WHATSAPP INC., et al., Plaintiffs, v. NSO GROUP TECHNOLOGIES LIMITED, et al., Defendants Case No. 19-cv-07123-PJH United States District Court, N.D. California Filed August 01, 2024 Counsel Antonio J. Perez-Marques, Pro Hac Vice, Craig Cagney, Pro Hac Vice, Greg D. Andres, Pro Hac Vice, Luca E. Marzorati, Pro Hac Vice, Davis Polk and Wardwell LLP, New York, NY, Jeffrey A. N. Kopczynski, Pro Hac Vice, O'Melveny & Myers LLP, New York, NY, Catalina Joos Vergara, O'Melveny and Myers LLP, Los Angeles, CA, Micah Galvin Block, Davis Polk and Wardwell LLP, Menlo Park, CA, Michael R. Dreeben, Pro Hac Vice, O'Melveny Myers LLP, Washington, DC, Ronald Arthur Lehmann, Pro Hac Vice, Fischer (Fbc & Co.), Israel, for Plaintiffs. Joseph N. Akrotirianakis, Aaron S. Craig, King & Spalding LLP, Los Angeles, CA, Roy Falik, Pro Hac Vice, King & Spalding, Denver, CO, for Defendants. Hamilton, Phyllis J., United States District Judge ORDER RE DISCOVERY LETTER BRIEFS, MOTION FOR ISSUANCE OF LETTER ROGATORY, MOTION TO COMPEL, AND VARIOUS MOTIONS TO SEAL *1 Before the court are four discovery letter briefs filed by the parties and by non-party William Marczak, plaintiffs' motion for issuance of a letter rogatory, and plaintiffs' motion to compel discovery. Having read the parties' papers and carefully considered their arguments and the relevant legal authority, and good cause appearing, the court rules as follows. A. Discovery letter briefs The court starts with the four discovery letter briefs, as they all relate to a similar issue – namely, the discoverability of information about the alleged victims in this case. In the first discovery letter brief, NSO seeks the production of certain documents that were embedded by hyperlinks in emails, while plaintiffs argue that the documents are either privileged or irrelevant or both. See Dkt. 306. In the second discovery letter brief, NSO seeks the production of plaintiffs' pre-litigation communications with non-party Citizen Lab. See Dkt. 308. In the third discovery letter brief, NSO renews its motion for issuance of a letter rogatory to Citizen Lab. See Dkt. 314. Finally, in the fourth discovery letter brief, non-party William Marczak, a computer scientist who served as an independent contractor for Citizen Lab, seeks to quash NSO's subpoena to him. See Dkt. 324. As mentioned above, NSO previously filed a motion for issuance of a letter rogatory seeking information from non-party Citizen Lab, which the court denied without prejudice to being renewed upon a threshold evidentiary showing. See Dkt. 305. In the third discovery letter brief, NSO argues that it has made that showing for all individuals on the ‘civil society’ and ‘VIP’ lists. See Dkt. 314. NSO acknowledges that it has “not received any information” from its “sovereign customers about the identity of the targets,” but rather relies upon “public sources of information” such as Internet links. See id. (emphasis in original). NSO further argues that “the VIP list is almost entirely comprised of persons who, by virtue of their positions in government or military organizations, are the subject of legitimate intelligence investigations.” See id. at 3. Plaintiffs respond by arguing that “there is no defense or exception to the CFAA [Computer Fraud and Abuse Act] or any other claim in this case that allows hacking of victims who have been accused of wrongdoing in blog posts and the like.” See Dkt. 314 at 4. Plaintiffs acknowledge that “the CFAA has an exception that applies to legitimate U.S. law enforcement activity (18 U.S.C. § 1030(f)),” but argue that “NSO does not and cannot invoke that U.S. law-enforcement exception.” See id. Specifically, plaintiffs emphasize that NSO relies on speculation as to whether certain individuals “might have been ‘appropriate targets’ for surveillance,” which “says nothing about whether NSO's unauthorized access was actually pursuant to any legitimate and authorized law enforcement, national security, or intelligence investigation.” See id. at 5. Plaintiffs also point out that “[h]aving repeatedly asserted that Pegasus technology is used only to combat terrorism and criminal activity, NSO now claims that anyone in any government or military organization is a valid target.” See id. at 6. Plaintiffs ultimately argue that NSO's affirmative defense should be stricken, and they seek leave to renew their motion to strike. See id. at 6. *2 As before, the court believes that it would be premature to preclude certain affirmative defenses as lacking legal or factual support, as that remedy is more properly suited to a motion in limine. See Dkt. 305 at 4. However, the court does find it proper to discern the boundaries of NSO's asserted affirmative defense, especially in light of the numerous related disputes that have arisen. As discussed above, in addition to arguing that the affirmative defense should be stricken in its entirety, plaintiffs also argue that any exception for law enforcement activity must be tied to the asserted claims under the CFAA, and further argue that the statutory exception applies only to United States law enforcement activity. NSO does not appear to respond to that argument in its portion of the discovery letter brief. In fact, NSO provides no statutory basis for its asserted affirmative defense. In the absence of any authority showing an expanded