". They describe themselves this way:

> Novalpina Capital is an independent European private equity firm that focuses on making control equity investments in middle market companies throughout the continent. Novalpina Capital has a solution-orientated, entrepreneurial approach to investing and creating value in its portfolio companies.

> Novalpina Capital was established by Stephen Peel, Stefan Kowski and Bastian Lueken in 2017. The Founding Partners bring combined experience of 48 years in private equity investing, including senior positions in the European operations of leading global private equity investment firms, and have a shared history of working together for nearly a decade.


Capital may be liquid, but staff nationalities, values, ideals, and goals...not so much.

This isn't some far-flung conspiracy about dark forces puppeteering seemingly innocent companies. It's just people valuing profit over concern for human rights. It's a surveillance firm, what would you expect? What would be a benevolent use of this technology even be?


None of this seems like 'sponsorship' to me, it seems more like 'restriction' or 'regulation'. 'Sponsorship' implies that someone is providing a level of funding beyond just being a paying customer. Is there any evidence that the government of Israel (or any of the other governments you mention) is actually providing loans or share capital to NSO Group?

The dictionary defines it more broadly than just money, i.e. support, advice, etc.

In this case it is clear that the Israeli government is sponsoring NSO.


My brother has a Vans sponsorship. He gets shirts and shoes, not money ;)

You get my point?


I agree that the word 'sponsorship' has been quite diluted, as you point out, but it should mean something more than 'be a customer of'. Do I sponsor my local sports team when I buy tickets to a game? Am I sponsoring Netflix by subscribing? Do I sponsor my local government by paying property taxes? On the flip side, does my government sponsor me by granting a driver's license?

I get bothered by the use of the term "nation-state" in this context.

And I thought I was pedantic.


> I get bothered by the use of the term "nation-state" in this context.

> And I thought I was pedantic.

I don't think I'm being pedantic, it seems like people use the word 'sponsor' in these contexts to exaggerate and vilify.

Nobody seems to have used the word 'nation-state' in this post; what made you think of it?


It's used throughout the comments and the topic generally. I don't call it out (for meaning a state with borders aligned with an ethnicity) because I get the point being made.

As for sponsorship, states sponsor their industries by providing labor trained at public expense, promoting them abroad through trade agreements, access to trade representation etc. so there is the technical definition of sponsorship met.

The revolving door between Unit 8200 and surveillance startups is documented as is Israel's courting of KSA and the UAE with access to intelligence sharing and capabilities as a bargaining chip. And why wouldn't they? It's good for the state and its industry. Just sucks for everyone else.

The definition of sponsorship doesn't matter when it is met in every sense of the word.


> Just sucks for everyone else

Not necessarily. I assume you mean it fortifies despot regimes in the Middle East right? I no longer think at this time there is any sane alternative.


Because that's worked out so well until now. So may as well make a little cash on the side of it, eh?

Do you think the path to end tyranny was so smooth in developed countries? Think back through Western revolutionary history and now immediately forget the name of every leader the moment you think of them - because that's what's happening, right now, in these countries at this exact stage of their political development. The technology now exists to make effective popular resistance impossible. Every possible rebellion strangled at birth. Every potential leader, every sympathetic journalist, religious or opposition figure, immediately identified, located and silenced.

And apparently that's worth a comfortable 6 figure salary to a lot of engineers and managers in comfortable, developed countries.

Do you really think you'd be in the position you're in if your ancestors never had the chance to remove their despotic king/emperor/dear leader? If you don't think it would be another North Korea, maybe it's because of some ahistorical belief that your culture is inherently more civilised. So you probably don't see the racism that's implicit in your statement.

From my experience in the Middle East, seeing people march for an end to corruption, for justice, for a chance for their kids, I realise I hardly know anyone back home as brave, as prepared to risk everything for their political and civil rights. They aren't marching for another ruler. They deserve a chance.

So fuck NSO and its deplorable staff.


