Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 1 of 35 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 COOLEY LLP MICHAEL G. RHODES (116127) (rhodesmg@cooley.com) TRAVIS LEBLANC (251097) (tleblanc@cooley.com) BETHANY C. LOBO (248109) (blobo@cooley.com) KYLE C. WONG (224021) (kwong@cooley.com) JOSEPH D. MORNIN (307766) (jmornin@cooley.com) 101 California Street, 5th Floor San Francisco, CA 94111-5800 Telephone: (415) 693-2000 Facsimile: (415) 693-2222 DANIEL J. GROOMS (D.C. Bar No. 219124) (admitted pro hac vice) (dgrooms@cooley.com) ELIZABETH B. PRELOGAR (262026) (admission pending) (eprelogar@cooley.com) 1299 Pennsylvania Avenue, NW, Suite 700 Washington, DC 20004-2400 Telephone: (202) 842-7800 Facsimile: (202) 842-7899 O’MELVENY & MYERS LLP MICHAEL R. DREEBEN (D.C. Bar No. 370586) (pro hac vice pending) (mdreeben@omm.com) 1625 I Street NW Washington, D.C. 20006 Telephone: (202) 383-5300 Attorneys for Plaintiffs WHATSAPP INC. and FACEBOOK, INC. 16 UNITED STATES DISTRICT COURT 17 NORTHERN DISTRICT OF CALIFORNIA 18 19 20 21 WHATSAPP INC., a Delaware corporation, and FACEBOOK, INC., a Delaware corporation, Plaintiffs, 22 23 24 25 26 v. NSO GROUP TECHNOLOGIES LIMITED and Q CYBER TECHNOLOGIES LIMITED, Case No. 4:19-cv-07123-PJH PLAINTIFFS’ OPPOSITION TO DEFENDANTS’ MOTION TO DISMISS Date: May 27, 2020 Time: 9:00 a.m. Courtroom: 3 Judge: Hon. Phyllis J. Hamilton Defendants. 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 2 of 35 1 TABLE OF CONTENTS 2 3 4 5 Page I. INTRODUCTION ................................................................................................................ 1 II. BACKGROUND .................................................................................................................. 2 III. ARGUMENT ........................................................................................................................ 3 6 A. 7 NSO HAS NO VALID CLAIM TO IMMUNITY………………………………... 3 1. THE FOREIGN SOVEREIGN IMMUNITIES ACT ONLY APPLIES TO FOREIGN STATES. ..................................................................................... 3 9 2. NO “DERIVATIVE FOREIGN SOVEREIGN IMMUNITY” EXISTS. ..... 4 10 3. NSO CANNOT SATISFY THE REQUIREMENTS FOR THE “DERIVATIVE SOVEREIGN IMMUNITY” APPLICABLE TO CERTAIN U.S.-GOVERNMENT CONTRACTORS.................................. 6 4. NSO’S “EXTRINSIC EVIDENCE” CANNOT SAVE ITS IMMUNITY DEFENSE. .................................................................................................... 7 8 11 12 13 14 B. THE COMPLAINT DOES NOT FAIL TO JOIN A REQUIRED PARTY……… 9 C. THE COURT HAS PERSONAL JURISDICTION OVER NSO………………... 10 15 1. NSO CONSENTED TO THIS COURT’S JURISDICTION. .................... 10 2. ALTERNATIVELY, NSO’S CONTACTS WITH CALIFORNIA ESTABLISH SPECIFIC JURISDICTION. ................................................ 12 18 3. THIS COURT HAS JURISDICTION UNDER RULE 4(K)(2). ................ 17 19 4. THIS COURT SHOULD EXERCISE PENDENT JURISDICTION.. ....... 18 16 17 D. 20 21 22 23 IV. THE COMPLAINT VALIDLY ALLEGES VIOLATIONS OF FEDERAL AND STATE LAW…………………………………………………………………….. 19 1. PLAINTIFFS STATE A CLAIM FOR A VIOLATION OF THE CFAA. 19 2. PLAINTIFFS STATE A CLAIM FOR TRESPASS TO CHATTELS. ..... 24 CONCLUSION ................................................................................................................... 25 24 25 26 27 28 i PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 3 of 35 TABLE OF AUTHORITIES 1 Page 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Cases Action Embroidery Corp. v. Atl. Embroidery, Inc., 368 F.3d 1174 (9th Cir. 2004)................................................................................................. 19 Adkisson v. Jacobs Eng’g Grp., Inc., 790 F.3d 641 (6th Cir. 2015)..................................................................................................... 8 Automattic, Inc. v. Steiner, 82 F. Supp. 3d 1011 (N.D. Cal. 2015) (Hamilton, J.) ............................................................. 10 Axiom Foods, Inc. v. Acerchem Int’l, Inc., 874 F.3d 1064 (9th Cir. 2017)..................................................................................... 14, 15, 18 Ballard v. Savage, 65 F.3d 1495 (9th Cir. 1995)............................................................................................. 10, 17 Boschetto v. Hansing, 539 F.3d 1011 (9th Cir. 2008)................................................................................................. 14 Boyle v. United Techs. Corp., 487 U.S. 500 (1988) .................................................................................................................. 5 Broidy Capital Management LLC v. Muzin, 2020 WL 1536350 (D.D.C. Mar. 31, 2020) ...................................................................... 3, 5, 6 Burger King Corp. v. Rudzewicz, 471 U.S. 462 (1985) .................................................................................................... 12, 13, 17 Butters v. Vance International, Inc., 225 F.3d 462 (4th Cir. 2000)..................................................................................................... 6 Cabalce v. Thomas E. Blanchard & Assocs., Inc., 797 F.3d 720 (9th Cir. 2015)................................................................................................. 6, 7 Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663 (2016) ............................................................................................................ 4, 6 CE Distribution, LLC v. New Sensor Corp., 380 F.3d 1107 (9th Cir. 2004)................................................................................................. 19 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO ii PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 4 of 35 1 TABLE OF AUTHORITIES 2 PAGE CollegeSource v. AcademyOne, 653 F.3d 1066 (9th Cir. 2011)................................................................................................. 16 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 CompuServe Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015 (S.D. Ohio 1997)................................................................................. 24, 25 CompuServe, Inc. v. Patterson, 89 F.3d 1257 (6th Cir. 1996)................................................................................................... 13 Coupons, Inc. v. Stottlemire, 2008 WL 3245006 (N.D. Cal. July 2, 2008) ........................................................................... 24 Craigslist Inc. v. 3Taps Inc., 942 F. Supp. 2d 962 (N.D. Cal. 2013) .................................................................................... 24 Craigslist, Inc. v, Naturemarket, Inc., 694 F. Supp. 2d 1039 (N.D. Cal. 2010) (Hamilton, J.) .................................................... passim DEX Sys., Inc. v. Deutsche Post AG, 727 F. App’x 276 (9th Cir. 2018) ........................................................................................... 15 Doğan v. Barak, 932 F.3d 888 (9th Cir. 2019)............................................................................................. 3, 5, 6 Dole Food Co. v. Patrickson, 538 U.S. 468 (2003) .................................................................................................................. 4 Dole Food Co. v. Watts, 303 F.3d 1104 (9th Cir. 2002).......................................................................................... passim E.E.O.C. v. Peabody W. Coal Co., 610 F.3d 1070 (9th Cir. 2010)............................................................................................. 9, 10 Eldredge v. Carpenters 46 N. Cal. Ctys. Joint Apprenticeship & Training Comm., 662 F.2d 534 (9th Cir. 1981)..................................................................................................... 9 In re Estate of Ferdinand Marcos Human Rights Litig., 94 F.3d 539 (9th Cir. 1996)....................................................................................................... 9 Facebook, Inc. v. ConnectU LLC, 2007 WL 2326090 (N.D. Cal. Aug. 13, 2007) .................................................................. 16, 18 Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016)........................................................................................... 20, 21 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO iii PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 5 of 35 1 TABLE OF AUTHORITIES 2 PAGE Facebook, Inc. v. Rankwave Co., No. 19-3738 (N.D. Cal. Nov. 14, 2019)............................................................................ 12, 13 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 Flextronics Int’l, Ltd. v. Parametric Tech. Corp., 2014 WL 2213910 (N.D. Cal. May 28, 2014) ........................................................................ 23 Gillespie v. Prestige Royal Liquors Corp., 183 F. Supp. 3d 996 (N.D. Cal. 2016) .................................................................................... 19 Gomez v. Campbell-Ewald Co., 768 F.3d 871 (9th Cir. 2014), aff’d, 136 S. Ct. 663 (2016) ...................................................... 8 Google, Inc. v. Eolas Techs. Inc., 2014 WL 2916621 (N.D. Cal. June 24, 2014) ........................................................................ 12 Hernandez v. Mesa, 140 S. Ct. 735 (2020) ................................................................................................................ 5 hiQ Labs Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019)................................................................................................... 20 Holland Am. Line Inc. v. Wartsila N. Am., Inc., 485 F.3d 450 (9th Cir. 2007)................................................................................................... 17 Hotmail Corp. v. Van$ Money Pie Inc., 1998 WL 388389 (N.D. Cal. Apr. 16, 1998) .......................................................................... 25 Hungerstation LLC v. Fast Choice LLC, 2020 WL 137160 (N.D. Cal. Jan. 13, 2020) ........................................................................... 15 Hydentra HLP Int’l v. Sagan Ltd., 783 F. App’x 663 (9th Cir. 2019) ..................................................................................... 17, 18 Intel Corp. v. Hamidi, 30 Cal. 4th 1342 (2003) .................................................................................................... 14, 25 Jedson Eng'g, Inc. v. Spirit Const. Servs., Inc., 720 F. Supp. 2d 904 (S.D. Ohio 2010).................................................................................... 24 Kimberlite Corp. v. John Does 1–20, 2008 WL 2264485 (N.D. Cal. June 2, 2008) .......................................................................... 23 Laub v. U.S. Dep’t of Interior, 342 F.3d 1080 (9th Cir. 2003)................................................................................................... 8 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO iv PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 6 of 35 1 TABLE OF AUTHORITIES 2 PAGE Liu v. Republic of China, 892 F.2d 1419 (9th Cir. 1989)................................................................................................... 9 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)........................................................................................... 20, 22 Manetti-Farrow, Inc. v. Gucci Am., Inc., 858 F.2d 509 (9th Cir. 1988)................................................................................................... 11 Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218 (9th Cir. 2011)........................................................................................... 10, 11 Micron Tech., Inc. v. United Microelectronics Corp., 2019 WL 1959487 (N.D. Cal. May 2, 2019) .......................................................................... 18 Microsoft Corp. v. Does 1–18, 2014 WL 1338677 (E.D. Va. Apr. 2, 2014) ............................................................................ 25 Mitan v. Feeney, 497 F. Supp. 2d 1113 (C.D. Cal. 2007)................................................................................... 19 Moore v. McAleenan, 2019 WL 2870079 (D. Alaska July 3, 2019) ............................................................................ 8 Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887 (N.D.Cal.2010) ...................................................................................... 23 NetApp, Inc. v. Nimble Storage, Inc., 41 F. Supp. 3d 816 (N.D. Cal. 2014) ...................................................................................... 14 Novoa v. GEO Grp., Inc., 2018 WL 4057814 (C.D. Cal. Aug. 22, 2018) ...................................................................... 7, 8 Panavision Intl., L.P. v. Toeppen, 141 F.3d 1316 (9th Cir. 1998).......................................................................................... passim Pasquantino v. United States, 544 U.S. 349 (2005) .................................................................................................................. 5 Picot v. Weston, 780 F.3d 1206 (9th Cir. 2015)................................................................................................. 14 Principal Mut. Life Ins. Co. v. Vars, Pave, McCord & Freedman, 65 Cal. App. 4th 1469 (1998).................................................................................................. 11 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO v PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 7 of 35 1 TABLE OF AUTHORITIES 2 PAGE Raffaele v. Compagnie Generale Mar., 707 F.2d 395 (9th Cir. 1983)................................................................................................... 16 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 Republic of Phil. v. Pimentel, 553 U.S. 851 (2008) ................................................................................................................ 10 Rio Props., Inc. v. Rio Int’l Interlink, 284 F.3d 1007 (9th Cir. 2002)................................................................................................. 13 Rosen v. Terapeak, Inc., 2015 WL 12724071 (C.D. Cal. Apr. 28, 2015) ...................................................................... 15 Roth v. Garcia Marquez, 942 F.2d 617 (9th Cir. 1991)................................................................................................... 16 Ruddell v. Triple Canopy, Inc., 2016 WL 4529951 (E.D. Va. Aug. 29, 2016) ........................................................................... 6 Salim v. Mitchell, 183 F. Supp. 3d 1121 (E.D. Wash. 2016) ................................................................................. 8 Salim v. Mitchell, 268 F. Supp. 3d 1132 (E.D. Wash. 2017) (Salim II) ............................................................. 6, 7 Samantar v. Yousuf, 560 U.S. 305 (2010) .......................................................................................................... 1, 3, 6 Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797 (9th Cir. 2004)................................................................................................... 10 Seattle Sperm Bank, LLC v. Cryobank Am., LLC, 2018 WL 3769803 (W.D. Wash. Aug. 9, 2018) ..................................................................... 15 Sinatra v. Nat’l Enquirer, Inc., 854 F.2d 1191 (9th Cir. 1988)........................................................................................... 16, 17 Skapinetz v. CoesterVMS.com, Inc, 2019 WL 2579120 (D. Md. June 24, 2019) ............................................................................ 24 Summit Entm’t, LLC v. Santia, 2014 WL 12577430 (C.D. Cal. June 24, 2014) ................................................................ 14, 25 Synopsys, Inc. v. Ubiquiti Networks, Inc., 2017 WL 3485881 (N.D. Cal. Aug. 15, 2017) ........................................................................ 15 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO vi PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 8 of 35 1 TABLE OF AUTHORITIES 2 PAGE Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003)........................................................................................... 22, 23 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Thrifty-Tel, Inc. v. Bezenek, 46 Cal. App. 4th 1559 (1996).................................................................................................. 24 Ticketmaster L.L.C. v. Prestige Entm't W., Inc., 315 F. Supp. 3d 1147 (C.D. Cal. 2018)................................................................................... 23 Twitch Interactive, Inc. v. Does 1 Through 100, 2019 WL 3718582 (N.D. Cal. Aug. 7, 2019) .......................................................................... 25 United States v. Morris, 928 F.2d 504 (2d Cir. 1991) .............................................................................................. 20, 21 United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (Nosal I) ............................................................................. 20, 21 United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016) (Nosal II) .......................................................................... 20, 22 United States v. Phillips, 477 F.3d 215 (5th Cir. 2007)................................................................................................... 20 Van Buren v. United States, No. 19-783 (U.S.) .................................................................................................................... 22 In re W. States Wholesale Nat. Gas Antitrust Litig., 715 F.3d 716 (9th Cir. 2013)................................................................................................... 16 W.S. Kirkpatrick & Co. v. Envtl. Tectonics Corp, Int’l, 493 U.S. 400 (1990) .................................................................................................................. 9 Walden v. Fiore, 571 U.S. 277 (2014) ................................................................................................................ 15 Warren v. Fox Family Worldwide, Inc., 328 F.3d 1136 (9th Cir. 2003)................................................................................................... 8 Washington v. GEO Grp., Inc., 2019 WL 3565105 (W.D. Wash. Aug. 6, 2019) ....................................................................... 7 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO vii PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 9 of 35 TABLE OF AUTHORITIES 1 PAGE 2 3 4 5 6 Statutes 18 U.S.C.§ 1030 et seq. .......................................................................................................... passim 28 U.S.C. § 1603(b)(1)-(2).............................................................................................................. 4 Cal. Civ. Code § 1641 ................................................................................................................... 11 7 8 9 10 11 12 13 14 15 Other Authorities Fed. R. Civ. P. 4(k)(2) ............................................................................................................................... 18, 19 12 et seq......................................................................................................................... 2, 10, 13 15 ............................................................................................................................................. 10 19 et seq........................................................................................................................... 1, 9, 10 65 ............................................................................................................................................. 10 H.R. Rep. 98-894 (1984), reprinted in 1984 U.S.C.C.A.N. 3689 ................................................ 21 RESTATEMENT (SECOND) OF FOREIGN RELATIONS LAW § 66(f) (1965) .......................................... 6 16 17 18 19 20 21 22 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO viii PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 10 of 35 1 I. INTRODUCTION 2 A flawed premise runs through the motion to dismiss (“MTD”). Defendants contend that they 3 cannot be held responsible for designing and marketing spyware and then deploying it using 4 WhatsApp’s U.S.-based servers, including in California, to hack into WhatsApp users’ devices. 5 Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn: 6 Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit 7 in a California court; and the Complaint states valid claims for relief based on Defendants’ 8 unauthorized access to and hijacking of WhatsApp’s servers. The motion should be denied. 9 First, the Foreign Sovereign Immunities Act (“FSIA”) affords Defendants no protection. The 10 statute confers immunity only on foreign states—not private companies who develop and operate their 11 own technology and then claim to act on a foreign state’s behalf. Defendants seek to expand the 12 domestic doctrine of derivative sovereign immunity to cover contractors of foreign sovereigns—an 13 unwarranted leap that no court in this circuit has endorsed and that conflicts with the Supreme Court’s 14 decision in Samantar v. Yousuf, 560 U.S. 305 (2010). Nor can Defendants satisfy the prerequisites for 15 derivative sovereign immunity even assuming it applies, given the discretion, control, and 16 independence they concede they exercised in carrying out the attacks alleged in the Complaint. In any 17 event, this issue cannot be resolved in Defendants’ favor at the pleading stage: their showing is 18 conclusory, identifies no specific foreign sovereigns, and would require discovery. 19 Second, Defendants’ putative foreign clients are not “required parties” under Fed. R. Civ. P. 20 19(a). The Complaint alleges only wrongdoing by Defendants—not any other actor. And Rule 19(b)’s 21 considerations of “equity and good conscience” require the action to proceed. 22 Third, the Court has personal jurisdiction over Defendants. They agreed to litigate here, under 23 California law; obtained financing from a California firm; accessed and exploited Plaintiffs’ California 24 servers—as well as used separate servers in California—to carry out their attacks; intentionally 25 directed their tortious conduct towards California-based corporations; and the effects of their actions 26 were foreseeably felt in California by Plaintiffs and WhatsApp users. 27 Finally, the Complaint validly alleges violations of the Computer Fraud and Abuse Act 28 (“CFAA”) and trespass to chattels. Defendants had no authority to access WhatsApp’s servers with COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 1 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 11 of 35 1 an imposter program, manipulate network settings, and commandeer the servers to attack WhatsApp 2 users. That invasion of WhatsApp’s servers and users’ devices constitutes unlawful computer hacking 3 at the heart of the CFAA’s unauthorized-access offense. And Defendants’ interference with the 4 intended functioning of Plaintiffs’ servers constitutes trespass to chattels under established law. 5 II. BACKGROUND 6 WhatsApp provides an end-to-end encrypted communication service on mobile devices. 