Whatsapp Inc. v. NSO Grp. Techs. Ltd., Case No. 19-cv-07123-PJH

CourtUnited States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Northern District of California
Writing for the CourtPHYLLIS J. HAMILTON, United States District Judge
Citation472 F.Supp.3d 649
Parties WHATSAPP INC., et al., Plaintiffs, v. NSO GROUP TECHNOLOGIES LIMITED, et al., Defendants.
Decision Date16 July 2020
Docket NumberCase No. 19-cv-07123-PJH

472 F.Supp.3d 649

WHATSAPP INC., et al., Plaintiffs,
v.
NSO GROUP TECHNOLOGIES LIMITED, et al., Defendants.

Case No. 19-cv-07123-PJH

United States District Court, N.D. California.

Signed July 16, 2020


472 F.Supp.3d 658

Travis LeBlanc, Joseph Douglas Mornin, Kyle Christopher Wong, Michael Graham Rhodes, Cooley LLP, San Francisco, CA, Antonio J. Perez-Marques, Pro Hac Vice, Craig Cagney, Pro Hac Vice, Greg D. Andres, Pro Hac Vice, Davis Polk and Wardwell LLP, Ian Shapiro, Pro Hac Vice, Cooley LLP, New York, NY, Daniel Joseph Grooms, Pro Hac Vice, Elizabeth B. Prelogar, Cooley LLP, Michael R. Dreeben, Pro Hac Vice, OMelveny Myers LLP, Washington, DC, Micah Galvin Block, Davis Polk and Wardwell LLP, Menlo Park, CA, for Plaintiffs.

Joseph N. Akrotirianakis, Aaron S. Craig, King & Spalding LLP, Los Angeles, CA, for Defendants.

ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS AND DENYING MOTION TO STAY DISCOVERY

Re: Dkt. Nos. 45, 95

PHYLLIS J. HAMILTON, United States District Judge

Before the court is defendants NSO Group Technologies, Ltd. ("NSO") and Q Cyber Technologies Ltd.’s ("Q Cyber," and together with NSO, "defendants") motion to dismiss. The matter is fully briefed and suitable for decision without oral argument. Having read the parties’ papers and carefully considered their arguments and the relevant legal authority, and good cause appearing, the court rules as follows.

BACKGROUND

On October 29, 2019, plaintiffs WhatsApp Inc. ("WhatsApp") and Facebook, Inc. ("Facebook" and together with WhatsApp, "plaintiffs") filed a complaint ("Compl.") alleging that defendants sent malware, using WhatsApp's system, to approximately 1,400 mobile phones and devices designed to infect those devices for the purpose of surveilling the users of those phones and devices. Dkt. 1, ¶ 1. The complaint alleges four causes of action: (1) violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 ; (2) violation of the California Comprehensive Computer Data Access and Fraud Act,

472 F.Supp.3d 659

Cal. Penal Code § 502 ; (3) breach of contract; and (4) trespass to chattels.

Plaintiff WhatsApp is a Delaware corporation with its principal place of business in Menlo Park, California and is owned by plaintiff Facebook, which is also a Delaware corporation with its principal place of business in Menlo Park, California. Compl. ¶¶ 3–4. WhatsApp provides an encrypted communication service that is accessed through the WhatsApp application ("app") that users must download to their personal devices. Id. ¶ 17. Defendant NSO is an Israeli limited liability company and defendant Q Cyber is an Israeli corporation and NSO's only active director and the majority shareholder. Id. ¶¶ 5–6. Defendants are alleged to manufacture, distribute, and operate surveillance technology "designed to intercept and extract information and communications from mobile phones and devices" Id. ¶ 24.

In order to use the WhatsApp app and service, WhatsApp users consent to WhatsApp's terms of service in which they agree to "use [WhatsApp's] Services according to [WhatsApp's] Terms and policies" and further agree to "access and use [WhatsApp's] Services only for legal, authorized, and acceptable purposes." Id. ¶¶ 19–20. WhatsApp's terms prohibit users from using services in ways that "violate, misappropriate, or infringe the rights of WhatsApp, [its] users, or others," "are illegal, intimidating, harassing, ... or instigate or encourage conduct that would be illegal, or otherwise inappropriate;" or "involve sending illegal or impermissible communications." Id. ¶ 21. Additionally, users are not permitted to:

(a) reverse engineer, alter, modify, create derivative works from, decompile, or extract code from our Services, (b) send, store, or transmit viruses or other harmful computer code through or onto our Services; (c) gain or attempt to gain unauthorized access to our Services or systems; (d) interfere with or disrupt the safety, security, or performance of our Services; [or] ... (f) collect the information of or about our users in any impermissible or unauthorized manner.