I don't care about NSO at all, they can shut down tomorrow for all I care. I'm just saying if the alternative is between something like the Islamic Revolution of Iran and the Muslim Brotherhood type movements - to something like the military regime Egypt has now or whatever the Saudis came up with, I take the latter. What you said about resistance being impossible - it won't get any better under a radical Islamic rule as we are seeing in Iran. All I am saying is it can get way worse. It CAN become North Korea. What we have now in several areas there may be the best we can get for now. And a big part of how I feel about this is about self survival - the Iranian regime hates the West (and especially the U.S but not only) in very deep ways that Saudi Arabia/UAE/Egypt/etc do not. That's how it is. As long as it is what it is, selling stuff to Saudi Arabia doesn't sound super terrible.

They don't just use sales to oppose the Muslim Brotherhood! They are bombing innocent Yemenis who have ZERO connection to Iran. They backed Salafis, like Al-Qaeda, for decades (forgotten about those guys?). They use them to jail journalists for reporting on corruption, women's rights activists for driving. People just trying to make their countries a bit better.

You say "if the alternative is between...", and then proceed to just accept the false choice that it's either tyranny or anarchy, using that reasoning to give a pass to the scum making a buck from some of the most disgusting regimes on the planet. Western countries took generations of incremental improvements to arrive here, all while tyrants always used that argument to try to stay on top.

You're uncritically buying the line that Iran or the Muslim Brotherhood are the worst (which could be argued) but the other less so, because they are on "our side". If you prioritise human rights, that lives on both sides are equally valuable (and I suspect from this thread that you don't) then such a distinction is meaningless.

It's a fear-driven siege mentality and terribly short sighted to think that in the region that brought us Gadhafi, Saddam, Daesh and the Mujahaddin, somehow KSA, Egypt or the UAE will magically always align with however your interests evolve.

Thanks to NSO they ARE a step closer to North Korea and destabilising the region in the long term with repression and misery. But you're only interested in short term outcomes for Israel/Western countries, kicking the can down the road when the consequences of such sales will have unknown impacts for decades.

After seeing how it's played out, it's just exhausting to see this kind of mentality after all these years, lost lives and lessons apparently unlearned. Along with greed, this mentality is why the mercenary surveillance industry exists. For the sake of everyone's kids both need to end.


> They are bombing innocent Yemenis who have ZERO connection to Iran

The Houthis are an extremely well armed group supported by Iran, please read about the topic, you are uninformed. I am not saying what's going on there isn't tragic but it's far from "good guys vs bad guys". Iran had a role in what happened in Yemen as it had a role in what happened in Syria. Saudi Arabia is as far from liberalism as Iran, I acknowledge that. But they have much less of a will to export "the revolution" to other places - unlike Iran. They kinda mind their own business most of the time.

> You're uncritically buying the line that Iran or the Muslim Brotherhood are the worst (which could be argued) but the other less so, because they are on "our side".

You are being uncritical as well. If you have any info that suggests otherwise you can share it, otherwise don't just contradict me and call me uncritical.

> If you prioritise human rights, that lives on both sides are equally valuable

I prioritise human rights within reason. Since the Arab Spring we've seen the whole area can in fact get much worse for humans very quickly. "Democratizing" a place like Egypt probably means bringing a hostile (to the West and to freedom in general) Islamic Caliphate of some sort, which I don't like.


the NSO Group itself is an Israeli firm, founded by ex-Israeli intelligence, and whose products are subject to Israeli national export controls.

All this means is that the NSO Group is an Israeli company staffed by Israeli citizens. I don't know what export controls have to do with anything since those apply to categories of products, regardless of whether or not you have business with the Israeli government.


It's a little disingenuous to suggest that an intelligence firm founded by state intelligence officers is just another "Israeli company staffed by Israeli citizens", as though it were a street-corner restaurant. Other threads here have mentioned the close ties between that company and the government. Is this really controversial? Who else would a hardcore surveillance company's primary customers be..? Cheating spouses?

