Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 1 of 15 1 2 3 4 5 6 7 8 9 COOLEY LLP TRAVIS LEBLANC (251097) (tleblanc@cooley.com) JOSEPH D. MORNIN (307766) (jmornin@cooley.com) 101 California Street, 5th floor San Francisco, CA 94111-5800 Telephone: (415) 693-2000 Facsimile: (415) 693-2222 DANIEL J. GROOMS (D.C. Bar No. 219124) (pro hac vice forthcoming) (dgrooms@cooley.com) 1299 Pennsylvania Avenue, NW, Suite 700 Washington, DC 20004-2400 Telephone: (202) 842-7800 Facsimile: (202) 842-7899 Attorneys for Plaintiffs WHATSAPP INC. and FACEBOOK, INC. 10 UNITED STATES DISTRICT COURT 11 NORTHERN DISTRICT OF CALIFORNIA 12 13 14 15 WHATSAPP INC., a Delaware corporation, and FACEBOOK, INC., a Delaware corporation, 18 19 20 COMPLAINT DEMAND FOR JURY TRIAL Plaintiffs, 16 17 Case No. v. NSO GROUP TECHNOLOGIES LIMITED and Q CYBER TECHNOLOGIES LIMITED, Defendants. 21 22 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 1 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 2 of 15 1 Plaintiffs WhatsApp Inc. and Facebook, Inc. (collectively, “Plaintiffs”) allege the following 2 against Defendants NSO Group Technologies Ltd. (“NSO Group”) and Q Cyber Technologies Ltd. 3 (“Q Cyber”) (collectively, “Defendants”): INTRODUCTION 4 5 1. Between in and around April 2019 and May 2019, Defendants used WhatsApp servers, 6 located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones 7 and devices (“Target Devices”). Defendants’ malware was designed to infect the Target Devices for 8 the purpose of conducting surveillance of specific WhatsApp users (“Target Users”). Unable to break 9 WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages 10 and other communications after they were decrypted on Target Devices. Defendants’ actions were 11 not authorized by Plaintiffs and were in violation of WhatsApp’s Terms of Service. In May 2019, 12 Plaintiffs detected and stopped Defendants’ unauthorized access and abuse of the WhatsApp Service 13 and computers. 14 2. Plaintiffs bring this action for injunctive relief and damages pursuant to the Computer 15 Fraud and Abuse Act, 18 U.S.C. § 1030, and the California Comprehensive Computer Data Access 16 and Fraud Act, California Penal Code § 502, and for breach of contract and trespass to chattels. PARTIES 17 18 19 20 3. Plaintiff WhatsApp Inc. (“WhatsApp”) is a Delaware corporation with its principal place of business in Menlo Park, California. 4. Plaintiff Facebook, Inc. (“Facebook”) is a Delaware corporation with its principal place 21 of business in Menlo Park, California. Facebook acts as WhatsApp’s service provider for security- 22 related issues. 23 5. Defendant NSO Group was incorporated in Israel on January 25, 2010, as a limited 24 liability company. Ex. 1. NSO Group had a marketing and sales arm in the United States called 25 WestBridge Technologies, Inc. Ex. 2 and 3. Between 2014 and February 2019, NSO Group obtained 26 financing from a San Francisco–based private equity firm, which ultimately purchased a controlling 27 stake in NSO Group. Ex. 4. In and around February 2019, NSO Group was reacquired by its founders 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 2 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 3 of 15 1 and management. Id. NSO Group’s annual report filed on February 28, 2019, listed Defendant Q 2 Cyber as the only active director of NSO Group and its majority shareholder. Ex. 5. 3 6. Defendant Q Cyber was incorporated in Israel on December 2, 2013, under the name 4 L.E.G.D. Company Ltd. Ex. 6 and 7. On May 29, 2016, L.E.G.D. Company Ltd. changed its name 5 to Q Cyber. Ex. 7. Until at least June 2019, NSO Group’s website stated that NSO Group was “a Q 6 Cyber Technologies company.” Ex. 8. Q Cyber’s annual report filed on June 17, 2019, listed OSY 7 Technologies S.A.R.L. as the only Q Cyber shareholder and active Director. Ex. 9 8 7. At all times material to this action, each Defendant was the agent, partner, alter ego, 9 subsidiary, and/or coconspirator of and with the other Defendant, and the acts of each Defendant were 10 in the scope of that relationship. In doing the acts and failing to act as alleged in this Complaint, each 11 Defendant acted with the knowledge, permission, and consent of each other; and, each Defendant 12 aided and abetted each other. JURISDICTION AND VENUE 13 14 15 16 8. The Court has federal question jurisdiction over the federal causes of action alleged in this Complaint pursuant to 28 U.S.C. § 1331. 9. The Court has supplemental jurisdiction over the state law causes of action alleged in 17 this Complaint pursuant to 28 U.S.C. § 1367 because these claims arise out of the same nucleus of 18 operative fact as Plaintiffs’ federal claims. 19 10. In addition, the Court has jurisdiction over all the causes of action alleged in this 20 Complaint pursuant to 28 U.S.C. § 1332 because complete diversity between the Plaintiffs and each 21 of the named Defendants exists, and because the amount in controversy exceeds $75,000. 22 11. The Court has personal jurisdiction over Defendants because they obtained financing 23 from California and directed and targeted their actions at California and its residents, WhatsApp and 24 Facebook. The claims in this Complaint arise from Defendants’ actions, including their unlawful 25 access and use of WhatsApp computers, several of which are located in California. 26 12. The Court also has personal jurisdiction over Defendants because Defendants agreed 27 to WhatsApp’s Terms of Service (“WhatsApp Terms”) by accessing and using WhatsApp. In relevant 28 part, the WhatsApp Terms required Defendants to submit to the personal jurisdiction of this Court. COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 3 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 4 of 15 1 2 3 4 13. Venue is proper in this Judicial District pursuant to 28 U.S.C. § 1391(b), as the threatened and actual harm to WhatsApp and Facebook occurred in this District. 14. Pursuant to Civil L.R. 3-2(d), this case may be assigned to either the San Francisco or Oakland division because WhatsApp and Facebook are located in San Mateo County. FACTUAL ALLEGATIONS 5 6 A. Background on Facebook 7 15. Facebook is a social networking website and mobile application that enables its users 8 to create their own personal profiles and connect with each other on their personal computers and 9 mobile devices. As of June 2019, Facebook daily active users averaged 1.59 billion and monthly active 10 11 users averaged 2.41 billion. 16. In October 2014, Facebook acquired WhatsApp. At all times relevant to this action, 12 Facebook has served as WhatsApp’s service provider, which entails providing both infrastructure and 13 security for WhatsApp. 14 B. 15 16 Background on WhatsApp 1. 17. The WhatsApp Service WhatsApp provides an encrypted communication service available on mobile devices 17 and desktop computers (the “WhatsApp Service”). Approximately 1.5 billion people in 180 countries 18 use the WhatsApp Service. Users must install the WhatsApp app to use the WhatsApp Service. 19 18. Every type of communication (calls, video calls, chats, group chats, images, videos, 20 voice messages, and file transfers) on the WhatsApp Service is encrypted during its transmission 21 between users. This encryption protocol was designed to ensure that no one other than the intended 22 recipient could read any communication sent using the WhatsApp Service. 2. 23 24 25 26 19. WhatsApp’s Terms of Service Every WhatsApp user must create an account and agree and consent to WhatsApp’s Terms (available at https://www.whatsapp.com/legal?eea=0#terms-of-service). 20. The WhatsApp Terms stated that “You must use our Services according to our Terms 27 and policies” and that users agreed to “access and use [WhatsApp’s] Services only for legal, 28 authorized, and acceptable purposes.” COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 4 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 5 of 15 1 21. The WhatsApp Terms prohibited using the WhatsApp services in ways that (a) “violate, 2 misappropriate, or infringe the rights of WhatsApp, our users, or others, including privacy;” (b) “are 3 illegal, intimidating, harassing, . . . or instigate or encourage conduct that would be illegal, or otherwise 4 inappropriate;” [or] . . . (e) “involve sending illegal or impermissible communications.” 5 22. The WhatsApp Terms prohibited users from “exploiting [WhatsApp’s] Services in 6 impermissible or unauthorized manners, or in ways that burden, impair, or harm us, our Services, 7 systems, our users, or others.” The Terms also required users to agree not to: “(a) reverse engineer, 8 alter, modify, create derivative works from, decompile, or extract code from our Services; (b) send, 9 store, or transmit viruses or other harmful computer code through or onto our Services; (c) gain or 10 attempt to gain unauthorized access to our Services or systems; (d) interfere with or disrupt the safety, 11 security, or performance of our Services; [or] . . . (f) collect the information of or about our users in 12 any impermissible or unauthorized manner.” 13 14 23. The WhatsApp Terms prohibited users not just from personally engaging in the conduct listed above, but also from assisting others in doing so. 15 C. Background on NSO Group and Pegasus 16 24. Defendants manufactured, distributed, and operated surveillance technology or 17 “spyware” designed to intercept and extract information and communications from mobile phones and 18 devices. Defendants’ products included “Pegasus,” a type of spyware known as a remote access trojan. 19 Ex. 10 and 11. According to Defendants, Pegasus and its variants (collectively, “Pegasus”) were 20 designed to be remotely installed and enable the remote access and control of information—including 21 calls, messages, and location—on mobile devices using the Android, iOS, and BlackBerry operating 22 systems. Id. 23 25. On information and belief, in order to enable Pegasus’ remote installation, Defendants 24 exploited vulnerabilities in operating systems and applications (e.g., CVE-2016-4657) and used other 25 malware delivery methods, like spearphishing messages containing links to malicious code. Id. 26 27 26. According to media reports and NSO documents, Defendants claimed that Pegasus could be surreptitiously installed on a victim’s phone without the victim taking any action, such as 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 5 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 6 of 15 1 clicking a link or opening a message (known as remote installation). 1 Id. Defendants promoted that 2 Pegasus’s remote installation feature facilitated infecting victims’ phones without using spearphishing 3 messages that could be detected and reported by the victims. 27. 4 According to NSO Group, Pegasus could “remotely and covertly extract valuable 5 intelligence from virtually any mobile device.” Id. Pegasus was designed, in part, to intercept 6 communications sent to and from a device, including communications over iMessage, Skype, 7 Telegram, WeChat, Facebook Messenger, WhatsApp, and others. Id. On information and belief, 8 Pegasus was modular malware, which meant that it could be customized for different purposes, 9 including to intercept communications, capture screenshots, and exfiltrate browser history and 10 contacts from the device. Id. 28. 11 Defendants used a network of computers to monitor and update the version of Pegasus 12 implanted on the victims’ phones. Id. These Defendant-controlled computers relayed malware, 13 commands, and data between a compromised phone, Defendants, and Defendants’ customers. This 14 network served as the nerve center through which Defendants supported and controlled their 15 customers’ operation and use of Pegasus. In some instances, Defendants limited the number of 16 concurrent devices that their customers could compromise with Pegasus to 25. Ex. 11. 29. 17 Defendants profited by licensing Pegasus and selling support services to their 18 customers, which included Pegasus installation, monitoring, and training. Ex. 10 and 11. Defendants 19 also offered technical support to customers using Pegasus to infect victims’ phones, including: (a) 20 technical support by email and phone; and (b) remote troubleshooting by Defendants’ engineers 21 through remote desktop software and a virtual private network. Id. 22 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 1 See Financial Times, “Israel’s NSO: the business of spying on your iPhone” (May 14, 2019), available at https://www.ft.com/content/7f2f39b2-733e-11e9-bf5c-6eeb837566c5; Vice, “They Got Everything” (September 20, 2018), available at https://www.vice.com/en_us/article/qvakb3/insidenso-group-spyware-demo. 6 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 7 of 15 1 D. Defendants Agreed to the WhatsApp Terms 2 30. Between January 2018 and May 2019, Defendants created and caused to be created 3 various WhatsApp accounts and agreed to the WhatsApp Terms. Defendants’ employees and agents 4 accepted and agreed to be bound by the Terms on behalf of Defendants. 5 6 7 31. At all times relevant to this Complaint, Defendants were bound by the WhatsApp E. Defendants Accessed and Used Plaintiffs’ Servers Without Authorization Terms. 8 and Infected Target Users’ Devices With Malware 9 1. 10 32. Overview Defendants took a number of steps, using WhatsApp servers and the WhatsApp Service 11 without authorization, to send discrete malware components (“malicious code”) to Target Devices. 12 First, Defendants set up various computer infrastructure, including WhatsApp accounts and remote 13 servers, used to infect the Target Devices and conceal Defendants’ identity and involvement. Second, 14 Defendants used and caused to be used WhatsApp accounts to initiate calls through Plaintiffs’ servers 15 that were designed to secretly inject malicious code onto Target Devices. Third, Defendants caused 16 the malicious code to execute on some of the Target Devices, creating a connection between those 17 Target Devices and computers controlled by Defendants (the “remote servers”). 18 information and belief, Defendants caused Target Devices to download and install additional 19 malware—believed to be Pegasus or another remote access trojan developed by Defendants—from 20 the remote servers for the purpose of accessing data and communications on Target Devices. 2. 21 Defendants Set Up Computer Infrastructure Used to Infect the Target Devices 22 23 Fourth, on 33. Between approximately January 2018 and May 2019, Defendants created WhatsApp 24 accounts that they used and caused to be used to send malicious code to Target Devices in April and 25 May 2019. The accounts were created using telephone numbers registered in different counties, 26 including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands. 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 34. Beginning no later than 2019, Defendants leased and caused to be leased servers and internet hosting services in different countries, including the United States, in order to connect the 7 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 8 of 15 1 Target Devices to a network of remote servers intended to distribute malware and relay commands to 2 the Target Devices. This network included proxy servers and relay servers (collectively, “malicious 3 servers”). The malicious servers were owned by Choopa, Quadranet, and Amazon Web Services 4 (“AWS”), among others. The IP address of one of the malicious servers was previously associated 5 with subdomains used by Defendants. 6 7 3. 35. Defendants’ Unauthorized Access of Plaintiff’s Servers On information and belief, Defendants reverse-engineered the WhatsApp app and 8 developed a program to enable them to emulate legitimate WhatsApp network traffic in order to 9 transmit malicious code—undetected—to Target Devices over WhatsApp servers. Defendants’ 10 program was sophisticated, and built to exploit specific components of WhatsApp network protocols 11 and code. Network protocols generally define rules that control communications between network 12 computers, including protocols for computers to identify and connect with other computers, as well as 13 formatting rules that specify how data is packaged and transmitted. 14 36. In order to compromise the Target Devices, Defendants routed and caused to be routed 15 malicious code through Plaintiffs’ servers—including Signaling Servers and Relay Servers— 16 concealed within part of the normal network protocol. WhatsApp’s Signaling Servers facilitated the 17 initiation of calls between different devices using the WhatsApp Service. WhatsApp’s Relay Servers 18 facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to 19 use Plaintiffs’ servers in this manner. 20 37. Between approximately April and May 2019, Defendants used and caused to be used, 21 without authorization, WhatsApp Signaling Servers, in an effort to compromise Target Devices. To 22 avoid the technical restrictions built into WhatsApp Signaling Servers, Defendants formatted call 23 initiation messages containing malicious code to appear like a legitimate call and concealed the code 24 within call settings. Disguising the malicious code as call settings enabled Defendants to deliver it to 25 the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling 26 Servers. Once Defendants’ calls were delivered to the Target Device, they injected the malicious code 27 into the memory of the Target Device—even when the Target User did not answer the call. 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 8 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 9 of 15 38. 1 For example, on May 9, 2019, Defendants used WhatsApp servers to route malicious 2 code, which masqueraded as a series of legitimate calls and call settings, to a Target Device using 3 telephone number (202) XXX-XXXX. On information and belief, the malicious code concealed 4 within the calls was then installed in the memory of the Target Device. 39. 5 Between April and May 2019, Defendants also used and caused to be used WhatsApp’s 6 Relay Servers without authorization to send encrypted data packets designed to activate the malicious 7 code injected into the memory of the Target Devices. When successfully executed, the malicious code 8 caused the Target Device to send a request to one of the malicious servers controlled by Defendants. 40. 9 On information and belief, the malicious servers connected the Target Devices to 10 remote servers hosting Defendants’ malware. The malicious code on the Target Devices then 11 downloaded and installed Defendants’ malware from those servers. 41. 12 On information and belief, after it was installed, Defendants’ malware was designed to 13 give Defendants and their customers access to information and data stored on the Target Devices, 14 including their communications. 42. 15 Between approximately April 29, 2019, and May 10, 2019, Defendants caused their 16 malicious code to be transmitted over WhatsApp servers in an effort to infect approximately 1,400 17 Target Devices. The Target Users included attorneys, journalists, human rights activists, political 18 dissidents, diplomats, and other senior foreign government officials. 43. 19 The Target Users had WhatsApp numbers with country codes from several countries, 20 including the Kingdom of Bahrain, the United Arab Emirates, and Mexico. According to public 21 reporting, Defendants’ clients include, but are not limited to, government agencies in the Kingdom of 22 Bahrain, the United Arab Emirates, and Mexico as well as private entities. 2 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 2 See Fast Company, “Israeli cyberweapon targeted the widow of a slain Mexican journalist” (March 20, 2019), available at https://www.fastcompany.com/90322618/nso-group-pegasus-cyberweapontargeted-the-widow-of-a-slain-mexican-journalist; New York Times, “Hacking a Prince, and Emir and a Journalist to Impress a Client” (August 31, 2018), available at https://www.nytimes.com/2018/08/31/world/middleeast/hacking-united-arab-emirates-nsogroup.html; The Guardian, “Israeli firm linked to WhatsApp spyware attack faces lawsuit” (May 18, 2019), available at https://www.theguardian.com/world/2019/may/18/israeli-firm-nso-group-linkedto-whatsapp-spyware-attack-faces-lawsuit. 9 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 10 of 15 1 44. On or about May 13, 2019, Facebook publicly announced that it had investigated and 2 identified a vulnerability involving the WhatsApp Service (CVE-2019-3568). 3 Facebook closed the vulnerability, contacted law enforcement, and advised users to update the 4 WhatsApp app. 5 45. WhatsApp and Defendants subsequently complained that WhatsApp had closed the vulnerability. 6 Specifically, NSO Employee 1 stated, “You just closed our biggest remote for cellular . . . It’s on the 7 news all over the world.” 8 F. Facebook 9 10 11 Defendants’ Unlawful Acts Have Caused Damage and Loss to WhatsApp and 46. Defendants’ actions and omissions interfered with the WhatsApp Service and burdened Plaintiffs’ computer network. 12 47. Defendants’ actions injured Plaintiffs’ reputation, public trust, and goodwill. 13 48. Defendants have caused Plaintiffs damages in excess of $75,000 and in an amount to 14 be proven at trial. 15 FIRST CAUSE OF ACTION 16 (Computer Fraud and Abuse Act, 18 U.S.C. § 1030) 17 49. Plaintiffs reallege and incorporate by reference all preceding paragraphs. 18 50. At various times between April 29, 2019, and May 10, 2019, Defendants accessed, 19 used, or caused to be accessed or used Plaintiffs’ Signaling Servers and Relay Servers without 20 authorization in an effort to compromise approximately 1,400 Target Devices. 21 22 23 51. Plaintiffs’ Signaling Servers and Relay Servers and the Target Devices were “computers” as defined by 18 U.S.C. § 1030(e)(1). 52. Plaintiffs’ Signaling Servers and Relay Servers and the Target Devices were “protected 24 computers” as defined by 18 U.S.C. § 1030(e)(2)(B) because they are “used in or affecting interstate 25 or foreign commerce or communication.” 26 53. Defendants violated 18 U.S.C. § 1030(a)(2) because they intentionally accessed and 27 caused to be accessed (a) Plaintiffs’ computers, and (b) Target Devices, without authorization and, on 28 information and belief, obtained data from the Target Devices. COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 10 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 11 of 15 1 54. Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with intent to 2 defraud accessed and caused to be accessed (a) Plaintiffs’ protected computers and (b) Target Devices 3 without authorization, and by means of such conduct furthered the intended fraud and obtained 4 something of value. Defendants’ fraud included falsely agreeing to the WhatsApp Terms, sending 5 unauthorized commands to Plaintiffs’ computers and concealing the commands as legitimate network 6 traffic, in order to gain access of the Target Devices without the Target Users’ knowledge or consent. 7 As a result of the fraud, Defendants obtained money, customers, remote access and control of the 8 Target Devices, data from the Target Devices, and unauthorized use of the WhatsApp service, the 9 value of which exceeds $5,000. 10 11 12 13 14 55. Defendants violated 18 U.S.C. § 1030(b) by conspiring and attempting to commit the violations alleged in the preceding paragraphs. 56. Defendants’ conduct caused a loss to Plaintiffs and the Target Users in excess of $5,000 during a one-year period. 