UAE and the impact of spyware on human rights defenders

Introduction

In October of last year, NSO Group, a leading Israeli technology company, announced that it would be terminating its contract with the United Arab Emirates. This decision was taken after it was revealed in the UK High Court that Sheikh Mohammed Bin Rashid Al Maktoum, ruler of Dubai, was using the company’s Pegasus software to spy on his ex-wife and those close to her. The hacking was used amid the couple’s custody battle over their two children. Pegasus software was designed by NSO Group to help government bodies to track down and stop criminals and terrorists. However, its clients have repeatedly misused it, the number one culprit being the United Arab Emirates. This case is not the first time the UAE was guilty of misusing the software but in fact has been found to use it multiple times against journalists, high profile political officials, and human rights defenders. Despite NSO Group finally taking human rights concerns over their technology seriously, a lot of damage had already been done.

US State Department Report

This damage was outlined in the recently released US State Departments Report on the United Arab Emirates Human Rights Practices for the year 2021. UAE’s spying activities were mentioned multiple times throughout the report. Firstly, under the section, Arbitrary or Unlawful Interference with privacy, family, home, or correspondence. It was highlighted that the constitution affords free and private correspondence through mail, phone, and internet. However, it was found this was not the case in practice. Particularly for journalists, dissidents, and activists, whose correspondence was repeatedly targeted. It was found that both incoming and outgoing international mail and phone calls were monitored and sometimes censored by the government. In 2021, the Pegasus Project, which was a special investigation by seventeen media organizations, released their findings into the use of this software. It accused the government of using this Pegasus software to illegally spy on people. Roula Khalaf, the Financial Times editor, was targeted as well as Emirati human rights defender Alaa al-Siddiq before her tragic death in July last year.

The internet was not any safer for these activists as the report found that online surveillance was used by the government to track dissidents both at home and abroad. Foreign cyber experts were hired by the Emirati government to improve its hacking abilities. Even living abroad did not keep dissidents safe from illegal monitoring and surveillance. Relatives of political prisoners were targeted and spied on to gather information about their relative’s activities. Many phones in the UK were targeted, which will be detailed later in the piece. The government labelled many of these dissidents as terrorists in order to justify their activities. This US report highlights the measures the UAE is willing to go to quieten its critics and how dangerous this Pegasus spyware can be for human rights defenders.

What is Pegasus?

Pegasus software is a product of the NSO group, which has the ability to break into a mobile phone and gather personal and location data. It first came to prominence when it was revealed that the Israeli government was using it to spy on its citizens. On its website, NSO describes it as “technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.” Although intended for law enforcement activities by governments, it is now being used by mainly authoritarian governments to spy on its citizens as well as on foreign governments due to its infiltration capabilities. As well as gaining access to locations, it can also access the microphone and camera, enabling the hacker to listen in on conversations. It can allow the hacker to see call logs, internet searches, and passwords. Privacy is virtually impossible once Pegasus is installed. The biggest problem with this software is also what NSO Group prides itself on. It explains that the software is “designed to bypass detection and mask its activity,” meaning the person hacked has no way of knowing that their device has been infiltrated. The technology is so sophisticated that it can be what is known as a zero-click hack meaning the person does not even need to click a link for their phone to be hacked.

The Pegasus Project found that one thousand people across fifty countries were targeted. These included 189 journalists from various institutions including Al Jazeera, Reuters, Le Monde, and The Wall Street Journal. High-profile politicians were also a target with France’s President Emmanuel Macron being listed. Eighty-five human rights activists were victims of this hacking. It was found that the use of Pegasus primarily came from ten countries, three of which were the Gulf countries- Bahrain, Saudi Arabia, and of course, the United Arab Emirates. It is interesting that the countries with some of the worst records of human rights abuses use this software the most. The advanced sophistication of this software is what makes it so dangerous.

NSO Group insists that the software is for law enforcement purposes only and that it investigates any human rights concerns and then cancels its contract if necessary. It was only after several abuses of the software did the UAE receive its ban. After the release of the findings of the Pegasus Project, NSO Group denied any wrongdoing on its part and that the report was full of mistruths, once again emphasizing its mission in capturing criminals. Amnesty International Secretary General Agnes Callamard dismissed these claims and said “NSO Group can no longer hide behind the claim that its spyware is only used to fight crime – it appears that Pegasus is also the spyware of choice for those wanting to snoop on foreign governments,” NSO Group has taken little responsibility for the danger its software has placed human rights defenders’ lives in, and this needs to change.