Export controls mean, one, that the product they're selling is likely a concern of national security, unlike, say, your average lockpick kit or GPS tracker. Two, it means the state gets to selectively pick and choose who it shares this technology with, using it as a tool of statecraft/diplomacy/subterfuge/sabotage. It's a recognition of the value of the technology, along with a desire to limit its availability to Israel's enemies.

NSO's own website says "NSO Group, develops best-in-class technology to help government agencies detect and prevent a wide-range of local and global threats." It wouldn't exist if not for state sponsorship.


> It's a little disingenuous to suggest that an intelligence firm founded by state intelligence officers is just another "Israeli company staffed by Israeli citizens", as though it were a street-corner restaurant. Other threads here have mentioned the close ties between that company and the government.

I have no problem believing that Israel "sponsors" them, but your justifications are baseless. Ex-intelligence officers are not government officials, they are civilians. And government contracts don't imply "sponsorship" in the usual sense, e.g. a landscaping company would not be said to be "state-sponsored" just because they are contracted to work around a government property.

You, and Apple, have to demonstrate how Israel materially supports the NSO Group outside of usual business practices.

> Export controls means, one, that the product they're selling is likely a concern of national security, unlike, say, your average lockpick kit or GPS tracker.

GPS devices of almost any kind are subject to ITAR/EAR in the USA. It is extremely easy to run afoul of weapons export controls and there is quite a large market for ITAR-free products. It means extraordinarily little if a product is subject to these types of controls.


> I have no problem believing that Israel "sponsors" them, but your justifications are baseless. Ex-intelligence officers are not government officials, they are civilians. And government contracts don't imply "sponsorship" in the usual sense, e.g. a landscaping company would not be said to be "state-sponsored" just because they are contracted to work around a government property.

I am no longer sure what we're arguing about. Is it the meaning of the word "sponsor"? That's not my word choice, that was just what the OP used and I mirrored it.

I think the bigger point is that states (no matter WHICH state) are funding private companies to surveil citizens in a way that genuinely threatens what few civil rights they have left.

Secondarily, are we arguing about the degree of connection between NSO, the company, and the State of Israel? If so, I used "sponsorship" in the revolving door sense, as in intimate relationships between the staff and government officials, not entirely unlike the US and Blackwater/Xe/Academi or Halliburton or Diebold/Premier. The discomfort there is not just in the amount of dollars exchanged, but in the offloading of legal and criminal responsibility to what is essentially a front company used to do the dirty work of the state. Outsourced oppression.

> GPS devices of almost any kind are subject to ITAR/EAR in the USA. It is extremely easy to run afoul of weapons export controls and there is quite a large market for ITAR-free products. It means extraordinarily little if a product is subject to these type of controls.

OK, without looking this up, I'll take your word for it and I stand corrected. Sorry for the mistake about GPS. But that's really a technicality. Surveillance tech of this sort IS a weapon, capable of suppressing not just external enemies but internal citizens, especially if it falls into the hands of nations participating in "Five Eyes"-style surveillance exchanges of each other's citizens. And this in particular is a lot more dangerous than a GPS receiver. And unlike GPS, it has no real "benevolent" civilian purpose. Its primary (only?) customers are oppressive states.

Sorry if this wasn't clear -- I thought it was implied -- but the worry behind the state-private connection here is that this company is getting the kind of resources (and thus effectiveness) that only states can provide, thus making it a dangerous tool. Another implied fear is that the NSO group can also get special extrajudicial treatment because of their usefulness and close connections to the Israeli state, and thus risk breaking checks and balances in a way that a landscaping company would simply not.

I feel like we're running circles around semantics here. Am I fundamentally misunderstanding your argument?


Export controls of weapons, not simply customs laws. Every NSO group contract needs Israeli government approval similar to how Lockheed Martin cannot simply sell weapons to any country.