57. Defendants’ actions caused Plaintiffs to incur a loss as defined in 18 U.S.C. 15 § 1030(e)(11), including the expenditure of resources to investigate and remediate Defendants’ fraud 16 and unauthorized access. Plaintiffs are entitled to be compensated for losses and damages, and any 17 other amount to be proven at trial. 18 SECOND CAUSE OF ACTION 19 (California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502) 20 21 58. Plaintiffs reallege and incorporate by reference all of the preceding paragraphs. 22 59. Defendants knowingly accessed and without permission altered and used Plaintiffs’ 23 data, computer, computer system, and computer network in order to (a) devise and execute a scheme 24 and artifice to defraud and deceive, and (b) wrongfully control and obtain money, property, and data 25 in violation of California Penal Code § 502(c)(1). 26 60. Defendants knowingly and without permission used and caused to be used WhatsApp 27 Signaling Servers and Relay Servers, including servers located in California, in violation of California 28 Penal Code § 502(c)(3). COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 11 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 12 of 15 1 61. Defendants knowingly and without permission provided and assisted in providing a 2 means of accessing Plaintiffs’ computers, computer systems, and computer networks, including those 3 located in California, in violation of California Penal Code § 502(c)(6). 4 62. Defendants knowingly and without permission accessed and caused to be accessed 5 Plaintiffs’ computers, computer systems, and computer networks, including those located in 6 California, in violation of California Penal Code § 502(c)(7). 7 8 9 63. Defendants knowingly introduced a computer contaminant into Plaintiffs’ computers, computer systems, and computer networks in violation of California Penal Code § 502(c)(8). 64. Defendants’ actions caused Plaintiffs to incur losses and damages, including, among 10 other things, the expenditure of resources to investigate and remediate Defendants’ conduct, damage 11 to Plaintiffs’ reputation, and damage to the relationships and goodwill between Plaintiffs and their 12 users and potential users. Plaintiffs have been damaged in an amount to be proven at trial. 13 65. Because Plaintiffs suffered damages and a loss as a result of Defendants’ actions and 14 continue to suffer damages as result of Defendants’ actions, Plaintiffs are entitled to compensatory 15 damages, attorneys’ fees, and any other amount of damages to be proven at trial, as well as injunctive 16 relief under California Penal Code §§ 502(e)(1) and (2). 17 66. Because Defendants willfully violated California Penal Code § 502, and there is clear 18 and convincing evidence that Defendants acted with malice and oppression and committed “fraud” as 19 defined by section 3294 of the Civil Code, Plaintiffs are entitled to punitive and exemplary damages 20 under California Penal Code § 502(e)(4). 21 THIRD CAUSE OF ACTION 22 (Breach of Contract) 23 67. Plaintiffs reallege and incorporate by reference all preceding paragraphs. 24 68. Access to and use of WhatsApp is governed by the WhatsApp’s Terms and related 25 26 27 WhatsApp policies. 69. Defendants agreed to and became bound by the WhatsApp’s Terms when they used WhatsApp and the WhatsApp Service. 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 12 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 13 of 15 1 2 3 4 5 70. WhatsApp and Facebook have performed all conditions, covenants, and promises required of it in accordance with the WhatsApp’s Terms. 71. Defendants’ violations of the WhatsApp’s Terms have directly and proximately caused and continue to cause harm and injury to WhatsApp. 72. When Defendants agreed to and became bound by the WhatsApp Terms, both Plaintiffs 6 and Defendants knew or could have reasonably foreseen that the harm and injury to Plaintiffs was 7 likely to occur in the ordinary course of events as a result of Defendants’ breach. 8 73. Defendants’ actions caused Plaintiffs to incur losses and other economic damages, 9 including, among other things, the expenditure of resources to investigate and remediate Defendants’ 10 conduct, damage to Plaintiffs’ reputation, and damage to the relationships and goodwill between 11 Plaintiffs and their users and potential users. Plaintiffs have been damaged in an amount to be proven 12 at trial, and in excess of $75,000. 13 FOURTH CAUSE OF ACTION 14 (Trespass to Chattels) 15 74. Plaintiffs reallege and incorporate by reference all of the preceding paragraphs. 16 75. At all times mentioned in this Complaint, Plaintiffs had legal title to and actual 17 18 possession of their computer systems. 76. Defendants intentionally and without authorization interfered with Plaintiffs’ 19 possessory interest in their computer systems, including by accessing and using Plaintiffs’ servers to 20 transmit malicious code for the purpose of unlawfully compromising Target Users’ devices, all 21 without authorization from Plaintiffs and Target Users. 22 23 24 77. Defendants’ access to Plaintiffs’ computer systems exceeded the scope of the conditional access that Plaintiffs grant to legitimate users of the WhatsApp Service. 78. Defendants’ actions caused Plaintiffs to incur losses and other economic damages, 25 including, among other things, the expenditure of resources to investigate and remediate Defendants’ 26 conduct, damage to Plaintiffs’ reputation, and damage to the relationships and goodwill between 27 Plaintiffs and their users and potential users. Plaintiffs have been damaged in an amount to be proven 28 at trial, and in excess of $75,000. COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 13 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 14 of 15 REQUEST FOR RELIEF 1 2 WHEREFORE, Plaintiffs request judgment against Defendants as follows: 3 1. That the Court enter judgment against Defendants that Defendants have: 4 a. Violated the Computer Fraud and Abuse Act, in violation of 18 U.S.C. § 1030; 5 b. Violated the California Comprehensive Computer Data Access and Fraud Act, in violation California Penal Code § 502; 6 7 c. Breached their contracts with WhatsApp in violation of California law; 8 d. Wrongfully trespassed on Plaintiffs’ property in violation of California law. 2. 9 That the Court enter a permanent injunction enjoining and restraining Defendants and 10 their agents, servants, employees, successors, and assigns, and all other persons acting in concert with 11 or conspiracy with any of them or who are affiliated with Defendants from: a. Accessing or attempting to access WhatsApp’s and Facebook’s service, platform, 12 and computer systems; 13 14 b. Creating or maintaining any WhatsApp or Facebook account; 15 c. Engaging in any activity that disrupts, diminishes the quality of, interferes with the 16 performance of, or impairs the functionality of Plaintiffs’ service, platform, and 17 computer systems; and d. Engaging in any activity, or facilitating others to do the same, that violates 18 WhatsApp’s or Facebook’s Terms; 19 3. 20 That WhatsApp and Facebook be awarded damages, including, but not limited to, 21 compensatory, statutory, and punitive damages, as permitted by law and in such amounts to be proven 22 at trial. 4. 23 24 attorneys’ fees. 25 26 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 5. That WhatsApp and Facebook be awarded pre- and post-judgment interest as allowed 6. That the Court grant all such other and further relief as the Court may deem just and by law. 27 28 That WhatsApp and Facebook be awarded their reasonable costs, including reasonable proper. 14 COMPLAINT Case 3:19-cv-07123 Document 1 Filed 10/29/19 Page 15 of 15 1 PLAINTIFFS RESPECTFULLY DEMAND A JURY TRIAL. 2 3 4 Dated: October 29, 2019 Respectively submitted, COOLEY LLP 5 6 7 8 9 10 11 12 /s/ Travis LeBlanc Travis LeBlanc Daniel J. Grooms Joseph D. Mornin Attorneys for Plaintiffs WHATSAPP INC. and FACEBOOK, INC. Platform Enforcement and Litigation Facebook, Inc. Jessica Romero Tyler Smith Michael Chmelar Bridget Freeman 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 15 COMPLAINT Case Document 1-1 Filed 10/29/19 Page 1 of 111 EXHIBIT 1 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 2 of 111 Ministry of Justice [emblem] Registrar of Companies State of Israel Companies Law, 5760-1999 Company Incorporation Certificate This is to certify that N.S.O. GROUP TECHNOLOGIES LTD [bilingual text] got incorporated and registered according to the Companies Law as a Limited Liability Company 25/01/2010 10th of Sh’vat, 5770 Company no. 514395409 [stamp:] Ministry of Justice Registrar of Companies [emblem:] State of Israel [signature] Einat Messika, Adv. Registrar of Companies [stamp:] [logo] Corporations Authority A confirmation that this document has been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 3 of 111 [emblem:] State of Israel Ministry of Justice This document is a copy scanned in its entirety on the indicated day and hour, via trusted digital scanning of the document found in the file, in accordance to the inspection regulation at the Ministry of Justice. Signed by Ministry of Justice (institutional signature). [stamp:] [logo] Corporations Authority A confirmation that this document has been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature PUBLIC0637849 Case Document 1-1 Filed 10/29/19 Page 4 of 111 EXHIBIT 2 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 5 of 111 09/25/2019 - Screenshot from https://www.documentcloud.org/documents/6401851-NSO-Emails-with-DEA.html Case Document 1-1 Filed 10/29/19 Page 6 of 111 EXHIBIT 3 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 7 of 111 09/25/2019 - Screenshot from https://www.documentcloud.org/documents/6401851-NSO-Emails-with-DEA.html Case Document 1-1 Filed 10/29/19 Page 8 of 111 EXHIBIT 4 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 9 of 111 09/23/2019 - Screenshot of https://www.franciscopartners.com/news/nso-group-acquired-by-its-management Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 10 of 111 09/23/2019 - Screenshot of https://www.franciscopartners.com/news/nso-group-acquired-by-its-management Case Document 1-1 Filed 10/29/19 Page 11 of 111 EXHIBIT 5 [emblem:] State of Israel Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 12 of 111 [logo:] [text cut off] [barcode:] 17042-905 State of Israel Ministry of Justice Corporations Authority Registrar of Companies Private Company Annual Report (Section 141 of the Companies Law 5759-1999 (hereinafter: “the Law”)) The data can be typed in or filled out in clear handwriting without using black ink. Company name NSO Group Technologies Ltd. Address of the registered office1 22 Galgalei Haplada, Hertsliya, Israel 4672222 Company number 514395409 Telephone Company Email (if any) The report is updated as of (state the date of signing the report in order to submit it to the Registrar of Companies) [hw:] 7/1/19 Annual meeting was conducted on the day2 7.1.2019 Share Capital Distribution Total registered capital of the company Share name and its set value (for shares with set value) Ordinary, set value – 0.01 Ordinary A, set value – 0.01 Preferred A, set value – 0.01 Ordinary Ordinary A Preferred A Number of shares in the registered capital Number of allotted shares Share value Ordinary – 548,940 Ordinary A – 26,290 Preferred A – 424,770 Ordinary – 185,716 Ordinary A – 8,936 Preferred A – 295,170 0.01 10,000 Share type Shareholders and their shares Shareholder name ID number3 Q Cyber Technologies Ltd 514971522 Type of shares Ordinary Ordinary A Preferred A Number of shares 118,263 8,936 295,170 Shareholder name ID number3 NSO Group Technologies Ltd. 514395409 Type of shares Ordinary Number of shares 67,453 Address (city, street, house no., zip code) 22 Galgalei Haplada, Hertsliya, Israel Zip Code 4672222 Unpaid amount in exchange for the shares Address (city, street, house no., zip code) 22 Galgalei Haplada, Hertsliya, Israel Zip Code 4672222 Unpaid amount in exchange for the shares _____________________ 1 Listing a P.O. Box as the company’s address is not enough. 2 The last date on which the annual meeting was conducted, indicate below in the appropriate place whether the company is exempt from conducting annual meetings according to Section 61 of the Law. [stamp:] 3 A non-holder of the Israeli ID shall indicate his passport number and the country it was issued in, and in the first report of[logo] this person, a copy shall be attached, as stated in Regulation 16 of the Companies Regulations (reporting, registration details and forms), 5760-1999. If the shareholder is a Corporations Authority corporation, a registration number of the corporation shall be indicated, and if it is a foreign corporation, the copy of incorporation certificate and the A confirmation that this document has required certificates as stated in Regulation 16, shall be attached in the first report of the corporation. been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature Case 3:19-cv-07123 State Document 111 [emblem:] [logo:] of Israel1-1 Filed 10/29/19 Page 13 of State of Israel Ministry of Justice Corporations Authority Corporations Authority Registrar of Companies Bearer Shares for the period * Fill out if bearer shares have been issued before 17.09.2016, and the update has not been performed as stated below: In accordance with the Amendment no. 28 to the Companies Law 5759-1999, which came into force on 17.09.2016, bearer shares can be no longer issued. A holder of bearer shares issued on the eve of the law coming into force shall be entitled to return the banknote to the company, and the company shall cancel it and issue a share for him that is registered in the Registry of Shareholders of the Company. A bearer share that is not returned as stated shall become a frozen share, as stated in Section 308 of the Law, and it shall not grant him rights until the date stated on the share, which will be recorded in the Registry of Shareholders of the Company. Total bearer shares for the period No. of shares in each note Note no. Details of active directors Director name Q Cyber Technologies Ltd ID number 514971522 Starting date as a director (year, month, day) 19/3/2014 Address (city, street, house no., zip code) 22 Galgalei Haplada, Hertsliya, Israel 4672222 Details of directors who stopped their activity (since the date of the previous annual report) Director name ID number End date as a director (year, month, day) Director name ID number End date as a director (year, month, day) Director name ID number End date as a director (year, month, day) Director name ID number End date as a director (year, month, day) Mark the appropriate option with X: No change has occurred in the details that were reported regarding the foreign directors according to Regulation 16 from the mentioned regulations. Change has occurred in the details that were reported regarding the foreign directors, and the documents required under Regulation 16 have been attached to the annual report. Authorized party to report to the registrar on behalf of the company, according to Section 39 of the Law Filling out the details of the authorized party to report according to Section 39 in this Form will allow the party whose details are entered here to relay updates about the company in a digital manner. For more information, see: http://www.justice.gov.il/Units/RasutHataagidim/units/RashamHachvarot/TfasimNew/Pages/Online.aspx Full name [hw:] [illegible] Idisis ID number 032063521 Position in the company Financial director [stamp:] [logo] Corporations Authority A confirmation that this document has been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature Case Document 1-1 Filed 10/29/19 Page 14 of 111 EXHIBIT 6 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 15 of 111 [emblem:] State of Israel State of Israel Ministry of Justice – Corporations Authority Registrar of Companies and Partnerships [logo:] Corporations Authority Company Incorporation Certificate This is to certify that the company: L.E.G.D. COMPANY LTD [bilingual text] whose number is 514971522 got incorporated and registered on 02/12/2013 - 29th of Kislev 5774, according to the Companies Law, 5760-1999, as a Limited Liability Company. Issued in Jerusalem on: 02/12/2013 29th of Kislev 5774 [signature] Zohar Horan Corporations Authority Registrar of Companies and Partnerships [stamp:] Ministry of Justice Registrar of Companies [stamp:] and Partnerships [logo] [emblem:] State of Israel Corporations Authority A confirmation that this document has been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 16 of 111 [emblem:] State of Israel Ministry of Justice This document is a copy scanned in its entirety on the indicated day and hour, via trusted digital scanning of the document found in the file, in accordance to the inspection regulation at the Ministry of Justice. Signed by Ministry of Justice (institutional signature). [stamp:] [logo] Corporations Authority A confirmation that this document has been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature PUBLIC0637849 Case Document 1-1 Filed 10/29/19 Page 17 of 111 EXHIBIT 7 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 18 of 111 [stamp:] [emblem:] State of Israel Document Start State of Israel Ministry of Justice – Corporations Authority Registrar of Companies and Partnerships [logo:] Corporations Authority Company Name Change Certificate This is to certify that the company L.E.G.D. COMPANY LTD [bilingual text] whose number is 514971522 has changed its name, and it shall be called from now on Q CYBER TECHNOLOGIES LTD [bilingual text] Issued in Jerusalem on 29/05/2016 21st of Iyyar, 5776 [stamp:] [emblem:] State of Israel Ministry of Justice Registrar of Companies and Partnerships [signature] Eyal Globus, Adv. Registrar of Companies and Partnerships Head of Corporations Authority Issued by Eyal Goldring [stamp:] [logo] Corporations Authority A confirmation that this document has been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 19 of 111 EXHIBIT 8 06/26/19 - web.archive.org screenshot of10/29/19 nsogroup.com Case 3:19-cv-07123 Document 1-1 Filed Page 20 of 111 https://www.nsogroup.com/ 100 captures 5 Jan 2011 - 31 Aug 2019 OUR TECHNOLOGY Helping Governments Maintain Public Safety NSO Group, a Q Cyber Technologies company, develops best-in-class technology to help government agencies detect and prevent a wide-range of local and global threats. Our products help government intelligence and law-enforcement agencies use technology to meet the challenges of encryption to prevent and investigate terror and crime. NSO technology is designed by telecommunications and intelligence experts who, positioned at the forefront of their fields, are dedicated to keeping pace with the ever-changing cyber world. LEARN MORE Go MAY JUN JUL 26 2012 2019 2020 👤 ⍰❎ f 🐦 ▾ About this capture Case Document 1-1 Filed 10/29/19 Page 21 of 111 EXHIBIT 9 [emblem:] State of Israel [logo:] of Israel Case 3:19-cv-07123 State Document 1-1 Filed 10/29/19 Page 22 of 111 [text cut off] [barcode:] 17903-560 Ministry of Justice Corporations Authority Registrar of Companies Private Company Annual Report (Section 141 of the Companies Law 5759-1999 (hereinafter: “the Law”)) The data can be typed in or filled out in clear handwriting without using black ink. Company name Q Cyber Technologies Ltd Address of the registered office1 22 Galgalei Haplada, Hertsliya, Israel 4672222 Company number 514971522 Telephone Company Email (if any) The report is updated as of (state the date of signing the report in order to submit it to the Registrar of Companies) [hw:] 16/6/19 Annual meeting was conducted on the day2 7.1.2019 Share Capital Distribution Total registered capital of the company Share name and its set value (for shares with set value) Share type 100,000 Ordinary, set value – 0.01 Ordinary Number of shares in the registered capital Number of allotted shares Share value Ordinary – 10,000,000 Ordinary – 100,000 0.01 Shareholders and their shares Shareholder name ID number3 Address (city, street, house no., zip code) OSY TECHNOLOGIES S.A.R.L. B184226 Luxembourg Type of shares Ordinary Number of shares 100,000 Unpaid amount in exchange for the shares Bearer Shares for the period* * Fill out if bearer shares have been issued before 17.09.2016, and the update has not been performed as stated below: In accordance with the Amendment no. 28 to the Companies Law 5759-1999, which came into force on 17.09.2016, bearer shares can be no longer issued. A holder of bearer shares issued on the eve of the law coming into force shall be entitled to return the banknote to the company, and the company shall cancel it and issue a share for him that is registered in the Registry of Shareholders of the Company. A bearer share that is not returned as stated shall become a frozen share, as stated in Section 308 of the Law, and it shall not grant him rights until the date stated on the share, which will be recorded in the Registry of Shareholders of the Company. _____________________ [stamp:] 1 Listing a P.O. Box as the company’s address is not enough. [logo] 2 The last date on which the annual meeting was conducted, indicate below in the appropriate place whether the company is exempt from conducting Corporations Authority annual meetings according to Section 61 of the Law. Afirst confirmation that this document 3 A non-holder of the Israeli ID shall indicate his passport number and the country it was issued in, and in the report of this person, a copy shallhas it is aiscopy been signed electronically, be attached, as stated in Regulation 16 of the Companies Regulations (reporting, registration details and forms), 5760-1999. If the shareholder a of thecopy document (originalcertificate or copy)and thatthe is in corporation, a registration number of the corporation shall be indicated, and if it is a foreign corporation, the of incorporation required certificates as stated in Regulation 16, shall be attached in the first report of the corporation. the file of the Corporations Authority on the day of the signature [emblem:] State of Israel [logo:] State of Israel Ministry of Justice Authority Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 23 of Corporations 111 Corporations Authority Registrar of Companies Total bearer shares for the period No. of shares in each note Note no. Details of active directors Director name OSY TECHNOLOGIES S.A.R.L. ID number B184226 Starting date as a director (year, month, day) 17/3/2014 Address (city, street, house no., zip code) Luxembourg Details of directors who stopped their activity (since the date of the previous annual report) Director name ID number End date as a director (year, month, day) Director name ID number End date as a director (year, month, day) Director name ID number End date as a director (year, month, day) Director name ID number End date as a director (year, month, day) Mark the appropriate option with X: No change has occurred in the details that were reported regarding the foreign directors according to Regulation 16 from the mentioned regulations. Change has occurred in the details that were reported regarding the foreign directors, and the documents required under Regulation 16 have been attached to the annual report. Authorized party to report to the registrar on behalf of the company, according to Section 39 of the Law Filling out the details of the authorized party to report according to Section 39 in this Form will allow the party whose details are entered here to relay updates about the company in a digital manner. For more information, see: http://www.justice.gov.il/Units/RasutHataagidim/units/RashamHachvarot/TfasimNew/Pages/Online.aspx Full name Yifa Idisis ID number 032063521 Position in the company Financial director Fulfillment of the instructions of Section 171 (C) of the Law The Board of Directors has approved the financial reports __ (mark X if done). Fulfillment of the instructions of Section 173 of the Law – (mark the appropriate option with X) The financial documents have been presented at the last annual meeting as required. If the company is not required to conduct annual meetings according to Section 61 (A) of the Law, indicate whether the financial reports have been sent to the shareholders according to Section 61 (A) of the Law. The company is not required to submit financial reports at the annual meeting, as stated in Section 172 (G) of the Law. Controlling accountant (mark the appropriate option with X). The company has a controlling accountant, as stated in Section 154 of the Law. [stamp:] [logo] Corporations Authority A confirmation that this document has been signed electronically, it is a copy of the document (original or copy) that is in the file of the Corporations Authority on the day of the signature Case Document 1-1 Filed 10/29/19 Page 24 of 111 EXHIBIT 1O https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 25 of 111 Pegasus – Product Description https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 26 of 111 https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 27 of 111 Contents Introduction ....................................................................................................................... 1 Overcoming Smartphone Interception Challenge ................................................... 1 Standard Interception Solutions Are Not Enough ................................................... 1 Cyber Intelligence for the Mobile World ......................................................................... 3 Benefits of Pegasus ................................................................................................ 3 Technology Highlights ............................................................................................ 3 High Level Architecture ........................................................................................... 4 Agent Installation .............................................................................................................. 6 Agent Purpose ........................................................................................................ 6 Agent Installation Vectors ....................................................................................... 6 Agent Installation Flow ............................................................................................ 7 Supported Operating Systems & Devices .............................................................. 8 Installation Failure ................................................................................................... 8 Remote Installation Benefits ................................................................................... 9 Data Collection ................................................................................................................ 10 Initial Data Extraction ............................................................................................ 11 Passive Monitoring................................................................................................ 11 Active Collection ................................................................................................... 11 Description of Collected Data ............................................................................... 12 Collection Buffer ....................................................................................................15 Data Transmission .......................................................................................................... 16 Data Transmission Security .................................................................................. 17 Pegasus Anonymizing Transmission Network ..................................................... 17 Data Presentation & Analysis ........................................................................................ 18 Rules & Alerts ......................................................................................................21 Data Export ....................................................................................................... ..22 Agent Maintenance ......................................................................................................... 23 Agent Upgrade ...................................................................................................... 23 Agent Settings .......................................................................................................23 Agent Uninstall ...................................................................................................... 23 Solution Architecture ......................................................................................................25 Customer Site ......................................................................................................25 Public Networks .................................................................................................... 26 Target Devices ...................................................................................................... 27 Solution Hardware .......................................................................................................... 28 Operators Terminals ............................................................................................. 28 System Hardware ................................................................................................. 28 System Setup and Training ............................................................................................31 System Prerequisites ............................................................................................ 31 System Setup ......................................................................................................31 Training ............................................................................................................. 31 High Level Deployment Plan ................................................................................ 32 System Acceptance Test (SAT) ............................................................................ 33 https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 28 of 111 Maintenance, Support and Upgrades ........................................................................... 34 Maintenance and Support ..................................................................................... 34 Upgrades ............................................................................................................ 34 https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 29 of 111 List of Tables Table 1: Collection Features Description .......................................................................... 12 Table 2: Presentation of Collected Data ........................................................................... 20 Table 3: Pegasus Deployment Plan ................................................................................. 32 List of Figures Figure 1: Pegasus High Level Architecture ........................................................................ 5 Figure 2: Agent Installation Flow ........................................................................................ 7 Figure 3: Agent Installation Initiation ................................................................................... 8 Figure 4: Collected Data ................................................................................................... 10 Figure 5: Data Transmission Process ............................................................................... 16 Figure 6: Data Transmission Scenarios ............................................................................ 16 Figure 7: Calendar Monitoring .......................................................................................... 18 Figure 8: Call Log & Call Interception ............................................................................... 19 Figure 9: Location Tracking............................................................................................... 19 Figure 10: Solution Architecture ....................................................................................... 25 Figure 11: Pegasus Hardware .......................................................................................... 29 https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 30 of 111 https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 31 of 111 Introduction Pegasus is a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device. This breakthrough solution was developed by veterans of elite intelligence agencies to provide governments with a way to address the new communications interception challenges in today's highly dynamic cyber battlefield. By capturing new types of information from mobile devices, Pegasus bridges a substantial technology gap to deliver the most accurate and complete intelligence for your security operations. Overcoming Smartphone Interception Challenge The rapidly growing and highly dynamic mobile communications market - characterized by the introduction of new devices, operating systems and applications on virtually a daily basis – requires a rethinking of the traditional intelligence paradigm. These changes in the communications landscape pose real challenges and obstacles that must be overcome by intelligence organizations and law enforcement agencies worldwide: Encryption: Extensive use of encrypted devices and applications to convey messages Abundance of communication applications: Chaotic market of sophisticated applications, most of which are IP-based and use proprietary protocols Target outside interception domain: Targets' communications are often outside the organization's interception domain or otherwise inaccessible (e.g., targets are roaming, face-to-face meetings, use of private networks, etc.) Masking: Use of various virtual identities which are almost impossible to track and trace SIM replacement: Frequent replacement of SIM cards to avoid any kind of interception Data extraction: Most of the information is not sent over the network or shared with other parties and is only available on the end-user device Complex and expensive implementation: As communications become increasingly complex, more network interfaces are needed. Setting up these interfaces with service providers is a lengthy and expensive process, and requires regulation and standardization Standard Interception Solutions Are Not Enough Until the above mentioned challenges are addressed and resolved, criminal and terrorist targets are likely "safe" from standard and legacy interception systems, meaning that valuable intelligence is being lost. These standard solutions (described in the sections below) deliver only partial intelligence, leaving the organizations with substantial intelligence gaps. Passive Interception Passive interception requires very deep and tight relationships with local service providers (cellular, Internet and PSTN providers) and traditionally has allowed for proper monitoring of text messages and voice calls. However, most contemporary communications is comprised of IP-based traffic, which is extremely difficult to monitor with passive interception due to its use of encryption and proprietary protocols. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 32 of 111 Even when this traffic is intercepted, it typically carries massive amounts of technical data that is not related to the actual content and metadata being communicated. Not only does this result in frustrated analysts and wasted time wading through irrelevant data, it also provides a partial snapshot (at best) of the target's communications. In addition, the number of interfaces required to cover the relevant service providers broadens the circle of entities exposed to sensitive information and increases the chance of leakage. Tactical GSM Interception Tactical GSM interception solutions effectively monitor voice calls and text messages in GSM networks. When advanced cellular technologies are deployed (3G and LTE networks), these solutions become less efficient. In such cases, it is required to violently downgrade the target to a GSM-based network, which noticeably impacts the user experience and functionality. These solutions also require a well-trained field tactical team located near the monitored target. Thus, in the majority of cases where the target location is unknown, these solutions become irrelevant. In other cases, placing a tactical team close to the target may pose serious risk both to the team and to the entire intelligence operation. Malicious Software (Malware) Malware presumably provides access to the target's mobile device. However, it is not completely transparent and requires the target's involvement to be installed on their devices. This type of engagement usually takes the form of multiple confirmations and approvals before the malware is functional. Most targets are unlikely to be fooled into cooperating with malware due to their high level of sensitivity for privacy in their communications. In addition, such malware is likely to be vulnerable to most commercially available anti-virus and anti-spyware software. As such, they leave traces and are fairly easily detected on the device. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 33 of 111 Cyber Intelligence for the Mobile World Pegasus is a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device. This breakthrough solution was developed by veterans of elite intelligence agencies to provide governments with a way to address the new communications interception challenges in today's highly dynamic cyber battlefield. By capturing new types of information from mobile devices, Pegasus bridges a substantial technology gap to deliver the most accurate and complete intelligence for your security operations. This solution is able to penetrate the market's most popular smartphones based on BlackBerry, Android, iOS and Symbian operating systems. Pegasus silently deploys invisible software ("agent") on the target device. This agent then extracts and securely transmits the collected data for analysis. Installation is performed remotely (over-the-air), does not require any action from or engagement with the target, and leaves no traces whatsoever on the device. Benefits of Pegasus Organizations that deploy Pegasus are able to overcome the challenges mentioned above to achieve unmatched mobile intelligence collection: Unlimited access to target's mobile devices: Remotely and covertly collect information about your target's relationships, location, phone calls, plans and activities – whenever and wherever they are Intercept calls: Transparently monitor voice and VoIP calls in real-time Bridge intelligence gaps: Collect unique and new types of information (e.g., contacts, files, environmental wiretap, passwords, etc.) to deliver the most accurate and complete intelligence Handle encrypted content and devices: Overcome encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world Application monitoring: Monitor a multitude of applications including Skype, WhatsApp, Viber, Facebook and Blackberry Messenger (BBM) Pinpoint targets: Track targets and get accurate positioning information using GPS Service provider independence: No cooperation with local Mobile Network Operators (MNO) is needed Discover virtual identities: Constantly monitor the device without worrying about frequent switching of virtual identities and replacement of SIM cards Avoid unnecessary risks: Eliminate the need for physical proximity to the target or device at any phase Technology Highlights The Pegasus solution utilizes cutting-edge technology specially developed by veterans of intelligence and law enforcement agencies. It offers a rich set of advanced features and sophisticated intelligence collection capabilities not available in standard interception solutions: Penetrates Android, BlackBerry, iOS and Symbian based devices https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 34 of 111 Extracts contacts, messages, emails, photos, files, locations, passwords, processes list and more Accesses password-protected devices Totally transparent to the target Leaves no trace on the device Minimal battery, memory and data consumption Self-destruct mechanism in case of exposure risk Retrieves any file from the device for deeper analysis High Level Architecture The Pegasus system is designed in layers. Each layer has its own responsibility forming together a comprehensive cyber intelligence collection and analysis solution. The main layers and building blocks of the systems are: Installations: The Installation layer is in charge of issuing new agent installations, upgrading and uninstalling existing agents. Data Collection: The Data Collection layer is in charge of collecting the data from the installed device. Pegasus offers comprehensive and complete intelligence by employing four collection methods: – Data Extraction: Extraction of the entire data that exists on the device upon agent installation – Passive Monitoring: Monitor new arrival data to the device – Active Collection: Activate the camera, microphone, GPS and other elements to collect real-time data – Event-based Collection: Define scenarios that automatically triggers specific data collection Data Transmission: The Data Transmission layer is in charge of transmitting the collected data back to the command and control servers, using the most efficient and safe way. Presentation & Analysis: The Presentation & Analysis component is a User Interface that is in charge of presenting the collected data to the operators and analysts, turning the data into actionable intelligence. This is done using the following modules: – Real-Time Monitoring: Presents real-time collected data from specific or multiple targets. This module is highly important when dealing with sensitive targets or during operational activities, where each piece of information that arrives is crucial for decision making. – Offline Analysis: Advanced queries mechanism that allows the analysts to query and retrieve any piece of information that was collected. The advanced mechanism provides tools to find hidden connections and information. – Geo-based Analysis: Presents the collected data on a map and conduct geo-based queries. – Rules & Alerts: Define rules that trigger alerts based on specific data that arrives or event that occurred. Administration: The administration component is in charge of managing the entire system permission, security and health: https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 35 of 111 – Permission: The permissions mechanism allows the system administrator to manage the different users of the system. Provide each one of them the right access level only to the data they are allowed to. This allows to define groups in the organization that handle only one or more topics and other groups which handles different topics. – Security: The security module monitors the system security level, making sure the collected data is inserted to the system database clean and safe for future review. – Health: The health component of the Pegasus solution monitor the status of all components making sure everything is working smoothly. It monitors the communication between the different parts, the system performance, the storage availability and alerts if something is malfunction. The system layers and components are shown in Figure 1. Figure 1: Pegasus High Level Architecture https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 36 of 111 Agent Installation In order to start collecting data from your target’s smartphone, a software based component ("Agent") must be remotely and covertly installed on their device. Agent Purpose The “Agent”, a software based component, resides on the end point devices of the monitored targets and its purpose is to collect the data it was configured to. The agent is supported on the most popular operating systems: BlackBerry, Android, iOS (iPhone) and Symbian based devices. Each agent is independent and is configured to collect different information from the device and to transmit it via specific channels in defined timeframes. The data is sent back to the Pegasus servers in a hidden, compressed and encrypted manner. The agent continuously collects the information from the device and will transmit it once reliable internet connection becomes available. Communications encryption, the use of many applications and other communications concealing methods are no longer relevant when an agent is installed on the device. Agent Installation Vectors Injecting and installing an agent on the device is the most sensitive and important phase of intelligence operation conducted on the target device. Each installation has to be carefully planned to ensure it is successful. The Pegasus system supports various installation methods. The installation methods variety answers the different operational scenarios which are unique to each customer, resulting in the most comprehensive and flexible solution. Following are the supported installation vectors: Remote Installation (range free): Over-the-Air (OTA): A push message is remotely and covertly sent to the mobile device. This message triggers the device to download and install the agent on the device. During the entire installation process no cooperation or engagement of the target is required (e.g., clicking a link, opening a message) and no indication appears on the device. The installation is totally silent and invisible and cannot be prevented by the target. This is NSO uniqueness, which significantly differentiates the Pegasus solution from any other solution available in the market. Enhanced Social Engineering Message (ESEM): In cases where OTA installation method is inapplicable1, the system operator can choose to send a regular text message (SMS) or an email, luring the target to open it. Single click, either planned or unintentional, on the link will result in hidden agent installation. The installation is entirely concealed and although the target clicked the link they will not be aware that software is being installed on their device. The chances that the target will click the link are totally dependent on the level of 1 e.g., some devices do not support it; some service providers block push messages; target phone number in unknown. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 37 of 111 content credibility. The Pegasus solution provides a wide range of tools to compose a tailored and innocent message to lure the target to open the message. NOTE: Both OTA and ESEM methods require only a phone number or an email address that is used by the target. Nothing else is needed in order to accomplish a successful installation of the Pegasus agent on the device. Close to the target (range limited): Tactical Network Element: The Pegasus agent can be silently injected once the number is acquired using tactical network element such as Base Transceiver Station (BTS). The Pegasus solution leverages the capabilities of such tactical tools to perform a remote injection and installation of the agent. Taking a position in the area of the target is, in most cases, sufficient to accomplish the phone number acquisition. Once the number is available, the installation is done remotely. Physical: When physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes. After agent installation, data extraction and future data monitoring is done remotely, providing the same features of any other installation method. NOTE: Tactical and Physical installations are usually used where no target phone number or email address are available. Agent Installation Flow Remote agent installation flow is shown in Figure 2. Figure 2: Agent Installation Flow In order to initiate a new installation, the operator of the Pegasus system should only insert the target phone number. The rest is done automatically by the system, resulting in most cases with an agent installed on the target device. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 38 of 111 Agent installation initiation is shown in Figure 3. Figure 3: Agent Installation Initiation Supported Operating Systems & Devices NOTE: Android-based devices are often added to the supported list. An updated list can be sent upon customer request. Installation Failure The installation can sometimes fail due to following reasons: 1. Unsupported device: the target device is not supported by the system (which appears above). 2. Unsupported OS: the operating system of the target device is not supported by the system. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 39 of 111 3. Unsupported browser: the default browser of the device was previously replaced by the target. Installation from browsers other than the device default (and also Chrome for Android based devices) is not supported by the system. In any of the above mentioned cases, if the operator initiates a remote installation to a non-supported device, operating system or browser, the injection will fail and the installation will be aborted. In these cases the process is finished with an open browser on the target device pointing and showing the URL page which was defined by the operator prior the installation. The device, OS and browser are identified by the system using their HTTP user agent. If by any reason the user agent was manipulated by the target, the system might fail to correctly identify the device and OS and provide the wrong installation payload. In such case, the injection will fail and the installation will be aborted, showing again the above mentioned URL page. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 40 of 111 Data Collection Upon successful agent installation, a wide range of data is monitored and collected from the device: Textual: Textual information includes text messages (SMS), Emails, calendar records, call history, instant messaging, contacts list, browsing history and more. Textual information is usually structured and small in size, therefore easier to transmit and analyze. Audio: Audio information includes intercepted calls, environmental sounds (microphone recording) and other audio recorded files. Visual: Visual information includes camera snapshots, photos retrieval and screen capture. Files: Each mobile device contains hundreds of files, some bear invaluable intelligence, such as databases, documents, videos and more. Location: On-going monitoring of the device location (Cell-ID and GPS). The variety of data that is collected by the Pegasus system is shown in Figure 4. Figure 4: Collected Data The data collection is divided into three levels: Initial data extraction Passive monitoring Active collection https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 41 of 111 Initial Data Extraction Once the agent is successfully injected and installed on the device, the following data that resides and exists on the device can be extracted and sent to the command and control center: SMS records Contacts details Call history (call log) Calendar records Emails Instant Messaging Browsing history As opposed to other intelligence collection solutions which provide only future monitoring of partial communications, Pegasus allows the extraction of all existing data on the device. As a result the organization benefits from accessing historical data about the target, which assists in building a comprehensive and accurate intelligence picture. NOTE: Initial data extraction is an option and not a must. If the organization is not allowed to access historical data of the target, such option can be disabled and only new arrival data will be monitored by the agent. Passive Monitoring From the point the agent was successfully installed it keeps monitoring the device and retrieves any new record that becomes available in real-time (or at specific condition if configured differently). Below is the full list of data that is monitored by the agent: SMS records Contacts details Call history (call log) Calendar records Emails Instant Messaging Browsing history Location tracking (Cell-ID based) Active Collection In addition to passive monitoring, upon successful agent installation a wide set of active collection features becomes available. Active collection refers to active requests sent by the operator to collect specific information from the installed device. These set of features are called active, as they carry their collection upon explicit request of the operator. Active collection allows the operator to perform real-time actions on the target device, retrieving unique information from the device and from the surrounding area of the target, including: Location tracking (GPS based) https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 42 of 111 Voice calls interception File retrieval Environmental sound recording (microphone recording) Photo taking Screen capturing Active collection differentiates Pegasus from any other intelligence collection solution, as the operator controls the information that is collected. Instead of just waiting for information to arrive, hoping this is the information you were looking for, the operator actively retrieves important information from the device, getting the exact information he was looking for. Description of Collected Data The different types of data available for extraction, passive monitoring and active collection with their respective features are listed in Table 1. Table 1: Collection Features Description https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 43 of 111 2 For active collection features, initial data is not extracted before a request is initiated by the user. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 44 of 111 The above mentioned data is the potential data that could be collected by an agent. The agent will collect the data that is applicable and available on the device. If one or more of the above mentioned applications does not exist and/or removed from the device, the agent will operate in the same manner. It will collect the data from the rest of the services and applications which are in use in the device. Also, all the collected data from the removed application will still be saved on the servers or at the agent, if it was not yet transmitted back to the servers. In addition, the above mentioned data that is collected by the agent covers the most popular applications used worldwide. Since applications popularity differs from country to country, we understands that data extraction and monitoring of other applications will be required as time evolves and new applications are adopted by targets. When such requirement is raised, we can fairly easily extract the important data from virtually any application upon customer demand and release it as a new release that will become available to the customer. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 45 of 111 Collection Buffer The installed agent monitors the data from the device and transmits it to the servers. If transmission is not possible3 the agent will collect the new available information and transmits it when connection will become available. The collected data is stored in a hidden and encrypted buffer. This buffer is set to reach no more than 5% of the free space available on the device. For example – if the monitored device has 1GB of free space, the buffer can store up to 50MB. In case the buffer has reached its limit, the oldest data is deleted and new data is stored (FIFO). Once the data has been transmitted, the buffer content is totally deleted. . 3 No data channels are available; Device is roaming; Device is shut down. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 46 of 111 Data Transmission By default, the collected data (initial data extraction, passive monitoring and active collection) is sent back to the command and control center in real-time. The data is sent via data channels, where Wi-Fi is the preferred connection to use when it is available. In other cases data is transmitted via cellular data channels (GPRS, 3G and LTE). Extra thought was put into compression methods and focusing on textual content transmission whenever possible. The data footprints are very small and usually take only few hundred bytes. This is to make sure that the collected data is easily transmitted, ensuring minimal impact on the device and on the target cellular data plan. If data channels are not available, the agent will collect the information from the device and store it in a dedicated buffer, as explained in Data Collection section. Data transmission is automatically ceased in the following scenarios: Low battery: When the device battery level is below the defined threshold (5%) all data transmission processes are immediately ceased until the device is recharged. Roaming device: When the device is roaming, cellular data channels become pricy, thus data transmission is done only via Wi-Fi. If Wi-Fi does not exist, transmission will be ceased. When no data channels are available, and no indication for communication is coming back from the device, the user can request the device will communicate and/or send some crucial data using text messages (SMS). CAUTION: Communication and/or data transmission via SMS may incur costs by the target and appear in his billing report thus should be used sparingly. The communication between the agent and the central servers is indirect (through anonymizing network), so trace back to the origin is non-feasible. The Pegasus system data transmission process is shown in Figure 5. Figure 5: Data Transmission Process The channels and scenarios for transmitting the collected data are shown in Figure 6. Figure 6: Data Transmission Scenarios https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 47 of 111 Data Transmission Security All connections between the agents and the servers are encrypted with strong algorithms and are mutually authenticated. While data encryption is probably the most urging issue, extra care was given to ensure minimal data, battery and memory are consumed within the agents requirements. This is meant to make sure that no concerns are raised by the target. Detecting an operating agent by the target is almost impossible. The Pegasus agent is installed at the kernel level of the device, well concealed and is untraceable by antivirus and antispy software. The transmitted data is encrypted with symmetric encryption AES 128-bit. Pegasus Anonymizing Transmission Network Agent transparency and source security are the guiding principles of the Pegasus solution. To assure that trace back to the operating organization is impossible, the Pegasus Anonymizing Transmission Network (PATN), a network of anonymizers is deployed to serve each customer. The PATN nodes are spread in different locations around the world, allowing agent connections to be redirected through different paths prior to reaching the Pegasus servers. This ensures that the identities of both communicating parties are highly obscured. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 48 of 111 Data Presentation & Analysis Successful data collection from hundreds of targets and devices generates massive amounts of data for visualization, presentation and analysis. The system provides a set of operational tools to help the organization to transform data into actionable intelligence. This is to view, sort, filter, query and analyze the collected data. The tools include: Geographical analysis: Track target's real-time and historical location, view several targets on map Rules and alerts: Define rules to generate alerts upon important data arrival Favorites: Mark important and favorite events for subsequent review and deeper analysis Intelligence dashboard: View highlights and statistics of target's activities Entity management: Manage targets by groups of interest (e.g., drugs, terror, serious crime, location, etc.) Timeline analysis: Review and analyze collected data from a particular time frame Advanced search: Conduct search for terms, names, code words and numbers to retrieve specific information The collected data is organized by groups of interest (e.g., drugs group A, terror group B, etc.) and each group consists of targets. Each target consists of several devices which some have installed agents on them. The collected data is displayed in an easy-to-use intuitive user interface and when applicable emulates popular display of common applications. The intuitive user interface is designed for a day-to-day work. Operators can easily customize the system to fit their preferred working methods, define rules and alerts for specific topics of interest. The operator can choose to view the entire collected data from specific target or only specific type of information such as location information, calendar record, emails or instant messages. Pegasus calendar monitoring screen is shown in Figure 7. Figure 7: Calendar Monitoring https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 49 of 111 Pegasus call log and call interception screen is shown in Figure 8. Figure 8: Call Log & Call Interception Pegasus location tracking screen is shown in Figure 9. Figure 9: Location Tracking https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 50 of 111 The presentation fields of the collected data are listed in Table 2. Table 2: Presentation of Collected Data https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 51 of 111 Rules & Alerts The Rules & Alerts module in the system alerts when important event takes place. Rules must be defined in advance and they help the operators to review and take actions in real-time, for example: Geo-fencing: o Access hot zone - Alert when target reached an important location o Leave hot zone - Alert when target left a certain location Geo-fence alerts are based on a perimeter around a certain location, where the operator defines the size of the perimeter. Meeting detection: Alert when two targets meet (share the same location) https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 52 of 111 Connection detection: o Alert when a message is sent from/to a specific number o Alert when a phone call is performed from/to a specific number Content detection: Alert when a defined word/term/code word is used in a message Data Export The system is designed as an end-to-end system, providing its users with collection and analysis tools. However, we understands that there are advanced analysis capabilities and data fusion requirements from other sources, therefore the system allows the exporting of the collected information and seamless integration with 3rd party backend or analysis systems available. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 53 of 111 Agent Maintenance Once agent is installed on a certain device, it has to be maintained in order to support new features and change its settings and configurations or to be uninstalled when it is no longer providing valuable intelligence to the organization. Agent Upgrade When agents' updates are released they become available to install. These new agents are now ready for installation on new targets' devices or as upgrades for existing agents installed on target's devices. These updates provide new functionalities, bug fixing, support for new services or improve the agents overall behavior. Such updates are crucial to keep the agent functional and operational in the endless progress of the communication world and especially the smartphone arena. There are two types of agent upgrades: Optional upgrade: agent upgrade is not mandatory by the system. The user decides when, if at all, to upgrade the agent. Mandatory upgrade: agent upgrade is mandatory by the system. The supervisor must upgrade the agent otherwise no new information will be monitored from the device. Upgrade sometimes requires an installation of a new agent and sometimes just a small update of the existing agent. In both cases the user is the only one to decide when to conduct the upgrade, and therefore should plan this accordingly. Once the command for upgrade was sent by the user, the process should take only few minutes. The process might take longer if the device is turned off or has bad data connection. In either case, the upgrade will be accomplished once a decent data connection becomes available. Agent Settings Agent settings are set for the first time during its installation. From this point, these settings serve the agent, but can always be changed if required. The settings include the IP address for transmitting the collected data, the way commands are sent to the agent, the time until the agent is automatically uninstall itself (see self-destruct mechanism for more details) and more. Agent Uninstall When the intelligence operation is done or in case where the target is no longer with interest to the organization, the software based component ("Agent") on the target's device can be removed and uninstalled. Uninstall is quick, requires a single user request and has no to minimal effect on the target device. The user issues a request for agent uninstall which is sent to the device. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 54 of 111 Once agent is uninstalled from a certain device it leaves no traces whatsoever or indications it was ever existed there4. As long as the agent is operational on the device and a connection exists between him and the servers it can be easily and remotely uninstalled. . Uninstall can always be done remotely no matter what was the method used for installation. Physical uninstall is also an option, if needed. Uninstalling an agent does not mean losing the entire collected data – the entire data that was collected during the time that the agent was installed on the device will be kept in the servers for future analysis. Self-Destruct Mechanism The Pegasus system contains self-destruct mechanism for the installed agents. In general, we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working. The mechanism is activated in the following scenarios: Risk of exposure: In cases where a great probability of exposing the agent exists, a self-destruct mechanism is automatically being activated and the agent is uninstalled. Agent can be once again installed at a later time. Agent is not responding: In cases where the agent is not responding and did not communicate with the servers for a long time5, the agent will automatically uninstall itself to prevent being exposed or misused. 4 In some cases, uninstall can result in device reboot. If reboot takes place, it happens once agent removal is done. The device comes up clean with no agent installed. 5 The default time is 60 days, but can be reconfigured for any period of time required https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 55 of 111 Solution Architecture The Pegasus system’s major architectural components are shown in Figure 10. Figure 10: Solution Architecture Customer Site NSO is responsible to deploy and configure the Pegasus hardware and software at the customer premises, making sure the system is working and functioning properly. Below are the main components installed at the customer site: WEB Servers Residing at the customer's premises, the servers are responsible for the following: Agent installation and monitoring Agent maintenance: Remotely control, configure and upgrade installed agents Data transmission: Receive the collected data transmitted from the installed agents Serve the operators' terminals Communications Module The communications module allows interconnectivity and internet connection to the servers. Cellular Communication Module The cellular communication module enables remote installation of the Pegasus agent to the target device using cellular modems and/or SMS gateways. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 56 of 111 Permission Module The Pegasus permission management module defines and controls the features and available content allowed for each user based on their role, rank and hierarchy. Data Storage The collected data that was extracted and monitored by the agents is stored on an external storage device. The data is well backed-up and with full resiliency and redundancy to prevent failures and downtime. Servers Security All the servers reside inside the customer's trusted network, behind any security measures it may deploy as well as security measures that we supply specifically for the system. Hardware The system standard hardware is deployed on several servers connected together on couple of racks. The equipment takes care of advanced load balancing, content compression, connection management, encryption, advanced routing, and highly configurable server health monitoring. Operator Consoles The operator's end-point terminals (PC) are the main tool which the operators activate the Pegasus system, initiate installations and commands, and view the collected data. Pegasus Application The Pegasus application is the user interface that is installed on the operator terminal. It provides the operators with range of tools to view, sort, filter, manage and alert to analyze the large amount of data collected from the targets' agents. Public Networks Apart from local hardware and software installation at the customer premises, the Pegasus system does not require any physical interface with the local mobile network operators. However, since agent installations and data are transferred over the public networks, we makes sure it is transferred in the most efficient and secured way, all the way back to the customer servers: Anonymizing Network Pegasus Anonymizing Transmission Network (PATN) is built from anonymizing connectivity nodes which are spread in different locations around the world, allowing agent connections to be directed through different paths prior to reaching the Pegasus servers. The anonymized nodes serve only one customer and can be set up by the customer if required. See more information in Pegasus Anonymizing Transmission Network section. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 57 of 111 Target Devices The above mentioned architecture allows the operators to issue new installations, extract, monitor and actively collect data from targets’ devices. See more details in Supported Operating Systems & Devices. NOTE: The Pegasus is an intelligence mission-critical system, therefore it is fully redundant to avoid malfunctions and failures. The system handles large amounts of data and traffic 24 hours a day and is scalable to support customer growth and future requirements. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 58 of 111 Solution Hardware The hardware specifications for operating the Pegasus system depends on the number of concurrent installed agents, the number of working stations, the amount of data stored and for how long should it be stored. All the necessary hardware is supplied with the system upon deployment and may require local customization that has to be handled by the customer based on we directions. If required, hardware can be purchased by the customer based on the specifications provided by we. Operators Terminals The operator terminals are standard desktop PCs, with the following specifications: Processor: Core i5 Memory: 3GB RAM Hard Drive: 320GB Operating System: Windows 7 System Hardware To fully support the system infrastructure, the following hardware is required: Two units of 42U cabinet Networking hardware 10TB of storage 5 standard servers UPS Cellular modems and SIM cards The system hardware scheme is shown in Figure 11. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 59 of 111 Figure 11: Pegasus Hardware https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 60 of 111 https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 61 of 111 System Setup and Training We are responsible for the system setup and training before its hand-over to the customer. System Prerequisites Successful installation of the Pegasus system requires the following preparations of the servers' room: Sufficient room to contain two 42U racks cabinet, 5x5x2.5m (LxWxH) Air conditioned (18°C) room Access restriction Routing from end-point terminals to servers room Reliable cellular network reception (at least -95 dBm) 2 x Electrical outlets (20A) per rack 2 x Symmetric ATM lines from different ISP's. Each line with a bandwidth of 10MB containing 8 external static IP addresses: o ISP #1: Fiber optic-based network o ISP #2: Ethernet category-7 cable-based network The mission-critical system requires two parallel networks to ensure system resilience and downtime is kept to an absolute minimum. 2 x E1 PRI connections, each contains 10 extensions (two different service providers is recommended) 2 x anonymous SIM cards for each local Mobile Network Operator 3rd party services registration as required System Setup The solution will be deployed at the customer site by we personnel Deployment duration usually requires 10-15 working weeks Operating environment prerequisites must be met System setup includes hardware and software installation, and in addition integration to local environment and systems Support and adaptations to the different local device firmware versions Training Upon system installation, we personnel will conduct full training sessions. Training can take place onsite or in any other location required by the customer, including we headquarters. Training session includes the following: Basic system usage System architecture Advanced system usage and roles https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 62 of 111 Real-world simulation exercises The recommended number of attendees is with respect to the number of installed operator consoles. High Level Deployment Plan The process of adapting, installing and testing the system in a new customer site in listed in Table 3. Table 3: Pegasus Deployment Plan Phase 1 – Preparations: Requirements for an Acceptance Test Procedure (ATP) are defined together with the customer Hardware and software acquisition and customization to answer customer requirements and needs When required, the Pegasus system is integrated with local infrastructures and systems System adaptations to the local mobile networks Phase 2 – Implementation: System testing Hardware installation System adaptations to local device firmware versions https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 63 of 111 Phase 3 – Training and Completion: Detailed system training, real-life scenarios practicing and simulation Customer ATP as defined during phase 1 System Acceptance Test (SAT) We have gained substantial experience in installing and implementing the Pegasus system. The following acceptance test plan verifies that the system works as required and validates that the correct functionality has been delivered. It describes the scope of the work to be performed and the approach taken to execute the proper tests to validate that the system functions as mutually agreed with the customer. The tests are divided into 3 stages: Functionality tests Network and providers tests Customer tailor specific tests An official system hand-over from we to the customer is done once the system has been deployed, tested and demonstrated. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 64 of 111 Maintenance, Support and Upgrades We provides, as default, one year of maintenance, support and upgrades services. These services include: Maintenance and Support We provides maintenance services and three-tier level support that includes: Tier-1: Standard system operations problems o Email and phone support Tier-2: Proactive resolving of technical problems o Dedicated engineers will inspect, examine and resolve common technical issues, putting their best efforts o Remote assistance using remote desktop software and a Virtual Private Network (VPN) where requested Tier-3: Bug fixing and system updates of substantial system malfunctions Phone support: In addition to the above mentioned, we provide phone and email support to any question and problem that is raised. In addition, the customer will be able to add the following support: Planned or emergency onsite assistance Health monitoring system Upgrades We have releases major upgrades to the Pegasus system few times a year. Such upgrades usually include: New features New devices/operating system support Tailored features based on customer requirements Bugs fix Case Document 1-1 Filed 10/29/19 Page 65 of 111 EXHIBIT 11 ia t.,1 l-t !. Ww "# re 5 Dl-/ - 11 fiT l ! I c{ I r:{ d)try bt i Er-tQ nt, t t rl.t .) I t' Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 66 of 111 i t i I ,l t't 1 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 67 of 111 b t>z I /l @ -\ ,'l ) I it t' i,, rl il il 'ii AGREEMENT This Agreement (the "Agreement") is entered into on Decernber I7'h, 2015 (the "Effective Date") between Infraloks Development Limited, a company incorporated.urder the.laws of the Republic of Ghana (company registration number CA-66,115), having its registered offices at HSE number 1 plot 50, 7'' Avenue Extension, North Ridge ACCRA, P.o. Box 30712 KrA, ACCRA (the "Company") and tJre National Communication Authorify of the Republic of Ghana (the "End-User"). Whereas, the Company is engaged in tbe business of resellilg and supplying cyber intelligence solutions developed, integrated and supplied by the NSO Group Technologies Ltd. (company regisfration number 514395409), an Israeli Company, having its registered offices at 9 Hamada St., Herzliya, Israel (tie "System Provider") which has developed the System (as defined below); and 'Whereas, the End-User is interested to purchase from the Company a License (as defined below) to use the System (as defined below), and obtain services related to it, soleiy for the use of the End-User as further set forth herein, and the Company has agreed to provide a License to use the System and related services to the End-User; and Whereas, tlie parties wish to set forth the terms under which such sale and purchase shall be made. Now, therefore, in consideration of the foregoing premises and the mutual covenants herein contained, l,l and for other good and yaluable consideration, the parties agree as follows: 1. Definitions and Exhibits In this Agreemen! unless the context otherwise requires, terms defined in the preamble and the recitals shall have the same meaning when used elsewhere in this Agreement and the following terms shall have the meanings ascribed thereto below: 1.1. il "Agreement" has the meaning ascribed to it in the preamble. i1 . "Approval" has the meaning ascribed to it in Section 5.1. "Bu-siness Day" rneans a day (other than a Friday, Saturday or Sunday) on which banks are generally open in Israel and in the Republic of Ghana for normal business. tl il "Certificate" has the meaning ascribed to it in Section 5.1 "Commissioning Notice" it in Exhibit B. has the meaning ascribed to , "Company" has the meaning ascribed to it in the preamble. I "Confidential Informatiotr" means any information provided by the Company to the and/or the End-User. "Deployment" has the meaning ascribed to it in Exhibit A. il "Effective Date" has the meaning ascribed to it in the preamble. ;l "Etrd-{Jser" has the meaning ascribed to it in tbe preamble. il "X'irst fnstallment" has the meaning ascribed to it in Exhibit B. "Force Majeure" has the meaning ascribed to it in Section 14. il I "Hardware Equipment" has the meaning ascribed to it in Exhibit A. "fiVlOD'means the Israeli Ministry of Defense, il "License" has the meaning ascribed to it in Section 2.1. I "Reseller" N/A. I t it " Reseller Representative" N/A. "Reseller Appointment Letter" N/A. itll^- _mp ; i \ /r Agreement rc012015 Pagel of 46 / Nt tal L5 1-1 Filed 10/29/19 Page 68 of 111 Case 3:19-cv-07123 Document I ! st I t- ) ) j : I ) "Reseller Appointment Letter" N/A, l,i ri "End-User Responsibilities" has the meaning ascribed to it in Section 4. 1",,1 "Services" has the meaning ascribed to it in Exhibit A. rl ii "SLAU has the meaning ascribed to in Section 6.2 "support Period" has the meaning ascribed to "Support Period Consideration" "support Services" . i: "Training" "'Warranfi/" i{ tl it in Exhibit B in Section 6. "System" has the meaning ascribed to it in Exhibit A. "system Provider" il has the meaning ascribed to has the meaning ascribed to it "system Considerafion" ' it in Section 6.1. has the meaning ascribed to has the meaning ascribed to it it in Exhibit B. at the preamble. has the meaning ascribed to it in.Exhibit A. has the meaning ascribed to it in Exhibit A. "Warrant5r Period" has the meaning ascribed to it in Exhibit A. 1.2. 't t.l The following are the exhibits in this Agreement; Exhibit A ri - Description of System and Services Exhibit A- I - Features and Capabilities Exhibit A-2 - List of Hardware Equipment Exhibit B - Consideration Exhibit C - Installation Requirements ii il rl I llii i and Software Exhibit D - Service Level Agreement 2 Provision of License and Services. I j 2-1. Subject to the terms of this Agreement and the payment of the System Consideration in full, the System Provider shall provide the End-User a limited, exclusive, nontransferable, non.pledgeable and non-assignabte license to use the System solely for the End-User's internal use, and for the purpose that it is intended for (the "License"), 2.2. Subject to provisions of Sections 2.3 and 5.2 below, within one-hundred (100) Business Days following the occurrenoe of the later of (i) receipt by the System Provider of the Approval, (ii) the completion of the Due-Diligence Process, and (iii) the receipt by the ll rl t Company r I I I i i i T I t il it of the First Installmen! in full, the System Provider shall complete the Deployment and shall conduot the Training. 2.3. . The provision of the Systern, the License and the Services by the System Provider in accordance with the time schedule set forth in Section 2.2 above and the performance by the Company of all its obligations under this Agteement is conditioned upon (i) the fulfillment by the End-User of all of the End-User Responsibilities when due, and (ii) the actual receipt by the Company of each payment of the System Consideration rvhen due, in tull. It is hereby clarified that the Company shall not be held responsible or liable for any delay in the provis.ion of the System, the License and/orthe Services, if such delay was due to any miss-performance or delay in the fulfillment of any of the End-User Responsibilities and/or payment obligations and/or due to a delay in the performance or achievement of the pre-requisite conditions set fbrth in Section 5 below. In the event of a delay in the performance of any of rhe End-User Responsibilities and/or payment ubl.igul,ious uul/ur [hu purlunrrullue ur uchieventeut of the pre requisitc conditions set f-l [,\)" il I I Agreement 100/2015 Page 2 of 46 Lnt g l-l-t Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 69 of 111 ,( 't lr i ,ii ,'l forth in Section 5 below, the Company's obligations shall be postponed by such number of days equal to number of days by which the time schedule was delayed due to acts or I ,t rl .il l, omissions caused by the End-User. ) t. I 2.4. I' i;l ji, If any sum payable pursuant to this Agreement shall not have been paid to the Company by its due date, then, without prejudice to any other right or remedy available to the Company in accordance with the terms of this Agreement or by law, the End-User shail pay interest thereon at a daily rate of 0.04yo, accumulated on a daily basis, in respect of the period starting on the due date of the delayed payment and ending on the date of the actual payment. In addition, the Company reserves the right to suspend contractual performance or the use of the System or the Services until the End-User has made payment of the overdue amount together with interest that has accrued thereupon, in full. ir ilt; I l 2.5, il lt Consideration; Payment Terms J I 3.1 . In consideration for the provision of the License, the System and the Services, the EndUser shall pay the Company the System Consideration 6s set forth in Exhibit B. I il So long as the System Consideration is not received by the Company, in full, and so long as the Company has not provided the Commissioning Notice, the End-User shall not be entitled to use the System and no license to use the System shall be deemed granted. 3.2. The System Consideration shall be paid by the End-User to the Company in instaliments as set forth in Exhibit B. 3.3. The System Consideration, the Support Period Consideration and any other payments made to the Company under this Agreement are exciusive of all state, provincial, municipal or other government, excise, use, sales, VAT or iike taxes, tariffs, duties or surcharges, now in force or as may be enacted in the future, which shall be bome by the I I , Company, provided, however that the Company shall bear all income taxes imposed on li the Company in connection with this Agreement. Each payment under this Agreement i1 shall be paid by the End-User against an invoice to be issued by the Company. 3.4. Any and all amounts paid to the Company under this Agreement are non-refundable, and may not be claimed or reclaimed by the End-User. 4. ii I I tl The End-User's Reqponsibilitie!. The End-User undertakes to perform obligations in a timely manner (the "End-User Responsibilities"): 4.1. fulfillment of all of the technical and installation requirements listed in Exhibit C at the End-User's site, prior to the delivery of the Hardware Equipment; 4.2. obtainment and maintenance of all permits and approvals required to be obtained from any regulatory and governmental authority relating.to the End-User, under any and all applicable legal requirements for the performance of this Agreement; 4.3. 4.4, delivery of the Certificate to the Company; 4.5. I It l [l I I il I I all of the following provision of any and all applicable information and documents required by the System Provider for the performance of the Due-Diligence Process, on a timely manner; and provision of any and all additional required conditions to enable the performance of the Company's obligations under this Agreernent when due, including without limitation, (if required) and assuring availability personnel participation in the Training. for the End-User's release of the Hardware Equipment from custom 5 of Pre-Conditions, 5.1 The provision of the License. the System and the Scrviccs and the performance by the Company of its obligations under this Agreement arc subject to (i) the receipt by the Syntcrl Proyidcr of thc originol certificote indicating the ldentity nf tht: Enrl-Ilscr. irt accordance with the requirements of the IMOD (the "Certificate"), (ii) the receipt by the Systom Providor of tho approval of the IMOD forthc provision of thc I.iccnsc, Systcm i .] I I t, I I I ,l It$" Agreoment 100/2015 Page 3 of46 6sr / /) \i :l Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 70 of 111 - ' , i ?l (---> ( -> .; r : .: ,1 btEb t' /' t! ':,1 t, ' i, and the Services as set forth herein (the "Approval"), (iii) the completion of a duediligence process to the Company by the System Provider (the "Due-Diligence ijl Process"). 5.2. I !j tlI ll , For the avoidance of any doubt, no products, Iicenses, equipment or services shall be provided by the Company under this Agreement until the Certificate is delivered to the System Provider and the Approval is obtained. In the event that the Certificate is not received by the System Provider andJor the Approvai is not obtained within six (6) months as ofthe date hereof, or in the event that the System Provider receives, earlier, a formal notice from the IMOD that the application for the Approval is denied, or in the event that the Approval is canceled, terminated or suspended, the Company shall have the right to terminate this Agreement by providing the End-User a written notice, and such termination shall not be considered a breach of this Agreement, and the Company shal1 not be held responsible or liable in connection with such tennination. Fulther, the Company hereby acknowledges and agrees that the actual performance of the activities contemplated herein is conditioned upon the completion of the Due Diligence Process to the System Provider's fuli satisfaction which otherwise may terminate this Agreement at its sole discretion, by providing the Company a written notice, and such termination shall not be considered a breach of this Agreemen! and the Company. shall not be held responsible or liable in connection with such termination. lr ll Itl tlir it 6. lr li Technical Support and Maintenance Services. F ollowing the expiration of the Waranty Period, the End-User shall be entitled to purchase technical support and maintenance services (the "support Services") under the following terms: rl ti11 6.1. rl 6.2. The Support Services shall be provided in accordance with the System Provide/s standard services level agreement, as may be amended from time to time. A copy of the System Provider's current service level agreement is aftached hereto as Exhibit D (the 'sLA"). 6,3. The consideration for the Support Services for each Support Period and the payment The End-User may purchase Support Services for periods of twelve (12) month each (each such period ir i, I il ,lii i,l - a "Support Period"). terms of such consideration are as set forth in Exhibit B. i1 7 :i il ! ,--' l { it il 1l ]l 8 l ll -t l l ,.1 1t rl I i it1l il I it I,I I I i I Itl Intellectual Property Rights. All the rights pertaining to the System, the Services and the License, including, but not limited to, all patents, trademarks, copyrights, service matks, trade names, technology, know how, moral rights and trade secrets, al1 applications for any of the foregoing, and all permits, grants and licenses or other rights relating to the System and the Services are and shall remain the sole properry of the System Provider, The End-User hereby acknowledges that, other than as set forth in Section 2.1, no title to the System (including the software embedded therein) is transferred to it under this Agreement or in connection hereoi and it is not granted any right in the System, including without limitation, intellectual property right' direcrlv eirher either hv by rhems themselves or through any olrher The End-User shall not, whether directiy or indirectly person, reproduce, modify, disassemble or reverse-engineer the System (including any software contained therein). r-1 rl Additional Remedy. tn the event a breach has occurred, in addition to the Company's rights and remedies under applicable law and this Agreemen! the Company may suspend or cancel the License or the provision of any ofthe Services, or take such actions necessary to prevent access to the System unti-l such time as it has received confirmation to its satisfaction that such breach was cured. The Company shall not be liable towards the End-User for any claim, losses or damages whatsoever related to its decision to suspend or cancel the provision of any of the Services, the License, or to prevent access to the System under this section. 