[Reflecting on events from the first half of 2021, IFEX’s Middle East and North Africa Editor Naseem Tarawnah explains how increasingly sophisticated digital surveillance tools are being sold to and deployed by authoritarian states in the region to target human rights defenders, and how civil society is defending the right to privacy and digital free expression.]
Preamble: The Context
Security agencies throughout the region have a long and notorious legacy of tracking their citizens and their free expression. However, the proliferation of the use of social media and technology spurred by the Arab uprisings of 2011, as well as growing awareness amongst activists of the use of encryption and circumvention tools to bypass state surveillance, saw authoritarian governments investing heavily in the import of foreign technologies and expertise in recent years – a concerted effort to enhance their surveillance capabilities. In an era where smartphones have helped bring most of the region’s population online, the devices in our pockets have also exposed critics of the region’s repressive authorities to a wide range of growing digital threats.
In this context, a thriving global surveillance technology industry has provided a growing marketplace for buyers from the region, often marketing their products under the guise of enabling governments to better counter terrorism threats. Dozens of companies, including Israeli’s NSO Group and Cellebrite, Germany’s Finfisher, and Italy’s Hacking Team, have sold digital espionage tools to the region’s worst violators of privacy and free expression, amidst an intensifying crackdown on criticism post-uprisings.
For instance, in the five years following the 2011 protests, UK arms company BAE Systems sold its Evident surveillance technology to Saudi Arabia, the UAE, Qatar, Oman, Morocco, and Algeria, empowering these states with a tool that collected and analysed millions of people’s emails and messages.
Justice and accountability have been slow to arrive. Only recently have executives from two French tech firms faced charges of “complicity in acts of torture” for selling internet surveillance tools to Libya and Egypt that were used to track down opposition figures who were later detained and tortured, according to the International Federation for Human Rights (FIDH).
Part of the problem is that these sales take place with little transparency or human rights considerations from the onset, and are only revealed as a result of investigative journalism and vigorous research by organizations like The Citizen Lab that document their nefarious uses by authoritarian states. While this has naturally restricted access to the most current information on the digital arsenals of the region’s authoritarian states, what has become self-evident is that, in the meantime, the tools being sold continue to evolve.
“It used to be that ‘the walls have ears’, but now it’s ‘smartphones have ears,'” Saudi women’s rights activist Manal al-Sharif told the BBC in 2017. Today, the shadowy digital surveillance landscape has produced tools that demonstrate a growing sophistication in their ability to monitor, record, and essentially convert devices into incriminating weapons against their targets.
Part I: Targets and perpetrators
The region’s burgeoning surveillance states have had a profound, negative impact on free expression and access to information. Activists and journalists face increased risks to their jobs, reputations, sources, and contacts, including family members. Their ability to report and relay on-the-ground information that both those living in the region and international organizations rely on has been massively hindered, restricting access to real-time information. Netizens are also likely to engage in more self-censorship when seeing how others have been targeted for their digital content and communications.
Data harvested from monitored devices have also been used to target activists, journalists, and human rights defenders through online doxxing and smear campaigns that have been particularly harmful to vulnerable groups in the region, including women and the LGBTQI+ community. Al Jazeera journalist Ghada Oueiss’s phone was hacked, resulting in her private photos and videos being posted online, and continuous gendered attacks from Saudi online trolls.
In the decade since the uprisings, authorities have also increasingly wielded digital surveillance tools to support human rights violations and flawed legal persecutions, targeting their populations in the most vicious of ways. In Bahrain, detained activists during the 2011 protests were shown transcripts of their private messages and asked to explain them, while being tortured. In Morocco, journalists Omar Radi and Maati Monjib, were identified as spyware targets by Amnesty International, and have faced jail sentences based on trumped-up charges.
In the region, the UAE and Saudi Arabia have stood out as the leaders in deploying these technologies to silence their populations. Activists like Bahraini human rights defender Maryam Al-Khawaja have also pointed to normalization deals between Gulf states and Israel as likely to worsen the situation for Gulf activists, arguing that the “exchange of spyware and surveillance technology is going to happen in an even more smooth transaction.”
UAE: An oasis for cyber-mercenaries
In a short period of time, the UAE has built a staggering homegrown surveillance infrastructure. A 2019 Reuters investigation revealed how American former National Security Agency operatives helped the UAE launch hacking operations dubbed Project Raven in 2014. The operations used various cybertools to monitor the UAE’s opponents, including Karma, a sophisticated spyware that between 2016 and 2017 hacked iPhones of hundreds of users. Targets included the Emir of Qatar, a senior Turkish official, Yemeni human rights activist and Nobel Peace laureate, Tawakkol Karman, and Nadia Mansoor, wife of imprisoned UAE human rights activist Ahmed Mansoor.