Id. ¶ 22.

Plaintiffs allege that defendants created a data program, termed Pegasus, that could "remotely and covertly extract valuable intelligence from virtually any mobile device." Id. ¶ 27. Defendants licensed Pegasus and sold support services to customers. Id. ¶ 29. According to public reporting and as alleged, defendants’ customers include sovereign nations such as the Kingdom of Bahrain, the United Arab Emirates, and Mexico. Id. ¶ 43. Defendants could customize Pegasus for different purposes such that, once installed on a user's device, they could intercept communications, capture screenshots, or exfiltrate browser history and contacts from that user's device. Id. ¶¶ 27, 41. Defendants used a network of computers to monitor and update the version of Pegasus implanted on a user's phone as well as control the number of devices that a customer could compromise using Pegasus. Id. ¶ 28.

Between January 2018 and May 2019, defendants are alleged to have created WhatsApp accounts that could be used to send malicious code to personal devices in April and May 2019. Id. ¶ 33. Defendants also leased servers and internet hosting services from third parties such as Choopa, QuadraNet, and Amazon Web Service; the leased servers were used to distribute malware and relay commands to users’ devices. Id. ¶ 34. Defendants reverse engineered the WhatsApp app and developed Pegasus to emulate legitimate WhatsApp network traffic. Id. ¶ 35.

Pegasus is alleged to operate by first routing malicious code through WhatsApp's relay servers to a user's device. Id. ¶ 36. Defendants formatted certain messages

472 F.Supp.3d 660

containing the malicious code to appear like a legitimate call and concealed the code within the call settings. Id. ¶ 37. To avoid technical restrictions built into the WhatsApp signaling servers, defendants formatted call initiation messages that contained the malicious code to appear as a legitimate call. Id. The call would inject the malicious code into a device's memory whether or not the user answered the call. Id. After the malicious code was delivered to a device, defendants caused encrypted data packets to be sent to a user's device via WhatsApp's relay servers, designed to activate the malicious code residing on the memory of the target devices. Id. ¶ 39. Once activated, the malicious code caused the target device to connect to one of the leased, remote servers hosting defendants’ malware, which was then downloaded and installed on the target devices. Id. ¶ 40. The malware would then give defendants and their customers access to information on the target devices. Id. ¶ 41.

Between April 29, 2019 and May 10, 2019, defendants caused their malicious code to be transmitted over WhatsApp's servers reaching approximately 1,400 devices used by "attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials." Id. ¶ 42. On May 13, 2019, Facebook announced that it had investigated the vulnerability and WhatsApp and Facebook closed the vulnerability around that time. Id. ¶ 44.

DISCUSSION

A. Legal Standard

1. Rule 12(b)(1)

A federal court may dismiss an action under Federal Rule of Civil Procedure 12(b)(1) for lack of federal subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1). Because "[a] federal court is presumed to lack jurisdiction in a particular case unless the contrary affirmatively appears," the burden to prove its existence "rests on the party asserting federal subject matter jurisdiction." Pac. Bell Internet Servs. v. Recording Indus. Ass'n of Am., Inc., No. C03-3560 SI, 2003 WL 22862662, at *3 (N.D. Cal. Nov. 26, 2003) (quoting Gen. Atomic Co. v. United Nuclear Corp., 655 F.2d 968, 969 (9th Cir. 1981) ; and citing Cal. ex rel. Younger v. Andrus, 608 F.2d 1247, 1249 (9th Cir. 1979) ). A jurisdictional challenge may be facial or factual. Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (citing White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000) ). When the attack is facial, the court determines whether the allegations contained in the complaint are sufficient on their face to invoke federal jurisdiction. Id. Where the attack is factual, however, "the court need not presume the truthfulness of the plaintiff's allegations." Id.

When resolving a factual dispute about its federal subject matter jurisdiction, a court may review extrinsic evidence beyond the complaint without converting a motion to dismiss into one for summary judgment. McCarthy v. United States, 850 F.2d 558, 560 (9th Cir. 1988) (holding that a court "may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction"); see also Land v. Dollar, 330 U.S. 731, 735 n.4, 67 S.Ct. 1009, 91 L.Ed. 1209 (1947) ("[W]hen a question of the District Court's jurisdiction is raised ... the court may inquire by affidavits or otherwise, into the facts as they exist."). "Once the moving party has converted the motion to dismiss into a...