7 Compl. ¶ 17. Users must install the WhatsApp app to use the WhatsApp Service. Id. WhatsApp 8 routes end-to-end encrypted calls and messages between users using network protocols built into its 9 app. Id. ¶¶ 17-18, 35. 10 According to the allegations in the Complaint, which must be taken as true on a motion to 11 dismiss under Fed. R. Civ. P. 12(b), Defendants NSO Group Technologies Inc. and Q Cyber 12 Technologies Inc. (collectively, “NSO”) manufactured, distributed, and operated surveillance 13 technology, also known as “spyware,” designed to intercept and extract information and 14 communications from mobile phones and devices of WhatsApp users (“Target Devices”). Compl. 15 ¶¶ 24–29. 16 surreptitiously installed on a victim’s phone without her knowing her phone had been compromised. 17 Id. ¶¶ 24-29, Ex. 10.1 Once installed, Pegasus captured an array of private information, including the 18 phone’s location, camera, microphone, memory, and hard drive, as well as private emails, calls, texts, 19 and messages sent via WhatsApp and other services. Id. ¶¶ 24-29. NSO ultimately deployed its 20 spyware to hack into approximately 1,400 phones and devices belonging to WhatsApp users, including 21 attorneys, journalists, human rights activists, government officials, and others. Id. ¶ 42. NSO’s spyware includes a product called “Pegasus,” which was designed to be 22 To carry out the attacks, NSO created WhatsApp accounts, gained unauthorized access to 23 WhatsApp’s servers in the United States, including in California, and deployed spyware to connect 24 users’ devices to a network of remote servers in California that NSO controlled. Id. ¶¶ 32, 35-48, 60- 25 61. First, NSO reverse-engineered the WhatsApp app and wrote a program that emulated legitimate 26 WhatsApp network traffic while hiding malware transmitted to users. Id. ¶¶ 35-48. By using its 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 1 Defendants’ claim (MTD at 2 n.2) that Facebook sought to purchase Pegasus to monitor Onavo app users is inaccurate and an attempt to distract from Defendants’ own conduct and the issues in this case. 2 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 12 of 35 1 unauthorized program to access WhatsApp servers, NSO circumvented technical restrictions and 2 security measures that prevent users from altering network call settings. Id. NSO then manipulated 3 those settings to covertly transmit malicious code through WhatsApp servers and inject the code into 4 users’ devices, even when the victims did not answer the call. Id. Once NSO’s malicious code was 5 activated, NSO’s malicious servers transmitted additional malware that gave NSO and its customers 6 remote access to the devices. Id. ¶¶ 39-41. NSO used a network of computers to monitor and update 7 Pegasus after it was implanted on users’ devices. Id. ¶ 28. These NSO-controlled computers served 8 as the nerve center through which NSO controlled its customers’ operation and use of Pegasus. Id. 9 In May 2019, Plaintiffs detected and stopped NSO’s unauthorized access and abuse of the 10 WhatsApp service and computers. Id. ¶ 44. The attack damaged Plaintiffs’ goodwill and forced them 11 to incur costs to investigate and prevent NSO’s hacking activities, including updating the WhatsApp 12 app on users’ devices. Id. ¶¶ 44-45, 57. This suit followed. 13 III. ARGUMENT 14 A. NSO Has No Valid Claim to Immunity. 15 The Foreign Sovereign Immunities Act only applies to foreign states. 16 NSO’s claim to FSIA immunity, MTD at 8-9, is precluded by the Supreme Court’s decision in 17 Samantar v. Yousuf, 560 U.S. 305 (2010). Samantar held that the FSIA confers immunity only on a 18 “foreign state” itself, “as the Act defines that term.” Id. at 325. A “foreign state,” as defined in the 19 FSIA, does not “include an official acting on behalf of the foreign state,” id. at 319, let alone a private 20 contractor claiming to act for a foreign state, see Broidy Capital Management LLC v. Muzin, 2020 WL 21 1536350, at *5 (D.D.C. Mar. 31, 2020) (FSIA inapplicable to consulting firm’s claim for immunity as 22 Qatari agent); Doğan v. Barak, 932 F.3d 888, 893 & n.4 (9th Cir. 2019) (FSIA immunity “does not 23 extend” to entities other than “foreign states”). Here, NSO is a for-profit commercial company— 24 decidedly not a foreign state. See Compl. ¶¶ 1, 5-7, 29. The FSIA has no bearing here. 25 To avoid this straightforward conclusion, NSO asserts that the allegedly unlawful conduct was 26 “carried out by sovereign governments.” MTD at 8. But it offers no support for its novel theory that 27 the FSIA confers immunity on private companies, sued in their own name, when those entities attribute 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 3 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 13 of 35 1 their unlawful activity to a foreign sovereign. 2 The FSIA remains inapplicable because this suit asserts 2 no claims against and seeks no relief from a foreign state. Indeed, even where the FSIA protects an 3 “agency or instrumentality of a foreign state,” it restricts immunity to entities that are “organ[s]” of 4 the state or are majority-owned by the state. 28 U.S.C. § 1603(b)(1)-(2); see Dole Food Co. v. 5 Patrickson, 538 U.S. 468, 474 (2003). NSO qualifies as neither, see Compl. ¶¶ 5-6, and its position 6 would render those limitations on foreign state corporate immunity superfluous. Cf. Dole, 538 U.S. 7 at 476-77 (relying on superfluity canon in construing the FSIA). 8 NSO’s attempt to shift liability to foreign states is further flawed because NSO does not dispute 9 that it engaged in critical conduct at the heart of the complaint: NSO concedes that it (1) “design[ed],” 10 manufactured, “market[ed],” sold, “configure[d],” and “deploy[ed]” Pegasus; (2) “assist[ed] with the 11 training, setup, and installation of the Pegasus technology” and provided “technical support” post- 12 installation; (3) and, at NSO’s discretion, canceled or suspended customers’ use of Pegasus. MTD at 13 2-6.3 And while NSO provides no explanation of its precise role in routing malicious code through 14 Plaintiffs’ servers other than an unadorned denial, MTD at 7, the Complaint specifically and credibly 15 alleges that NSO was deeply involved in carrying out the attack and claimed ownership of the attack 16 after WhatsApp stopped it. Compl. ¶¶ 32, 35-39, 42, 45. NSO’s unsupported claim that the FSIA 17 immunizes all of the conduct at issue thus affords no basis for dismissal. No “derivative foreign sovereign immunity” exists. 18 19 NSO has no sounder basis for claiming “derivative foreign sovereign immunity” as a private 20 contractor working for foreign governments. MTD at 9-10. Although such immunity protects certain 21 contractors working “with the United States,” Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663, 672 22 (2016) (emphasis added), no court in this Circuit has extended that doctrine to work performed for 23 foreign sovereigns. Nor should this Court create such federal common law; the foreign context 24 implicates international comity concerns for the Executive Branch, not courts, to address. 25 2 26 The nature of the victims targeted during the attack, including journalists and attorneys, is not consistent with the type of government operations NSO claims to support in its motion. 27 3 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO NSO offers no evidence that the development, testing, or upgrading of Pegasus was commissioned by a foreign state, nor does it dispute that its own use of its product for development purposes is primarily for commercial advantage over other companies that provide similar services. 4 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 14 of 35 1 The leap from the domestic to the foreign context is not “small.” MTD at 10. Domestic 2 “derivative sovereign immunity” reflects that the United States and its agents have “the same interest 3 in getting the Government’s work done.” Boyle v. United Techs. Corp., 487 U.S. 500, 505 (1988). In 4 that context, federal courts have created a federal common law rule to protect unique federal interests. 5 Id. at 504-05. This is one of the rare instances where fashioning federal common law is appropriate. 6 But foreign sovereign immunity is instead based on international comity, Broidy, 2020 WL 1536350, 7 at *7, and federal courts have no freewheeling license to fashion common law rules to protect 8 international relations. Because “the Executive is the sole organ of the federal government in the field 9 of international relations,” and has the responsibility to account for comity considerations, 10 Pasquantino v. United States, 544 U.S. 349, 369 (2005) (citation omitted), separation-of-powers 11 concerns preclude judicial creation of a new derivative sovereign immunity doctrine for contractors 12 working for foreign sovereigns. See Hernandez v. Mesa, 140 S. Ct. 735, 747 (2020) (cautioning 13 against “unwarranted judicial interference in the conduct of foreign policy”) (citation omitted). 14 In determining whether a foreign entity is entitled to immunity, courts therefore confine 15 themselves to established sources of law. See Doğan, 932 F.3d at 891-93; Broidy, 2020 WL 1536350, 16 at *6-7. Here, no established law recognizes the novel immunity NSO seeks. 4 Indeed, even common- 17 law foreign-official immunity requires either a Suggestion of Immunity from the U.S. State 18 Department, or a judicial determination that the official (by virtue of his position or conduct) possesses 19 the established prerequisites for immunity. 20 Department has not filed a Suggestion of Immunity. And as a private non-governmental entity, NSO 21 has no claim by virtue of its position. See Broidy, 2020 WL 1536350, at *5 (“Status-based immunity” 22 “is unavailable here because the defendants are neither Qatari diplomats nor Qatari heads of state.”). See Doğan, 932 F.3d at 891-93. Here, the State 23 That leaves only conduct-based foreign-official immunity, which sets a standard NSO cannot 24 meet. As articulated by the Restatement (Second), a foreign official may have common law immunity 25 “with respect to acts performed in his official capacity if the effect of exercising jurisdiction would be 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 4 Courts sometimes also consider whether the State Department has an “established policy” recognizing the asserted immunity. See Broidy, 2020 WL 1536350, at *5-6 (citation omitted). NSO identifies no State Department guidance recognizing immunity for foreign government contractors. 5 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 15 of 35 1 to enforce a rule of law against the [foreign] state.” RESTATEMENT (SECOND) OF FOREIGN RELATIONS 2 LAW § 66(f) (1965); Doğan, 932 F.3d at 893-95. Here, Plaintiffs seek to halt wrongdoing by NSO, 3 not a foreign state; NSO’s liability rests on its own conduct. And the effect of a judgment in Plaintiffs’ 4 favor would not be to enforce a rule of law against the unidentified foreign states that transacted with 5 NSO. Specifically, a judgment enjoining NSO from creating accounts with Plaintiffs, accessing their 6 services, or violating or facilitating violations of their terms of service, see Compl. at 14, would bind 7 only NSO. And any damages judgment would not be paid from a foreign state’s coffers. Accordingly, 8 NSO cannot prevail even under the common-law foreign-official immunity framework. 