Case Summary and Outcome

The United States District Court for the Northern District of California held that the lawsuit filed by WhatsApp and its parent company Facebook may proceed against the Israeli mobile surveillance software company, NSO Group. The complaint asserted that spyware developed by NSO Group had been used to infect 1,400 mobile devices, enabling the surveillance of the communications of a targeted group of WhatsApp users. The Court rejected the defendants’ argument that they had a limited role in the surveillance of the plaintiff’s users. Rather, the Court held that NSO Group “retained some role” in the operation of their “Pegasus” spyware, “even if it was at the direction of their customers.” [p. 19] Accordingly, the Court denied the defendants’ motion to dismiss the plaintiffs’ complaint in all but one cause of action, concerning trespass to movable personal property. The Court also denied the defendants’ motion to delay discovery, enabling the disclosure of documents and records concerning NSOs practices in anticipation of future litigation. 

---

Facts

The plaintiffs in this case are WhatsApp Inc., the encrypted telecommunications service, and their parent company, Facebook, Inc., the social networking website. Both plaintiffs are based in Menlo Park, California. The defendants are NSO Group Technologies Ltd., an Israeli limited liability company and Q Cyber Technologies Ltd., an Israeli corporation and the majority shareholder in NSO Group. It is alleged that the defendants manufacture, distribute, and operte mobile surveillance technology.

The plaintiffs claim that, between April 2019 and May 2019, the defendants used WhatsApp servers, partially located in the United States, to send malware to approximately 1,400 WhatsApp users’ mobile phones and devices. Once the devices had been infected, the malware, known as “Pegasus”, was designed to facilitate the surveillance of particular WhatsApp users. These users include at least one hundred human rights defenders, journalists, and other members of civil society operating across the globe. 

On May 13, 2019, Facebook announced that it had investigated and closed the vulnerability exposed by the defendants. The defendants’ technology allegedly sought to circumvent WhatsApp’s end-to-end encryption in order to gain remote access and control of information, including calls, messages, and locations, on users’ mobile devices. The defendants’ business operated by licensing Pegasus and selling their support service to customers for installation, monitoring, training and technical support. The plaintiffs claim that the defendants’ action was not authorized by WhatsApp and was in violation of their Terms of Service. 

On October 29, 2019, the plaintiffs filed their complaint, demanding permanent injunctive relief to block the defendants from accessing their computer system and seeking damages. The complaint filed by the plaintiffs alleges four causes of action: that the defendants (1) violated the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; (2) violated the California Comprehensive Computer Data Access and Fraud Act, § 502; (3) breached their contracts with WhatsApp; and (4) wrongfully trespassed on the plaintiffs’ property. 

The defendants deny the plaintiffs’ allegations. NSO Group argues that the sole purpose of their technology is to enable governments and law enforcements to fight “terrorism and serious crime”, facilitated by WhatsApp’s encryption service. 

---

Decision Overview

District Judge Phyllis J. Hamilton delivered the opinion of the U.S. District Court of the Northern District of California. 

The matter before the Court was whether or not to grant the defendants’ motion to dismiss the complaint filed by the plaintiffs, WhatsApp and Facebook. In her assessment of the background of the case, Justice Hamilton acknowledged that the facts regarding the transmission of malware via WhatsApp’s servers were not disputed. Rather, the primary issue centered around the question of whether NSO Group’s “foreign sovereign customers” were solely responsible, or the defendants themselves.

The plaintiffs submitted four causes of action; firstly, that the defendants violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 by knowingly accessing WhatsApp’s servers without authorization and with the intent to obtain something of value. Secondly, the plaintiffs claim that the defendants violated the California Comprehensive Computer Data Access and Fraud Act (CFAA), California Penal Code § 502, by using the plaintiffs’ network in order to defraud and wrongfully obtain money. Thirdly, the plaintiffs allege that the defendants had committed a breach of contract of WhatsApp’s Terms of Service, causing injury to the plaintiffs. The final cause of action alleges a trespass to chattels (movable personal property) due to the defendants’ interference with the plaintiffs’ computer systems intentionally and without authorization.  The plaintiffs requested that the Court grant a permanent injunction “restraining defendants and their agents, servants, employees, successors, and assigns” from a range of conduct, including accessing Whatsapp and Facebook’s computer systems.  [p. 33] The plaintiffs further sought damages, including compensatory, statutory and punitive damages. 