To continue reading

Request your trial
11 practice notes
  • Commonwealth v. Delgado-Rivera, SJC-12919
    • United States
    • United States State Supreme Judicial Court of Massachusetts
    • June 1, 2021
    ...to retain a reasonable expectation of privacy in those messages is not before us. Cf. WhatsApp Inc. v. NSO Group Techs. Ltd., 472 F. Supp. 3d 649, 659 (N.D. Cal. 2020) ; Nield, The best apps to send self-destructing messages, Popular Science (Nov. 15, 2020), https://www.popsci.com/send-self......
  • WhatsApp Inc. v. NSO Grp. Techs. Ltd., 20-16408
    • United States
    • United States Courts of Appeals. United States Court of Appeals (9th Circuit)
    • November 8, 2021
    ...under the common law and inquire how the State Department would resolve this case. See WhatsApp Inc. v. NSO Grp. Techs. Ltd. , 472 F. Supp. 3d 649, 665 (N.D. Cal. 2020). Nor is it necessary to explain that neither the State Department nor any court has ever applied foreign official immunity......
  • Yenovkian v. Moor, 21-CV-1071 JLS (MSB)
    • United States
    • United States District Courts. 9th Circuit. United States District Court (Southern District of California)
    • August 18, 2021
    ...if the effect of exercising jurisdiction would be to enforce a rule of law against the state.”'” WhatsApp Inc. v. NSO Grp. Techs. Ltd., 472 F.Supp.3d 649, 664 (N.D. Cal. 2020) (citing Lewis v. Mutond, 918 F.3d 142, 145 (D.C. Cir. 2019); Dogan, 932 F.3d at 894). A district court lacks subjec......
  • Rosasen v. Kingdom of Nor., 2:21-cv-06811-JWH (SP)
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Central District of California
    • February 10, 2022
    ...immunity” is available to any public minister, official, or agent of the foreign state. See WhatsApp Inc. v. NSO Grp. Techs. Ltd., 472 F.Supp.3d 649, 664 (N.D. Cal. 2020) (citation omitted); Yenovkian v. Moor, 2021 WL 3666448, at *4-5 (S.D. Cal. Aug. 18, 2021). District courts lack subject ......
  • Request a trial to view additional results
11 cases
  • Commonwealth v. Delgado-Rivera, SJC-12919
    • United States
    • United States State Supreme Judicial Court of Massachusetts
    • June 1, 2021
    ...to retain a reasonable expectation of privacy in those messages is not before us. Cf. WhatsApp Inc. v. NSO Group Techs. Ltd., 472 F. Supp. 3d 649, 659 (N.D. Cal. 2020) ; Nield, The best apps to send self-destructing messages, Popular Science (Nov. 15, 2020), https://www.popsci.com/send-self......
  • WhatsApp Inc. v. NSO Grp. Techs. Ltd., 20-16408
    • United States
    • United States Courts of Appeals. United States Court of Appeals (9th Circuit)
    • November 8, 2021
    ...under the common law and inquire how the State Department would resolve this case. See WhatsApp Inc. v. NSO Grp. Techs. Ltd. , 472 F. Supp. 3d 649, 665 (N.D. Cal. 2020). Nor is it necessary to explain that neither the State Department nor any court has ever applied foreign official immunity......
  • Yenovkian v. Moor, 21-CV-1071 JLS (MSB)
    • United States
    • United States District Courts. 9th Circuit. United States District Court (Southern District of California)
    • August 18, 2021
    ...if the effect of exercising jurisdiction would be to enforce a rule of law against the state.”'” WhatsApp Inc. v. NSO Grp. Techs. Ltd., 472 F.Supp.3d 649, 664 (N.D. Cal. 2020) (citing Lewis v. Mutond, 918 F.3d 142, 145 (D.C. Cir. 2019); Dogan, 932 F.3d at 894). A district court lacks subjec......
  • Rosasen v. Kingdom of Nor., 2:21-cv-06811-JWH (SP)
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Central District of California
    • February 10, 2022
    ...immunity” is available to any public minister, official, or agent of the foreign state. See WhatsApp Inc. v. NSO Grp. Techs. Ltd., 472 F.Supp.3d 649, 664 (N.D. Cal. 2020) (citation omitted); Yenovkian v. Moor, 2021 WL 3666448, at *4-5 (S.D. Cal. Aug. 18, 2021). District courts lack subject ......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT