An opening for Apple’s lawsuit emerged in March after NSO’s Pegasus spyware was discovered on a Saudi activist’s iPhone. Citizen Lab discovered that NSO’s Pegasus spyware had infected the iPhone without so much as a click. The spyware can invisibly infect iPhones, Mac computers, and Apple Watches and then transfer their data back to government servers without the target knowing.
Citizen Lab called the zero-click infection scheme “Mandatory Login” and forwarded a sample to Apple in September. The discovery forced Apple to release urgent software updates for its iPhones, iPads, Apple Watches and Mac computers.
The Pegasus sample has given Apple a forensic understanding of how Pegasus works. The company found that NSO engineers had created more than 100 fake Apple IDs to carry out their attack. In the process of creating these accounts, NSO engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require iCloud users’ relationship with Apple to be “subject to the laws of the state of California.”
The clause helped Apple file a lawsuit against NSO in the Northern District of California.
“This was a clear violation of our terms of service and our customers’ privacy,” said Heather Grenier, Apple’s senior director of commercial litigation. “This is our stake in the field to send a clear signal to our users that we will not allow such abuse.”
After filing its lawsuit Tuesday, Apple said it would offer free technical, threat intelligence, and engineering assistance to Citizen Lab and other organizations engaged in eliminating digital surveillance. Apple also said it will donate $10 million, and any damages, to these organizations.
Digital rights experts said Apple’s lawsuit threatened NSO’s survival. “NSO is now poison,” said Ron Deibert, director of Citizen Lab. “No one in their right mind would want to touch that company. But it’s not just a company, it’s an industry-wide issue.”
He added that the lawsuit could be a step towards greater scrutiny of the unregulated spyware industry.
“Steps like this are helpful but incomplete,” said Mr Deibert. “We need more action by governments.”