Cupertino’s reasons, experts‘ doubts and an issue that once again puts users’ rights at the centre in the confrontation between Big Tech and Sovereign States by Andrea Monti – Initially published in Strategikon – Italian Tech La Repubblica
In a twist worthy of the best of the best of roguelike scripts, on 13 September 2024 Apple filed an application to withdraw the lawsuit it brought three years ago against NSO, the Israeli company behind the Pegasus spyware that had caused such indignation in the world of public institutions and defenders of ‘digital rights’.
There are three reasons that would have led Apple to take this decision:
- going ahead with the trial would mean making confidential information available;
- we cannot run the risk of this information getting out of the court file;
- even if we won, the victory would serve no purpose because there are other developers of software similar to Pegasus that would not be affected by the ruling.
In their pragmatic cynicism, these motives are entirely fair, so much so that one wonders why they were not taken into account as early as 2021, before the trial began.
That certain information would have entered the trial was, in fact, obvious; that it could have slipped out of control in one of the many inevitable changes of hands, too; and one only needs to have a minimum knowledge of the criminal ecosystem of information technology to know that threats multiply and adapt according to ‘necessity’. So why, sticking to the narrow facts, has Apple decided to back off?
Some possible answers come from an analysis of the application to the San Francisco Division of the United States District Court – Northern District of California.
According to Apple, proceeding further with this lawsuit would imply the potential disclosure to third parties of the information Apple uses to counter spyware, while the defendants and others seriously hinder the possibility of obtaining a favourable verdict , and thus in order to avoid compromising its commitment to the security of its users, and in light of the developments described above, Apple has decided to prioritise the protection of its security systems to continue blocking spyware.
The illogicality of this argument is obvious: the fact that NSO does not want to (because it believes it is ‘covered’ by Israel’s national security needs) or cannot (because the documents of interest in the case would have been seized by the Tel Aviv government) does not change Apple’s duty to adduce evidence in support of its legal action and NSO’s right to defend itself. In an excellent example of ‘advocacy engineering’, Apple then argues its choice by stating that it had originally anticipated that certain information would be released, but that the scenario has changed and it is now no longer appropriate to make it available.
But what are these changes?
The trial has remained as it is and therefore what had to be exhibited before (if it was necessary to do so) must also be exhibited afterwards. So the decision to take a step back could not have been caused by a change in procedural rules or by some form of ‘distrust’ in the ability of the US trial system to maintain the confidentiality of documents.
Which leads to the equally interesting further motivation for the request to discontinue the trial: Apple has continued to develop ever more advanced threat intelligence systems, which have raised the effectiveness of its security measures currently used to protect users from defendants and other spyware to very high levels. The compromise of this information – an unavoidable risk inherent in its disclosure to third parties – would severely compromise the effectiveness of Apple’s programme and its ability to protect its users, especially in a high-risk environment where adversaries are willing to do anything to obtain this information.
This argument is well summed up in the verses of the Italian baroque poet Metastasio: voce dal sen fuggita, più richiamar non vale (spoken words cant’ be taken back). In other words, Apple seems to be saying, due process is fine, the obligation to prove one’s assertions is fine, and the right of defence of adversaries is also fine; but if we allow information on our security systems to be made available to opposing parties, their experts and who knows who else, the risk increases that – despite the duties of confidentiality – some weaker link in the chain of custody will break due to negligence or deliberate action to steal or disseminate it, perhaps on Wikileaks. As if to say: trusting is good, not trusting is better.
Finally, Apple believes, the spyware industry has changed a lot. The defendants have been partly supplanted by an increasing number of spyware producers, which means that the threats are no longer represented by a single entity … soeven a complete victory in this lawsuit would not have the same impact as it would have had in 2021 and therefore other spyware producers other than the Defendants will not be involved in the lawsuit and will be able to continue their destructive tactics.
But if this is the reason, then it is unclear why a civil lawsuit, which serves to obtain damages or to stop commercially or contractually improper conduct, and not a criminal prosecution, which, as the case of the ReVIL malware shows, is instead aimed at detecting and stopping dangers to the society at large.
All these contradictions seem, in fact, difficult to overcome, but they can be resolved with a little ‘search and replace’ exercise in court documents. It is enough, in fact, to change the word ‘user’ to ‘customer’ and everything becomes much clearer: even the NSO case is part of the ongoing clash to establish who decides ‘what’ people’s rights are, when these rights must be compressed in the name of the interests of an enormous corporation, and to what extent the state can or must take care of the protection of a Big Tech even to the detriment of the community instead of transferring the task to a powerful private body superiorem non recognoscens.