9 It is thus unsurprising that hardly any authorities (even outside this Circuit) recognize “foreign 10 derivative sovereign immunity” for private contractors. NSO relies on Butters v. Vance International, 11 Inc., 225 F.3d 462 (4th Cir. 2000), and its progeny. MTD at 10. But Butters is no longer good law. 12 Butters is a pre-Samantar decision interpreting the FSIA—not common-law immunity—to confer 13 immunity on private agents of foreign governments. See 225 F.3d at 464, 466-67; see also Ruddell v. 14 Triple Canopy, Inc., 2016 WL 4529951, at *7 (E.D. Va. Aug. 29, 2016) (“Butters . . . confronted 15 a contractor’s immunity claim derived from the [FSIA], not immunity derived from the United States’ 16 common law sovereign immunity”). Samantar has since made clear that the FSIA confers immunity 17 only on foreign states, see III.A.1, supra, effectively abrogating Butters’ holding. 18 19 20 21 22 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO NSO cannot satisfy the requirements for the “derivative sovereign immunity” applicable to certain U.S.-government contractors. Even if foreign-government contractors could invoke the “derivative sovereign immunity” available to U.S.-government contractors, NSO cannot satisfy that doctrine’s requirements. Immunity for U.S.-government contractors, “unlike the sovereign’s, is not absolute.” Campbell-Ewald, 136 S. Ct. at 672. Derivative sovereign immunity “is limited to cases in which a contractor had no discretion in the design process and completely followed government specifications.” Cabalce v. Thomas E. Blanchard & Assocs., Inc., 797 F.3d 720, 732 (9th Cir. 2015) (internal quotations and citation omitted). Where a contractor “had a significant role in the design of the Program” and was not “acting merely and solely as directed by the Government,” Salim v. Mitchell, 268 F. Supp. 3d 1132, 1150 (E.D. Wash. 2017) (Salim II)—or where a contractor had “discretion” in 6 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 16 of 35 1 “administering” the contracted-for program, Novoa v. GEO Grp., Inc., 2018 WL 4057814, at *3 (C.D. 2 Cal. Aug. 22, 2018)—no derivative sovereign immunity exists. 3 NSO bears no resemblance to the no-discretion contractor archetype protected by U.S.- 4 government derivative sovereign immunity, as its own statements confirm. 5 No foreign government 5 identified a need for NSO’s services, hired NSO, and directed NSO to deliver a product according to 6 particular specifications and subject to governmental control. Just the opposite: Pegasus was NSO’s 7 brainchild—conceived, executed, and marketed by NSO. NSO designed Pegasus, promoted and 8 licensed Pegasus to multiple parties, and trained those customers to use Pegasus. Compl. ¶¶ 1, 24, 26- 9 27, 29. Even if foreign sovereigns identified which users to target, NSO determined the parameters 10 and operation of the Pegasus technology—including by providing technical support and continuously 11 monitoring customers for compliance with NSO’s terms. Id. ¶¶ 28-29. Courts in this Circuit routinely 12 reject claims of derivative sovereign immunity on analogous facts. See, e.g., Cabalce, 797 F.3d at 732 13 (denying immunity where contractor “designed the destruction plan” for seized fireworks “without 14 government control or supervision”); Salim II, 268 F. Supp. 3d at 1148 (no immunity when contractors 15 did not “act[] specifically at the direction of the Government, but rather . . . designed and implemented” 16 a program as “architects” who then “trained” CIA personnel); Washington v. GEO Grp., Inc., 2019 17 WL 3565105, at *5 (W.D. Wash. Aug. 6, 2019) (denying immunity because contractor failed to show 18 it had “no discretion in the design process and completely followed government specifications”). 19 4. NSO’s “extrinsic evidence” cannot save its immunity defense. 20 Although NSO’s immunity claims have no legal basis and should be dismissed outright, at a 21 minimum, NSO wrongly relies on extrinsic evidence to press those claims. 22 n.7. Derivative sovereign immunity is not a jurisdictional doctrine. E.g., Adkisson v. Jacobs Eng’g 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO MTD at 8-10 & 5 See MTD at 2 (NSO “design[ed] and market[ed]” its technology to governments); id. at 3-4 (“NSO has voluntarily undertaken additional steps” to monitor the use of Pegasus, and NSO “contractually can suspend—and ha[s] suspended, and would terminate—service to customers engaged in any improper use of NSO’s Pegasus technology”); id. at 3-4 (“NSO requires its customers” to agree to use NSO technology for specified purposes and to “immediately notify NSO of any potential misuse”); see also Compl., Ex. 10 (NSO’s Pegasus Manual) at 55 (“NSO is responsible to deploy and configure the Pegasus hardware and software at the customer premises”); id. at 58 (“[a]ll the necessary hardware is supplied with the system upon deployment”); id. at 61 (“[NSO] [is] responsible for the system setup and training before its hand-over to the customer”). 7 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 17 of 35 1 Grp., Inc., 790 F.3d 641, 645 (6th Cir. 2015); accord Gomez v. Campbell-Ewald Co., 768 F.3d 871, 2 874, 879-82 (9th Cir. 2014), aff’d, 136 S. Ct. 663 (2016). And even if it were, “[w]here jurisdiction 3 is intertwined with the merits”—as it is here, where NSO’s twin defenses hinge on the identity of its 4 customers and the services it provided—“the truth of the [complaint’s] allegations” must be assumed 5 “unless controverted by undisputed facts in the record.” Warren v. Fox Family Worldwide, Inc., 328 6 F.3d 1136, 1139 (9th Cir. 2003) (citation omitted). Accordingly, the allegations in Plaintiffs’ 7 Complaint control. Moore v. McAleenan, 2019 WL 2870079, at *2 (D. Alaska July 3, 2019). 8 Beyond that, NSO’s factual showing does not come close to supporting an attack on 9 jurisdiction. The Complaint alleges targeting of 1,400 separate devices, Compl. ¶ 42, and NSO does 10 not specify who it was working for in each attack. Instead, NSO relies on a conclusory declaration 11 from its CEO Shalev Hulio stating that “NSO markets and licenses its Pegasus technology exclusively 12 to sovereign governments and authorized agencies,” and those sovereigns—not NSO—“operate [the] 13 Pegasus technology.” Hulio Decl. ¶¶ 9, 14-15. But Hulio fails to identify any specific foreign 14 sovereign for whom NSO worked—let alone cite a single contract or any evidence establishing NSO’s 15 purportedly limited operational role. That factual showing is plainly insufficient. 16 Finally, before any fact-based immunity defense could be entertained, Plaintiffs would be 17 entitled to discovery. See Laub v. U.S. Dep’t of Interior, 342 F.3d 1080, 1093 (9th Cir. 2003) 18 (discovery appropriate when “jurisdictional facts are contested or more facts are needed” to determine 19 jurisdiction). All information relating to NSO’s customers and NSO’s services is in NSO’s 20 possession. Absent discovery on these subjects, NSO’s motion cannot be granted. See id. (reversing 21 denial of jurisdictional discovery where plaintiff sought “detailed accounting of all [defendant’s] 22 transactions”); Salim v. Mitchell, 183 F. Supp. 3d 1121, 1130-31 (E.D. Wash. 2016) (“Salim I”) 23 (denying motion to dismiss that asserted “derivative sovereign immunity” defense because “no 24 discovery has been conducted”); Novoa, 2018 WL 4057814, at *3 (same). 6 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 6 NSO’s passing reference to the act of state doctrine also fails. MTD at 10-11 & n.12. NSO concedes that this argument is not ripe for decision, id., and it also lacks merit. NSO is alleged to have engaged in unlawful hacking and breach of contract, and proving those violations does not require the Court to rule on the validity of the act of any foreign sovereign. W.S. Kirkpatrick & Co. v. Envtl. Tectonics Corp, Int’l, 493 U.S. 400, 409-10 (1990). Further, gaining unauthorized access to WhatsApp’s servers 8 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 18 of 35 1 B. The Complaint Does Not Fail to Join a Required Party. 2 NSO is wrong to contend that the Complaint must be dismissed because Plaintiffs did not join 3 NSO’s foreign-sovereign customers. MTD at 18-19. NSO’s customers are not “required part[ies]” 4 under Rule 19(a), and even if they were, considerations of “equity and good conscience” evaluated 5 under Rule 19(b) require the action to “proceed among the existing parties.” Fed. R. Civ. P. 19; see 6 Fed. R. Civ. P. 12(b)(7). 7 NSO argues that under Rule 19(a)(1)(A) “the court cannot accord complete relief among 8 existing parties” without NSO’s foreign-sovereign clients. But this suit seeks to enjoin wrongdoing 9 by NSO—not any other actor. An order enjoining NSO from, inter alia, accessing or attempting to 10 access Plaintiffs’ systems, or violating or facilitating violations of Plaintiffs’ terms of service, will 11 afford Plaintiffs “complete relief.” NSO’s allusion (MTD at 19) to hypothetical relief against 12 sovereign clients, not sought by Plaintiffs, is irrelevant—Rule 19(a)(1)(A) “is concerned only with 13 relief as between the persons already parties, not as between a party and the absent person.” Eldredge 14 v. Carpenters 46 N. Cal. Ctys. Joint Apprenticeship & Training Comm., 662 F.2d 534, 537 (9th Cir. 15 1981) (internal quotations and citation omitted). Nor can NSO rely on “possible future conduct” by 16 third-party sovereigns that might “frustrate the remedial purposes of [a] court-order[]” enjoining NSO 17 in order to “avoid [its] own liability for [illegal] practices.” Id. 18 NSO incorrectly suggests that an injunction restraining it “and all other persons acting in 19 concert with or conspiracy with” it must include foreign sovereigns. Compl. at 14. Such language is 20 “standard boilerplate drawn from Rule 65 describing the ‘persons bound’ by ‘every injunction.’” 21 E.E.O.C. v. Peabody W. Coal Co., 610 F.3d 1070, 1080 (9th Cir. 2010) (quoting Fed. R. Civ. P. 65). 22 The “better reading” is that the language does not seek “injunctive relief against” an immune 23 sovereign. Id.; see In re Estate of Ferdinand Marcos Human Rights Litig., 94 F.3d 539, 545-46 (9th 24 Cir. 1996). But even if NSO’s reading were correct, “the proper response . . . would . . . be[] simply 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO located in the United States could never be considered an “act of state.” That doctrine bars adjudicating only the sovereign acts of a foreign government done “within its own territory.” Id. Courts are free to “judge the legality and propriety of an act that occurred within the borders of the United States.” Liu v. Republic of China, 892 F.2d 1419, 1433 (9th Cir. 1989). 9 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 19 of 35 1 to deny [the] request for injunctive relief” against a sovereign, “shap[e] the relief” sought under Rule 2 19(b)(2)(B), or permit Plaintiffs leave to amend under Rule 15. Peabody, 610 F.3d at 1077, 1080. 3 Finally, even if NSO’s sovereign clients were “required parties” under Rule 19(a), Rule 19(b) 4 dismissal is unwarranted. NSO argues that this action would “prejudice [its] customers” by “ignoring 5 their sovereign status.” MTD at 19 (citation omitted). But the rule for foreign sovereigns is not 6 categorical; rather, the inquiry turns on multiple “factors varying with the different cases.” Republic 7 of Phil. v. Pimentel, 553 U.S. 851, 863 (2008) (citation omitted). An action should continue without 8 a required sovereign where considerations of “equity and good conscience” weigh against the severe 9 remedy of dismissal. Id. at 862-63 (quoting Rule 19(b)). That is true here: If NSO is liable for the 10 violations alleged, it cannot remain free to abuse Plaintiffs’ systems and victimize Plaintiffs’ users by 11 hiding behind the actions of absent sovereign clients that can pursue their own interests. 