472 F.Supp.3d 649
N.D. Cal.
2020

Background

  • Plaintiffs WhatsApp Inc. and Facebook sued NSO Group Technologies Ltd. and Q Cyber, alleging defendants deployed Pegasus malware via WhatsApp to infect ~1,400 mobile devices (journalists, activists, officials) for surveillance.
  • Claims: CFAA, California Penal Code §502, breach of contract, and trespass to chattels; plaintiffs allege defendants reverse‑engineered WhatsApp and routed malicious payloads through WhatsApp signaling/relay servers (some located in California).
  • Defendants are Israeli companies that license Pegasus to sovereign customers; they moved to dismiss on grounds including FSIA/derivative sovereign immunity, lack of personal jurisdiction, failure to join sovereign customers (Rule 19), and failure to state claims.
  • Key factual disputes bear on who executed the intrusions (defendants v. sovereign customers) and whether WhatsApp’s servers in California were targeted.
  • Court disposition: denied dismissal on subject matter jurisdiction, personal jurisdiction, and Rule 19 grounds; denied dismissal of the CFAA claims; granted dismissal of trespass to chattels with leave to amend; motion to stay discovery denied as moot.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
| --- | --- | --- | --- |
| Subject‑matter jurisdiction: FSIA / derivative sovereign immunity | FSIA does not bar suit; defendants are private actors and plaintiffs sue them directly | Defendants claim derivative sovereign immunity (or foreign‑official immunity) because they acted as agents for foreign sovereigns | Dismissal denied; court refused to extend derivative sovereign immunity to foreign private entities here and found foreign‑official immunity inapplicable on these facts |
| Personal jurisdiction — consent via WhatsApp Terms of Service/forum clause | Terms of service and forum clause subject users to N.D. Cal. jurisdiction | Clause reads as claims "you have with us" (users’ claims); WhatsApp‑initiated claims not covered | Court held the forum clause does not cover claims initiated by WhatsApp; no consent to jurisdiction established |
| Personal jurisdiction — specific jurisdiction (purposeful direction / availment) | Defendants intentionally aimed malware at WhatsApp infrastructure (including CA servers), causing foreseeable harm in California | Defendants say foreign governments performed the acts; server location was fortuitous / incidental | Court found specific jurisdiction proper under purposeful‑direction (express aiming at WhatsApp’s CA servers); purposeful availment via contract not shown; exercising jurisdiction is reasonable; pendent jurisdiction over related claims allowed |
| Failure to state a claim — CFAA and trespass to chattels | CFAA: defendants accessed/exceeded authorized access to WhatsApp servers and users’ devices; Trespass: interference harmed WhatsApp’s systems and goodwill | Defendants argue they were authorized users under ToS (Brekka) and plaintiffs allege no actual damage to servers (Hamidi) | CFAA claims survive under "exceeds authorized access" theory; trespass to chattels dismissed with leave to amend for failure to plead actual damage/impairment |

Key Cases Cited

  • Samantar v. Yousuf, 560 U.S. 305 (discusses two‑step foreign official immunity and role of State Department suggestion of immunity)
  • Butters v. Vance Int’l, 225 F.3d 462 (4th Cir.) (extension of derivative sovereign immunity to U.S. contractors discussed)
  • Daimler AG v. Bauman, 571 U.S. 117 (limits on general jurisdiction)
  • Calder v. Jones, 465 U.S. 783 (effects test for specific jurisdiction)
  • Walden v. Fiore, 571 U.S. 277 (contacts must be defendant’s, not plaintiff’s, forum connections)
  • Axiom Foods, Inc. v. Acerchem Int’l, 874 F.3d 1064 (9th Cir.) (internet torts and forum contacts analysis)
  • LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.) (authorization v. exceeds authorized access under CFAA)
  • United States v. Nosal, 676 F.3d 854 (9th Cir.) (CFAA as anti‑intrusion statute; circumvention of technical barriers)
  • hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir.) (distinguishing public data scraping from accessing protected systems)
  • Facebook, Inc. v. Power Ventures, 844 F.3d 1058 (9th Cir.) (CFAA line between terms‑of‑use violations and unauthorized access)
  • Intel Corp. v. Hamidi, 30 Cal.4th 1342 (Cal.) (trespass to chattels for electronic communications requires damage or impairment of system)

Case Details

Case Name: WhatsApp Inc. v. NSO Group Technologies Limited
Court Name: District Court, N.D. California
Date Published: Jul 16, 2020
Citations: 472 F.Supp.3d 649; 4:19-cv-07123
Docket Number: 4:19-cv-07123
Court Abbreviation: N.D. Cal.