Updates

EPIC Amicus: Foreign Spyware is Not Exempt from Prosecution Under the CFAA

July 31, 2024

EPIC urged the Ninth Circuit to recognize that the Northern District of California has jurisdiction to hear a case brought by foreign journalists whose devices were hacked using Pegasus, a spyware application produced by Israeli company NSO Group. EPIC’s amicus explains that U.S. courts have jurisdiction because Computer Fraud and Abuse Act (CFAA) applies extraterritorially, there is a substantial local interest in prosecuting foreign hackers because the exploitation of American infrastructure undermines user trust in platforms, and that individual victim cases are vital to giving the CFAA full effect

The plaintiffs-appellants, Salvadorean journalists, allege that NSO Group’s Pegasus software unlawfully surveilled their devices by exploiting Apple servers to reach the plaintiff’s-appellant’s data. The district court dismissed Dada’s lawsuit because the defendants and the plaintiffs are both located outside of the United States.

EPIC argues, however, that the plain text of the language, the legislative history, and the Department of Justice’s consistent prosecutions of foreign hackers exploiting American infrastructure clearly shows that the CFAA was meant to apply extraterritorially in this exact type of claim. In fact, as far as EPIC could tell, there is not a single court that has found that the CFAA does not apply extraterritorially.

Local courts also have a substantial interest in applying the CFAA extraterritorially because spyware’s exploitation of Apple’s infrastructure erodes end users trust in Apple platforms. Companies like Apple advertise their products as being privacy protective, and Apple device users, including substantial amounts of California residents, entrust Apple with their most sensitive data, such as real time location tracking and health data. Foreign hackers turning these trusted networks into mass surveillance apparatuses remove users’ trust that their devices and data are secure from attack.

Finally, EPIC’s brief shows that hearing individual cases is necessary because individual’s substantial privacy interests are not protected in disputes between corporate parties.

EPIC regularly files amicus briefs in CFAA cases. Most recently, EPIC filed in Van Buren v United States and LinkedIn Corp. v. hiQ Labs. EPIC has also submitted a FOIA request on information regarding the United States government’s use of Pegasus in 2021.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.

Donate