Apple’s claim at times reads like a modern day spy thriller. It is couched in the most uncompromising terms, describing NSO Group (and its parent company, Q Cyber Technologies) as:
“notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.”
Apple alleges that NSO “design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, [NSO] enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.”
The scope of the claim is impressive. Apple seeks injunctions against NSO, prohibiting them from accessing any Apple devices or software and requiring them to identify and delete any data obtained from Apple devices. The claim also seeks an order prohibiting NSO from continuing its efforts to develop spyware targeting Apple devices.
Some of the allegations levelled at NSO are particularly striking. The suggestion that NSO created and then misused Apple IDs and iCloud accounts to facilitate the deployment of their infamous Pegasus spyware is certainly alarming. Likewise, the assertion that NSO provide ongoing consultation services to their customers, by assisting them with their deployment and use of Pegasus spyware, goes against the public rhetoric issued by NSO themselves in the face of the scandal created by the Pegasus Project revelations earlier this year.
The shocking capabilities of Pegasus spyware are now widely known. Once installed on a phone, Pegasus has the potential to harvest and control more or less everything. It can turn on your microphone and video camera. It can gain access to your apps and photos. From that moment on, nothing is safe from prying eyes; SMS and WhatsApp messages, address books and contact details, passwords, call history, calendars, emails and internet browsing histories can all be exfiltrated. And, of course, your private conversations can be eavesdropped too.
NSO sells its spyware exclusively to governments and law enforcement agencies. For this reason, it is understandable why the press release issued by Apple this week seeks to reassure its customers that only a handful of users will have been affected. Whilst that is true in relative terms, the scale of the issue is not to be underestimated. Data leaked as part of the Pegasus Project includes a list of 50,000 phone numbers that are believed to have been identified as people of interest by NSO’s customers.
In conjunction with its claim against NSO, Apple has started to notify those customers it believes to have been targeted by NSO. Going forward, Apple has pledged that when activity considered to be consistent with a state-sponsored spyware attack is discovered, it will seek to notify the affected users.
The step to notify Apple users is not without consequence. The notification of potential victims raises fascinating questions about the extent to which civil remedies will be available to individuals affected. At least on the face of it, an attack by spyware like Pegasus gives rise to all manner of potential civil claims under UK law, not least misuse of private information and data protection rights, breach of confidence and harassment. It will also constitute criminal offences that, to date, UK law enforcement has been ill equipped to prosecute.
And it raises a number of broader questions as to the responsibilities of tech companies to inform consumers about the threats they face when using their products. Apple is to be commended for engaging in this process. Ten years ago it took the MP Chris Bryant and others to pursue a judicial review to compel the police to inform individuals (identifiable within evidence from a previous prosecution) who were targeted by the phone hacker employed by News Group Newspapers. The positive obligation to notify under Article 8 of the European Convention on Human Rights, as argued by Bryant, is now bolstered by obligations within the UK GDPR and tech companies would be well advised to act promptly.
What is certain is that we are entering a new era in our relationship with technology where cybersecurity is no longer simply the reserve of IT experts, an esoteric topic that need not really concern the average smartphone user. Technical developments to protect from intrusion will always be matched by the technical abilities of the hackers who recognise the value of the data we all store and exchange on our devices. Apple is right to engage the Courts as well as its technical experts, because investigating and prosecuting these intrusions is long overdue.