Whatsapp Inc. v. NSO Grp. Techs. Ltd.

• Decision Date: 16 July 2020
• Docket Number: Case No. 19-cv-07123-PJH
• Court: U.S. District Court — Northern District of California
• Parties: WHATSAPP INC., et al., Plaintiffs, v. NSO GROUP TECHNOLOGIES LIMITED, et al., Defendants.

472 F.Supp.3d 649

WHATSAPP INC., et al., Plaintiffs,

v.NSO GROUP TECHNOLOGIES LIMITED, et al., Defendants.

Case No. 19-cv-07123-PJH

United States District Court, N.D. California.

Signed July 16, 2020

Travis LeBlanc, Joseph Douglas Mornin, Kyle Christopher Wong, Michael Graham Rhodes, Cooley LLP, San Francisco, CA, Antonio J. Perez-Marques, Pro Hac Vice, Craig Cagney, Pro Hac Vice, Greg D. Andres, Pro Hac Vice, Davis Polk and Wardwell LLP, Ian Shapiro, Pro Hac Vice, Cooley LLP, New York, NY, Daniel Joseph Grooms, Pro Hac Vice, Elizabeth B. Prelogar, Cooley LLP, Michael R. Dreeben, Pro Hac Vice, OMelveny Myers LLP, Washington, DC, Micah Galvin Block, Davis Polk and Wardwell LLP, Menlo Park, CA, for Plaintiffs.

Joseph N. Akrotirianakis, Aaron S. Craig, King & Spalding LLP, Los Angeles, CA, for Defendants.

ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS AND DENYING MOTION TO STAY DISCOVERY

Re: Dkt. Nos. 45, 95

PHYLLIS J. HAMILTON, United States District Judge

Before the court is defendants NSO Group Technologies, Ltd. ("NSO") and Q Cyber Technologies Ltd.’s ("Q Cyber," and together with NSO, "defendants") motion to dismiss. The matter is fully briefed and suitable for decision without oral argument. Having read the parties’ papers and carefully considered their arguments and the relevant legal authority, and good cause appearing, the court rules as follows.

BACKGROUND

On October 29, 2019, plaintiffs WhatsApp Inc. ("WhatsApp") and Facebook, Inc. ("Facebook" and together with WhatsApp, "plaintiffs") filed a complaint ("Compl.") alleging that defendants sent malware, using WhatsApp's system, to approximately 1,400 mobile phones and devices designed to infect those devices for the purpose of surveilling the users of those phones and devices. Dkt. 1, ¶ 1. The complaint alleges four causes of action: (1) violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 ; (2) violation of the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502 ; (3) breach of contract; and (4) trespass to chattels.

Plaintiff WhatsApp is a Delaware corporation with its principal place of business in Menlo Park, California and is owned by plaintiff Facebook, which is also a Delaware corporation with its principal place of business in Menlo Park, California. Compl. ¶¶ 3–4. WhatsApp provides an encrypted communication service that is accessed through the WhatsApp application ("app") that users must download to their personal devices. Id. ¶ 17. Defendant NSO is an Israeli limited liability company and defendant Q Cyber is an Israeli corporation and NSO's only active director and the majority shareholder. Id. ¶¶ 5–6. Defendants are alleged to manufacture, distribute, and operate surveillance technology "designed to intercept and extract information and communications from mobile phones and devices" Id. ¶ 24.

In order to use the WhatsApp app and service, WhatsApp users consent to WhatsApp's terms of service in which they agree to "use [WhatsApp's] Services according to [WhatsApp's] Terms and policies" and further agree to "access and use [WhatsApp's] Services only for legal, authorized, and acceptable purposes." Id. ¶¶ 19–20. WhatsApp's terms prohibit users from using services in ways that "violate, misappropriate, or infringe the rights of WhatsApp, [its] users, or others," "are illegal, intimidating, harassing, ... or instigate or encourage conduct that would be illegal, or otherwise inappropriate;" or "involve sending illegal or impermissible communications." Id. ¶ 21. Additionally, users are not permitted to:

(a) reverse engineer, alter, modify, create derivative works from, decompile, or extract code from our Services, (b) send, store, or transmit viruses or other harmful computer code through or onto our Services; (c) gain or attempt to gain unauthorized access to our Services or systems; (d) interfere with or disrupt the safety, security, or performance of our Services; [or] ... (f) collect the information of or about our users in any impermissible or unauthorized manner.

Id. ¶ 22.