law enforcement exception, the court construes NSO's sixth affirmative defense as congruent with the exception provided for in 18 U.S.C. 1030(f), which reads as follows: This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States. Because NSO has not made even an initial showing that the above exception applies to any of the alleged victims in this case, the court concludes that the discovery sought in relation to those alleged victims would be disproportionate to the needs of the case. As mentioned above, the parties' disputes over victim-related information has spurred not only the four current discovery letter briefs, but also multiple previous rounds of discovery disputes. In other words, the parties' repeated disputes over victim-related information have made plain just how disproportional the requested discovery is to the needs of the case. The court has already held that the identity of the victims is not relevant to plaintiffs' case-in-chief, and plaintiffs have now represented to the court that they do not intend to call Citizen Lab at trial. See Dkt. 308 at 4. Based on that representation, the court concludes that the pursuit of further discovery related to Citizen Lab and the identification of the alleged victims would not be proportional to the needs of the case at this time. At the time of trial, the court will account for this limitation when determining the admissibility of evidence. Accordingly, the requests for relief sought in the parties' first, second, and third discovery letter briefs are DENIED, and the request for relief sought in non-party William Marczak's discovery letter brief is GRANTED.[1] B. Plaintiffs' motion for issuance of a letter rogatory Next, plaintiffs have filed a motion for issuance of a letter rogatory pursuant to the Hague Convention, seeking discovery from NSO witnesses in Israel. See Dkt. 320. NSO's response points out that no depositions have been taken in this case (at the time of the letter brief's filing), and that the discovery sought can be obtained from deponents who have already agreed to appear. See Dkt. 336 at 7. *3 The court concludes that, before going through the burdensome process of seeking discovery through the Hauge Convention, it would be more prudent for plaintiffs to first take the depositions of the witnesses that have already agreed to appear. While plaintiffs provide authority that the Israeli witnesses need not possess “unique” information in order to justify discovery, in this instance, the court finds that it would not be proportional to the needs of the case to seek non-unique discovery from Israel via the Hague Convention. Accordingly, plaintiffs' motion for issuance of a letter rogatory is DENIED at this time. C. Plaintiffs' motion to compel Finally, plaintiffs have filed a motion to compel production of the Amazon Web Services (“AWS”) web server. See Dkt. 332. Plaintiffs also ask that NSO be required to revise its RFA responses and to provide a “full explanation” regarding the preservation of the server “so that sanctions may follow if appropriate.” See id. at 7. In its opposition, NSO represents that it has “preserved” the “entire contents of the AWS server as it existed between November 2020 and January 2021, i.e., the most recent iteration of the AWS server that contained any Pegasus computer code or other materials comprising or related to Relevant Spyware.” See Dkt. 339 at 5. NSO further argues that plaintiffs have improperly filed a motion for reconsideration in the form of a motion to compel. As an initial matter, the court disagrees that plaintiffs' motion seeks, in substance, reconsideration of the court's previous order regarding NSO's server information. Instead, the court views the present motion as seeking clarification rather than reconsideration, as the court's previous order did not specifically mention the AWS server (rather, it referred only generally to “server architecture”) nor the specific request for production at issue on this motion (namely, RFP no. 30). NSO argues that, if the court were to grant the relief sought by plaintiffs' motion, then it would “challenge whether the prior motion did in fact compel further discover with respect to each of the requests in categories 1 and 2 (as the order did not use the word ‘granted’ in its discussion of categories 1 and 2).” See Dkt. 339 at 11, n. 4. The court agrees with NSO that the previous order did not use the word “granted” in the same specific paragraph as the discussions of categories 1 and 2, and now clarifies that the previous order did indeed intend to grant plaintiffs' requested relief with respect to categories (1) and (2), as reflected in the order's language that “those documents are sufficiently important and specific such that compliance with discovery obligations may not be excused.” See Dkt. 292 at 3-4. The court believes that such clarification will obviate the need for further motion practice on the issue. The need for clarification of the court's previous order regarding category (4) is evidenced by the argument made in NSO's proffered sur-reply[2] that the “previous order's reference to ‘full functionality’ was not intended to require NSO to produce Pegasus computer code.” Dkt. 346-1 at 3. The court takes this opportunity to clarify that the previous order's reference to ‘full functionality’ was