9 Conficlentiality. The Encl-User undertakes to keep thc Confidcntial information in strict confldence ond not to disclose it to any third partv withor.it thc prinr writtcn connent of the r-l 1 AE eernent 1 00/20 1 5 Page 4 of 46 *r a-r f'*' :'-' € g )zL i' Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 71 of 111 I l: , ,' 4f i'l l.e-l t ) ) System Provider; provided, however, that the End-User may disclose such information to its respective employees and consultants having a need to know such information in order to carry out the provisions of this Agxeement. The End-User warrants that any such employees and consultants to which Confidential Information is disclosed will be bound and will abide by terms no less onerous than those contained herein and shall be responsible for any breach of :.i ijti confidentiality by such employees and consultants. Foliowing the termination of this Agreement for any reason, or upon the Company's first written demand, the End-User shall retum to the Company atl Confidential Information, including all records, products and samples received, and any copies thereof whether in its possession or under its controi, and shall erase all electronic records thereof, and shall so certify to the Company in writing 10. Limited Warrarfy It should be noted that the System Provider does not warrant that the License, the System and the Services provided hereunder will be uninterrupted, error-free, or completely secure. The System Provider does not make, and hereby disclaims, any and all implied warranties, including impiied warranties of merchantability, fitness for a particular purpose ald non-infringement. Except as otherwise expressly set forth in this Agreement (including any exhibits), the System Provider does not make and hereby disclaim's all express warranties. All products, the System and Services provided pursuant to this Agreement are provided or performed on an "as is", "as available" basis. ii Limitation of Liabilitv. In no event shall the Company be liable for any consequential, incidental, special, indirect or exemplary damages whatsoever, including lost profits, loss of business, Ioss of revenues, or any other type of damages, whether arising under tort, contract or law. The ii ii il 1t Company's aggregate liability under this Agreement shall be limited to the consideration actually received by the Company under this Agreement. {l I 1.) ii il Governing Law and Jurisdiction. This Agreement shall be governed, construed and enforced in accordance with the laws of the Republic of Ghana. Any controversy or claim arising under, out of or in connection with this Agreemenl its validity, its i-nterpretation, its execution or any breach or claimed breach thereof, are hereby submitted to the sole and exclusive jurisdiction of the competent courts in the Republic of Ghana. t3 tl Assignment. This Agreement and the rights and obligations hereunder are not ffansferable, pledgeable or assignable, by either party without the prior written consent of the other party. However, the System Provider may assign its rights and obiigations to a parent, affiliate or subsidiary company and, in the case of a merger or acquisition, to a successor company upon notice to the Company, and provided that the rights of the Company shall not be derogated pursuant to such assignment. it 14 i] I Force Maieure. The System Provider and the Company shall not be liable for any failure to perform its obligations under this Agreement due to any action beyond its conffol, including without limiktion: (i) acts of God, such as fires, floods, electrical storms, unusualiy severe weather and natural catastrophes; (ii) civil disturbances, such as strikes and riots; (iii) acts of aggression, such as explosions, wars, and terrorism; (iv) acts of government, including, without limitation, the actions of regulatory bodies which significantly inhibits or prohibits the System [l Provider and the Company from performing its obligations under this Agreement (each, a "Force l Majeure"). In the event of a Force Majeure, the performance of the Company's obligations shall be suspended dwing the period of existence of such Force Majeure as well as the period reasonably i I il required thereafter to resume the performance of the obligation. I i] 15 I I No Third Party Beneficiary, This Agreement shall not confer any rights or remedies upon any person other than the parties to this Agreement and their respective successors and permitted assigns. i { tl 16. Comnlete Agreement. This Agreement ancl the Exhihjts hereto constitute the full and entire with regard to the subject malters hereof and uurderstanding and agreement befween the parties i l I ll L-\- Agreement 10012015 Page 5 of46 U' i Gt"7 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 72 of 111 (f i "Ii. I '1 ) thereof and any other written or oral agreernent relating to the subject matter hereof existing between the parties is expressly canceled. i: ti 17 Representations. N/A. 18. No Set-Off. Not*ithstanding any right available to the End-User under law, the End-User shall not be entitled to set-off any amounts due to the Company under this Agreement' '] 19 ii 20 ,l :itl i\ 21 :t ll ll Severabitity. Should any court of competent jurisdiction declare any term of this Agreement void or unenforceable, such declaration shail have no effect on the remaining terms hereof' Interpretation. The titles and headings of the various sections and paragraphs in this Agreement are intended solely for reference and are not intended for any other purpose whatsoever or to explain, modify, or place any construction on any of the provisions of this Agreement. No Waiver. The failure of either parfy to enforce any rights granted hereunder or to take action by that Auiott tf," other parly in the evenl of any breach hereunder shall not be deemed a waiver puny as to subsiquent enforcement of rights or subsequent actions in the event of future breaches. il lt li li i) it rl il, ll '22 notices and demands hereunder shall be in writing and shall be served by personal r"rui." o. by mail at the address of the .receiving party set forth in this Agreement (or at such different address as may be designated by such party by written notice to the other pa(y). A11 notices or demands by mail shail be certified or registered mail, return receipt requested, by Notices. All nationally-recognized private express courier, or sent by electronic transmission, with confirmation received, to the telecopy numbered specified below, and shall be deemed complete upon receipt, il (t lll1 ir tltt l l) it ll t"l tl il il i-- t 1t il :l ti{l I f-t tt l I i l] ]lll ] I I l tl i I I t il Agreement 100/2015 Page 6 of 46 [J i &tLz Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 73 of 111 j :"ir ') ,4 !ti i "J 1 i .: i.. ; fn ,t lt I Witness Whereof, the parties hereto have executed this Agreement the day and year first above wriften. ,. t'A -asS 1 I ii , ! 17 i, i Development Limited r'i ij t'l iI -i.''?at { National Com munication Agency By: By: Mr. George Dgreffippong Mr. William Tevie Position: Di'rector, Business Development Position: Director General ,// ii i1 tllt il ii ilt.l il l'l il Ll itil llt.ltl ir rl ;-l rl i-1 il i-l il Ii I I ;t ll ll n ll I I i J i't II I] -l t I I Agreement 100/2015 Dl PageT of 46 l: :.:r ::i :it lr,: ,:.r ,*- {Ll c-7 ,I Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 74 of 111 ' (,t ) (? i.:i ,, iil ,11 rii rll I I Exhibit A I Description of the System and Services i_: (i ;i ii ij ii l( ti 'llii ll ilii The System; The System Provider's Pegasus system is comprised of the following (the ,,system,,): (a) the features and capabilities detailed in the table atlached hereto as Exhibit A-i. operational with of Ghana mobile numbers (residing in the Republic of Ghana), using the System Provider's supported devices running the Sysiem Provider's certified versions of Blackberry, Android and ios operating systems,incluaing zs concurrent targets; and respect fo the Republic (b) the hardware equipment (the "flardware Equipment") and software which are required for the installation of the System, including s confolitaiions, as listed in &dibit A-2 attachedherero. The Services: The services related to the system include the following (the ,'services,'): . (a) Depl6yment of the System at the End-User's site for use with respect to the Republic of Ghana mobile numbers residing in the Republic of Ghana (as set forifr in Section'(a) above) (the "Deployment,'); (b) Two (2) week training course and one (1) week on-site handover, which shalt be held in English (the "Training,,); (c) il 12 months warranty (the "Warranty Period") commencing at the date of the provision Commissioning Notice, which shall be provided in accordanc-e with the Company,s SLA. i1 No warranty is provided by the System Provider with respect to the hardware components of the illi of the System' To the extent permissible, Hardware Equipment warranty will be provided ty tne System Provider back to back with the warranty provided by the suppliers of the Hardware Equipment. i't il i/ r-l it lllt tl I I I n ll -l I I I I C\!)\ Agrcr:rrrcnl 10012015 Page I of46 r ','[ Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 75 of 111 ) i \ 'i.-. \-/i Exhib it A-1 Features and Capabilities Supported OS: ios 7.x-9"1 Safari . Clicking on Android BlackBerry 4.x-5 5.x - 7.1 a link will always result in Safari browser . Native browser (Webkit based) . Chrome versions lg up to 45 (excl. 1g.0.1025.166) . Focus mainly on Samsung Galaxy devices Native browser (w L\ based) N e 2\ o(\\ 'u' Agre=ment 100/2015 Page 9 of46 i1 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 76 of 111 ::: :- f=: r-:: r"**1 C\ g*\ i- \_./, Insta llation: ;t::,r. Remote Installation Push Message ,,l..ll device. This rnethod does not require the l:....:r applications) .'.'.' :::t:,, .tu:.. V V devices (OS a.x). Depends on rhe local ROM settings \/ The message content and link lure the target to click (only once) and browse to an innocent website. Clicking the link triggers a silent installation which runs in the c( (F : Infcction Assisting Tools MMS Fingerprint ..:..ti ii . Works on most BlackBerry devices . Works on a variety of Android Crafted Message An innocent message is sent to the (SMS, Email and target device which contains text other 3rd party and link. :,,.r: :.... Infection is done by silently pushing an installation to the Reveal the target device and OS version by sending an MMS to the device. No user interactiorl ti; engagement or message opening is required to receive the device .l:r, Sender ID Spoofing .'.. Set an alphanumeric sender identification for SMS and MMS. This fearure may be blocked by the local mobile network operator. V V Feature implementation subjects to site survey results. Note: MMS content appears on the device. This feature may be blocked by the local mobile network operator. V V \/ V Feature implementation subjects to site stwey results. .:::::. Control tink URL Set any DNS to be used as the installation link ...... Domains to be defined and purchased the customer V rc .-.s i- ::ti.i -1 Agreement 100/2015 Page 10 of46 i\, . .,1 -\ .+\ t-. l-.-:l .--l .-l i..-,.- i Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 77 of 111 _-"-l -.--t --. -l ---] ',.,...,i 1,...,..r l... ., i. -.I -^i.r :nc .., , .1 (,. -_!-a:r.44:r Agent Sun'ivability 1,.._.' Pcrsistency The installed collection Factory Reset ,, " :;,".:t:.:cohil- ,c.ilB,,, rr.1ri. ,,.,: l- :., Blackllerrw tool a Device reboot refers to . Device restart . Device tum off . Device battery drain survives device reboot. . ili.., The agent collection tool endures device factory reset. V Factory reset, also known as m€$ter reset, restores the device original manufacturer settings resulting in perrnanent erasing all ofthe :,.i informafion stored on the device. Blocking OS Upgrade The agent collection tool blocks the user from upgrading the OS version. Agent Uninstall Uninstall Permanently remove the agent collection tool The device acts like it has the latest OS version or is not allowed to perform off-the-air OS upgrade. Note: Physical OS upgrade is still Done remotely without any us€r V G (," V ): V a _-9 d t-U 1 Agreement 10012015 Page 11 of46 ,:,,no i::t ,m:_] Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 78 of 111 r: r: r-::l ! - .i j =-l ---=r-_) Y 7 xan Collection: () 6r 2 e g v, m 7 s E (t i,r -i I: StriD, i rl f{istorical I Contact details Data Extraction: Extract all existing data from the device. Gain access to SMS Extraction is done for all available (non-empty) fields. Extracts all incoming and outgoing text messages (sMS) BlackBerrv :Android ios V V V V V the device iMessage historical data. Extracts all incoming outgoing iMessages from 6r = Extracts all contacts available on the device including their and the Messages sent only between iOS devices device [,mails Extracts all emails that exist on the device g c Extracts only from the device slock application and Gmail application. Emails are presented in HTML 4 V N (r format. Call Log H Extracts the history of incoming/outgoing =, calls all made V V to/from the device WhatsApp Call Log Extracts the history of incoming/outgoing calls to/fiom the device Skype Call Log Extracts the history incoming/outgoing calls all made V using of all made V to/from the device I Due to some limitations and restrictions of the operating system, certain devices might not support all listed features. Agreement 100/2015 Page 12 + of46 -,-i,,-; J. ---." i i i::_i Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 79i.".* of 111 r_: .- r::l i-r --.< 'e-, - !-:-i {_) RlrcLIlhi^, Calendar Extracts all calendar records that BBM l.zqLnDur w Viber r Jr urcns€Illlel ios V exist on the device Browsing History Android Extract the entire list of browsed websites that exists on the device Extracts only from the device native browser ication Extracts all existing incoming and outgoing instant messages Extracts only instant messages (text) from the device, including V V V personal and group chat S Facebook V Kakao Talk t- V TF V ; Line V Odnoklassniki V WeChat V fa V VKontakte V NIail.Ru Data Monitoriug: Real-time monitor ofnelv Contact details SMS arrives/sent V Monitors addition, deletion and editin of contacts on the device V Monitors incoming and outgoing text mes data that iMessage to/from rhe Monitors incoming and outgoing Messages sent devices \)O Agreemert 10012015 V Page 13 of46 only between iOS _S P t ;: l_ 80 of 111 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page ffii (:= ffi: ,t tr\ .e' r.,T: - I d device . Emails , : .. ':. , Monitors incoming and outgoing emails Monitors only the device stock application and Gmail application. Emails are presented in gfUI. format. Call Log Monitors incoming and outgoing call records WhatsApp Call Log Monitors incoming and outgoing call records of V WhatsApp on Skype CatI Log Monitors lncomlng and outgoi ng call records Calendar of ication Mon itors addifi on and editing calendar records on the device Browsing History t-? T,N of Monitors new browsed websites V V -u\l Monitors only the device nati ve \li browser BBM Monitors incoming and outgoing lnstant messages, including personal and group chat Vilrcr only instant messages (text). Indication for file transier I_vlon]tors appear and their retrieval is possible using file retrieval feature. v Iiakao Talk f V V \/ V V V Line V V Odnoklass nihi V WeChat (> V a _s .." V *:" Agreement 100i2015 Page 14 of46 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 81 of 111 L-/ : .::, tii'r II t lii$ . l,t''-:' inl {:r. . Tango V VKontakte V Mail.Ru V sures USSD Monitors incoming V network V messages from the device Call recording interception) (call Record incoming and outgoing Calls are recorded locally on the voice calls made to/from thi device and then sent to the system device Device Information V V V V servers. Monitors general details about the device, network and V connection Cell-ID Location Monitors the device cell_ID within every connection to the V command and control servers Keystroke logging Monitors keystroke typing by the regular keyboard in unsupported applications and even User raluest's real-:ime actions on target device and sensitive accounts. Front Camera Snapshot Take a snapshot using the device front Back Camera Snapshot camera rear cantera Screenshot capturing Capture a device File System listing Retrieve a No indication appears on the device V screenshot of the full list of files and Page 15 of46 V No indication appears on the device and flash is never used. (-- Agreement 100/2015 passwords for and flash is never used. Take a snapshot using the device bJ -q- Helps monitoring texting usernames Active Data Collection: 6 \ V V -E -..__.-..,..i i..,.".,..-/_, i,.....,.,",,,J t*,.....,..J ,.... .) Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 82 of 111 .l _---r r\ A\ t- ,r i ,- t'' Y ,r,i,lli ! '!ll: --BlackBerrv. folder in target device File retrieval Retrieve any file from the target device including docum GPS Location photos, audio and video File retrieval is allowed from the device intemal storage and SD card. Locate device using the device V GPS Room Tap (environmental sound recording) Tum on the microphone listen in real-time to surrounding sounds of and the the V Tuming on the microphone is done by issuing an incoming silent call to the device. No indication of the on the device at any point. The ,:.iOS V V V V device. The surrounding sounds are recorded and saved for later recording or the silent call appears playback and analysis. quality of the recording depends on the device's microphone sensitivity, t- the surrounding noise and the device : model. \A ;l H I -5 V1 E Agreement 100/2015 Page 16 of 46 [i) ,.] t----- L,..-,- -.l Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 83 of 111 t'' --_) i :'-=l] t.--,-. li I I C\) \g; Q_/ Data Transmission: 'lii . [sac:re' Data GPRSruTMS/LTE Transmission: exfiltratethe orted in Transmit collected .il.+u r.!Jrtr data uslng cellular data channels Channels used to co[ected da-a back to the command and control servers l: wi-ri Transmit collected data using Wi_Fi Data is sent in very small packets. This has very small impact on target's data Has no impact on target's data plan at all. V V V V H [,\ v -l M so\ C' q Agreement 10012015 Page 17 of46 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 84 of 111 --l A\ ---r .. .-t .- i 'I (-: Presentation: Contact details Entire values stored in the contact entry including photo available SMS . Type (SMS /USSD) . Direction (incoming, outgoing) . Contact name . Phone number . Message content USSD iMessage G . From a,Olll* HTML presentation (emulates popular email clients) . Direction . Contact name . Phone number . Duration . Date & Time . Grid . Meeting subject . Location ' tA . Grid .Iull . Subject . Folder . Account . Message content . Date & Time . Grid . Monthly calendar view (emulates popular calendar Event date and start time clients) a L Agreement 100,201S Contact card with the entire details . Grid .To .CC Calendar . Grid . . Date & Time Emails Call (Cellular catts, WhatsOOO, if Page 18 of46 -b + !.,-.,,.--i i - --_-, Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 85 of 111 u.-.. .--i L -..J , L.-,.. .*l i "l i -- jj i-- ._ (\ g Browsing History . Website name (as saved by the targe! usually the default website name) . Website URL address BBM . Type of application Viber 'Chat participants Qrlames & phones) . Conversation content . Date & Time . List . Grid . Conversation rnode . Attachments metadata (without the attachment) Facebook Kakao Talk T Line Odnoklass niki In ?r WeChat {- Tango \rKontakte Mail.Ru sures Call recording (call interception) . Direction . Contact name . Phone number . Grid . Playback interface . Duration & Tirne JDo C L ,F' Agreement -00/201S ,'] Page 19 of46 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 86:"-:: of 111 :l,l i:- i:: i+ +) ii :_ l ,. -.'.- -- r_- G1 (/ Deyice and Network Information . Battery level . Last location . Connection type (e.g., 3G, WiFi) . MSISDN . Dashboard .IMEI .IMSI . Device Manufacturer . Device model . Operating System version . Installation type (remote, physical or other) . Installation date . Last communication time . Next communication expected . Device current country . Device home country . Serving network . Home serving network GPS/Cell-ID Location . Data source (GPS/Cell-ID) . I,atitude . Longitude . Enter Tirne & Date . Leave Time & Date Text Front Camera Back Camera Screenshot the . Grid 'Map: - On map display - Full trail - Type of locarion data (GpS or Cell-ID based) . List . Grid board . Date & Time . Photo . Source ofphoto . Photo viewer --s _-s\ t, t'. Agreement 100/2015 Page 20 of 46 -?:-' Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 87 of 111 ,--l [.-:: f:.": rI r+:" 'f (\ -\) i.? d- File System listing File retrievel Room Tap (environmental sound recording) . List of folders (tuee) . List of files (grid): - . Grid . Tree view Filename Modified date File size Retrieval status . Recorded audio . Recording Date & Time . Grid . Playback interface . Duration L\J +-- -L 6o (' *\ Agreemenr 100,?015 Page 21 of46 i i i i.- -) Case 3:19-cv-07123 Document 1-1'I Filed 10/29/19 Page 88L,--."-..J of 111 L_,...*..,J ..t \.. \ '-'t ! t. ..,.,J t.....".., 1.. "; ' t i' 't ,.'-; r-. O Rules & AIerLs: Geo Fence - Acr:ess hotspot Aiert when target entered an important area Meeting detection Alert when two targets meet Connectior detection Alert when a message Geo-fence alerts are based on a perimeter around a certain location, where the operator defines the size the perimeter. The alert occurs in two target are at the same perimeter as defined by the user. The alert wifi take place also if targets visited the same location in different times. is sent from/to a specific number Alert when target AS Alert when number of a phone call is performed from/to a specific defined is corresponding the user. ith a certain num ber Alert when target conducts/receives a phone call to/from a certain number as defined bv the user. se b, t r(/ ^\ Agreement I00/2015 l:. Page ?,2 of 46 i i_;i i::t i:l i-'. .... ..,.--l t Case 3:19-cv-07123 Document 1-1 Filed I10/29/19 Page 89 of 111 . m: r:: r-:1 rl t_ (-/ Exh$[4-2 List of Hardware Equi.pment and Software The system Prorider shatl supply the fottowing ha.dware equipment and software, or similar, to enable the commissioning of the system. Disclaimer: rhis List may change per Network\Regulation\System\country feature support changes. PowerEdge R7:0xd Server 3.4GHa2 0M cache,e. i;r; ilr"# ii;iffi;, 60 Gr/s epr,rurbo, Hr,6 c/ I 2r Dell (I3s w) I R73oXI) R730/xd PCIe Riser 2, Center R730ixd PCIe Riser 1, Right PowerEdge R730xd Shipping EMEA1 (English/French/German/Spani sh,/Russi anlFlebrew) Bezel Chassis with up to 24,2.5,, Hard Drives DIMM Blanks for System with 2 processors Performance Optimized t;f 2133MT/s RDILIMs ! I8GB RDIlvIIvI,2133MT/s, Dual Rank, x8 Data Width 2 X Star-dard H:atsink for powerEdge R730/R730xd Upgrade to Two Intel Xeon E5_Z6a{ fi 3.4GH2,20M Cache,9.60GT/s QPI,Turbo,HT,r'C/l 2T (1 3 5W) iD,RACS h Enterprise, integrated Dell Remote Access controrler, Enterprise ' 2 X 300G8 t5K RpM SAS 6Gbps 2.5in Hot_plug Hard 16 X 500c8 7.:,K R'M_NLSAS6Gbps 2.5in HT30Integrated IE\C Performance Orive,i:C Hoi-plug Hard Orive,t:G RAID Controiter, lGB Cache BIOS Settings Dual, Hot-plug, Redundant power Supply (1+l), 750W 2 X C13 to Ct4. pDU Style, t0 AMp;b.6m power Cord C) PowerEdge Server FIPS TpM Inte Ethernet ii5rl QP Gb N etwork Daughter Card Intel Ethernet I] 5 0 G b Server P \, Agreement 100i2015 "t Page 23 of 46 - Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 90 of 111 ---t g,.- - f.-'r -r< a\l r_. PorverEdge R730/R7 3Oxd Motherboard No Media Required No Operating Sysrem OpenManage Essentials, Server Configuration Management Electronic System Documentation uriop"ntvtanage DVD Kit, powerEdge R730/xd OEM Order Nor Selected in this Configuration Asset Service - System & shipbox Label (Model, Svc Tag, order krformation, Basic Config Details) 91$nals Sliding Rails With Cable Management Arm RA'D 1+R{ID -5 f61H330/H730/H730p (2"t 3-22 HDDs or SSDs) Base Warranfv lYr Parts Only Warranty (Emerging Only) iNFo lYr Prosupport and Nextbusin"rs buy on-Site Service (Emerging only) 3Yr ProSuppsrt and Next Business Day On_dite Service (Emerging Only) Consolidation Fee EX-Works PowerEdge R?30 Server ilfl il:J i#ffi};, 2.4GHz,r5M cache,8.00Gr/s epr,rurb o,Hr,6c/tzr(85w) R730/xd PCIe Riser 2, Center R730 PCIe Riser 3, Left R730/xd PCIe Riser 1, Right PowerEdge R730 Shipping EMEA1 (English/French/German /Spanish.tRus sian /tlebrew ) Dell 2 R730 tro *l* Bezel Chassis with up io 8, 3.5" Hard Drives DIMM Blanks for System with 2 processors Perform ance Crptim ize d 2.l33MT/s RDII{Ms X 8Glf RD If\,[M, 2 J 3MT/s, Dual Rank, x8 Data wi dth 2 Stancarc Heatsink for PowerEdge R 730/R73 0xd U pgrade to T 'l\o Intel Xeon E5-2620 v3 2.4G },lz, 5M Cache,8 .00G T/s Turb 2T 2 V l1 O V t Agreement 130/2015 Page24 of 46 ,.\ :' '\ Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 91 of 111 :---'-l -\\ \-.--1 CJ iDTdA C8 Enterprise, integrated D ell Remote Access Control ler, Enterprise 2 X J OC'GB OK RPM SAS 6Gbps 2 .5 in H,ot-plug I{ard Dri ve,3 .5 1n HYB CARR PERC H?30 Integrated RAID Controller, t GB Cache Performalce BIO S Settings ,A, DVD+/. RW, SAT Intemal Dual, Hot-plug, Redundant power Supply (1+l), 750W Cl3 to C14, pDU Style, 10 AMp, 0.6m iower cora European Power Cord 220V PowerEdge Server FIPS TpM Intel Ethernet i350 ep 1Gb Network Daughter Card Intel Ethemet 1350 ep lGb Server adapti PowerEdge R73 0/R73 Oxd Motherboard No Media Required No Oprating System OpenManage Essentials, Server Configuration Management Electronic System Documentatio, -iop"r,lutanage DVD OEM Order Not Selected in this Configuration Ki! powerEdge R730/xd F Asset Service - System & shipbox Labei (Model, Svc Tag, order Information, Basic Config Details) ea{Vna$ Sliding Raiis With Cabte Management Arm RAID I for H3304I730/H730P (2 HDDs or"SSDs) L_. *{- b Base Warranty lYr Pars Only Warranty (Emerging Only) 11, ProSupporr an{Ne1t-Au1n.r, buy On_Sire Service (Emerging Only) 3Yr ProSupport and Next Business Day On_dite Service (Emerging OnIy) ry,Fg Consolidation Fee EX-Works PowerECge R730 Server lntel Xeon E5-2650 v3 2-3GHz,25M cache,9.60GT/s epl,Turbo,HT,l0c/20T (105w) Max Mem 2133MHz q R730/xd PCIe Riser 2, Center R730 PCIe Riser 3, Left R730/xd PCIe Riser I Ri Agreement 100/2015 Dell 2 R730 6 {. Page 25 of 46 i,=.