Plaintiffs allege that defendants created a data program, termed Pegasus, that could "remotely and covertly extract valuable intelligence from virtually any mobile device." Id. ¶ 27. Defendants licensed Pegasus and sold support services to customers. Id. ¶ 29. According to public reporting and as alleged, defendants’ customers include sovereign nations such as the Kingdom of Bahrain, the United Arab Emirates, and Mexico. Id. ¶ 43. Defendants could customize Pegasus for different purposes such that, once installed on a user's device, they could intercept communications, capture screenshots, or exfiltrate browser history and contacts from that user's device. Id. ¶¶ 27, 41. Defendants used a network of computers to monitor and update the version of Pegasus implanted on a user's phone as well as control the number of devices that a customer could compromise using Pegasus. Id. ¶ 28.

Between January 2018 and May 2019, defendants are alleged to have created WhatsApp accounts that could be used to send malicious code to personal devices in April and May 2019. Id. ¶ 33. Defendants also leased servers and internet hosting services from third parties such as Choopa, QuadraNet, and Amazon Web Service; the leased servers were used to distribute malware and relay commands to users’ devices. Id. ¶ 34. Defendants reverse engineered the WhatsApp app and developed Pegasus to emulate legitimate WhatsApp network traffic. Id. ¶ 35.

Pegasus is alleged to operate by first routing malicious code through WhatsApp's relay servers to a user's device. Id. ¶ 36. Defendants formatted certain messages containing the malicious code to appear like a legitimate call and concealed the code within the call settings. Id. ¶ 37. To avoid technical restrictions built into the WhatsApp signaling servers, defendants formatted call initiation messages that contained the malicious code to appear as a legitimate call. Id. The call would inject the malicious code into a device's memory whether or not the user answered the call. Id. After the malicious code was delivered to a device, defendants caused encrypted data packets to be sent to a user's device via WhatsApp's relay servers, designed to activate the malicious code residing on the memory of the target devices. Id. ¶ 39. Once activated, the malicious code caused the target device to connect to one of the leased, remote servers hosting defendants’ malware, which was then downloaded and installed on the target devices. Id. ¶ 40. The malware would then give defendants and their customers access to information on the target devices. Id. ¶ 41.

Between April 29, 2019 and May 10, 2019, defendants caused their malicious code to be transmitted over WhatsApp's servers reaching approximately 1,400 devices used by "attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials." Id. ¶ 42. On May 13, 2019, Facebook announced that it had investigated the vulnerability and WhatsApp and Facebook closed the vulnerability around that time. Id. ¶ 44.

DISCUSSION

A. Legal Standard

1. Rule 12(b)(1)

A federal court may dismiss an action under Federal Rule of Civil Procedure 12(b)(1) for lack of federal subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1). Because "[a] federal court is presumed to lack jurisdiction in a particular case unless the contrary affirmatively appears," the burden to prove its existence "rests on the party asserting federal subject matter jurisdiction." Pac. Bell Internet Servs. v. Recording Indus. Ass'n of Am., Inc., No. C03-3560 SI, 2003 WL 22862662, at *3 (N.D. Cal. Nov. 26, 2003) (quoting Gen. Atomic Co. v. United Nuclear Corp., 655 F.2d 968, 969 (9th Cir. 1981) ; and citing Cal. ex rel. Younger v. Andrus, 608 F.2d 1247, 1249 (9th Cir. 1979) ). A jurisdictional challenge may be facial or factual. Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (citing White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000) ). When the attack is facial, the court determines whether the allegations contained in the complaint are sufficient on their face to invoke federal jurisdiction. Id. Where the attack is factual, however, "the court need not presume the truthfulness of the plaintiff's allegations." Id.

When resolving a factual dispute about its federal subject matter jurisdiction, a court may review extrinsic evidence beyond the complaint without converting a motion to dismiss into one for summary judgment. McCarthy v. United States, 850 F.2d 558, 560 (9th Cir. 1988) (holding that a court "may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction"); see also Land v. Dollar, 330 U.S. 731, 735 n.4, 67 S.Ct. 1009, 91 L.Ed. 1209 (1947) ("[W]hen a question of the District Court's jurisdiction is raised ... the court may inquire by affidavits or otherwise, into the facts as they exist."). "Once the moving party has converted the motion to dismiss into a factual motion by presenting affidavits or other evidence properly brought before the court, the party opposing the motion must furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction." Safe Air for Everyone, 373 F.3d at 1039.

2. Rule 12(b)(2)

A federal court may dismiss an action under Federal Rule of Civil Procedure 12(b)(2) for lack of personal jurisdiction. When resolving a motion to dismiss under Rule 12(b)(2) on written materials, the court accepts uncontroverted facts in the complaint as true and resolves conflicts in affidavits in the plaintiffs’ favor. Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1223 (9th Cir. 2011). The party seeking to invoke a federal court's jurisdiction bears the burden of demonstrating jurisdiction. Picot v. Weston, 780 F.3d 1206, 1211 (9th Cir. 2015). "Federal courts ordinarily follow state law in determining the bounds of their...