UAE and Human Rights Defenders

One of the modern challenges that activists and human rights defenders have to deal with is cyber-security. Authoritarian governments do not want these activists spreading the truth about their precious regimes and human rights abuses against their own people and so, they will do everything in their power to silence them. In this new age of cyber-space, escaping and working in a different country is not enough to make these activists safe. Cyberspace is becoming another arena for people to fight for their rights. Their privacy and therefore, safety is being violated by the misuse of modern technologies. The United Arab Emirates is known for its atrocious human rights record and its treatment of dissidents. The US Report on Country’s Human Rights Practices not only details its surveillance procedures but also incidents of torture, arbitrary arrests, and denial of a free trial. The freedom of speech, press, and assembly are all extremely limited in the country. Emirati activists work tirelessly, campaigning for human rights in their country and now they must work even more carefully.

Alaa al-Siddiq was an Emirati activist based in London. She was the executive director of ALQST, a human rights organization. She tragically passed away last year in a car accident that her organization deemed as not suspicious. According to an article in the Guardian, at her funeral, her close friends were too afraid to attend for fear of it being watched. They feared repercussions for their family in the UAE should they be connected to the well-known activist. Just three months later, it was revealed publicly that she was most likely being monitored and tracked by the UAE government from 2015 until 2020. She learned she had been hacked in 2020 and did an interview under a false name with Forensic Architecture on the subject. She expressed worry about the surveillance, mainly for those around her and who aided her in her research for ALQST. When she suspected the hack, she brought her device to Citizen Lab and researchers found evidence of Pegasus software in her devices. It was discovered that the government was constantly trying to hack all her devices with UK numbers. Friends reported that these constant cyber-attacks caused her great anguish in her final months, as she worried for not only her life but for those around her. For dissidents that have found safety abroad, they are never fully safe with this Pegasus software being able to reach them so easily and able to identify their family who might still be in the country and therefore, are even more vulnerable.

Other instances of the UAE using spying technology were revealed including an attempt on Saudi journalist, Jamal Khashoggi’s wife’s phone just months before his murder. She was detained and questioned upon her arrival in Dubai and had her belongings confiscated. It is believed this was when an attempt was made to infiltrate her phone. While it is thought that the attempt was not successful and NSO Group confirmed Pegasus was not used in any form in the murder of Khashoggi, the intent was clear. It was confirmed in the Washington Post that the UAE does spy on Saudi activists abroad and reports this information back to Riyadh. In 2016, prominent human rights defender, Ahmed Mansoor received text messages prompting him to click on links. When he sent these messages to Citizen Lab, they were found to contain Pegasus spyware. Mansoor is currently serving ten years imprisonment for exercising his right to freedom of speech. The Emirati government was also found to have been spying on Yemeni ministers for strategic and political purposes.

Future for activists

It is an ever-complicated field for activists and dissidents to navigate in their mission to fight for human rights in their country. Modern technology is both a help and hindrance as social media helps raise awareness for their cause among many other benefits, but the arm of their oppressive government stretches even further now. This hacking hinders the effectiveness of their work as activists cannot speak freely online and therefore can’t communicate or organize adequately. It also dissuades them from continuing their advocacy work for fear of their lives and those around them. One invasion can expose a whole network. So, what can be done to counter this invasion of privacy?

Pavlina Pavlova wrote a piece for Global Policy Journal detailing the new struggles activists and dissidents face in cyberspace but also the way forward. She highlights the vulnerability of the human rights defender community as they are specially targeted by authoritarian governments. These online threats can manifest into actual concern over physical and psychological security. Some defenders are acutely aware of the danger and can read security indicators by recognizing and resolving abnormalities, but many remain unaware of the dangers of their digital environment. One step to take is raising technological awareness and informing those at risk. Civil society organizations such as Front-Line Defenders are already progressing in this mission. Knowledge is key. UAE was able to gather unprecedented amounts of data on these people without their knowledge. The Pegasus Project was groundbreaking in this regard. Once human rights defenders have some semblance of knowledge on the issue, they can look out for certain red flags.

Pavlova also details the policy and legal framework being established to deal with this new cyber minefield and protect human rights defenders. A UN Programme of Action on cyber issues is in the process of being established. This would be a permanent UN forum where dialogue on the issue will be mainstreamed. Other projects such as the Open-Ended Working Group which works on improving responsible state behavior in the cyber realm have not been very successful in implementing real policy change. Companies like NSO Group upholding their human rights commitment is also key. Ending its contract with the UAE for violating human rights sends a message to other countries that the valuable software can be taken away. It also prevents the UAE from doing further damage with this product at least. But they must stay consistent in their rhetoric and therefore end their contract with Bahrain and Saudi Arabia too. Private companies must play a role and acknowledge the danger of their products and act accordingly, in respecting human rights. Both policymakers and human rights defenders are navigating their way through this 21st-century challenge but thanks to initiatives like the Pegasus Project, knowledge is power, and the way forward to combat these attacks and work safely becomes clearer.