7 12 C. The Court Has Personal Jurisdiction Over NSO. 13 Personal jurisdiction over NSO exists for two independent reasons: NSO (1) consented to 14 jurisdiction by accepting WhatsApp’s Terms; and (2) directed its conduct at California. Plaintiffs need 15 only identify “facts that if true would support jurisdiction” to defeat a Rule 12(b)(2) dismissal. Mavrix 16 Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1223 (9th Cir. 2011); Ballard v. Savage, 65 F.3d 17 1495, 1498 (9th Cir. 1995).8 Plaintiffs have made this showing. NSO consented to this Court’s jurisdiction. 18 19 By agreeing to WhatsApp’s Terms, which include a forum selection clause designating this 20 Court, NSO “consented to personal jurisdiction.” Automattic, Inc. v. Steiner, 82 F. Supp. 3d 1011, 21 1022 (N.D. Cal. 2015) (Hamilton, J.) (citation omitted); Craigslist, Inc. v, Naturemarket, Inc., 694 F. 22 Supp. 2d 1039, 1052 (N.D. Cal. 2010) (Hamilton, J.) (defendants consented to jurisdiction by 23 “agree[ing] to the TOUs as a condition to accessing Plaintiff’s website”). Such forum selection clauses 24 are “prima facie valid” and are “enforceable absent a strong showing” by the opposing party that the 25 7 26 NSO’s suggestion that it will be hampered in obtaining discovery needed for its defense, MTD at 19 n.18, is unfounded. NSO can prove its own conduct without relying on others’ evidence. 27 8 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO Under Rule 12(b)(2), the Court takes Plaintiffs’ “uncontroverted allegations in the complaint” as true, Mavrix, 647 F.3d at 1223, and resolves conflicts “over statements contained in affidavits” in “[P]laintiff[s’] favor,” Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 800 (9th Cir. 2004). 10 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 20 of 35 1 clause is invalid or its enforcement would otherwise be “unreasonable or unjust.” Manetti-Farrow, 2 Inc. v. Gucci Am., Inc., 858 F.2d 509, 514 (9th Cir. 1988) (citation omitted). 3 4 5 6 7 8 9 10 The WhatsApp Terms applicable to NSO contained a “Dispute resolution” section with the following forum selection clause and choice of law provision: If you are not subject to the “Special Arbitration Provision for United States or Canada Users” section below, you agree that you will resolve any Claim you have with us relating to, arising out of, or in any way in connection with our Terms, us, or our Services (each, a “Dispute,” and together, “Disputes”) exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County in California, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating all such Disputes. Governing Law: The laws of the State of California govern our Terms, as well as any Disputes, whether in court or arbitration, which might arise between WhatsApp and you, without regard to conflict of law provisions. 11 12 Duffy Decl. ¶¶ 4, 6, Ex. 1 (emphasis added). The arbitration provision referenced in the forum 13 selection clause states that arbitration applies to “all disputes” that involve U.S. or Canadian users, 14 with the exception of a subset of actions. Id. 15 NSO does not deny that it accepted WhatsApp’s Terms or that the forum selection clause is 16 enforceable. See MTD at 11-12. Instead, NSO wrongly urges the Court to interpret the term “Dispute” 17 to apply only to users’ claims against WhatsApp, and not vice versa. See MTD at 11-12. That reading 18 ignores the plain meaning of the forum selection clause, as this suit involves a Dispute that NSO “ha[s] 19 with [WhatsApp]”—i.e., a dispute between NSO and WhatsApp. 20 NSO’s one-sided reading of the term “Dispute” in the forum selection clause is likewise 21 inconsistent with the use of the same term in the choice-of-law and arbitration provisions. “[E]ach 22 clause” of the Terms “help[s] to interpret the other.” Cal. Civ. Code § 1641; see Principal Mut. Life 23 Ins. Co. v. Vars, Pave, McCord & Freedman, 65 Cal. App. 4th 1469, 1478 (1998) (“[W]ords used in 24 a certain sense in one part of a contract are deemed to have been used in the same sense elsewhere.”) 25 The choice-of-law provision makes clear that the term “Dispute” applies to all actions between users 26 and WhatsApp, providing that California law “govern[s] [WhatsApp’s] Terms, as well as any Disputes 27 . . . which might arise between WhatsApp and you.” See Duffy Decl. ¶¶ 4, 6, Ex. 1. And the arbitration 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 11 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 21 of 35 1 provision uses “dispute” the same way, applying to “all disputes” whether WhatsApp or the user 2 initiates them. Based on the consistent meaning of “Dispute” as used throughout the Terms, NSO 3 consented to this Court’s exercise of personal jurisdiction. See Craigslist, 649 F. Supp. 2d at 1052. 4 Alternatively, NSO’s contacts with California establish specific jurisdiction. 5 Specific jurisdiction over a defendant exists when (1) the defendant “purposefully avail[ed]” 6 itself of the forum’s benefits regarding a contract claim or “purposefully direct[ed]” its activities at the 7 forum with respect to a tort claim; (2) the plaintiff’s claims “arise[] out of or relate[] to” those “forum- 8 related activities”; and (3) the exercise of jurisdiction is consistent with fair play and substantial justice. 9 See Dole Food Co. v. Watts, 303 F.3d 1104, 1111 (9th Cir. 2002). Here, specific jurisdiction exists 10 because Plaintiffs have established the first two prongs, and NSO has not “present[ed] a compelling 11 case that the exercise of jurisdiction . . . would be unreasonable.” Id. at 1117 (citation omitted). 12 a. NSO purposefully availed itself of California’s benefits. 13 NSO contends that it did not purposefully avail itself of California’s benefits because it has not 14 engaged in in-forum conduct. MTD at 16. To the contrary, NSO “deliberately [] engaged in 15 significant activities” and created “continuing obligations” in California, receiving “manifold 16 benefits.” See Burger King Corp. v. Rudzewicz, 471 U.S. 462, 475-76, 480 (1985). NSO: (1) 17 contracted with California-based WhatsApp and agreed that California law governed; (2) committed 18 to perform under WhatsApp’s Terms; and (3) benefited from business activities directed at California. 19 First, NSO concedes that it contracted with WhatsApp and agreed to WhatsApp’s Terms with 20 a California choice-of-law clause when creating user accounts; indeed, NSO does not dispute that 21 Plaintiffs have stated a claim for breach of those Terms. See Compl. ¶¶ 19, 30-31, 67-73; MTD at 7- 22 8, 11. Contracting under California law shows that a defendant “chose[] to avail itself of the benefits 23 and protections of California’s laws.” Google, Inc. v. Eolas Techs. Inc., 2014 WL 2916621, at *3 24 (N.D. Cal. June 24, 2014) (finding personal jurisdiction). 25 “sophisticated” entities, like NSO, agree to a choice-of-law clause. Facebook, Inc. v. Rankwave Co., 26 No. 19-3738, at *8-9 (N.D. Cal. Nov. 14, 2019) (ECF No. 34); see Burger King, 471 U.S. at 481-82. 27 Second, NSO committed to perform continuously under the Terms, including by complying 28 with WhatsApp’s policies for ongoing use of the platform. See Compl. ¶¶ 20-22 (Terms require users, COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 12 This is particularly true where PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 22 of 35 1 e.g., not to “send . . . harmful computer code through or onto our Services[.]”). The “continuous course 2 of dealing” under a contract governed by California law supports a finding of “purposeful availment.” 3 Facebook, No. 19-3738, at *8-10 (finding jurisdiction where foreign defendant agreed to plaintiff’s 4 Terms, including a California choice-of-law clause, as a condition of accessing plaintiff’s data). 5 Third, NSO engaged in significant activities directed at California. NSO developed Pegasus 6 using financing from a California-based private equity firm.9 NSO also intentionally exploited 7 WhatsApp’s California-based infrastructure to develop its product and deliver malware to Target 8 Devices. See Compl. ¶¶ 5, 11, 27-29, 34-40, 60-62; see also Exs. 4, 10 (advertising the surveillance 9 capability of NSO’s technology); MTD at 5 (admitting use and exploitation of WhatsApp’s platform). 10 Additionally, to execute its scheme and install its spyware on WhatsApp users’ devices, NSO 11 separately entered into a contract with a California-based technology company, QuadraNet, that 12 included a California choice-of-law clause. Compl. ¶ 34; Gheorghe Decl. ¶¶ 3-5; LeBlanc Decl. ¶¶ 2- 13 3, Exs. 1, 2; Mornin Decl. ¶¶ 2-4, Exs. 1-5. NSO used QuadraNet’s California-based server more than 14 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 15 2019. Gheorghe Decl. ¶ 4; Mornin Decl. ¶¶ 2-4, Exs. 1-5; Compl. ¶ 34. And NSO knew or should 16 have known the QuadraNet server was in California. Id.; Panavision Intl., L.P. v. Toeppen, 141 F.3d 17 1316, 1322 (9th Cir. 1998) (purposeful availment established because defendant was “likely” to know 18 his conduct “had the effect of injuring” plaintiff “in California”). Tellingly, NSO does not deny that 19 it contracted with QuadraNet, or that the QuadraNet server was used in the attack. See MTD at 14. 20 NSO’s contacts with California, taken together, show that NSO purposefully availed itself of 21 the forum’s benefits. See CompuServe, Inc. v. Patterson, 89 F.3d 1257, 1264 (6th Cir. 1996) (specific 22 jurisdiction where defendant contracted with in-forum plaintiff, including a forum state choice-of-law 23 clause, and used plaintiff’s server infrastructure); Panavision, 141 F.3d at 1321 (discussing 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 9 NSO submits no evidence that this financing was not used to build Pegasus, and NSO’s conclusory assertion that the financing is irrelevant (MTD at 16) fails on a Rule 12(b)(2) challenge. Rio Props., Inc. v. Rio Int’l Interlink, 284 F.3d 1007, 1019 (9th Cir. 2002); see Compl. ¶ 33, Ex. 4 (indicating that NSO created Pegasus while funded by a California firm). NSO issued “major upgrades” to Pegasus annually—and no evidence shows that this stopped from 2014 to February 2019, when a California firm owned 70 percent of NSO’s business. See Compl., Ex. 10 at 64; fastcompany.com/90307864/us-fund-sells-israeli-hacking-firm-nso-group-amid-spy-mystery. 13 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 23 of 35 1 CompuServe with approval); Summit Entm’t, LLC v. Santia, 2014 WL 12577430, at *3 (C.D. Cal. June 2 24, 2014) (purposeful availment met based on knowing use of California servers to commit breach). 10 b. 3 NSO purposefully directed its conduct at California. 4 A defendant purposefully directs its activities at California if it (1) commits an intentional act 5 (2) expressly aimed at California (3) that causes harm it knows will likely be suffered here. See Axiom 6 Foods, Inc. v. Acerchem Int’l, Inc., 874 F.3d 1064, 1069 (9th Cir. 2017). Here, NSO purposefully 7 directed its conduct to California: it marketed its ability to compromise California-based WhatsApp’s 8 security and used reverse-engineered WhatsApp technology and QuadraNet’s California-based 9 servers to hijack WhatsApp’s servers, including in California, to distribute malware. Compl. ¶¶ 34- 10 39, 60-62 & Ex. 10; Gheorghe Decl. ¶¶ 3-4; Mornin Decl. ¶¶ 2-6, Exs. 1-9. That satisfies Axiom. 