Digital Rights

Pegasus Project: International Revelations

Abhishek Anand

Nine Bahraini activists' phones found to be compromised by the NSO spyware

Citizen Lab, an interdisciplinary research lab based at the University of Toronto in Canada, recently confirmed in a report that the phones of nine Bahraini activists both inside and outside the country were infected using the Pegasus spyware. At least four of these victims were almost certainly hacked by the Bahrain government, as per the report.

The phones of nine activists were successfully hacked through Pegasus between June 2020 and February 2021. These include three members of the Bahrain Centre for Human Rights, three members of Wa'ad, Bahrain's largest left-wing political party which was suspended in 2017 on flimsy terrorism charges, a member of the underground Shiite Al-Wefaq political party, and two exiled Bahraini dissidents.

One of the victims was in London when their phone was found to have been hacked. Citizen Lab claims that as per their research, the Bahrain government spies only in Bahrain and Qatar using Pegasus, which means that this particular victim was targeted by another client of the NSO Group, the Israeli firm that has developed and sells Pegasus.

Of these nine activists, the numbers associated with five were also found in the alleged Pegasus target list accessed by the Pegasus Project international media consortium, dating from 2016 up to several years ago.

The Kingdom of Bahrain, which has been ruled by the al Khalifa dynasty since 1783, has a long history of using commercial spyware to carry out surveillance on its citizens. It also has a terrible human rights track record. In spite of this, NSO sold its Pegasus spyware to Bahrain, which brings into question the former's claims of conducting due diligence on the human rights track records of potential clients.

Azerbaijan's digital control and targeting of journalists

The Organized Crime and Corruption Reporting Project (OCCRP), a member of the Pegasus Project consortium, reported last month that over a thousand numbers from Azerbaijan were present on the alleged snooping list. This indicated them being persons of interest and potential targets.

Out of these, the Pegasus Project has been able to identify 245 phone numbers. A majority of these identified numbers belonged to journalists, dissidents, human rights activists, and political opponents of the Azerbaijani regime. Furthermore, the snooping list also had the names of their family members and friends.

The list had names that had a long history of harassment by the Azerbaijani government due to questioning the government's autocratic policies, entrenched corruption in political circles, election malpractices, worsening human rights track record, and increasing restrictions on civil liberties.

It has become increasingly difficult to practise journalism credibly in Azerbaijan due to censorship and curbs on press rights. Most of the reporters, editors and media company owners on the alleged list have been at the receiving end of targeted harassment, trumped up criminal charges, travel bans, and even imprisonment at the hands of the by the authoritarian regime of President Ilham Aliyev, who has ruled with an iron fist since coming to power in a disputed election in 2003.

Journalists there operate under the threat of grave personal risk if they show Aliyev or his political party, the New Azerbaijan Party, which has been in power since 1993, in bad light. It is an open secret in the country that dissidents, political activists and journalists, including even some pro-government ones, are kept under surveillance, which the government does through increasingly sophisticated digital tools.

Most notably, female journalists are targeted by government agencies and pro-government forces through sexual shaming, as intimate photos and videos of theirs are either recorded without their knowledge, or procured from their digital devices through hacking, and then publicly leaked in order to scare them off and shut them up.

The female relatives of male journalists have been similarly targeted in order to attempt to blackmail them into silence.

OCCRP states that while it does not have any evidence to prove that the Azerbaijani government had access to the spyware, the number and identity of persons from Azerbaijan, combined with the government's track record in this regard, suggests that the Azerbaijani government indeed had access to Pegasus and is a client of the NSO Group.

Forensic analysis has confirmed that two of the Azerbaijani numbers, belonging to the female journalists Khadija Ismayilova and Sevinj Vaqifqizi, were indeed infected with the spyware for more than two years.

Azerbaijani authorities have been silent, and have not reacted to these accusations. The NSO Group has also declined to make any comment on its clients and the alleged misuse of its Pegasus spyware.

PSG boss and beIN sports channel chairman allegedly targeted by Saudi Arabia

According to Le Monde, two different phone numbers belonging to the Qatari businessman, sports executive and politician Nasser al-Khelaifi, were found to be on the alleged target list for surveillance through the Pegasus spyware.

The French daily reported that the potential hacking of the president of the French football club Paris Saint-Germain (PSG) and beIN Sports chairman took place during the Qatar diplomatic crisis in 2018, which, in turn, resulted in Saudi Arabia, the United Arab Emirates, Bahrain, and Egypt cutting ties with Qatar and enforcing diplomatic, travel, and travel blockade that only ended earlier this year.

This action was carried out on claims that Doha "supported terrorism" and had close ties with Iran. These allegations have been long denied by Qatar.

Le Monde further reveals that the NSO client who placed al-Khelaifi on the target list also used the spyware to potentially infiltrate the phones of PSG's communications director, Jean-Martial Ribes, members of the beIN Media Group's management, Lebanese, Turkish, and Emirati senior officials, and critics of the Saudi monarchy. This suggests that the client was a Saudi security agency.

The Pegasus Project could not have access to the phones of any of these potential targets, and hence could not verify if their phones were indeed infected with Pegasus.

The dispute between Qatar and Saudi Arabia escalated further in 2018 after it came to light that BeoutQ, a pirate channel based in Saudi Arabia, stole beIN signals to broadcast football leagues and sports tournaments to which beIN had purchased exclusive rights. Following this, Qatar had filed a formal complaint with the World Trade Organization against the pirate channel, and demanded $ 1 billion for the damages incurred. Saudi Arabia's conduct in this entire episode was severely criticized by several national and international football bodies.

The Saudi authorities are yet to fully comply with beIN Media's requests to takedown BeoutQ's distribution of its copyrighted content, and instead, banned beIN Media's operations in Saudi Arabia in July 2020. In June 2020, WTO backed beIN's claims that BeoutQ was promoted by individuals in Saudi Arabia.

The NSO had denied all these allegations made against the misuse of Pegasus and said the reports filed by the Pegasus Project are based on "false assumptions and unconfirmed theories."