The Court considered four Federal Rules of Civil Procedure under which a federal court may dismiss an action: (1) Rule 12(b)(1) regarding subject matter jurisdiction; (2) Rule 12(b)(2) regarding personal jurisdiction; (3) Rule 12(b)(7) regarding the failure to join necessary parties; and (4) Rule 12(b)(6) regarding the legal sufficiency of the claims alleged in the complaint.

Rule 12(b)(1) – Lack of Federal Subject Matter Jurisdiction

The first Federal Rule of Civil Procedure considered by the Court was 12(b)(1), which provides that a federal court may dismiss an action for lack of federal subject matter jurisdiction. 

Setting out the legal standard for Rule 12(b)(1), the Court noted that, because “[a] federal court is presumed to lack jurisdiction in a particular case unless the contrary affirmatively appears,” the burden to demonstrate that the court has such jurisdiction “rests on the party asserting federal subject matter jurisdiction.” [p. 4] (Pac. Bell Internet Servs. v. Recording Indus. Ass’n of Am., Inc., No. C03-3560 SI, 2003 WL 22862662) Furthermore, a challenge to the jurisdiction of the federal court may be facial or factual. (Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004)) The Court applied this legal standard to the facts of the case. 

The defendants sought to dismiss the plaintiffs’ complaint under the Computer Fraud and Abuse Act, 18 U.S. .C. § 1030, by invoking the court’s “federal question jurisdiction” on a factual, rather than facial, basis. NSO Group claimed that the impugned conduct of the complaint was actually performed by foreign sovereigns, who are barred from any lawsuit under the Foreign Sovereign Immunity Act (“FSIA”), 28 U.S.C. §§ 1602–11. The FSIA holds that “a foreign state shall be immune from the jurisdiction of the courts of the United States and of the States”, with limited statutory exceptions. [p. 9] 

There are two relevant doctrines concerning the sovereign immunity argument raised by the defendants: foreign official immunity and derivative sovereign immunity. The first doctrine, foreign official immunity, is distinguished by courts on the basis of status-based immunity and conduct-based immunity. While status-based immunity is applied to “diplomats and heads of state”, conduct-based immunity is available to “any [ ] [p]ublic minister, official, or agent of the state with respect to acts performed in his official capacity”. [p. 11] (Lewis v. Mutond, 918 F.3d 142, 145 (D.C. Cir. 2019)) The defendants did not submit that status-based immunity was available to them. Rather, they claimed that conduct-based foreign sovereign immunity is available to a “foreign sovereign’s private agents when the agent acts on behalf of the state.” [p. 11] The defendants argued that foreign states used their software to “fight terrorism and serious crime, which are official public acts.” [p. 11]

In response, the plaintiffs argued that “attacks on journalists and attorneys” was inconsistent with “fighting terrorism and crime.” [p. 11] Additionally, the plaintiffs noted that any exercise of the federal court’s jurisdiction would only bind NSO Group, not a foreign state. The Court agreed that any injunctive relief would be enforced against the defendants, without any affirmative action required by a foreign sovereign. As such, the Court found that the defendants did not qualify as foreign officials under the content-based immunity test. 

The second doctrine concerning sovereign immunity addressed by the Court was derivative sovereign immunity. The defendants argued that, in Butters v. Vance International, Inc., 225 F.3d at 466, the Fourth Circuit extended the rule of derivative sovereign immunity to American private agents of foreign governments. [p. 13] However, the Court agreed with the plaintiffs that Butters should not be applied as the Ninth Circuit had not held that the doctrine of derivative sovereign immunity extends to foreign contractors of foreign sovereigns. Accordingly, the doctrine of derivative domestic sovereign immunity was also not available to the defendants. As such, the Court denied the defendants’ motion to dismiss for lack of subject matter jurisdiction. 

Rule 12(b)(2) – Lack of Personal Jurisdiction

The second Federal Rule of Civil Procedure considered by the Court was rule 12(b)(2), which provides that a federal court may dismiss an action for lack of personal jurisdiction. “Personal jurisdiction” refers to a Court’s power to adjudicate over another legal entity within their jurisdictional reach. 