11 The intentional-act element is beyond dispute. Plaintiffs allege that NSO violated California’s 12 Computer Data Access and Fraud Act (“CDAFA”) by “knowingly” and “willfully” targeting 13 WhatsApp’s systems to disseminate malware. See Compl. ¶¶ 60-61, 64, 66; see also MTD at 2 & n.1; 14 NetApp, Inc. v. Nimble Storage, Inc., 41 F. Supp. 3d 816, 826 (N.D. Cal. 2014) (exercising jurisdiction 15 over foreign defendant who “had reason to know” that he was accessing plaintiff’s “computer systems 16 in California” through his affirmative acts directed towards the forum state). Indeed, NSO’s product 17 description of Pegasus specifically mentions WhatsApp and Facebook. Compl. ¶ 24, Ex. 10 at 33. 18 NSO’s willful targeting of WhatsApp’s infrastructure suffices. See Panavision, 141 F.3d at 1321. 19 Likewise, the harm element also exists: NSO’s acts caused harm NSO knew would likely be suffered 20 in California, Plaintiffs’ principal place of business. See id.; see also Dole, 303 F.3d at 1113-14. 21 NSO appears to challenge only the express-aiming element, arguing that it did not target its 22 conduct at California.11 See MTD at 14-15. But NSO’s actions aimed at, and caused effects in, 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 10 Contrary to NSO’s assertion (MTD at 16), Boschetto v. Hansing, 539 F.3d 1011 (9th Cir. 2008) and Picot v. Weston, 780 F.3d 1206 (9th Cir. 2015), are consistent with finding specific jurisdiction here. See Boschetto, 539 F.3d at 1019 (specific jurisdiction appropriate where (as here) a non-forum defendant contracts with forum plaintiff, then uses plaintiff’s platform as “vehicle for commercial activity”); Picot, 780 F.3d at 1212 (no purposeful availment where, unlike here, parties contracted wholly in non-forum state and only plaintiff took significant in-forum actions under contract). 11 NSO renews its improper contention that foreign governments (not NSO) committed the attacks. See MTD at 14. The Court cannot accept that contention at the pleading stage. See Section III.A.1, 14 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 24 of 35 1 California: its attacks targeted a California-based company and used WhatsApp’s and QuadraNet’s 2 California-based servers. See Section II, supra. Such allegations satisfy the purposeful direction test. 3 See, e.g., Synopsys, Inc. v. Ubiquiti Networks, Inc., 2017 WL 3485881, at *24-25 (N.D. Cal. Aug. 15, 4 2017) (test met where defendant contracted with California company to access files via California 5 servers to harm California-based company); Craigslist, 694 F. Supp. 2d at 1053 (same, where 6 defendants knowingly used California plaintiff’s website to sell services to enable users to bypass 7 plaintiff’s website’s security measures, in violation of plaintiff’s terms of service); Seattle Sperm Bank, 8 LLC v. Cryobank Am., LLC, 2018 WL 3769803, at *2 (W.D. Wash. Aug. 9, 2018) (same, where 9 defendant used in-forum server to misappropriate information belonging to in-forum company). 10 NSO errs in suggesting that it is irrelevant that Plaintiffs’ servers are located in California. 11 MTD at 14. NSO’s cases hold only that purposeful direction is not shown solely by a defendant’s 12 incidental access to third-party servers in the forum state. Rosen v. Terapeak, Inc., 2015 WL 13 12724071, at *9 (C.D. Cal. Apr. 28, 2015); Hungerstation LLC v. Fast Choice LLC, 2020 WL 137160, 14 at *4-5 (N.D. Cal. Jan. 13, 2020). Here, in contrast, NSO intentionally targeted and exploited 15 WhatsApp’s California-based infrastructure; heavily marketed its ability to do so through a U.S.-based 16 advertising arm, knowing this would damage WhatsApp; and contracted with California-based 17 QuadraNet to lease and knowingly use its California servers to carry out the attack on WhatsApp and 18 its users. Compl. ¶¶ 11, 60-62; see MTD at 2 n.1. Taken together, these actions underscore that 19 California is “the focal point” of both the conduct and the harm suffered. Axiom Foods, Inc., 874 F.3d 20 at 1071; see DEX Sys., Inc. v. Deutsche Post AG, 727 F. App’x 276, 278 (9th Cir. 2018) (specific 21 jurisdiction is often proper where defendants improperly exploit a plaintiff’s in-forum servers). 22 Indeed, while NSO relies on Axiom and Walden v. Fiore, 571 U.S. 277 (2014), MTD at 13-14, 23 those cases demonstrate that a defendant’s international targeting of the forum state is relevant and, 24 when coupled with injuries that the defendant knows are likely to be felt within the forum, will suffice 25 to establish purposeful direction. Axiom, 874 F.3d at 1070-71; Walden, 571 U.S. at 287-88. That is 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO supra. That is particularly true where NSO’s own description of its Pegasus software shows that it is NSO’s software that accomplishes the attack: customers need “only insert the target phone number” and “[t]he rest is done automatically by [NSO’s] system.” Compl., Ex. 10 at 13. NSO does not dispute that Exhibit 10 is accurate; indeed, NSO invokes that exhibit itself. See MTD at 2 n.1. 15 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 25 of 35 1 the situation here. See, e.g., Panavision, 141 F.3d at 1322; Facebook, Inc. v. ConnectU LLC, 2007 2 WL 2326090, at *2, *5-6 (N.D. Cal. Aug. 13, 2007) (purposeful direction where defendant’s software 3 used falsified login information to access Facebook and improperly export other users’ information). c. 4 This suit arises from NSO’s contacts with California. 5 All of Plaintiffs’ claims and related injuries—including their CDAFA and breach of contract 6 claims, which NSO does not move to dismiss—arise from NSO’s creation of WhatsApp accounts, 7 related agreement to the WhatsApp Terms, and misuse of WhatsApp’s and QuadraNet’s California- 8 based infrastructure. See Compl. ¶¶ 11, 35-39, 60-62. That is sufficient. In re W. States Wholesale 9 Nat. Gas Antitrust Litig., 715 F.3d 716, 742 (9th Cir. 2013) (direct nexus satisfies test). d. 10 Exercising jurisdiction here is reasonable. 11 NSO has not made a “compelling case” that the exercise of jurisdiction would be unreasonable. 12 CollegeSource v. AcademyOne, 653 F.3d 1066, 1079 (9th Cir. 2011). The reasonableness factors, far 13 from tipping “sharply” towards NSO, id., weigh strongly in favor of personal jurisdiction. 14 First, Defendants are wrong that their “purposeful interjection” into California’s affairs is 15 “negligible at best.” See MTD at 17. Instead, this factor favors Plaintiffs based on the purposeful 16 availment showing. See Section III.C.2.a, supra; Roth v. Garcia Marquez, 942 F.2d 617, 623 (9th Cir. 17 1991) (purposeful interjection redundant of purposeful availment test). 18 Second, the supposed burden an Israeli company faces litigating in California (MTD at 17-18) 19 is not dispositive. Dole, 303 F.3d at 1115. NSO ignores its U.S. ties,12 and that “the Supreme Court 20 has preferred nonjurisdictional methods of lessening the inconvenience faced by defendants.” Sinatra 21 v. Nat’l Enquirer, Inc., 854 F.2d 1191, 1199 (9th Cir. 1988) (citing, inter alia, Burger King, 471 U.S. 22 at 477-78). Plaintiffs would be burdened if forced to litigate in Israel, when their witnesses and 23 evidence are concentrated in California. And it is most efficient to litigate in California, given that 24 California is both the place where Plaintiffs’ injury occurred and the forum whose law will be applied. 25 Raffaele v. Compagnie Generale Mar., 707 F.2d 395, 399 (9th Cir. 1983). 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 12 NSO fails to acknowledge that it owns a U.S.-based marketing and sales arm that engaged in lengthy sales discussions with the U.S. Drug Enforcement Administration, Compl. ¶ 5, Exs. 2, 3; that its cofounder, who is a member of its board, lives in the United States, ECF No. 20-3 ¶ 14, Ex. 12; and that it was funded by a San Francisco-based equity firm until February 2019, Comp. ¶ 5 & Ex. 4. 16 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 26 of 35 1 Third, NSO asserts that exercising jurisdiction over it would “conflict[] with Israel’s 2 sovereignty” due to NSO’s claimed lack of California operations. See MTD at 17. But NSO is neither 3 a sovereign nor immune from the Court’s exercise of jurisdiction. 4 dispositive: “if given controlling weight, it would always prevent suit against a foreign national in a 5 United States court.” See Sinatra, 854 F.2d at 1199 (discounting defendant’s attempt to invoke this 6 factor where defendant had benefited from engagement with the U.S. market). Nor is NSO’s nationality 7 Fourth, NSO does not seriously dispute California’s and Plaintiffs’ interests in a California- 8 based resolution of Plaintiffs’ claims. See MTD at 17-18. California has a “strong interest” in 9 providing residents with “effective means of redress.” Sinatra, 854 F.2d at 1200. And Plaintiffs’ 10 claims are concededly governed by federal and California law. Compl. ¶¶ 49-78; MTD at 20-25. A 11 California-based court is better positioned to apply these laws than an Israeli court. 12 Finally, NSO is incorrect (MTD at 18) that Plaintiffs bear the burden to show that Israel is 13 inadequate as an alternative forum. See, e.g., Ballard, 65 F.3d at 1502 (construing factor against 14 defendant who “present[ed] absolutely no evidence on this issue, erroneously assuming that the burden 15 [was] on [plaintiff]” to show no alternate forum). NSO has offered no evidence on this point, arguing 16 only that Plaintiffs were sued by NSO’s employees in Israel. See MTD at 18. NSO does not explain 17 how this makes Israel an adequate forum to litigate Plaintiffs’ U.S.-law based claims. And of course, 18 NSO does not (and cannot) assert that California is an inadequate forum to hear Plaintiffs’ claims. 19 Thus, the balance of the reasonableness factors favors Plaintiffs. And since Plaintiffs have 20 satisfied each prong of the analysis, the Court has specific jurisdiction over NSO. 21 This Court has jurisdiction under Rule 4(k)(2). 22 Even if specific jurisdiction were lacking, NSO would still be subject to personal jurisdiction 23 under Federal Rule of Civil Procedure 4(k)(2) because (1) Plaintiffs’ CFAA claim arises under federal 24 law; (2) NSO would not be subject to jurisdiction in any state; and (3) exercising jurisdiction comports 25 with due process. See Hydentra HLP Int’l v. Sagan Ltd., 783 F. App’x 663, 665 (9th Cir. 2019). 26 Here, Plaintiffs assert claims under federal law. And NSO, in resisting jurisdiction in 27 California, has not “alleged that it is subject to the courts of general jurisdiction in any state.” Holland 28 Am. Line Inc. v. Wartsila N. Am., Inc., 485 F.3d 450, 461 (9th Cir. 2007) (a court may exercise COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 17 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 27 of 35 1 jurisdiction over Rule 4(k)(2) if “the defendant contends that [it] cannot be sued in the forum state and 2 refuses to identify any other where suit is possible”) (citation omitted). Indeed, the logic of NSO’s 3 argument is that no state would have personal jurisdiction if California does not. See MTD at 17-18. 4 Critically, NSO’s contacts with the U.S. make it fair for NSO to litigate here. See Axiom, 874 5 F.3d at 1072 (Rule 4(k)(2) analysis “is nearly identical to traditional personal jurisdiction analysis”); 6 Hydentra, 783 F. App’x at 665 (applying specific jurisdiction analysis to hold that Rule 4(k)(2) was 7 met). NSO’s contacts with the United States were substantial, intentional, and essential to the success 8 of the violations that the Complaint alleges. 