NSO would not sell to those countries if the regional interests of Saudi /UAE were unaligned with the Israeli desires for the regions. Israel wants dictatorships throughout the Arabian peninsula and turmoil within the borders of all of its neighbors. The NSO software helps advance Israeli interests on both those fronts.

The framing is "abuse" of state-sponsored spyware, not necessarily spyware in-and-of itself. As seen with PRISM, Apple has no problem putting state-sponsored spyware on millions of phones, so long as they (or the US government) don't consider it "abuse".

NSO is pretty well covered by Darknet Diaries:

https://darknetdiaries.com/episode/99/

https://darknetdiaries.com/episode/100/

I have no sympathy for NSO.


I think the most important part of this announcement (I cried genuine tears of joy when I read it) is that Apple is committing to give Citizen Lab whatever they need. That kind of internal access to Apple's people and infrastructure is tremendous.

I've never heard anyone but a despot (or vendor to despots) claim anything untoward about Citizen Lab, it sure seems like they're genuine "good" folks. They do great work, and they'll do better with support and access. The announcement makes it sound like Apple is willing to offer similar support to other good actors. I imagine Apple putting the word out will yield a few more.

It raises - again - the question of what we expect from big companies vs governments, and questions of sovereignty. Where's the line between supporting good work and cyber vigilantes (if it's not a thing today, it will be, and what will society's place be with respect to them)?


I guess I am getting cynical. What is the context that triggered Apple to sue them now, and not any time before?

And what if NSO Group closed the branch in the US? I assume you can't really do anything to an Israeli company.

Because half of it reads a lot like a PR piece to me. And Apple easily gets the marketing message response they wanted. They are fighting "State Sponsored" spyware. The privacy message they are sending out (fighting on behalf of their users), in the midst of a worldwide App Store battle and Anti-Trust.

And I am willing to bet this message will be used in their future PR message when they discuss it in Anti-Trust to gain public support.


> What is the context that triggered Apple to sue them now, and not any time before?

Apparently Facebook has a similar suit against NSO and just had a significant ruling go their way. NSO had claimed they were immune since they were acting as a foreign government agent.

I’m guessing Apple was waiting to see how that ruling went before proceeding, since if NSO had won Apple would have to take a completely different approach.


They even went ahead and compared their platform’s security with android in the same piece. Like jeez, find a place and time to do that Apple.

NSO Group and any organization who does business with them should be placed on the OFAC list.

*Apple VP of SW Engineering: "Apple devices are the most secure consumer hardware on the market"*

... except for how Apple sends a copy of all of your data that passes through their servers to the NSA. No, I'm not espousing a conspiracy theory, this has been brought to light by Edward Snowden's revelations. Now, we don't know how much of the data on Apple phones gets sent to Apple's servers, so it's not literally everything on your phone, but at least everything that's backed up remotely, and possibly more.

So, pot calling the kettle black.

---

*"to curb the abuse of state-sponsored spyware"*

Note that Apple is not saying "to prevent", only "to curb". But even worse than that, they're saying "curb abuse", not "curb use", as though that type of state spying is not inherently abusive.

---

*"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,"*

Apple has a larger R&D budget than most world states. In fact, Apple themselves probably spend more money on sophisticated surveillance technologies than half the world's states combined. Certainly if we count things like dynamic image analysis from all those cameras on phones and cars and such. Why is it an unaccountable foreign corporation better than a government? They're both pretty bad.


Let's see the big picture: It's not only about spyware, it's about a vast range of malicious tools used for targeting human rights activists around the world, at first through spyware and other malicious software, but if needed, physically harming them. It is actually part of the Israeli state-sponsored terrorism around the world. Other dictatorships like Saudi Arabia also use their tools. Brutally killing Jamal Khashoggi was one of the instances.

> It is actually part of the Israeli state-sponsored terrorism around the world

Care to explain what you mean? When the U.S sells arms by the billions to despot regimes is it also state-sponsored terrorism around the world? Or just when Israel sells a cyber app you call it that?