The Court noted that the party “seeking to invoke a federal court’s jurisdiction bears the burden of demonstrating jurisdiction.” [p. 5] (Picot v. Weston, 780 F.3d 1206, 1211 (9th Cir. 2015) The extent of a federal court’s jurisdiction is determined in accordance with state law. (Daimler AG v. Bauman, 571 U.S. 117, 125 (2014)) In the state of California, the “long arm statute permits exercise of personal jurisdiction to the fullest extent permissible under the U.S. Constitution.” [p. 5] Accordingly, the nature of a personal jurisdiction assessment “centers on whether exercising jurisdiction comports with due process.” [p. 5] (Picot v. Weston, 780 F.3d at 1211)

To determine whether a particular defendant’s conduct is sufficiently connected to a particular state to establish specific jurisdiction, the Ninth Circuit employs a three-part test (Morrill test): 

“(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;
(2) the claim must be one which arises out of or relates to the defendant’s forum-related activities; and
(3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.” [p. 6] (Morrill v. Scott Fin. Corp., 873 F.3d 1136, 1142 (9th Cir. 2017))

Once the plaintiff has satisfied the first two prongs, the burden shifts to the defendant to “set forth a ‘compelling case’ that the exercise of jurisdiction would not be reasonable.” [p. 6] (CollegeSource, Inc. v. AcademyOne, Inc., 653 F.3d 1066, 1076 (9th Cir. 2011)) The Court applied this legal standard to the facts of the case. 

1. Consent

The defendants firstly argued that they had not consented to personal jurisdiction when they accepted WhatsApp’s terms of service. The Ninth Circuit has recognized that accepting a contractual clause regarding the choice of legal forum is sufficient to demonstrate consent to personal jurisdiction in that forum. (SEC v. Ross, 504 F.3d 1130, 1149 (9th Cir. 2007)) In this case, WhatsApp’s terms of service included the clause that: “you will resolve any Claim you have with us relating to, arising out of, or in any way in connection with our Terms, us, or our Services (each, a “Dispute,” and together, “Disputes”) exclusively in the United States District Court for the Northern District of California”. [p. 16] The defendants argued that the present complaint does not fall within the definition of a “Dispute”, as it relates to a complaint by WhatsApp with their users, rather than their users with WhatsApp. In response, the plaintiffs argued that a “Dispute” includes any claim between WhatsApp and their users, regardless of which party initiates the claim. Referring to the absence of the term “between” in the definition of “Dispute” in WhatsApp’s Terms of Service, the Court found in favour of the defendants and concluded that the forum selection clause does not apply to claims by WhatsApp against their users. Accordingly, the defendants did not consent to personal jurisdiction. 

2. Specific Jurisdiction

The plaintiffs further argued that the Court should exercise specific jurisdiction over the defendants under both a purposeful direction theory (concerning their tort claims) and a purposeful availment theory (concerning their contract claim). 

1. 1. 1. Purposeful Direction

Purposeful direction is determined by the Calder effects test, under which the plaintiffs must prove that the defendants “(1) committed an intentional act, (2) expressly aimed at the forum state, (3) caused harm that the defendant knew was likely to be suffered in the forum state.” [p. 18] (Calder v. Jones, 465 U.S. 783, 789–90 (1984)) Addressing the first element, committing an intentional act, the defendants argued that it was their “foreign sovereign customers” that committed the act of targeting WhatsApp’s systems and servers to disseminate malware. The defendants referred the Court to the statement by Shalev Hulio, NSO’s CEO and co-founder: “NSO markets and licenses the Pegasus technology to its sovereign customers, which then operate the technology themselves”. [p. 19] Rather than intentionally committing the act, Hulio claimed that the role of NSO Group is limited to providing “advice and technical support” in setting up, rather than operating, the software. The Court was not convinced by this argument. Firstly, the Court observed that the defendants retained a role in the conduct of the intentional act, even if it was at the “direction of their government customers.” [p. 19] Secondly, the Court found that the “boundary between defendants’ conduct and their clients’ conduct is not clearly delineated” by the Hulio declaration. [p. 19] However, at this stage, the plaintiffs need only demonstrate a “prima facie showing of jurisdictional facts”. [p. 19] (Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1223 (9th Cir. 2011) at 1223) The Court found that the plaintiffs had sufficiently proven that the defendants committed an intentional act.