9 Numerous facts support that conclusion. NSO extensively used U.S.-based computer servers 10 in the challenged attacks. See Compl. ¶ 34; see also Gheorghe Decl. ¶¶ 3-5; Mornin Decl. ¶¶ 2-6, Exs. 11 1-9; Micron Tech., Inc. v. United Microelectronics Corp., 2019 WL 1959487, at *3 (N.D. Cal. May 12 2, 2019) (finding Rule 4(k)(2) jurisdiction where defendant used U.S.-based servers). 13 “knowingly and with intent to defraud” accessed Plaintiffs’ computers and infrastructure in the United 14 States to distribute its malware. See Compl. ¶ 54; see generally Facebook, 2007 WL 2326090 at *2, 15 *5-6. NSO exploited U.S. financial and commercial markets by relying on a subsidiary marketing 16 arm based and incorporated in the United States and by financing its product via U.S. backers. See 17 Compl. ¶ 5, Exs. 2, 3. One of NSO’s board members lives in the United States. ECF No. 20-3 ¶ 14, 18 Ex. 12. And NSO’s conduct foreseeably caused harm in the United States: WhatsApp, a U.S. 19 company, expended significant engineering resources in the United States to investigate and remediate 20 the attack, including updating the WhatsApp app so that approximately 56.6 million users could 21 download an update to protect the app from NSO’s attack. Gheorge Decl. ¶ 2; Nguyen Decl. ¶ 3; 22 Compl. ¶ 44. The totality of NSO’s U.S.-directed conduct establishes that, “but for [its] forum-related 23 conduct, the injury would not have occurred.” Craigslist, 694 F. Supp. 2d at 1053 (citation omitted). 24 Lastly, NSO has made no showing (let alone a compelling one) that requiring it to litigate in 25 the U.S. is unfair. See Section III.C.2.d. Thus, personal jurisdiction is appropriate under Rule 4(k)(2). 26 NSO This Court should exercise pendent jurisdiction. 27 If the Court finds jurisdiction over some, but not all, of Plaintiffs’ claims, it should exercise 28 pendent jurisdiction over the remaining claims, which arise “out of a common nucleus of operative COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 18 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 28 of 35 1 facts.” See Action Embroidery Corp. v. Atl. Embroidery, Inc., 368 F.3d 1174, 1180 (9th Cir. 2004). 2 Because NSO’s unauthorized use of WhatsApp’s computer infrastructure to send malicious code to 3 WhatsApp users in violation of WhatsApp’s Terms underpins each of Plaintiffs’ claims, this Court 4 should exercise pendent jurisdiction over the remaining claims. See, e.g., Compl. ¶¶ 49-78; CE 5 Distribution, LLC v. New Sensor Corp., 380 F.3d 1107, 1113 (9th Cir. 2004) (exercising pendent 6 jurisdiction over contract claims where personal jurisdiction existed for related tort claims). 13 7 D. The Complaint Validly Alleges Violations Of Federal And State Law. Plaintiffs state a claim for a violation of the CFAA. 8 9 The Complaint alleges that NSO violated Sections 1030(a)(2), (a)(4), and (b) of the CFAA 10 because it accessed and conspired to access, without authorization, Plaintiffs’ servers and WhatsApp 11 users’ devices. Compl. ¶¶ 49-57. As detailed below, NSO circumvented WhatsApp technical 12 restrictions in order to access and use the servers, which constitutes unauthorized access under the 13 CFAA. Id. ¶¶ 32, 35-39. Because NSO’s actions caused Plaintiffs to incur a loss as defined by Section 14 1030(e)(11), the CFAA authorizes Plaintiffs to pursue civil remedies. See Theofel v. Farey-Jones, 359 15 F.3d 1066, 1078 (9th Cir. 2003) (“The civil remedy extends to ‘[a]ny person who suffers damage or 16 loss by reason of a violation of this section.’”) (quoting 18 U.S.C. 1030(g)). a. 17 NSO lacked authorization to access the servers and devices. 18 NSO does not dispute that its conduct resulted in unauthorized access to victims’ devices in 19 violation of the CFAA. Compl. ¶¶ 53–54. In addition, NSO lacked authorization to access Plaintiffs’ 20 servers, through which it carried out its malicious hacking activity. NSO argues it is immune from 21 liability under the CFAA because the WhatsApp Terms of Service “authorized” its conduct. MTD at 22 20-21. But NSO mischaracterizes its conduct and the nature of its unauthorized access. 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 13 If this Court is not prepared to exercise jurisdiction, Plaintiffs request jurisdictional discovery before the MTD is resolved. See Gillespie v. Prestige Royal Liquors Corp., 183 F. Supp. 3d 996, 1003 (N.D. Cal. 2016) (broad discretion to permit jurisdictional discovery); Mitan v. Feeney, 497 F. Supp. 2d 1113, 1119 (C.D. Cal. 2007) (“some evidence” tending to show personal jurisdiction suffices). Here, Plaintiffs have indisputably proffered evidence tending to show personal jurisdiction. While Plaintiffs respectfully submit that their jurisdictional showing is adequate, if this Court disagrees, further discovery would allow Plaintiffs to present additional evidence bearing on, e.g.: Defendants’ communications showing they knowingly exploited California-based technology from WhatsApp; evidence that Defendants used funding from California entities to develop Pegasus; and evidence that Defendants used California-based computer systems, including QuadraNet servers, in their attacks. 19 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 29 of 35 1 More specifically, and as alleged in the Complaint (Compl. ¶¶ 32-42): First, NSO reverse- 2 engineered the WhatsApp app to create an unauthorized program designed to evade technical 3 restrictions on the access and use of the WhatsApp service. Second, using its own program (as opposed 4 to the legitimate WhatsApp app) NSO gained unauthorized access to WhatsApp servers. Third, NSO 5 circumvented security measures built into WhatsApp’s servers by formatting messages to conceal 6 malicious code and appear like legitimate calls. Fourth, NSO further used WhatsApp servers to gain 7 unauthorized access to users’ devices. In short, Plaintiffs’ CFAA claims are not based on a terms-of- 8 service violation but on NSO’s conduct in circumventing Plaintiffs’ technological restrictions. 9 Under the CFAA, whether access is “authorized” depends on actions by the computer owner 10 to grant or deny permission to the system. United States v. Nosal, 844 F.3d 1024, 1035–36 (9th Cir. 11 2016) (Nosal II) (observing that all circuits agree on this definition); see also LVRC Holdings LLC v. 12 Brekka, 581 F.3d 1127, 1133, 1135 (9th Cir. 2009). Courts have “typically analyzed the scope of a 13 user’s authorization to access a protected computer on the basis of the expected norms of intended use 14 or the nature of the relationship established between the computer owner and the user.” United States 15 v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007). Relevant considerations include whether the defendant 16 engaged in “technological gamesmanship” to “aid in access,” Facebook, Inc. v. Power Ventures, Inc., 17 844 F.3d 1058, 1067 (9th Cir. 2016), and “whether the conduct at issue is analogous to ‘breaking and 18 entering,’” hiQ Labs Inc. v. LinkedIn Corp., 938 F.3d 985, 1001 (9th Cir. 2019) (citation omitted). 19 For example, in United States v. Morris, 928 F.2d 504 (2d Cir. 1991), the court concluded that 20 a defendant who “exploit[ed] [a] security defect[]” to transmit a virus infecting other computers on his 21 network gained “unauthorized access” to those computers because his use of email and network 22 programs was not “in any way related to their intended function” and instead exploited “holes in both 23 programs that permitted him a special and unauthorized access route into other computers.” Id. at 505, 24 510; see Nosal II, 844 F.3d at 1037 (citing Morris with approval). And in Phillips, the court concluded 25 that a user’s “‘brute-force attack’ program” that provided “a ‘back door’ into [his university’s] main 26 server” was “not an intended use” of the network “within the understanding of any reasonable 27 computer user and constitute[d] a method of obtaining unauthorized access to computerized data that 28 he was not permitted to view or use.” 477 F.3d at 218, 220. COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 20 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 30 of 35 1 So too here, NSO gained unauthorized access to WhatsApp’s servers by reverse-engineering 2 the app and using that program to evade WhatsApp security features that prevent access to and 3 manipulation of technical call settings. See United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) 4 (Nosal I) (observing that the “general purpose” of the CFAA “is to punish hacking—the circumvention 5 of technological access barriers”). WhatsApp has never granted any user permission to access server- 6 side call settings and alter the technical architecture routing calls through its servers. Instead, it 7 employs security measures to protect its servers from abuse and prevent attacks on users. NSO built 8 sophisticated software to circumvent those security measures, engaging in “technological 9 gamesmanship” to access and alter network protocols to transmit malicious code to victims and hack 10 into their devices. Power Ventures, Inc., 844 F.3d at 1067. This abuse lies at the core of the hacking 11 activity the CFAA prohibits. See, e.g., H.R. Rep. 98-894 at 10 (1984), reprinted in 1984 U.S.C.C.A.N. 12 3689, 3694–95 (CFAA addresses concern about serious harm caused by “‘hackers’ who have been 13 able to access (trespass into) both private and public computer systems.”). Plaintiffs thus sufficiently 14 allege that NSO accessed protected computers without authorization in violation of the CFAA. 15 In arguing that this abuse was “authorized,” NSO observes that it signed up for WhatsApp 16 accounts and so obtained a license to use WhatsApp’s services. MTD at 21. But users are licensed to 17 access WhatsApp services only through the WhatsApp app, which has integrated security measures 18 preventing users from accessing server-side call settings. Compl. ¶ 17; see also id. ¶¶ 19–23 19 (WhatsApp Terms of Service prohibit users from gaining “unauthorized access to [WhatsApp’s] 20 Services or systems” and “exploiting [WhatsApp’s] Services in impermissible or unauthorized 21 manners”). NSO bypassed those restrictions by using its own program to gain unauthorized entry to 22 the servers and manipulate settings not accessible to any user. NSO did not use WhatsApp’s servers 23 “in any way related to their intended function” but instead built sophisticated software that provided 24 “a special and unauthorized access route into other computers.” Morris, 928 F.2d at 510. 25 Untenable consequences would flow from accepting NSO’s argument that creating an account 26 for a service extinguishes CFAA liability even when the user gains unauthorized access through other 27 means. For example, websites like the New York Times authorize users to sign up for accounts and 28 access servers when reading and commenting on articles. But such access surely would not permit a COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 21 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 31 of 35 1 user to hack into the New York Times’s servers, manipulate normally inaccessible settings, and gain 2 control of other readers’ comments. NSO’s claim that its access was authorized merely because it 3 created a WhatsApp account would sharply circumscribe the CFAA’s scope and has no statutory basis. 