> When the U.S sells arms by the billions to despot regimes is it also state-sponsored terrorism around the world?

Yeah



As an Israeli, NSO is deeply embarrassing. I do not understand why this is allowed to continue.

There is a lot of money in NSO Group. I'm not really surprised they're being given the green light, especially by the government.

Thank you for sharing. Even though I'm not Israeli or Jewish and I speak about someone else's country, I support your idea and provide these arguments in favor:

Yes I also believe that financing NSO goes against the founding principles of Israel. NSO Pegasus was used by the Hungarian secret service to spy on journalists. https://www.theguardian.com/news/2021/jul/18/viktor-orban-us...

Orban, the prime minister of Hungary, is turning more authoritarian by the day.

Hungary displayed plenty of antisemitism well before the Nazi German occupation in 1944: https://www.ushmm.org/information/exhibitions/online-exhibit...

I'm not an Israeli and I'm not Jewish but if I was I would most certainly be even more opposed to selling cyber weapons to authoritarian governments, especially the ones whose authoritarian regimes of the past contributed to the Holocaust.


Link to the docket (including complaint) for those interested: https://www.courtlistener.com/docket/61570971/apple-inc-v-ns...

I am interested to see what evidence ends up on the public record.

Apple sues NSO Group to curb the abuse of state-sponsored spyware

I'm quite cynical about this press release. The key point in the title is that Apple are cool with state-sponsored spyware, it's just abuse of it that bothers them. Also why did they wait so long to file this. I don't think it's because they lacked evidence until now. Perhaps they think such a lawsuit is now expected of them otherwise they will lose face, and that they have the general backing of the public now. I remember some months ago it was shown that Apple already had grounds to sue for copyright infringement. Either way, Apple is stepping into a political minefield. Buy popcorn and expect fireworks. Big ones.


We need to target the pos engineers and management at NSO, Finfisher, Hacking Group etc. who sell their souls for a fast buck. These pricks are likely already setting up the next corporate front for when this one collapses. Let's make the mercenary business a cripplingly expensive line of work.

"target them"? What are you proposing?

An often cited rule on HN is that you should assume the most charitable interpretation... Parent might be suggesting that those that make money on NSO Group's spyware should be treated in the same way that we treat others that make money on deeply immoral or illegal businesses. E.g. it is not illegal to optimize online casinos to suck money out of gambling addicts, but many of us think that it is immoral.

Firstly, chill. Secondly, focus attention on them so they feel the legal, civil and reputational consequences (in line with the theme of this entire post) of their career choices. Draining a disgusting industry of expertise that it couldn't exist without.

They made their choices. Their victims had none.


Ban them and their immediate family from everywhere: iCloud, Google, Instagram, Github, Cloudflare, Spotify, Steam, etc.

Make them explain to their kids that they can't play games on Xbox or listen to music on Spotify because their daddy is a terrorist.


Terrorist? Really? I think one can argue that they've likely saved many, many lives.

Whose?

They support oppressive regimes with their products and services, thereby suppressing public revolts and preempting civil wars that doubtlessly would claim the lives of many. Very noble of them. /S

The U.S supports the same regimes. The U.S made huge weapons deals with UAE, Saudi Arabia and more. Selling actual fighter jets that destroy thousands of people, not some cyber app.

Ideas can cost and save lives too.

So what about some other asshole? Come back when you have an argument.


please

Based on context, and the phrase "expensive", I assume they mean they want prosecution/legal action against the individual engineers and management. Not threatening.

Wouldn't it be better to target the one outfit (NSO), and not its workers? Then again, I suppose the workers would set up another underground business to do the same thing, with the same exploits, and the same people. What is the solution for this?

The solution is go after its staff.

For governments, standard CT/AML financial intelligence: identify employees, shareholders/UBOs and add them and subsequent companies they start to the various watchlists/blacklists. For the public: open source intelligence, post info on forums, name and shame etc.


Strongly-worded emails written by mediocre AI.