Project Raven’s cyber espionage operations were taken over by the UAE’s domestic cybersecurity firm, DarkMatter Group, which the Electronic Frontier Foundation called a “cyber-mercenary firm” that has spearheaded nefarious hacking efforts throughout the world, supported by its global recruitment of hackers. According to security experts, the group is likely behind ToTok, the short-lived Emirati messaging app that The New York Times revealed to be a spyware tool used to track conversations, movements, sounds and images on its users’ devices.
Prominent Emirati human rights defender Ahmed Mansoor, who is currently serving a 10-year prison sentence for his online expression, was extensively targeted by spyware. His case exemplifies the extent to which Emirati authorities have deployed a panoply of cybertools from across the world. According to Citizen Lab research, Mansoor was targeted with FinFisher’s FinSpy spyware in 2011, Hacking Team’s Remote Control System in 2012, as well as NSO Group’s Pegasus spyware in 2016.
Saudi Arabia: Perilous surveillance
In similar fashion, Saudi Arabia’s digital surveillance infrastructure has witnessed massive investment over the past decade, with a battery of cybertools imported and foreign cyber experts employed to build one of the region’s most threatening surveillance states.
Spearheaded by Mohammad Bin Salman (MBS) adviser Saud al-Qahtani, the Royal Court’s counterterrorism center in Riyadh has allegedly been responsible for some of the most notorious cyber espionage operations. Over the past decade, the Kingdom’s cyber arsenal has reportedly been bolstered by tools from Italian hacking company, Hacking Team, Israel’s NSO Group, and the UAE’s DarkMatter.
In a June 2014 report, Citizen Lab researchers identified malicious surveillance software by Hacking Team that targeted citizens in Qatif protesting government policies and state repression. The spyware came in the form of an altered version of the local news app, Qatif Today, which granted access to emails, text messages, files from applications like Facebook, Viber, Skype, or WhatsApp, as well as contacts and the call history of the phones it was installed on.
In 2018, Citizen Lab documented the surveillance of prominent Saudi political activist and Canadian resident Omar Abdulaziz, whose phone was hacked with NSO’s Pegasus spyware. As an associate of Saudi journalist Jamal Khashoggi, Abdulaziz’s phone contained private Whatsapp exchanges between the two regime critics, including their plans to launch a social media activism network, and has pointed to this information as playing a pivotal role in the Khashoggi’s brutal assassination at the Saudi Consolute in Istanbul months after the hack.
Dozens of journalists at Al-Jazeera, as well as a journalist at the London-based AlAraby TV, were targeted by a cyberespionage operation linked to Saudi Arabia and the UAE. Malware infected the phones of 36 journalists and media workers at Qatar’s Al Jazeera network in 2020, which Citizen Lab called “the largest concentration of phone hacks targeting a single organization”.
How to catch a Pegasus
Digital security experts and civil society organizations have repeatedly sounded the alarm over NSO Group’s military-grade spyware, Pegasus, and its sophisticated zero-click attack that gives authorities control over infected devices without a user’s interaction. While the company has remained steadfast in its denials, recent investigations led by the Paris-based journalism non-profit Forbidden Stories and a consortium of 17 news organizations have managed to reveal the full breadth and global reach of these attacks.
Dubbed “Project Pegasus”, the group conducted a forensic investigation of over 50,000 individuals whose phone numbers were targeted by the notorious spyware at the hands of government clients, including regional perpetrators like Morocco, Saudi Arabia, the UAE, and Bahrain.
From the region, targets on the list ranged from Jamal Kashoggi’s family, and his fiance Hatice Cengiz, to journalist Roula Khalaf, who became the first female editor of the Financial Times last year. Wadah Khanfar, the former director-general of Al Jazeera also appeared on the list, as did Moroccan journalists Omar Radi, Hicham Mansouri, and Taoufik Bouachrine. In perhaps an ironic demonstration of an out-of-control surveillance state, the investigations revealed King Mohammed VI may have also been targeted by the spyware by his own security apparatus.
In the wake of the reports, Amazon announced it was shutting down its Web Services infrastructure and accounts linked to NSO Group, while the Israeli government declared it would establish a task force to examine whether the country’s policy that has allowed for the unchecked export and deployment of these cyberweapons in the first place, was in need of reform.