4 NSO’s reliance on Brekka—the only case it cites to support its “authorization” argument—is 5 misplaced. In Brekka, an employee who indisputably had been granted access to his work computer 6 and company materials was alleged to have violated the CFAA by accessing those materials for an 7 improper purpose. 581 F.3d at 1129–30. The Ninth Circuit held that “when an employer authorizes 8 an employee to use a company computer subject to certain limitations, the employee remains 9 authorized to use the computer even if the employee violates those limitations.” Id. at 1133. Here, 10 unauthorized access occurred not because WhatsApp messages were sent for an improper purpose but 11 because NSO accessed the servers using its own program, evaded technical restrictions, and then 12 commandeered the network infrastructure to deliver malware to victims. 14 The analysis in Brekka— 13 which involved a classic employer-employee dispute and implicated concerns about transforming 14 “arguably innocuous conduct” into federal crimes, Nosal II, 844 F.3d at 1038—has never been and 15 should not be applied to malicious hacking activity like NSO’s conduct here. 15 b. 16 NSO’s conduct harmed Plaintiffs. 17 The CFAA provides a private right of action to “[a]ny person who suffers damage or loss by 18 reason of a violation . . . .” 18 U.S.C. § 1030(g), see also Theofel, 359 F.3d at 1078. The CFAA 19 defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, 20 conducting a damage assessment, and restoring the data, program, system, or information to its 21 22 14 24 A pending Supreme Court case raises the question whether an employee who is authorized to view information on a computer for particular purposes violates the CFAA by accessing that information for an improper purpose. Van Buren v. United States, No. 19-783 (U.S.). The resolution of that issue will not affect Plaintiffs’ CFAA claim because NSO had no authorization to access Plaintiffs’ servers through a reverse-engineered program or manipulate server-side settings for any purpose. 25 15 23 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO Even if NSO’s creation of WhatsApp accounts sufficed to authorize access to WhatsApp’s servers, NSO exceeded any such authorized access by using an illicit, reverse-engineered program to evade security restrictions and gain access to call settings that users are not permitted to view or alter. Nosal I, 676 F.3d at 858 (CFAA’s prohibition on “exceed[ing] authorized access” applies to “individuals whose initial access to a computer is authorized but who access unauthorized information or files”). If the Court determines that unauthorized access did not occur, Plaintiffs request leave to amend their CFAA claim to allege that NSO exceeded authorized access. 22 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 32 of 35 1 condition prior to the offense.” 18 U.S.C. § 1030(e)(11). NSO does not (and cannot) dispute that the 2 Complaint adequately alleges loss based on the costs associated with investigating and remediating 3 NSO’s unauthorized access to WhatsApp’s servers. Compl. ¶¶ 44, 57. On that basis alone, Plaintiffs’ 4 CFAA claim should proceed. See Flextronics Int’l, Ltd. v. Parametric Tech. Corp., 2014 WL 5 2213910, at *3 (N.D. Cal. May 28, 2014) (denying motion to dismiss where plaintiff alleged costs 6 related to investigating and remediating defendant’s conduct). 7 In addition, contrary to NSO’s contentions (MTD at 22), the Complaint further alleges loss 8 based on NSO’s unauthorized access to users’ devices. The Ninth Circuit has held that plaintiffs can 9 be injured under the CFAA by a defendant’s access to a third party’s device, specifically rejecting any 10 requirement of control or ownership of the device. Theofel, 359 F.3d at 1072, 1078. Here, under 11 WhatsApp’s Terms of Service, WhatsApp owns “all intellectual property rights” associated with the 12 WhatsApp app and grants users a license “to use” the service when they download the app on their 13 devices. See id. ¶ 19 (incorporating terms of service). And the Complaint alleges that NSO accessed 14 WhatsApp computers without authorization to further their unauthorized access of Target Devices. 15 Id. ¶¶ 53-54. NSO’s conduct impaired the integrity and security of the WhatsApp app on those devices 16 and caused a loss to Plaintiffs within the meaning of Section 1030(e)(11), which included responding 17 to the offense and conducting a damage assessment. Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 18 2d 887, 894–95 (N.D.Cal.2010) (“Costs associated with investigating intrusions into a computer 19 network and taking subsequent remedial measures are losses within the meaning of the statute.”). 20 Indeed, to prevent NSO’s further unauthorized access to users’ devices, Plaintiffs needed to 21 update the WhatsApp app. Compl. ¶¶ 44-45; Gheorge Decl. ¶ 2. Costs incurred when “upgrading a 22 system’s defenses to prevent future unauthorized access” constitute a cognizable “loss” under the 23 CFAA. Ticketmaster L.L.C. v. Prestige Entm't W., Inc., 315 F. Supp. 3d 1147, 1174 (C.D. Cal. 2018); 24 Kimberlite Corp. v. John Does 1–20, 2008 WL 2264485, at *2 (N.D. Cal. June 2, 2008) (plaintiff “set 25 forth a CFAA violation “where it alleged costs associated with “securing” its email system). Thus, 26 the Complaint additionally pleads a valid CFAA claim based on NSO’s access to users’ devices. 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 23 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 33 of 35 c. 1 Plaintiffs’ conspiracy claim is sufficient. 2 Because Plaintiffs have stated claims for violations of 18 U.S.C. § 1030(a)(2) and (a)(4), the 3 Complaint states a conspiracy claim under § 1030(b) as well (as NSO seems to concede, MTD at 23). 4 Plaintiffs state a claim for trespass to chattels. 5 a. NSO interfered with the intended operation of Plaintiffs’ servers and app. 6 To state a claim for trespass to chattels, a complaint must allege “some injury to the chattel or 7 to the plaintiff’s rights in it,” such as impairment of the property’s “condition, quality, or value.” Intel 8 Corp. v. Hamidi, 30 Cal. 4th 1342, 1350, 1357 (2003). In the cyber context, such injury occurs if the 9 defendant interfered with the “intended functioning of the system.” Id. at 1356. 10 Here, NSO interfered with the intended functioning of Plaintiffs’ servers and the WhatsApp 11 app. Compl. ¶ 46. Plaintiffs’ servers are programmed to route encrypted communications between 12 users using established network protocols. Id. ¶¶ 17-18. NSO’s use of Plaintiffs’ servers to covertly 13 transmit malware and fraudulently emulate network protocols plainly interfered with the intended 14 functioning and integrity of the WhatsApp computer system. Compl. ¶¶ 17, 35. Indeed, NSO designed 15 its malware to conceal that it was evading WhatsApp’s technical restrictions and interfering with the 16 WhatsApp service by making it appear as if the malicious code originated from WhatsApp’s servers 17 and not from NSO. Compl. ¶¶ 32, 36-37. Because the value of Plaintiffs’ servers and app derives 18 from their ability to securely and accurately transmit communications between users, NSO’s actions 19 impaired the quality and value of Plaintiffs’ system. See CompuServe Inc. v. Cyber Promotions, Inc., 20 962 F. Supp. 1015, 1022 (S.D. Ohio 1997) (holding that computer system’s value was “wholly derived 21 from the extent to which that equipment can serve its subscriber base.”). 16 22 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 16 Courts routinely find cognizable injury to support a trespass-to-chattels claim when the defendant impaired the ability of a plaintiff’s equipment to serve customers as intended. See, e.g., Coupons, Inc. v. Stottlemire, 2008 WL 3245006, at *6 (N.D. Cal. July 2, 2008) (defendant circumvented server’s technical restriction and impaired plaintiff’s ability to provide coupons to other customers); Craigslist Inc. v. 3Taps Inc., 942 F. Supp. 2d 962, 980 (N.D. Cal. 2013) (unauthorized access reduced website’s “capacity to service its users”); Thrifty-Tel, Inc. v. Bezenek, 46 Cal. App. 4th 1559, 1564, 1566 (1996) (hacking of network denied “some subscribers access”); Jedson Eng'g, Inc. v. Spirit Const. Servs., Inc., 720 F. Supp. 2d 904, 926 (S.D. Ohio 2010) (unauthorized access harmed value of “servers as a safe, secure location for project files”); Skapinetz v. CoesterVMS.com, Inc, 2019 WL 2579120, at *5 (D. Md. June 24, 2019) (defendant “damaged the value of [plaintiff’s] accounts by breaching the security and privacy” of email accounts). 24 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 34 of 35 1 NSO misses the point in focusing on whether the transmission of its messages embedded with 2 malicious code burdened Plaintiffs’ services as a quantitative matter. MTD at 24-25 (citing cases in 3 which plaintiffs failed to explain how defendant’s use of system interfered with system’s operation). 4 The Complaint alleged cognizable harm based not on the number of messages sent, but on the effect 5 of those transmissions in impairing the integrity, quality, and value of WhatsApp’s services. That 6 suffices to allege cognizable injury for a trespass-to-chattels claim. See Hamidi, 30 Cal. 4th at 1353. 7 b. 8 9 Plaintiffs’ loss of goodwill and remediation expenditures are cognizable. Contrary to NSO’s contention, Hamidi does not categorically foreclose the loss of goodwill and remediation expenditures as cognizable harms. 30 Cal. 4th at 1357–58. Rather, Hamidi 10 acknowledged that courts have found such losses actionable where the harm has a sufficient 11 “connection” to the property at issue, such as when the loss of goodwill stems from the “functioning 12 of the company’s [computer system].” Id. at 1358 (describing loss of reputation and goodwill in 13 CompuServe, 962 F. Supp. at 1023). 14 Here, Plaintiffs’ loss of goodwill resulted directly from NSO’s interference with the proper 15 functioning and integrity of the WhatsApp system. See CompuServe, 962 F. Supp. at 1023; Microsoft 16 Corp. v. Does 1–18, 2014 WL 1338677, at *10 (E.D. Va. Apr. 2, 2014) (defendants’ manipulation of 17 Microsoft’s search engines caused injury to goodwill). Moreover, Plaintiffs had to expend resources 18 to combat and remediate the attacks. Twitch Interactive, Inc. v. Does 1 Through 100, 2019 WL 19 3718582, at *4 (N.D. Cal. Aug. 7, 2019) (harm where plaintiff “expend[ed] resources to combat 20 [defendant’s] attack”); Hotmail Corp. v. Van$ Money Pie Inc., 1998 WL 388389, at *7 (N.D. Cal. 21 Apr. 16, 1998) (harm from “added costs for personnel to sort through and respond to the misdirected 22 emails”); Summit Entm’t, LLC v. Santia, 2014 WL 12577430, at *5 (C.D. Cal. June 24, 2014) (harm 23 from “expend[ing] time and resources investigating and stopping a breach in the servers’ security”). 24 NSO’s attack on the trespass-to-chattels claim accordingly lacks merit. 25 IV. 26 CONCLUSION Plaintiffs respectfully request that the Court deny NSO’s motion to dismiss. 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 25 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH Case 4:19-cv-07123-PJH Document 55 Filed 04/23/20 Page 35 of 35 1 2 Dated: April 23, 2020 Respectfully submitted, 3 COOLEY LLP 4 /s/ Travis LeBlanc Travis LeBlanc 5 6 7 8 9 10 11 12 Michael G. Rhodes Daniel J. Grooms Elizabeth B. Prelogar Bethany C. Lobo Kyle C. Wong Joseph D. Mornin COOLEY LLP Michael R. Dreeben O’MELVENY & MYERS LLP Attorneys for Plaintiffs WHATSAPP INC. and FACEBOOK, INC. 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 COOLEY LLP ATTO RNEY S AT LAW SAN FRA NCI S CO 26 PLS.’ OPP. TO DEFS.’ MOTION TO DISMISS CASE NO. 4:19-CV-07123-PJH