-*.--i ;--.-,1 t.-.,i t..:; Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 92 of 111 *-:l \+) f; :---l ,:--r f.:. ffi f: f-l t----' i..-; \-1. (--' L PowerEdge R730 Shipping EMEAI (English/French./Germar/Spanish,rRussian[Iebrew) I Bezel Chassis with up ro 8, 3.5,, Hard Drives DIMM Blanks for System with 2 processors Performance Optimized 2l33MTis RDIIvIMs 8 X 16GB RDIVIU,2133 MT/s, Dual Rank, x4 Data Width 2 X Standard Heatsink for powerEdge R730/R730xd upgrade to Two Intel Xeon E5-2650 v3 z.3GHz,25M cache,9.60GT/s QPI,Turbo,HT, 1 0C/20T ( I 05W) iDRACS Enterprise, integrated Deil Remote Access conboler, Enterprise VFlastr, 8GB SD Card for iDRAC Enterprise 2 x 300cB 10K RPM sAS 6Gbps 2.5in Hor-plug Hard Drive,3.5in HyB CARR PERC HT30lntegrated RAID Controller, IGB Cache Emulex LPE12002 Dual channel gGb pcle Host Bus Adapter, Low profile Performance BlOS Settings DVD+/-RW. S.4"TA, Internal Dual, Hot-plug. Redundant power Supply (l+l), 750W C13 to Cl4. PDU Sryle, 10 AMp,0.6m Fower Cord PowerEdge Server FIPS TpM Intel Ethernet i350 Qp tGb Network Daughter Card Intel Ethernet 1350 eP 1Gb Server Adapter PowerEd ge R7l 0/R73 Oxd Motherboard No Media Required No Operating System Electronic system Documentation and openManage DVD Kit, powerEdge R730ixd OEM OrCer Not SelecteJ in this Configuration Asset Service - S.v*stem & Shipbox Label (Model, Svc Tag, order Information, Basic Config Details) ReadyRails Sliding Rails With Cable Management Arm RAID i for H330,tI730/H730p (2 HDDs oiSSOry Base Warranty lYr Parts Onl w H V\ -F 5E \ On !. ii .1 i Agreement 100/2015 t, Page 26 of 46 m m: r*::] (Xl (-: r:] _r- Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 93 of 111 --.,j r(.--, d INFO lYr ProSupport and N ext Business Day On-Site Service (Emerging Only ) Yr ProSupport ald Next Business Day On-Site Service (Emerging Only) Consolidaticn F ee EX-Works _1 PowerEdge K}'M lOglAD _ Bi Port Keyboard/Video/lr4ouse Analog Switch, EUCEM 8x USB Sen.er Interface pod, includes 2 CAT 5 Cables, Deli I 1U KMI.,{ (Touchpad, US/Intemational Keyboard and Widescreen 1g.5,, LED) with ReadyRails - Ki1 Deil I NetApp 1 TAA 1081AD FAS8O2O r< L.\ -C 2 + ? ,-C 288 0\ L Agreemenr I00/20I5 Page?7 of46 J '{ L- -.-,... . .; l...*.-"! (__*.*i L*.J t*_J Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 94 of 111 :-J L.-...,J L*_.. J ["**J l**-_,*,J i,-, ) ,1 *4: i. () Digi PortServer TS l6 port rackmounlable RJ-45 Serial to Ethemet Terminal Server One (1) span digihl T1/Ei/JllpRI pCl-Express xl card Cisco 2921 Cisco 2921 Securit_v Bundle w/SEC license pAK SMARTNET SX5XNBD Cisco 2921 Security Four port 1 Oi 10011 000 Ethemet switch interface card Cisco 2901-2921 IOS UNIVERSAL Data Paper PAK for Cisco 2901-2951 Cisco 2921/2951 AC Power Supply Console Cable 6ft with RJ45 and DBSF Cisco Config Pro Express on Router Flash lnsert Packout - PI-MSE Digium 2 Digium 2 Cisco 3 TS I6 2921 IP Base L.icense for Cisco 2gOl-ZgSl Blank faceplate for HWIC slot on Cisco ISR 512M8 DRAM for Cisco ZgOt-Zg2t ISR (Default) 256M8 Cornpact Ftash for Cisco 1900 2900 3900 ISR Secnrity License for Cisco ZgOl-2951 Blank facep_ate f.-:r DW slot on Cisco 2951 and,3925 Removable faceplate for SM slot on Cisco 290039004400 ISR !n \- K Cisco 3750X Catalyst 3750X 48 Port Data Ip Base Cisco 2 Cisco 3750X SMARTNET SxsxNBD catalyst 3750x 4g port Data Ip Base for 36 Months Catalyst 3K-X 350W AC Secondary power Supply CAT 3750X IOS TINIVERSAL WITH WEB BASE DEV MGR Cisco StackWise 50CM Stacking Cable Catalyst 3750X and 3850 Stack power Cable 30 CM Catalyst 3K-X 10G Network Module Catalyst 3K-X 350W AC Power Supply Insert Packout - PI-MSE D + (-.\ Agreement _00/2015 Page 28 of46 i, r.--.. . _..,, -,.,; !......"....,.r .t,."..-.-! t-.".-*r Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 95 of 111 . '...:,. --l l :-l -- --l .---l L-,*._J L--.._..J L.*...,.,_,, 1..,,,,,.,",,j t, i I _-::l I Catalysr 296Cr-X 48 GigE 4 x SFp LAN Base Cisco 2 Cisco 2960-X Cinterion 9 MC55i Dell l5 Dell 30 APc NetShelter SX 42u Deep Enclosure 1200x600 with Roof and sides Black APC 2 AR3300 Rack PDU 2G. Metered , ZerorJ,32A,23OV, (36) C13 APC 4 AP8853 APC 4 AP9569 10 AR8429 SMARTNET sx5xr{BD cat2960-x stk 24 GigE4xSFp LAN Base (36 Months) Insert Packout - PI-MSE Cinterion MC-< 5i l'zlodem Optiplex 701D MT ' OptiPlex 7010 N{T: Mini-Tower 'Windows 8 ' 3rd Gen Intel core ii417a (euad core, 3.40GHz Turbo, gMB, w/ HD4000 Graphics ' 8cB (2X4cB I td00 MHz DDR3 Non_ECC yIf!+ (QWERTY) Dell KB2I2-B euietKey USB Keyboard Btack ' lTB 3.5inch Serial ATA IiI (7.200 Rpm) I{ard Drive ' Dell optica- oiot wireress), Scroil use-1: buttons scrolr) Brack Mouse ' I6XDVD+/-RW Drive Internal Dell Business Audio Speaker 3Yr ProSupp.rrt and Next Business Day On_Site Service (Emerging Only) Dell Professional p23 I 4H 5 g.4cm(23 ,') LED monitor vGA,DVI_D,Dp BlackUK ( 1 g20x t 0g0) & (6) Cl9 PDU cord Retention Kit for Full-Height & 4gu, Basic & LCD-Metered pDU PDU (l per \^r Horizontal Cable Organizer lU w/brush strip CatT patch cord,0.5m,Blue 20 CatT patch ccrd,lm,Blue 40 C Agreement 100l?015 _p Page 29 of46 ; 0a \*.-,-,.^i ,..J \f-t i- ,-_t ,I: -l L*.*J Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 96 of 111 =-t - .."i i6-".J L.-,",*di q*r&{r, b.,",,.*J }* ,, ,r i) .,.d CatT patch co:d,2m,Blue 60 Cat 7 patch cord,Sm,BLACK 20 Cat 7 patch cordl0m,Grey 10 48 port Cat 6 patch Panel HD Netkey 4 duplex patch cord,lOm - Patch cord Fiber OM3 LC LC 10m 10 Console Cable 6ft with RI45 and DBSF 2 Blank plate 1IJ(10 per pack total 4 packs) 40 Power Cord, Cl3 to 5m 20 Fower Cord, C13 to C14, 3m 40 Cl4, APC Smart-LPS SRT 5000VA RM 230V APC Smar-LrPS SRT 5kVA Output FIW SRT001 Kit Kit installation power cable j meters for ups + Sicon 32A APC Smart-UPS SRT 192V 5kVA and 6kVA RM Batrerv pack APC 4 SRT5KRMXLI APC 4 SRTOOl APC 4 APC 4 APC 4 Office Pro Plus 2013 Microsoft VPP L3 VMrvare vSphere 5 Enterprise for I processor Production Support/Subscription for VMware vSphere 5 Enterprise for 1 processor Vmware VPP L3 \\Iware vCenter Server 5 Standard for vSphere 5 (per Instance) E r SRTI92RMBP 15 4 processors C) Vmware 1 Instances __C\ t, ll'\ *ti Agreement 100/2015 Page 30 of 46 l_"a :---..--\, 97L-.\--) '* Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page of 111 L**-"J ill:-:-l iL--J I-.-*J t-. ..J tr'B\q ) r.--l r-\ \\ -') V eeam Backup &. Replication Enterpri SC for Vm ware and Hyper- per Socket License Microsoft windows Server 2012 R2 Standard Edition 2 Socket License MS SQL 2014 Serrer Standard core 2 socket License Nagios XI (Enterprise version with 100 Nodes license) Veeam 6 Sockets Microsoft. 2 Microsoft 2 Nagios I t* (,. =C t,... Agreement 100/2015 Page 31 of46 Bls? Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 98 of 111 1\r ,lt't *'1 .,4' II il ) Eihihit E I Consi.Gerations fi Gousi ffir fi d eratio li$ A}}toIfi ts. i'System eonside ratloni' provision'of ttiq Licease, Systern ,&:00&060.(Siglt nil }ioq. arid, Seryj.ees., fi ti '!Support Feriod , &ay,ore Suppor{ Period, 22P/r olthe System Coidderafion. Go-nsid€ration'r t- lr lr EdlrlicBt Tetiiil System Consideratiou I I '! I I The System Cons.ideratinori strall be paid by the End-USe'r to the Co.mpany in, follows: ll t, i I tlrqg Q) (a) 5070 of',*re Sptam Consideration,shzrli oe-paid o'y Janua4y-'2-8ur 2016 ({he (b) 3"5910 of t'he S,ystern Considera,tion shall.bepaid uporr.the p. rnvision insullm-errtS- aS: "First Installment"). o,f the Hardware Eqrlipnrent to the Erd-Uset'ssile. il (c) ir l5o/o of lhe System Consicleration shall be paid upon the provisiori: of a writteu notice by the Company to the End.User confirrning thar the Deplotrnnent oF the Syptern at the End-Userrs site rvas c gmpl eted (thel'iC om mlssi on ing No ti cen). : SUpporf qerjoi{ Considemtion Thersupport P€fiod iconsidqrdtri:on sliall ba paid hi one.pa.vment, in advanc'e of each Support Period. l l eN Agreenrenr 10012015 r.l t-^J P agl 32 of 46 / [J lsz \t'r- Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 99 of 111 L : I: :i iI i", ! t t_ a! I I I i,LJ Exhibit.C : Installation Requirements i,.i !--; l ! -tr 1-: The End-User shall ensure that the following pre-requisites are ready 2 weeks prior to the 1i installation (aligaed to SW version). System Disclaimer: This tist may change per Network\Regulation\Systerr feature support changes' : { .t I 1 symmetric A TM lines each 2 OMB (from different iSP's) with static IP' S of 8 external 2 Internet Connection ! i ri lill : addresses [2 lines a.e;;quired for redundancy, The minimum requirement might be even lower - depends on the (- number and type of stations. fi li ij Cellular Reception Air Condition Stable Cellular Reception Electricity 4 power socket 18 Degrees -220Y I it il ll iitl 5X5M, Height 2.5 M seryer room i1 .t Area needed for operator room l0Xl0M, Fleight2.5 M Patch panel SIMs Depends on the number of stationary stations. Wires from the end stations to the patch panel in the rack 2 SIM cards for each network Security Lockable doors Untraceable payment method 1 X named credit card with 4000$ balance 1 X il it ] l --95 db None Server room and operational room drawings are required to accuratelY specifl a1l wall outlets location. Power generator and Faciliry environment against hazard ddngers are ootional Area needed for l end Passport scan on the same name as a credit card rl X Prepaid no name local SIM card f X Utility bill with address on the same name as 1 There are 2 48U racks with the following dimensions: Height 2258.00 mm, Width 600.00 mm, DePth 1070.00 mm into Can be rooms S It is mandatory to use a 3rd party to order the SIMs , account also use a It is recommended to use a 3rd party, The PassPort, credit card and utilitY bill should not be related to the organization rt t1 i-l llt , ,/' .\ LLh l 0r t515 I" I \\l Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 100 of 111 I l) t! ,t !: 'I I t: i(-l t! li l Exhibit D rl ,) Service Level Agreement ]I i 1 ,J ,i li :l),) 1. i This Service Level Agreement (the 'SLA') is an agreement between NSO Group Technologies Ltd, (hereinafter the "Compatry") and Infralok Development Limited (hereinafter the jl -t ilrl "Reseller"). i The purpose of this SLA is to specify the services and commitments with respect to the software technical support, location support and/or hardware replacement services for the rl :1 .J i/ i1 il -1 purchased products. i i _1 il it !l ti :1 , Introduction 1.1 Objecfives of the Service Level Agreement To create an environment which is conducive to a co-operative and productive relationship between the Company, t}te End User, and the Reseller to ensure effective support for the End -t .ilil User. t To document the responsibilities of all the parties involved in the SLA' i1 To ensure the Company provides high qualiry seryice to the Reseller and the End User, i_) To define the service to be delivered by the Company and the level of service whicb can iill it : be expected by the End User, thereby reducing the risk of misunderstandings' To institute a formal system of objective service level monitoring ensuring that reviews of the SLA are based on factual data. il {i To provide a common understanding of service requirements/capabilities and of the principals involved in the measurement of service levels. il To provide for all parties to this SLA a single, easily referenced document, which caters for all objectives as listed above. ii lt I l .t l a t .s{}, r I 1" i i i'l lj t.l I il i I u 6N it a ,\gt'eeiltent 100/2015 lage 3'l of 46 r:'( I, Ggr Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 101 of 111 t, i rr ,'" i .; ) ..,,1 t'i!l 1\+ '- t, I It i' Definitions 2 ri Ilardware Replacement means a HW replacement service for the hardware products purchased by &e Reseller from the Company, whereby the Company delivers a replacement to the End User's site before the End IJser retums the faulty hardware. l-i il il ii ll 11 U All Hardware Replacements shall take effect after the Company receives relevant alerts and all required information, and determines that the hardware issue is related to a malfunction of one of the hardware components. itti i.t fl Business Day means a normal working day in the time zone where the End User is located. li il Ir Device Number means a unique identifier of a hardware device, which can be located on a label on a Hardware product: l.i r , ' ' ll iiri il t- ti f t tl il i tt I Company. ii !'li Hardware means a computing device md/or its component with a specific function and limited configuration ability. The Hardware is sold by the Company to the Reseller for the sole purpose of executing the specific Sofrware producUs supplied with it. il t_ (IMEI) Error means an error in one or more of the Company's products, which degrades the product functionality in accordance with the Severity defmitions, as compared to the product functionality and performance specifications described in the official user guides provided by the ll l Service Tag Number (STN) Enhancement means ali software changes, including new releases, new versions, product improvements, system modifications, updates, upgrades and service packs. l'l i: (.. Serial Number (SA{), Documentation means the User and Technical manrids provided by the Company for use with the purchased software and hardware products. il t- Media Access Control (MAC) Address, Internationai Mobile Station Equipment Identity Information means any idea, data and program, technical, business or other intangible information, howeyer conveyed. ( I ir il Problem Resolufion means the use of reasonable commercial efforts to resolve the reported problem. These methods may include, but are not limited to: configuration changes, patches that fix an issue, replacing a failed hardware component, reinstalling the software, etc. I 1i l; lt il Force Majeure has the meaning ascribed to it in the Agreement between the parties. i issue. Response means addressing the initial request and commencement of work pertaining to the Response Time means the amount of time elapsed between the initial contact by the Reseller or the End User with the Company's Technical Support Team and the returned response to the Reseller or the End User by the Company's support staff. it il Resolution Time means the amount of time elapsed between the initial contact by the Reseller or the End User with the Company's Technical Support Team till the issue reported is resolyed wither by permanent fix or a workaround till a permanent fix would be available. T Security Code means a specific code dedicated to the End User's account in the Company's 'l'echnical Sr.rpport Center.'l'his code must be provided hy the EnrlTIser eaclr tirne the End User up;rruuchcri the Colrrpuny's support staff. Support means the technical Support and Hardware replacement services provirlerl hy i TI ii r.he Company to the End User as set forth in this SLA. I [tt)u Agreement aa.. .::. .: i.i.:,:, t: :. ,I: 10012015 tt,,"lt:.: Page 35 of 46 i '1'.-4" .I ,LJ ( BlL b I. I, Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 102 of 111 I !' 11 s* ' [-." 1r' j r-' I t_. t: t- I l: t--i Support case means a single issue opened in the Company's Case Management System. The i; rl I1 IiLf ' i. I tt lit' case number identifies the Service Request. Field Service Engineer means an engineer that provides the following onsite services: installation, field configuration, operates system to demonstrate equipment on test devices and to analyze malfunctions, interprets rnaintenance manuals, schematics, and diagrams, and repairs electronic equipment, such as computer, computing device or component, utilizing knowledge of electronics and using standard test instruments and hand tools. LJ System means the Hardware, Software and Documentation that have been provided rI to the Reseller and/or the End User by the Company. il i: 1 Ji ,j Workaround means a change in the followed procedures substantialiy impairing use of the product. or data to avoid error rvithout i il llli .i ir' ' I il ii iJ i l j j ll ll al II 1l lt llLI i 'l rl il t. T il il l'l il LI rl i-t I L/'\-'uu\ r^n/.nl< D ^-^at^Ft L-i lbtsf r" I t_" I \\6 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 103 of 111 I 1,. I .l r" t, Company's Obligations 3 .). r'-: l li I i I 3.1. Maintenance and Support ! l The Services shall include wuranty, support and maintenance of the System as further detailed below, via support center. !t il il ii The Company shall provide the End User with technical support for the System, consisting of: (a) first level to fourth level ("Tierl to Tier4" as described in section 6.2) support via the Company's support center, and (b) SW updates and SW upgrades of the System, which, for the avoidance of any doubt, shali not be specifically adjusted to comply with any End-User Adjustments (as such term is defined in the Agreement which this SLA is attached to). The Services shall only be provided to the End User i1 System support and maintenance covers both SW and HW provided by the company. In case of 3rd party HW supplier, the company will contact the 3rd parly and ensure proper suppott ij r-i ti ti il it i i provided to the End User. Maintenance a. l il b. 1 I ['J c, will cover the following: SW upgrades - periodical SW releases to add new features and bug fix'es. Installing a new SW upgrade is communicated in advance to schedule the best time for the end-user and minimize the system downtime SW updates - special SW packages provided to fix specific critical bug outside the periodical SW release. SW updates are also provided when a new OS version is infroduced for a specific platform (e.g new iOS version). MoUilqftng system - connected to our 2417 NOC room and monitored around the clock. The monitoring system is configured to do the following: Connected to all the major HW components in the system, providing real- il a. il b. time status of the system Monitors SW components such as tunnels, VPS servers alerting when any c. component goes down Checks for white accounts balances and alefts when For further details, see the i d. A dedicated NOC center is operated to provide 24/7 support Tickets can be submitted via phone call, dedicated website or email. The NOC representatives foilow our support procedures to ensure each ticket is being handled 24/7 sapport - according to the SLA. End user should report issues with the system, using an agreed form or tool specifuing ali predefined data and providing all the required operational and technjcal information ri The Company shall not be obligated to provide the Services in case of misuse, abuse, neglect, alteration, modification, improper installation of the System, use of the System for purposes other than those authorizedby the Company, or repairs by anyone other than the Company or its authorized representatives without the Cornpany prior written approval. The Company shall not be ultligal,ed lo pnrvirle Llre Services irr corrrrecl,iorr rvil,lt [ltc l-']trd-lJser Adjustniettts. il il 3.2. I il enclosed "system monitoring capabilities and requirements" appendix. it it a predefined threshold i.l I it is below Software Support For End Users covered under a valid Support offering, Software Support will be provided pursuant to the terms of Section 6 "software Support Procedure". The scope of commitment /t1)= Agreement 10012015 Page37 of46 tJ f t: \\& 15tsY Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 104 of 111 a ,,J l f t t*; I i" r? in case ofSystem failure requiring a software repair or fix is to preserve the System at the fully functional condition as per the acceptance data ofthe System by the End User. _! L ,\] l.: r-1 ti Il tj ,i iit-l Software fixes are generally delivered in a secure format, delivered by the Company or in special occasions by the Reseller and/or the End User or third parfy partner if it is agreed for a particular case. In addition, permanent fixes are developed for known non-critical issues. These are incorporated into service pack updates that are periodically distributed. The version updates may include additional features, bug fixes and/ or services. ,i i.l The Company agrees to provide Suppor! where appropriate to the End User, which may include but is not limited to, the following actions: t.r iili (a) Provide the End User with access upon general commercial release. ,.1 ilI'l t-l li escalating the issue as needed. I ? l I {'' releases and related Documentation, (b) Provide the End User with access to Technical Support Team representatives, who will work with the End User to diagrrose issues, ald provide Problem Resolutions, including ti t1 to product update ti l. l 3.3. ti HardwareReplacement LI For End lJsers covered under a valid Support offering, the Company l i -J will use commercially rl i1 tl )') in accordance with the terms set forth in Section 5 "Hardware Replacement Procedure". Provision of hardware Replacement is subject to the following limitations: il llil ii (a) The Company will provide Hardware Replacement for up to three (3) years after hardware installation at the End User's Site or according to standard Hardware in case of a 3'o party reasonable efforts to provide Hardware replacement supplier. :l lt (b) Hardware shall be repaired or replaced with same or similar products when needed, at the Company's discretion. itil il 3.4. On-site Hardware Support For End Users covered under a valid Support offering, upon the End User's request, after the Company determines that the hardware issue is related to a malfunction of one of the hardware i'l i.l components, the Company will decide whether to dispatch a representative to the site' .l i'i il it II Provision of ou-site support is subject to the following limitations: (a) On-site Hardware Support does not include on-site service for Software troubleshooting or any Software or training related issues, il (b) On-site Hardware Support service may not dispatch a representative on-site to perform Hardware replacement outside of the End User's Site address for the Hardware, it (c) On-site service response times may be dependent upon the End User's Site address for the Hardware, the timely arrival of replacement parts at the End Uset's Site, and accessibility to the it Site. it 3.5 On-site Software Support On-site Sollware Support applies only in cases of Severity I issues rvhich can't be solved remotely (based on the Company's customer support stat'f .iudgmcnt). After the Company r:onfinns lhal lhe nral,ter is a Scvcrily I issue, tlte Contpatty and the End User will work diligently, with highly skilled engineers to resolve the critisal situation artd to restore operation' Il tl Lail't I Agreement 100/2015 Page 38 of46 -d LJ' I EIST Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 105 of 111 r! \t8 '-. ) r, t I J, \j ) tj ln case the criticality of the issue remains or no progress is made, the Company will decide whether to dispatch a representatiye to the End User's Site or use a partner Support ) representative. rp ti 3.6. Exclusions i., r.l Support does not include the following items or actions: i, r .i l.l L-t i.i ''l 1l illi -i li I il -) I I 'l'i i I 'r The Company shall have no obligation to Support: (a) An altered, damaged, or modified product or any portion of the product incorporated with or into other software, hardware, or products not specifically approved in advance in writing by the Company. (b) Product problems caused by the Resell6r's and,ior the End User's negligence, misuse, misapplication, or use of the product in a way other than as specified in the System user r"l (d) Product not purchased from the Company. (e) Products subjected to unusual physical or electrical stress, misuse, negligence or accident, or used in ultra-hazardous activities, il -l l architecture changes, Security-policy configuration, Audits, or Security design. manual, or any other causes beyond the control of the Company. (c) Product installed on any computer hardware that is not supported by the Company. ? l Services, or Educational Services. il I il (a) Step-by-step installation of Software or Service Packs. (b) On-site services (outside the ones described in this SLA), Professional Services, Managed (c) Modification of software code, IT Network it il The Company shall have no obligation to Support the End User if: (a) Appropriate payment for Support has not been received by the Company and the Reseller anilor the End User is unable to show reasonable proof of such payment; or (b) The End User's annual Support term has expired without renewal. l'l 'l it r1 it ri n n lr6jN it Agreement 10012015 Page 39 of 46 i /\ JLJ 'a{ {suo I t" I Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 106 of 111 I 1\{ .r; f-: ! {- r 5, U Hardware Replacement Procedure The Company uses equipment from Ieading vendors, surveillance, network seryers and software remedies. With each manufacturer, the Company has a contract for Service and Customer tr ri technical support. For End Users covered under a valid Suppori offering, the Company will provide the f; foll owing Hardware Support i.t : il (a) The Company will atlempt to diagnose and resolve Hardware problems over tle phone or via remote access. Upon determination that an issue is related to a malfirnction of one of the Hardware components, the Hardware Replacement process will be initiated by the Company. il !iilil (b) The Company will either issue a replacement for the faulty part or a full Hardware product replacement. tj t1 rF I I (c) The Company will send the required hardware to the End lJser's Site location within thirty (30) business days of Hardware Replacement process initiation. The time to ship the required hardware is dependent also on the export procedures that the Company must comply with, as well as the import procedures on the End User's side. i il (d) The End User must ship back the faulty Hardware product (or replaceable unit) suitably packaged, as specified by the Company in a letter shipped with the replacement, to a location designated by the Company. 