The investigation has undoubtedly helped lift the fog on the digital surveillance battlefield, elevating its relevance as a global national security issue, and given fuel to civil society’s efforts to stem the rising tide of these cyber weapons in the region.
Part II: Beyond the panopticon
Civil society is fighting back.
As crackdowns across the MENA region continue unabated, governments in Western democracies should take action against companies that aid such repression. Rights groups have repeatedly called on the EU, US and Canadian governments to impose controls on the exports of spy-tech companies and prevent these actors from exporting technologies that facilitate censorship, blocking, and spying by repressive governments in the region.
In the EU, recently adopted new regulation measures on dual-use surveillance technology exports from European companies were welcomed by rights groups, who however also expressed their disappointment that the legislative text did not include clearer and stronger conditions on EU member states and exporting companies to implement the new rules, and disciplinary actions for members in breach of the law.
Meanwhile, UN experts and rights groups have called for a moratorium on the purchase, sale, and transfer of surveillance tools to authoritarian states, underscoring the need for establishing a regulatory framework to provide the necessary oversight.
In the battle for greater regulation, demands for transparency and mechanisms for accountability have been critical. In the US, the Reuters investigation into Project Raven led to new legislation requiring the State Department to disclose how it controls the sale of cyber tools and actions taken against American companies that violated its policies.
In 2018, Omar Abdulaziz filed a lawsuit against Israel’s NSO Group for infecting his phone, arguing the hacking “contributed in a significant manner to the decision to murder Mr. Khashoggi.” The company also faces a lawsuit from UK-based Saudi dissident and vocal critic Ghanem Almasarir, as well as a legal battle launched by Facebook in a US court and backed by other tech giants. Meanwhile, in Israel, lawyer Eitay Mack has led legal petitions to hold Israel’s NSO Group and Cellebrite tech firms accountable for the exports of their cyberespionage tools.
In December 2020, hacked journalist Ghada Oueiss also filed a lawsuit in a court in Florida accusing Saudi Crown Prince Mohammed bin Salman, Abu Dhabi Crown Prince Mohammed bin Zayed, DarkMatter, NSO, and several American social media account holders, of being responsible for her hack-and-leak.
This growing list of legal actions launched in courts outside the region are vital if we are to expose the inner-workings of these operations and bring transparency to a clandestine process – one where it has been difficult to track the tools being sold, and the perpetrators using them to violate human rights.
On this front, collective action from civil society is critical. Digital rights groups are increasingly leading efforts to hold surveillance companies accountable for their spy tool exports. Civil society organizations challenged Cellebrite’s bid to go public on the Nasdaq stock exchange, underscoring how the sale of the company’s products to repressive regimes like Saudi Arabia has enabled “detentions, prosecutions, and harassment of journalists, civil rights activists, dissidents, and minorities around the world.”
Google’s plans to establish its regional cloud services in Saudi Arabia has also been met with collective pushback. Rights groups pointed to the country’s track record of repression, cyber espionage, and “use of cyber surveillance software to spy on dissidents” as reasons enough to scrap the project.
Digital rights group Social Media Exchange (SMEX) says that the lack of a strong data protection framework in Saudi Arabia has also facilitated threats to users’ digital privacy. Throughout the wider region, the need to strengthen insufficient data protection and privacy laws is becoming vital to efforts to curb digital surveillance, and according to SMEX research, increasingly relevant in the context of governments deploying a myriad of COVID-19 tracing apps during the pandemic.
Several human rights and digital rights organizations from the region have also come together to form the MENA Coalition to Combat Digital Surveillance. The groups have called for an end to the sales of digital surveillance tools to repressive governments in the region, and aim to fight for a safe and open internet that protects “human rights defenders, journalists, and internet users from governments’ prying eyes.”
As digital surveillance technologies continue to rapidly evolve in their capacity, and their sellers and buyers continue operating with little accountability, we are likely to see growing calls within the international community to regulate exports of these tools, a growing awareness amongst users in the region on methods to protect themselves, as well as demands for stronger data protection and privacy rights.
But efforts to curb this dangerous trend will depend largely on empowering the capacity of digital rights organizations and independent researchers from within the region to conduct timely and unrestricted technical research. Their work does not only help shed light on a surveillance marketplace lacking in transparency, it also supports advocacy efforts to bring about substantive policy changes and better legal protections on both the regional and international front.
[This article was originally published on IFEX.org. It is also available in Arabic, French, and Spanish.]