The second element considers whether the “defendant’s allegedly tortious action was “expressly aimed at the forum state.” (Picot v. Weston, 780 F.3d, at 1214) The defendants alleged, among several arguments, that courts have rejected the claim that the “mere location of a server may give rise to personal jurisdiction.” [p. 20] In response, the plaintiffs argued that the defendants’ conduct was aimed at a California-based company and used WhatsApp’s and a third-party QuadraNet’s California-based servers. The Court held that, by sending the malware, the defendants “electronically entered the forum state” by targeting the plaintiffs’ servers, “which were a necessary component to transmit the malicious code to the users.” [p. 24-25] Therefore, the Court held that the plaintiffs successfully demonstrated that the defendants aimed their intentional act at the forum state. 

The third and final element of the Calder test determines whether the defendants caused harm that they knew would likely be suffered in the forum state. The plaintiffs claimed that the defendants injured their “reputation, public trust, and goodwill.” [p. 25] The defendants did not provide an argument to counter this claim. The Court also noted that the defendants knew that accessing the plaintiffs’ servers without authorization would cause harm to the plaintiffs and that this harm would be suffered in California. In these circumstances, Justice Hamilton held that the plaintiffs had demonstrated the purposeful direction element of specific jurisdiction. 

2. 0. 2. Purposeful Availment

A prima facie case of personal availment requires proof of the defendant’s conduct in the particular legal forum. “By taking such actions, a defendant ‘purposefully avails itself of the privilege of conducting activities within the forum State, thus invoking the benefits and protections of its laws.’” [p. 25] (Schwarzenegger v. Fred Martin Motor Co., 374 F.3d at 802) The defendants argued that they did not take any of the requisite action in the forum of California, such as executing or performing a contract. In response, the plaintiffs submitted that the defendants purposefully availed themselves of California’s benefits by accepting the WhatsApp terms of service and engaging in activity relating to California, including the development of the “Pegasus” software via funding from a California-based private equity firm. The Court found that the plaintiffs had not sufficiently demonstrated purposeful availment. However, as the plaintiffs had already met their burden concerning purposeful direction, the Court moved on to the third-part of the Morrill test. 

2. 0. 3. Reasonableness

The Court finally considered the third-part of the Morrill test: whether the exercise of jurisdiction comports with fair play and substantial justice. Considering a wide range of factors, the Court found that some weighed in favor of the defendant, and others in favor of the plaintiff. In such circumstances, the defendant had failed to fulfil their burden to demonstrate a compelling argument that exercising jurisdiction in the impugned forum would be unreasonable. Therefore, the Court found that exercising personal jurisdiction over the defendants was reasonable and the defendants’ motion to dismiss the complaint for lack of personal jurisdiction was denied. 

Rule 12(b)(7) – Failure to Join an Indispensable Party

The third Federal Rule of Civil Procedure considered by the Court was 12(b)(7), which provides that a federal court may dismiss an action if the plaintiff fails to “join a party recognized as indispensable.” [p. 8] 

The defendants sought to dismiss the complaint because the plaintiffs failed to join the defendants’ foreign sovereign customers under Rule 19. [p. 32] The Court noted that finding a party to be necessary under Rule 19(a)(1)(A) denoted that “complete relief” cannot be found between the existing parties without the joinder of the nonparty. The defendants relied on the decision in Republic of Philippines v. Pimentel, 553 U.S. 851, 867 (2008), that “[a] case may not proceed when a required-entity sovereign is not amenable to suit.” [p. 34-35] However, the Court found that the defendants’ customers were not required parties because “the court can craft injunctive relief that excludes or carves out any sovereign nation.” (EEOC v. Peabody Western Coal Co., 610 F.3d 1070, 1079 (9th Cir. 2010)) As the defendants’ foreign sovereign customers were not necessary parties, the principle from Pimentel did not apply to the present case. Accordingly, the defendants’ motion to dismiss the complaint for failure to join the necessary parties was denied. 

Rule 12(b)(6) – Legal Sufficiency of the Alleged Claims 

The final Federal Rule of Civil Procedure considered by the Court was 12(b)(6), which provides that a federal court may dismiss an action if the plaintiff fails to state a “cognizable legal theory, or has not alleged sufficient facts to support a cognizable legal theory.” [p. 6] (Somers v. Apple, Inc., 729 F.3d 953, 959 (9th Cir. 2013)) 

1. First Claim: CFAA

The first claim addressed by the defendants was the plaintiffs’ claim that the defendants violated the Computer Fraud and Abuse Act by knowingly accessing the plaintiffs’ protected computers and the devices of their users without authorisation, and with the intent to commit fraud and obtain something of value. 