'l iltl I I I I Transportation costs incurred in connection with the delivery of a repaired or replacement item to the End User by the Company shall be borne by the Company; provided, however. that if the Company determines, in its sole discretion, that the allegedly defective item is not covered by the terms and conditions of the Hardware Support described in this SLA or that a claim is made after the Hardware Support period expired, tie cost of the repair or replacement by the Company, including all shipping expsnses, shall be reimbursed by the End User. lt I User. (f) rl l l (e) Return shipment of the faulty Hardware should be made within five (5) business days of the arival of the replacement. Transportation costs forreturn shipment shall be bome by the End li II l il (g) The Company shall have no obligation to Support and Replace Hardware not monitored by Monitoring Client installed on the System and connected to the Company's Technical Support il Center. ! The Company shall have no obligation to Support: itt1 (a) An altered, damaged, or modified product or any portion of the product incorporated with or into other software, hardware, or products not specifically approved in writing by the Company. i (b) Product problems caused by the End User's negligence, misuse, misapplication, or use of the product other than as specitied in the System user manual, or any other causes beyond the control of the Company. T rl (c) Products subjected to unusual physical or electrical stress, misuse, negligence or accident, or used in ultra-hazardous activities. ll (d) Untrained personnel from the End User are operating the system. Fi it i-t ll il frh I l l,l Agrocmcnl 100/2015 Pitgc 41 o146 LJf \'i I l', -I I { ,I J ti ir il -'t l ) I -1 I tl I il J I t"i il { '1. li i l-i ,i l ) ii I it rl ili1 I J ,-i ii {1 Case 3:19-cv-07123 Document 1-1 tu1 Filed 10/29/19 Page 107 of 111 I 6.' il 'f SoftwareSupportProcedure (a) Upon initiation of initial contact with the Company's Technical Support Center, the End User must authenticate its identity by providing a valid Security Code. The Company shall have no obligation to provide Support if the End User does not provide the code. (b) A Technical Support representative will validate the Security Code and start gathering details relevant to the question or issue. The Company shall have no obligation to provide Support services if the End User does not provide the relevant informarion. (c) A unique Support Case number [Trouble Ticket] will be assigned and delivered to the End User either verbally or via email. This nurnber will be used to track any given issue from initial contact to final Problem Resolution. lf appropiate, an issue will be reproduced in the Company's labs. Additional testing and problem duptication may take place in a nelwork laboratory environment. Further investigation, including additional troubleshooting or debugging activity may be required. Based on the results of the TestLab investigation, anissue may be resolved, or, if an anomaly is identifie4 elevated to the appropriatc Company's Team for final Problem Resolution. (e) The Company agrees to use commercially reasonable efforts to work with the End User on Problem Resolution for an issue in accordance with the specifications bf this SLA. Timely efforts must be made by all parties involved. If communication from the End User ceases without notice, after five (5) business days, the Company may, upon notice, close a Support Case due to inactivity on the part of the End User. (I) The End User agrees to grant access via dedicated secured VPN tunnel, upon receiving a request from the Company for addressing issues reported by the End User. Thus, the Company will have access to the System for a limited period of time in order to reach Problem Resolution. The Cornpany shall haye no obligation to provide Support services if the End User does not provide the VPN connection to the System. (g) The End User agrees to grant access via dedicated secured VPN tunnel, upon the Company's request, for the purpose of Software updates and upgrades or for fixing problems detected during the system operation. Thus, the Company will have access to the System for a limited period of time in order to update/upgrade the System. The Company shall have no obligation to apply any updates/upgrades if the End User does not provide the VPN connection to the System. (d) (h) The Company shall have no obligation to provide Support services i-l \r-o if Internet access / 3G issues occur at the End User's Site. Exceptions: In some cases, the Company may not be able to resolve the issue until the I i. access network is stable (for example when the service provider installs firewalls over a period of time or there is a poor 3G coverage or poor Intemet access). In these cases, the Problem Resolution period will be paused until the nefwork is stable again. il Opening a support customer to provide specific country. il reeardins authentication of an inbound roamer identitv. wili require the a valid (activated) IMSI and MSISDN of the specific MNO from the lVote.' System will present targets'information onJy if such information is available, based on global roaming agreements. SAI (Send Authentication Info) and MSISDN by IMSI, information may not be retrieved iftarget is hosted by an operator that blocks such queries or in lack of roaming agreements with the telecom gateway, i-i ll il Technical Support Center: !'or End Users covered under a valid Support offering, the Company will provide the following t] n il I Software Support: llN Agreement 100/2015 Page 42 of 46 l,J I Gld* lll Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 108 of 111 kt, tl i support (a) The company will provide the End user with access to the company's Technical )i Center 24 hours a day,7 days a week, 365 days a year' il assistance in operating, managing and configuring the System as well as resolving any Software technical issues. email, and (c) The End User is able to submit an unlimited number of support cases by phone, (b) The company will provide the End user with web (Case Management SYstem)' ,.1 6.1 ll Support Levels and Support Level activities: Tier 1 support - Technical support that is provided by an_Engineer trained by the company' installations' Support activitie, at this levei'should include basic software and hardware optimization' upgrades, basic troubleshooting, configuration changes andlor operation il !l l, support Tier 2 Support - Technical support level that is provided by a Field Service Engineer' activities ut tfrls level should include all Tier 1 activities, customization management, il configuration changes and diagnostics or advanced troubleshooting. Specialist' Tier 3 Support - Technical support level that is provided by a Technical Support System in-dentl 2 activities, Tier 1 and Support activities at this .leve1 s'htuld include all Tier support of level This level' R&D at instructions, advanced diagnostics, and troubleshooting shall be initiated by a request to the System Support Team' 'ii i-l il Activities: (a) Providing initial client contact (b) Establishing problem logs and tracking lil (c) Providing "how to" support a-t (d) Determining if an issue is documented l: ii (e) Maintaining confi guration knowledge (f) Working with the End User to duplicate and reproduce problems (g) Providing intemal problem determination and verification (h) Performing remote diagnosis 11 Support Technical suppori level that is provided by an R&D Engineer' R&D software activities at this level should inciude design level consultation and solutions, support level This diagnostics, and high level of software and hardware fixes and solutions' shall Ue initiated by a request to the Technical Support Team' !i Activities: Tier 4 Support - (a) Isolating, tracking and fixing operational issues (b) working with the End user to duplicate and reproduce problems (c) Technical evaluation and allocation of defect reports within R&D i-l (d) Providing system fxes if and when deemed necessary lt (e) Performing remote diagnosis (f) System upgrades n ll 6.2. Severity Levels n Business Impact: Complete System failure in which no field p.".a*. resolves the reported issue, A problem has made a critical application fitnction unusable or unavailable and no workaround exists' l1 work, but is prodrrcing scvcrity Lcvcl 2 - scrious Busincss Impact: The System is able to ,r*1r. *.ru., i1 uurtaitr t'uqucsl.s surrt. A problulrr Lus trtudu u uriticul upplication function Severity Level 1 tl I - Critical unusabie or unavailable but a workaround exists' i{N :,, 1. .. .:1 Agreement 100/2015 i.r,tr:ti r,::ri. i. l',: Page 43 of .r..1: . .r,, 46 A( lbg l))- Case 3:19-cv-07123 Document 1-1 'L5Filed 10/29/19 Page 109 of 111 I I I t' v \,, ir I] L_; Severify Level 3 - Minor Busiress Impact: The system has problems, which do not affect its main functions. A problem has diminished critical or important application functionality or performance but the functionaliry still performs as specified in the user documentation. il tiLl dedicate , (a) For Severity Level 1: the Company's System Support Team and the End User agree to fuil tirne and all t}le necessary resources to solve the case. Top prioriry is to l'1 restore/improve service, not to debug the problem. l (b) For Severity Level 2 and 3: the Company's System Support Team and the End User agree to use their technical resources in order to restore an acceptable level of service or bring relevant information I' J iii. r 6.3. J Seryice Availability: The services of the helpdesk shall be available by way of CRM tool, email, telephone at all times 24 hours a day,7 days a week. I Report of System failure: The End User shall notify the Company in writing (via e-mail or CRM tool) using the "Customer Support Ticket" form, or by telephone promptly following the discovery of any verifiable and reproducibte failure of the System. Thjs SLAdoes not apply to bug reports or feature requests that are cosmetic or do not otherwise impair the operation of the System. Such bugs reports or feature requests are fypically prioritized for handling in some I lii.r l Contacting the Technical Support Center i-l ii future regularly scheduled product release. Email Support The Company's Technical Support Center responds to all support requests sent via email. Generally, this access the Case Management System. Email: he lpdesk@slobalhel p.support is used ai a backup in case the End User is unable to il j-,l tl il il Telephoue Support The Company's support engineers are available by telephone to receive support requests. Phone: +.4440-36954\An Skype i'l NOC-HelpDesk rl Contact Support via the web portal rl The end user can also open a ticket to the Company's Technical Support Center via a dedicated web portal that is connected to a CRM tool. Access is secured with a usemame and password which the Company will provide. il 6.4. rl li Response Time and Resource Commitment Severity 1 (a) Response'I'ime: I hour (b) Commitrucnt - thc Company and the Und User lvill commit tho nccousury resources arouad the clock for Probleur Resolution to obtain workaround or reducc thc scverity. Top priority is to T 'fL.iF it Agreement 100/2015 Page 44 of 46 ;'i Lt t'I vlbrl Jzr Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 110 of 111 I .,= i i I l I t i-; restore/improve service, not to debug the problem. If a workaround could not be provided, the task wili be transferred to Supplier's R&D Tearn for further investigation. ) i I Severify 2 il t-J tlti I I I i (a) Response Time - t hour (b) Commitment - the Company and the End User will commit the necessary resources during l normal business hours for Problem Resolution to obtain workaround or reduce the severity. Top priority is to restore/improve service, not to debug the problem. :.:i ,.I Severity 3 (a) Response Time - 4 hours (b) Commitnent - the Company's Technical Support Team i IJ and the End User agree to use their technical resources during normal business hours for Problem Resolution to obtain workaround or reduce the severity. Top priority is to restore an acceptable level ofservice or bring relevant I il information. NOTE: In case of Hardware problerns, the faulty parts will be shipped and time for shipment will be defined for each specific case. In case of severe software problems, the time for resolution will be defined on a case-by-case basis. The Company will use commercially reasonable efforts to provide Hardware replacement in accordance with the terms set forth in Section 5 "Ifardware Replacement Procedure". [, L, 1 ll i a'! ill L 6.5. I :ii Severity ii ti .;'] 1 (a) Resolution Time: 2 business days (b) Commitment - the Company and the End User will commit the necessary resources around the clock for Problem Resolulion to obtain workaround or reduce the severity. Top priority is to restore/improve service. Severify 2 ij i'l ., Resolution Time and Resource Commitment rl (a) Resolution Time - l0 business days (b) Commitment - the Company and the End User will commit the necessary resources during normal business hours for Problem Resolution to obtain workaround or reduce the severity. Top priority is to restore/improve service. Severity 3 (c) Resolution Time - the 2"d scheduled SW release (d) Commitment - the Company's Technical Support I i il Team and the End User aglee to use their technical resources during normal business hours for Problem Resolution to resolve the issue in the next scheduled SW release. This will be communic ated by the Company to the End user. ill) il tl ii il I arti" Agreement 100/2015 Page 45 of 46 ur [b1b5 Case 3:19-cv-07123 Document 1-1 Filed 10/29/19 Page 111 of 111 llY l \ l l. Clarifications li, r i. I The System willextract target 3G keys only if such information is available, based on global roaming agreements. This information may not be rekieved if the target is hosted by an operator that blocks such queries or in lack of roaming agreements with the telecom gateway I I 'l i The System will not extuact targets 3G keys from and in specific countries such as the USA I I ; and Israel. l I t. I . The installation of the system may involve the deployment of a dedicated SS7 telecom gateway at one or more of the mobile operators in tie country. The End User shall be responsible for providing access and permissions to the sites where the equipment is to be installed, including the allocation of necessary space, power and ventilation required for the installation of the equipment. i I' 1 I -.J I I I f jI ! ti 1 .J j t . In , . : j i Operating-wise, it is recommended that system queries be used with caution and on highty important cases, this in order to minimize risk of exceeding acceptable threshold in the foreign network for such activity. II il case of a cloud-based implementation, i.e., no S57 gateway implemented at a local telecom operator, billing records of targets may be affected and interception of incoming SMS will be restricted. The Company reserye the right to end the System's life upon a six months prior notice, with effect not before the lapse of 5 (five) years of a sale of a license to the System to the Reseller and/or the End User, Operation of the System during its life period is conditioned upon timely and fuli payment of maintenance and support fees during the entire period. ii i'l i1 i1 it il n tl t1 ii IL-b\) Agreement 10012015 Page 46 of 46 oi Case 3:19-cv-07123CIVIL Document 1-2 SHEET Filed 10/29/19 Page 1 of 1 COVER JS-CAND 44 (Rev. 07/19) The JS-CAND 44 civil cover sheet and the information contained herein neither replace nor supplement the filing and service of pleadings or other papers as required by law, except as provided by local rules of court. This form, approved in its original form by the Judicial Conference of the United States in September 1974, is required for the Clerk of Court to initiate the civil docket sheet. (SEE INSTRUCTIONS ON NEXT PAGE OF THIS FORM.) I. (a) PLAINTIFFS WHATSAPP INC., a Delaware corporation, and FACEBOOK, INC., a Delaware corporation (b) County of Residence of First Listed Plaintiff (EXCEPT IN U.S. PLAINTIFF CASES) DEFENDANTS NSO GROUP TECHNOLOGIES LIMITED and Q CYBER TECHNOLOGIES LIMITED County of Residence of First Listed Defendant ISRAEL (IN U.S. PLAINTIFF CASES ONLY) NOTE: IN LAND CONDEMNATION CASES, USE THE LOCATION OF THE TRACT OF LAND INVOLVED. (c) Attorneys (Firm Name, Address, and Telephone Number) Cooley LLP, Travis LeBlanc (251097) 101 California Street, 5th floor, San Francisco, CA 94111 415-693-2000 II. BASIS OF JURISDICTION (Place an “X” in One Box Only) Attorneys (If Known) III. CITIZENSHIP OF PRINCIPAL PARTIES (Place an “X” in One Box for Plaintiff and One Box for Defendant) (For Diversity Cases Only) 1 U.S. Government Plaintiff 3 2 U.S. Government Defendant IV. Federal Question (U.S. Government Not a Party) 4 Diversity (Indicate Citizenship of Parties in Item III) CONTRACT Citizen of This State 1 1 Citizen of Another State 2 2 Citizen or Subject of a Foreign Country 3 3 TORTS PERSONAL INJURY 310 Airplane 315 Airplane Product Liability 320 Assault, Libel & Slander 330 Federal Employers’ Liability 340 Marine 345 Marine Product Liability 350 Motor Vehicle 355 Motor Vehicle Product Liability 360 Other Personal Injury 362 Personal Injury-Medical Malpractice 120 Marine 130 Miller Act 140 Negotiable Instrument 150 Recovery of Overpayment Of Veteran’s Benefits 151 Medicare Act 152 Recovery of Defaulted Student Loans (Excludes Veterans) 153 Recovery of Overpayment of Veteran’s Benefits 160 Stockholders’ Suits 190 Other Contract CIVIL RIGHTS HABEAS CORPUS 441 Voting 463 Alien Detainee 510 Motions to Vacate Sentence 530 General 442 Employment 443 Housing/ Accommodations 210 Land Condemnation 220 Foreclosure FORFEITURE/PENALTY PERSONAL INJURY 365 Personal Injury – Product Liability 367 Health Care/ Pharmaceutical Personal Injury Product Liability 368 Asbestos Personal Injury Product Liability PERSONAL PROPERTY 370 Other Fraud 371 Truth in Lending 380 Other Personal Property Damage 385 Property Damage Product Liability PRISONER PETITIONS 440 Other Civil Rights 195 Contract Product Liability 196 Franchise REAL PROPERTY 230 Rent Lease & Ejectment 445 Amer. w/DisabilitiesEmployment 535 Death Penalty 240 Torts to Land 446 Amer. w/Disabilities-Other 245 Tort Product Liability 448 Education 540 Mandamus & Other 550 Civil Rights 555 Prison Condition 560 Civil Detainee Conditions of Confinement 290 All Other Real Property ORIGIN (Place an “X” in One Box Only) 1 Original Proceeding VI. DEF Incorporated or Principal Place of Business In This State Incorporated and Principal Place of Business In Another State Foreign Nation PTF 4 DEF 4 5 5 6 6 NATURE OF SUIT (Place an “X” in One Box Only) 110 Insurance V. PTF 2 Removed from State Court 3 BANKRUPTCY 625 Drug Related Seizure of Property 21 USC § 881 690 Other LABOR 422 Appeal 28 USC § 158 423 Withdrawal 28 USC § 157 PROPERTY RIGHTS 400 State Reapportionment 710 Fair Labor Standards Act 720 Labor/Management Relations 820 Copyrights 830 Patent 410 Antitrust 430 Banks and Banking 450 Commerce 460 Deportation 740 Railway Labor Act 751 Family and Medical Leave Act 790 Other Labor Litigation 791 Employee Retirement Income Security Act IMMIGRATION 462 Naturalization Application 465 Other Immigration Actions 835 Patent–Abbreviated New Drug Application 840 Trademark SOCIAL SECURITY 4 Reinstated or Reopened 470 Racketeer Influenced & Corrupt Organizations 861 HIA (1395ff) 862 Black Lung (923) 863 DIWC/DIWW (405(g)) 864 SSID Title XVI 865 RSI (405(g)) 480 Consumer Credit 485 Telephone Consumer Protection Act 490 Cable/Sat TV 850 Securities/Commodities/ Exchange FEDERAL TAX SUITS 890 Other Statutory Actions 891 Agricultural Acts 870 Taxes (U.S. Plaintiff or Defendant) 871 IRS—Third Party 26 USC § 7609 OTHER Remanded from Appellate Court OTHER STATUTES 375 False Claims Act 376 Qui Tam (31 USC § 3729(a)) 5 Transferred from Another District (specify) 6 893 Environmental Matters 895 Freedom of Information Act 896 Arbitration 899 Administrative Procedure Act/Review or Appeal of Agency Decision 950 Constitutionality of State Statutes Multidistrict Litigation–Transfer 8 Multidistrict Litigation - Direct File CAUSE OF Cite the U.S. Civil Statute under which you are filing (Do not cite jurisdictional statutes unless diversity): 18 U.S.C. § 1030 ACTION Brief description of cause: Computer Fraud and Abuse Act DEMAND $ CHECK IF THIS IS A CLASS ACTION VII. REQUESTED IN UNDER RULE 23, Fed. R. Civ. P. Permanent Injunction and Damages COMPLAINT: VIII. RELATED CASE(S), JUDGE DOCKET NUMBER IF ANY (See instructions): IX. DIVISIONAL ASSIGNMENT (Civil Local Rule 3-2) (Place an “X” in One Box Only) SAN FRANCISCO/OAKLAND SAN JOSE DATE 10/29/2019 SIGNATURE OF ATTORNEY OF RECORD CHECK YES only if demanded in complaint: JURY DEMAND: Yes No EUREKA-MCKINLEYVILLE /s/ Travis LeBlanc American LegalNet, Inc. www.FormsWorkFlow.com