NSO Group’s surveillance software has been at the heart of Abu Dhabi and Riyadh’s digital crackdown on dissent at home and abroad.
Last month’s revelations into the reach of the NSO Group’s Pegasus spyware shone a light on how the software was used by governments to unlawfully infiltrate the devices of hundreds of journalists, activists, and lawyers around the world since 2016.
The investigation conducted by French NGO Forbidden Stories and its media partners obtained over 50,000 telephone numbers targeted globally by the Israeli malware on behalf of NSO clients in eleven countries, three of which were in the Gulf: Bahrain, Saudi Arabia and the United Arab Emirates (UAE).
The disclosures further confirmed the nexus between Gulf states like the UAE and Saudi Arabia with Israel, and the spyware’s role in Riyadh and Abu Dhabi’s intensifying digital repression, where online criticism or opposition to the state is deemed illegal.
On July 28, the Gulf Center for Human Rights (GCHR) filed a complaint against the Israeli company for its responsibility in the harm committed to human rights activists in the Middle East.
“These revelations also come at a time when press freedom is threatened across the world, particularly in a context of intensifying crises due to the Covid-19 pandemic,” the complaint read, adding that the NSO Group’s sale of Pegasus to repressive governments “undermine[s] freedom of expression, freedom of the press and the secrecy of sources.”
The case was filed in France by lawyers William Bourdon and Vincent Brengarth.
“It’s essential, throughout the Arab world, to speak out for the great journalists and human rights activists who have been spied on, and bring perpetrators of these violations to justice,” they stated upon submitting the case to the French public prosecutor.
After having filed a complaint for @GulfCentre4HR with @BourdonWilliam2, we state that "It’s essential, throughout the Arab world, to speak out for the great journalists and human rights activists who have been spied on, and bring perpetrators of these violations to justice." https://t.co/YRKYpfe2Hi— Vincent Brengarth (@v_brengarth) July 29, 2021
Victims of the Pegasus hacks include Ahmed Mansoor, an Emirati human rights activist currently serving a ten-year prison sentence in the UAE. Mansoor is believed to have been targeted in 2016 by the spyware prior to his arrest in March 2017.
In addition to Mansoor, the GCHR complaint mentions two other well-known Gulf human rights figures that were targeted using Pegasus: late Emirati activist Alaa al-Siddiq and Saudi’s Yahya al-Assiri.
Al-Siddiq was the executive director of ALQST, a nonprofit that works to defend human rights in the Gulf region and aid the release of political prisoners. She relocated to the UK to flee persecution, and tragically died in a car crash in the UK this June.
Al-Assiri, the founder of ALQST, is a human rights defender that also resettled in the UK.
Apart from those mentioned in the GCHR complaint, there have been several other confirmed targets in Abu Dhabi and Riyadh’s crosshairs.
Most notably, there were attempts to utilise the spyware after Saudi journalist Jamal Khashoggi’s murder to monitor his family and close associates, and even Turkish investigations – which included selecting the phone of Istanbul’s chief prosecutor Irfan Fidan and his wife Hanan Elatr for surveillance.
Khashoggi’s finance Hatice Cengiz’s phone was infected with Pegasus four days after his murder, as well as the journalist’s son Abdullah Khashoggi. Wadah Khanfar, a close friend of Khashoggi’s and the former director general of the Al Jazeera television network, was hacked.
London-based academic Madawi al-Rasheed, the co-founder of an opposition party made up of expatriate Saudi activists called the Saudi National Assembly, was also a victim of a hacking attempt in 2019, as was the party’s general secretary Yahya Asiri.
Writing on the revelations, al-Rasheed believes that Israel, Saudi Arabia, and the UAE “have become a chorus of malicious powers aiming to stifle activism and the quest for democracy in the region.”
“Israel provides knowledge; the others provide funds,” she said, adding that the privatisation of Israel’s security apparatus was not only a threat to Palestinians, but all Gulf citizens.
It was revealed that Latifa bint Mohammed al-Maktoum, the runaway daughter of the ruler of Dubai, was captured in 2018 with the help of Pegasus spyware.
Nasser al-Khelaifi, Qatari president of French football club PSG and CEO of beIN Sports, was suspected of being hacked in 2018, at the height of the Gulf rift between Qatar and the UAE, Saudi Arabia, Bahrain, and Egypt.
Over the course of the last two decades, the Gulf states have steadily invested in global surveillance technologies and weaponised them against their citizens.
In a joint action led by the MENA Surveillance Coalition, GCHR, Access Now protested “the scandalous targeting of hundreds of journalists and activists in Saudi Arabia, Qatar, Algeria, Bahrain, UAE, Lebanon, Morocco, Turkey and Egypt – many who have long been the subject of surveillance, harassment, arrest, torture and assassination.”
The Pegasus leaks “refute the repeated groundless claims made by the NSO Group that its spyware is exclusively used to deter crime and terrorism,” the joint action added.
Both Saudi Arabia and the UAE have denied the spying allegations.
The findings do not come as a surprise as many incidents had been reported on previously, including how Khashoggi and a close confidant of his Omar Abdulaziz had their phones monitored by Saudi intelligence using the spyware.
In December 2020, University of Toronto-based Citizen Lab disclosed that Saudi and Emirati authorities used Pegasus to hack 36 Al Jazeera journalists.