It's not just the iCloud terms of service, though — they're using that to strengthen the case that NSO agreed to the jurisdiction of California courts but they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.
It would be really interesting to see what precedent comes out of this case and especially how that would affect a future case where Apple claims a violation of their terms of service but the user fully consented to that use.
>they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.
What's their theory of standing to sue over damage to their customers?
Edit: the main point is this (from the CFAA count):
Defendants’ actions caused Apple to incur a loss as defined by 18 U.S.C.
§ 1030(e)(11), in an amount in excess of $5,000 during a one-year period, including the
expenditure of resources to investigate and remediate Defendants’ conduct. Apple is entitled to
compensatory damages in an amount to be proven at trial, as well as injunctive relief or other
equitable relief. See 18 U.S.C. § 1030(g).
"(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;"
18 U.S.C. § 1030(g) "
"(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."
I assume "negligent" is used in the legal sense? But it'll be curious if NSO claims they're not liable for selling flaws that already existed in Apple *ware.
Agreed. I'd assume that's what the large number of words related to "Apple demonstrates an outstanding security record, etc etc" is aimed at. And it's a fair argument: nothing is bugless.
> They'd have to prove that Apple was negligent to sell software with flaws, but that's gonna be tough considering that much software has flaws.
It does carry a strange irony when Apple keep saying they have the best security after iOS has been very badly hacked by nation state actors, though. I'm not saying their security isn't good, but I would have rathered "we're fixing X things" than security hyperbole.
It would be really interesting to see what precedent comes out of this case and especially how that would affect a future case where Apple claims a violation of their terms of service but the user fully consented to that use.