The Court observed that this statute provides two ways of committing the crime: either obtaining access without authorization or obtaining access with authorization but then using that access improperly. (Musacchio v. United States, 136 S. Ct. 709, 713 (2016)) Justice Hamilton determined that, by creating WhatsApp accounts and accepting the terms of service, the defendants had authorized access to the device in question. However, the Court recognised the plaintiffs’ complaint that the defendants had used “WhatsApp’s Relay Servers without authorization to send encrypted data packets designed to activate the malicious code injected into the memory of the Target Devices.” [p. 38] Accordingly, Justice Hamilton held that the defendants’ conduct met the secondary “exceeds authorized access” prong of 18 U.S.C. § 1030(a)(2) and (a)(4). [p. 37] 

In order to recover for violation of the CDAA, the plaintiff must have been harmed by the impugned act. The defendants claimed that the plaintiffs did not suffer a “loss” as defined by the CFAA: “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” § 1030(e)(11). The plaintiffs alleged that their losses included the expenditure of resources to investigate and remediate the defendants’ conduct, under the statutory “cost of responding to an offense.” (18 U.S.C. § 1030(e)(11)) The defendants, however, argued that this loss derived from their response to a vulnerability in the WhatsApp system, rather than the accessing of information on individual users’ devices. Justice Hamilton was not convinced by this argument and determined that the plaintiffs’ allegations were sufficient to claim for loss based on responding to an offense on a third party’s device. Accordingly, the defendants’ motion to dismiss the plaintiffs’ first cause of action for violation of the CFAA was denied. 

2. Fourth Claim: Trespass to Chattels

To prove a claim of trespass to chattels, the plaintiff must plead that “(1) the defendant intentionally and without authorization interfered with plaintiff’s possessory interest in the computer system; and (2) defendant’s unauthorized use[ ] proximately caused damage.” (Brodsky v. Apple Inc., F. Supp. 3d, No. 19-CV-00712-LHK, 2020 WL 1694363, at *6 (N.D. Cal. Apr. 7, 2020)) Once proven, a plaintiff can only recover “the actual damages suffered by reason of the impairment of the property or the loss of its use.” [p. 41] (Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1350–51 (2003)) 

The defendants argued that the plaintiffs cannot state a claim for trespass to chattels because they had not demonstrated that the defendants’ conduct caused actual damage to the plaintiffs’ servers. The defendants claimed that the plaintiffs’ complaints regarding the costs of investigation and remediation was not actual harm to their servers. The leading case concerning electronic trespass in California is Intel Corp. v. Hamidi, 30 Cal. 4th at 1347, where the California Supreme Court held that trespass to chattels “does not encompass . . . an electronic communication that neither damages the recipient computer system nor impairs its functioning.” [p. 41] The Court agreed, noting that the alleged conduct neither degraded nor damaged WhatsApp’s servers. 

In response, the plaintiffs argued that the defendants’ conduct had damaged the value and quality of WhatsApp’s servers by concealing a malicious code which led to a loss of goodwill in their business due to a “perceived weakness in WhatsApp’s encryption or its services.” [p. 43] The Court determined that the plaintiffs’ complaint did not refer to any actual harm caused by the defendants’ program or access to WhatsApp’s servers. Accordingly, the plaintiffs’ fourth cause of action for trespass to chattels was dismissed by the court, with leave to amend. 

Motion to Stay Discovery

The defendants filed a motion to stay discovery pending final resolution of their motion to dismiss due to their foreign sovereign immunity argument. No other reason to stay discovery was provided by the defendants, other than their pending motion to dismiss. As the Court had just decided their pending motion, the defendants’ request to stay discovery was moot and was denied by the Court. The case could now proceed to discovery, in which both sides can request documents and records. This decision may implicate the government clients of NSO Group who have previously denied their involvement with the company. 

Conclusion

The Court granted the defendants’ Rule 12(b)(6) motion to dismiss the plaintiffs’ fourth cause of action regarding trespass to chattels. However, their motion to dismiss in all other matters was denied, along with their motion to stay discovery. 

---