indeed intended to require NSO to produce Pegasus computer code. The basis for the court's denial of category (4) was that production of the AWS server in its entirety could have resulted in the disclosure of information about NSO products completely unrelated to Pegasus, and because “[b]ased on the information presented to the court” at the time, it appeared “that plaintiffs would be able to glean the same information from the full functionality of the alleged spyware, as discussed in category (2) above.” See Dkt. 292 at 5. *4 Rather than arguing that the Pegasus code housed in the AWS server is duplicative of the discovery that will otherwise be provided to plaintiffs, NSO argues that production is not warranted because the Pegasus code “is very carefully export-controlled by the Israeli Ministry of Defense.” See Dkt. 339 at 6. However, the court already balanced those considerations as part of the Richmark analysis, and concluded that, in spite of the export controls and other restrictions, that production of “information sufficient to show the full functionality of all relevant spyware” was “not excused” because “that information is sufficiently important and specific” to require production under Richmark. See Dkt. 292 at 5. Accordingly, the court now clarifies that its previous order, dated February 23, 2024, should be read to encompass Pegasus computer code, as well as code that shows the full functionality of any other “relevant spyware.” To the extent that information on the AWS server as of November 2020, and which has since been moved to a different server, reflects such computer code, the court orders production of that code under Richmark, as the information is sufficiently important and specific to require production despite the existence of foreign legal restrictions. To be clear, the court is not re-balancing the Richmark factors on this motion, it is simply reiterating the balance that was struck in the previous order. The information showing the full picture of how Pegasus functions – which squarely includes Pegasus computer code – is discoverable under Richmark despite the various restrictions that have been cited. Regarding NSO's responses to plaintiffs' requests for admission, the court first recognizes that the Federal Rules of Civil Procedure impose upon parties a duty to supplement discovery responses if the party learns that the response is incomplete or incorrect. See Fed. R. Civ. Pro. Rule 26(e)(1). Given the additional information about the AWS server contained within this motion's briefing, the court concludes that supplementation of NSO's responses to plaintiffs' requests for admission is warranted. Accordingly, NSO is directed to provide supplemental responses to all of the requests for admission cited in plaintiffs' motion, namely, RFA nos. 38 and 43-52. To the extent that NSO argues that certain RFAs were properly denied – for instance, because they were phrased in the present tense – NSO need not necessarily amend those responses. The purpose of the court's order is simply to ensure that the RFA responses contain all of the updated information that was provided in NSO's opposition brief. To the extent that plaintiffs' motion seeks a “sanctions finding” or any related relief, the court finds that request to be premature and/or improper in light of NSO's representation that it preserved the relevant information on the AWS server. Accordingly, plaintiffs' motion to compel is GRANTED in part and DENIED in part. The motion is granted to the extent that plaintiffs seek production of information related to the “relevant spyware” (including Pegasus computer code) that was housed on the AWS web server and was subsequently preserved. The motion is also granted to the extent that plaintiffs seek to have NSO provide supplemental responses to RFA nos. 38 and 43-52. The motion is denied to the extent that plaintiffs seek sanctions-related relief. NSO shall provide supplementary responses to the RFAs within 21 days of the date of this order. Regarding the information previously stored on the AWS web server and subsequently preserved, the court recognizes that NSO must comply with certain procedures before production, and thus will not set a separate deadline beyond the obligations imposed by the federal rules and this case's schedule. *5 In connection with the discovery motions, the parties have filed various motions to seal. See Dkt. 307, 313, 319, 323, 331, 335, 341, 345. The motions to seal are GRANTED under the “good cause” standard. CONCLUSION For the foregoing reasons, the relief requested by the parties' first three discovery letter briefs (Dkt. 306, 308, 314) is DENIED, and the relief requested by non-party William Marczak (Dkt. 324) is GRANTED. Plaintiffs' motion for issuance of a letter rogatory (Dkt. 320) is DENIED, and plaintiffs' motion to compel (Dkt. 332) is GRANTED in part and DENIED in part. IT IS SO ORDERED. Footnotes [1] NSO argues that Marczak's relevant testimony is “not limited to the content of the Citizen Lab ‘civil society’ and ‘VIP’ lists,” but does not provide any basis for the court to conclude that Marczak has any relevant testimony beyond his work for Citizen Lab and/or unrelated to the identity of the alleged victims in this case. See Dkt. 324 at 5. [2] NSO's motion for leave to file a sur-reply (Dkt. 346) is GRANTED.